Organizations embrace the public cloud for the agility, scalability, and reliability it provides when running applications. But just as organizations need these capabilities to ensure their applications operate where needed and as needed, they also require that their security does the same. Organizations may introduce multiple individual firewalls into their AWS infrastructure to produce this result. In theory, this is a good decision, but in practice it can lead to asymmetric routing issues. Complex SNAT configuration can mitigate asymmetric routing issues, but this isn't practical for sustaining public cloud operations. Organizations are planning their long-term cloud strategies by ruling out SNAT and are calling for a more reliable and scalable solution for connecting their applications and security for always-on protection.
To solve these challenges, Cisco created stateful firewall clustering with Secure Firewall in AWS.
Cisco Secure Firewall clustering overview
Firewall clustering for Secure Firewall Threat Defense Virtual provides a highly resilient and reliable architecture for securing your AWS cloud environment. This capability lets you group multiple Secure Firewall Threat Defense Virtual appliances together as a single logical device, known as a "cluster."
A cluster provides all the conveniences of a single device (management and integration into a network) while taking advantage of the increased throughput and redundancy you'd expect from deploying multiple devices individually. Cisco uses the Cluster Control Link (CCL) for forwarding asymmetric traffic across devices in the cluster. Clusters can scale up to 16 members, and VxLAN is used for the CCL.
In this case, clustering has the following roles.
The diagram above shows the traffic flow between the client and the server once the firewall cluster is inserted into the network. The roles of clustering, and how the packet flow interacts with each of them at every step, are defined below.
Clustering roles and responsibilities
Owner: The Owner is the node in the cluster that initially receives the connection.
- The Owner maintains the TCP state and processes the packets.
- A connection has only one Owner.
- If the original Owner fails, a new node receives the packets, and the Director chooses a new Owner from the available nodes in the cluster.
Backup Owner: The node that stores TCP/UDP state information received from the Owner so that the connection can be seamlessly transferred to a new owner in case of failure.
Director: The Director is the node in the cluster that handles owner lookup requests from the Forwarder(s).
- When the Owner receives a new connection, it chooses a Director based on a hash of the source/destination IP addresses and ports. The Owner then sends a message to the Director to register the new connection.
- If packets arrive at any node other than the Owner, the node queries the Director. The Director then looks up and identifies the Owner node so that the Forwarder can redirect packets to the correct destination.
- A connection has only one Director.
- If a Director fails, the Owner chooses a new Director.
Forwarder: The Forwarder is a node in the cluster that redirects packets to the Owner.
- If a Forwarder receives a packet for a connection it doesn't own, it queries the Director to find the Owner.
- Once the Owner is identified, the Forwarder establishes a flow and redirects any future packets it receives for this connection to the identified Owner.
Fragment Owner: For fragmented packets, cluster nodes that receive a fragment determine a Fragment Owner using a hash of the fragment's source IP address, destination IP address, and packet ID. All fragments are then redirected to the Fragment Owner over the Cluster Control Link.
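To make the Owner, Director, Forwarder and Fragment Owner interactions concrete, here is an added toy model that is not Cisco's code or the product's implementation: the hash functions, the per-node bookkeeping, the `Cluster` class and the message counts are assumptions chosen only to show which role each node plays as packets of one connection land on different nodes.

```python
"""Toy model of the clustering roles described above (Owner, Director,
Forwarder, Fragment Owner). Added illustration, not Cisco's code: the hash
functions and the bookkeeping are assumptions chosen to make the roles visible."""
import hashlib

def _bucket(key: str, n_nodes: int) -> int:
    # Stable hash -> node index (assumed stand-in for the real cluster hash)
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n_nodes

def pick_director(flow: tuple, n_nodes: int) -> int:
    # Director is derived from source/destination IP addresses and ports
    src_ip, dst_ip, sport, dport, proto = flow
    return _bucket(f"{src_ip}:{sport}>{dst_ip}:{dport}/{proto}", n_nodes)

def pick_fragment_owner(src_ip: str, dst_ip: str, packet_id: int, n_nodes: int) -> int:
    # Fragments carry no ports, so the Fragment Owner hashes src IP, dst IP and packet ID
    return _bucket(f"{src_ip}>{dst_ip}#{packet_id}", n_nodes)

class Cluster:
    def __init__(self, n_nodes: int):
        self.n_nodes = n_nodes
        self.registry = {}   # flow -> Owner node (conceptually held by that flow's Director)
        self.fwd_cache = {}  # (node, flow) -> Owner, a Forwarder's learned flow

    def receive(self, node: int, flow: tuple):
        """A packet of `flow` lands on `node`; return (role, owner, ccl_messages)."""
        director = pick_director(flow, self.n_nodes)
        if flow not in self.registry:
            # First packet of the connection: this node becomes Owner and
            # registers with the Director (one CCL message unless it is the Director)
            self.registry[flow] = node
            return "owner", node, 0 if node == director else 1
        owner = self.registry[flow]
        if node == owner:
            return "owner", owner, 0
        if (node, flow) not in self.fwd_cache:
            # Unknown flow on this node: query the Director, then remember the answer
            self.fwd_cache[(node, flow)] = owner
            return "forwarder", owner, 1 if node == director else 2
        return "forwarder", owner, 1  # redirect straight to the Owner over CCL

    def fail_node(self, node: int):
        # Owner failure: the Director forgets its flows so the next node that sees
        # packets becomes the new Owner; stale Forwarder entries are purged too
        self.registry = {f: o for f, o in self.registry.items() if o != node}
        self.fwd_cache = {k: o for k, o in self.fwd_cache.items()
                          if o != node and k[0] != node}
```

Running `Cluster(4).receive(...)` for the same flow on different nodes shows the first node becoming Owner, every other node acting as Forwarder after one Director lookup, and a new Owner being elected after `fail_node`.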
Integration with AWS Gateway Load Balancer (GWLB)
Cisco announced support for AWS Gateway Load Balancer (Figure 2). This feature allows organizations to scale their firewall presence as needed to meet demand (see details here).
Cisco Secure Firewall clustering in AWS
Building off the previous figure, organizations can take advantage of the AWS Gateway Load Balancer together with Secure Firewall's clustering capability to evenly distribute traffic across the Secure Firewall cluster. This allows organizations to maximize the benefits of clustering, including increased throughput and redundancy. Figure 3 shows how positioning a Secure Firewall cluster behind the AWS Gateway Load Balancer creates a resilient architecture. Let's take a closer look at what's going on in the diagram.
Figure 3 shows an Internet user attempting to access a workload. Before the user can access the workload, the user's traffic is routed to Firewall Node 2 for inspection. The traffic flow for this example consists of:
User -> IGW -> GWLBe -> GWLB -> Secure Firewall (2) -> GWLB -> GWLBe -> Workload
In the event of a failure, the AWS Gateway Load Balancer cuts off existing connections to the failed node, making the above solution non-stateful.
Recently, AWS announced a new feature for its load balancers known as Target Failover for Existing Flows. This feature allows existing connections to be forwarded to another target in the event of a failure.
Cisco is an early adopter of this feature and has combined Target Failover for Existing Flows with Secure Firewall clustering capabilities to create the industry's first stateful cluster in AWS.
Figure 4 shows a firewall failure event and how the AWS Gateway Load Balancer uses the Target Failover for Existing Flows feature to switch the traffic flow from Firewall Node 2 to Firewall Node 3. The traffic flow for this example consists of:
User -> IGW -> GWLBe -> GWLB -> Secure Firewall (3) -> GWLB -> GWLBe -> Workload
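Because the stateful behaviour above depends on the GWLB target group actually having Target Failover for Existing Flows turned on, here is an added configuration check that is not Cisco's or AWS's code: the attribute keys `target_failover.on_deregistration` and `target_failover.on_unhealthy` are the ones AWS documents for this feature, the JSON responses are constructed samples, and the target-group ARN is a placeholder supplied by the caller.

```python
"""Check whether a Gateway Load Balancer target group has Target Failover for
Existing Flows enabled. Added example, not Cisco's or AWS's code. The two
attribute keys are the ones AWS documents for GWLB target groups; the JSON
samples are constructed to mimic `aws elbv2 describe-target-group-attributes`."""
import json

FAILOVER_KEYS = ("target_failover.on_deregistration", "target_failover.on_unhealthy")

def failover_status(attributes_json: str) -> dict:
    """Map each failover key to its value; AWS defaults to 'no_rebalance'."""
    attrs = {a["Key"]: a["Value"] for a in json.loads(attributes_json)["Attributes"]}
    return {key: attrs.get(key, "no_rebalance") for key in FAILOVER_KEYS}

def flows_survive_node_failure(attributes_json: str) -> bool:
    """True only when both deregistration and unhealthy events rebalance existing
    flows to another target, which is what keeps the firewall cluster stateful."""
    return all(v == "rebalance" for v in failover_status(attributes_json).values())

def remediation_command(target_group_arn: str) -> str:
    """The CLI call that turns failover on (the ARN is a caller-supplied placeholder)."""
    attrs = " ".join(f"Key={k},Value=rebalance" for k in FAILOVER_KEYS)
    return (f"aws elbv2 modify-target-group-attributes --target-group-arn "
            f"{target_group_arn} --attributes {attrs}")

# Constructed sample: defaults left in place, so existing connections to a
# failed firewall node are cut off (the non-stateful case described above)
SAMPLE_DEFAULT = json.dumps({"Attributes": [
    {"Key": "deregistration_delay.timeout_seconds", "Value": "300"},
    {"Key": "target_failover.on_deregistration", "Value": "no_rebalance"},
    {"Key": "target_failover.on_unhealthy", "Value": "no_rebalance"},
]})

# Constructed sample: both events rebalance, the setting the stateful cluster relies on
SAMPLE_REBALANCE = json.dumps({"Attributes": [
    {"Key": "target_failover.on_deregistration", "Value": "rebalance"},
    {"Key": "target_failover.on_unhealthy", "Value": "rebalance"},
]})

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("rebalance", SAMPLE_REBALANCE)):
        print(name, failover_status(sample), flows_survive_node_failure(sample))
```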
Conclusion
Organizations need reliable and scalable security to protect always-on applications in their AWS cloud environment. With stateful firewall clustering capabilities from Cisco, organizations can protect their applications while maintaining cloud benefits such as agility, scalability, and reliability.
Cisco Secure Firewall Threat Defense Virtual is available in the AWS Marketplace, providing features like firewalling, application visibility & control, IPS, URL filtering, and malware defense. Cisco offers flexible options for firewall licensing, such as pay-as-you-go (PAYG) and bring-your-own-license (BYOL). To learn more about how Cisco Secure Firewall clustering capabilities can help protect your AWS applications, see our additional resources, check out our 30-day free trial, or speak to your Cisco sales representative.
Additional Resources
Cisco Secure Firewall Clustering in the Cloud
Introducing AWS Gateway Load Balancer Target Failover for Existing Flows
Secure Firewall for Public Cloud webpage