Authored in collaboration with Sunil Kumar Guduru (Enterprise Networking)
The integration of information technology (IT) and operational technology (OT) systems, also referred to as IT/OT integration, is a critical process in industries such as manufacturing, energy, and utilities. While IT systems handle data management, OT systems manage physical processes and control systems for critical infrastructure such as power grids, water treatment plants, and manufacturing equipment.
OT systems were once isolated from external networks, making them less vulnerable to cyber threats. Digital Transformation and Smart Manufacturing have accelerated the convergence of IT and OT networks in the process industry with Industry 4.0. While this integration can bring significant benefits such as increased efficiency, improved visibility, and better decision-making, it can also increase the risk of cyber-attacks.
IoT (Internet of Things) devices and sensors are proliferating into IT networks and are managed under a single IT network infrastructure to build smarter and safer workspaces. These IoT devices introduce several security threats to IT networks: IoT devices often have limited processing power and memory, making it challenging to implement robust security features, and they are largely deprived of security updates. Attackers exploit these weaknesses to pivot from compromised IoT devices to more critical systems and data.
In a recent Gartner Market Guide for OT Cybersecurity, it was reported that 82% of organizations have moved beyond the awareness phase and are now exploring and implementing OT security solutions. As industries continue to embrace new technologies, the need for secure IT/OT integration will continue to grow.
Security should be an integral part of Network Design
As networks converge and smart manufacturing accelerates, it is imperative that security be an integral part of the network design and not an afterthought. IT/OT integration is driving the need for network segmentation, access control, and stateful inspection of traffic moving across different domains. To address these challenges, secure firewall services must be inserted into the network at the IT/OT convergence points. These firewalls become essential to modern cybersecurity strategies to secure critical networks and safeguard valuable data from modern sophisticated threats.
Adding physical firewalls at IT/OT convergence points in the network can create additional points of congestion, which may impact the network's overall performance. Moreover, these new firewall appliances would require additional rack space, cooling, power, and link redundancy, leading to increased operational expenses.
Cisco's Enterprise Networking and Security teams have collaborated to develop an innovative solution to seamlessly insert containerized firewall services at IT/OT convergence points. The Cisco Secure Firewall ASA Virtual is a stateful firewall that is packaged as a Docker container and is hosted on Cisco Catalyst 9300 series switches as an application, instead of being physically present next to them. The virtual and container form factors of Cisco Secure Firewall ASA Virtual provide an identical set of capabilities.
Benefits of hosting containerized Cisco Secure Firewall capabilities on Catalyst 9300 switches
By hosting the containerized Secure Firewall ASA on Catalyst 9300 access switches, organizations benefit from enhanced security and simplified network deployment. This not only reduces the complexity of steering traffic to centralized firewalls through complex tunnels but also eliminates the need for additional hardware.
Positioning the firewall services closer to the source provides a cost-effective and highly efficient means of securing IT/OT converged networks. It also minimizes the latency for time-sensitive SOS applications, by enforcing the policies near the source where the devices connect to the network.
The redundant links and power supplies of the Catalyst 9300 switch are leveraged by the virtual firewall instance hosted on it. This reduces the need for additional servers and physical firewall appliances, saving on rack space, cooling requirements, and operational costs.
By leveraging these capabilities, organizations can simplify network design, reduce costs, and improve their security posture.
How does the containerized Secure Firewall ASA protect the IT/OT network from threats?
Stateful Inspection: All traffic that crosses the IT/OT domains should be subjected to stateful inspection to meet security compliance requirements. The containerized Secure Firewall ASA maintains a stateful connection table that keeps track of the state and context of each network connection passing through it and applies context-based access control. If any application requires additional ports for its operation, the firewall dynamically opens and tracks those ports while ensuring that security policies and access controls remain in place. All these events are logged for audit purposes and can be used for tracing and preventing security breaches.
Network Segmentation: One of the primary use cases for hosting the containerized Secure Firewall ASA on Catalyst 9300 at IT/OT convergence is network segmentation. By segmenting internal networks, organizations improve their security posture by limiting the spread of cyber-attacks. The firewall can be used to create separate security zones within the network, allowing organizations to control traffic flow between these zones. The firewall instance supports up to 10 logical (in/out) interfaces, which can be leveraged for segmentation. This segmentation limits an attacker's ability to move laterally within the network by containing any breach to a specific zone.
Access Control: The containerized Secure Firewall ASA provides access control in the IT/OT network through ACLs and Security Group Tags (SGT). With SGTs, the firewall applies security policies based on labels instead of IP addresses. The firewall uses SGTs to authenticate OT devices and assign them to a specific security group, such as "OT," which can further be used for stateful inspection.
Traffic Encryption: The firewall supports encryption protocols like SSL (Secure Sockets Layer) and IPsec (Internet Protocol Security) to protect IoT/OT traffic from eavesdropping and man-in-the-middle attacks. The communication between different IoT/OT clusters that passes through the shared IT network can be encrypted using IPsec, allowing isolated IoT/OT networks to be connected securely.
Secure Remote Management: The containerized firewall supports SSL and TLS VPNs, allowing remote users to establish secure connections to the Catalyst 9300. SSL/TLS VPNs provide encrypted communication tunnels for secure access to internal network resources, protecting sensitive data during remote management activities.
Management and Orchestration
Cisco Enterprise DNA Center (DNAC) is a management and orchestration controller that provides an automated workflow for the life cycle management and network connectivity configuration of applications like the containerized Secure Firewall ASA hosted on Catalyst switches. It ensures the firewall application is always up-to-date and secure, which is essential for maintaining the integrity and performance of the network. DNAC provides greater agility and scalability in the deployment and management of the containerized Secure Firewall ASA in large deployments where the firewall functionality is distributed across the network. Once the firewall is instantiated and network services are configured, it is onboarded to Cisco Defense Orchestrator for security policy management and event logging. Cisco Defense Orchestrator is a cloud-based centralized management and orchestration platform that simplifies policy management for various Cisco security products, including the containerized firewall. Defense Orchestrator is recommended for creating and deploying consistent security policies across large networks. It performs policy analysis and streamlines the configuration and management processes.
For small deployments, the firewall application can be hosted on Catalyst switches manually using the CLI or programmatically using RESTCONF/NETCONF. Cisco Adaptive Security Device Manager (ASDM) is a web-based management and monitoring application packaged in the Secure Firewall ASA image. ASDM lets users configure, monitor, and troubleshoot the firewall in smaller deployments through a user-friendly interface, enhancing security management capabilities.
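As an added illustration of the manual CLI path (this is not configuration from the original post or from Cisco's documentation), the IOS XE app-hosting fragment below shows how a containerized ASA could be declared on a Catalyst 9300 with one VLAN-backed guest interface per security zone, which is how the segmentation described above is wired to the switch. The app id, VLAN numbers, resource values and package file name are assumed placeholders, and the keywords should be checked against the IOS XE release in use.

```text
! --- Assumed example: IOS XE app-hosting config for a containerized ASA ---
! App id, VLAN ids, resource values and package name are placeholders.
!
! The internal AppGigabitEthernet port carries the container's guest
! interfaces to the switch as 802.1Q VLANs; each VLAN becomes one ASA
! logical interface (the post notes the instance supports up to 10).
interface AppGigabitEthernet1/0/1
 switchport mode trunk
!
app-hosting appid asav
 ! One VLAN per security zone, mapped to one ASA guest interface.
 app-vnic AppGigabitEthernet trunk
  ! VLAN 100: IT zone
  vlan 100 guest-interface 0
  ! VLAN 200: OT zone
  vlan 200 guest-interface 1
  ! VLAN 300: IoT zone
  vlan 300 guest-interface 2
 ! CPU units, memory (MB) and persistent disk (MB) are example values;
 ! size them from the ASA container's documented requirements.
 app-resource profile custom
  cpu 7400
  memory 4096
  persist-disk 8192
!
! Exec-mode lifecycle (assumed package path on the switch's SSD):
!   app-hosting install appid asav package usbflash1:asav-container.tar
!   app-hosting activate appid asav
!   app-hosting start appid asav
!   show app-hosting list                  (expect state RUNNING)
!   show app-hosting detail appid asav
!
! Interface addressing, ACLs and SGT policy are then configured inside
! the ASA (via ASDM or Defense Orchestrator), not in the switch config.
```

The switch only provides the hosting resources and the VLAN plumbing; whether inter-zone traffic is actually inspected depends on the ASA policy applied afterwards, so verify with a cross-zone flow that appears in the ASA connection table.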
Licensing
Customers can leverage their existing Secure Firewall ASA Virtual license entitlement to run containerized Secure Firewall ASA instances on Catalyst 9300 switches. This provides investment protection and the flexibility to migrate existing virtual ASA instances hosted on servers to Catalyst 9300 switches. It allows customers to seamlessly transition their network security infrastructure while maximizing the value of their Secure Firewall ASA Virtual licenses.
Conclusion
As industries continue to digitize and adopt advanced technologies, IT/OT integration has become essential. However, this integration also introduces new cybersecurity risks, making it more important than ever to implement effective security measures.
Hosting a containerized Secure Firewall ASA on Cisco Catalyst 9300 switches offers a flexible and convenient solution for inserting Secure Firewall services into the modern network. It provides stateful inspection for traffic flowing across the domains, reduces the attack surface by logically segmenting the network, enforces granular access controls across the network, and connects isolated OT/IoT clusters securely for secure remote management. Overall, it can help mitigate the risks associated with IT/OT integration, keeping critical infrastructure safe from cyber-attacks.
To learn more about Application Hosting solutions on Catalyst Switching, please visit the Enterprise Switching page on DevNet: https://developer.cisco.com/app-hosting/
Cisco Secure Firewall ASA Virtual:
https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/adapt-security-virtual-appliance-ds.html