Solution Overview: Cisco Adaptive Security Virtual Appliance Comes to Amazon Web Services

Now you can get the benefits of the industry-leading Cisco® Adaptive Security Virtual Appliance in the Amazon Web Services (AWS) cloud. The virtual appliance brings both firewall and VPN features and use cases. Cisco on the AWS Marketplace offers:
• Full Adaptive Security Appliance feature set
• Easy licensing for dynamic virtual environments
• Compatibility with existing configuration and management tools
• Cisco AnyConnect® and clientless remote-access VPN and site-to-site VPN
• Elastic scalability
• Cloud automation using RESTful API

Figure 1. Unified Management of the Adaptive Security Virtual Appliance with a Hybrid Cloud (figure labels: AWS VPC with ASAv and EC2 in Subnet 1 and Subnet 2; Internet; Policy Mgmt and Reporting via Cisco ASDM and Cisco Security Manager)

How the Amazon Virtual Private Cloud Works
The Amazon Virtual Private Cloud (VPC) is a virtual network dedicated to your AWS account. It lets you provision a network that is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You have complete control over your virtual networking environment, which includes an IP address range, selected subnets, a configuration of route tables, network gateways, and security policy. You can build a VPN connection between your corporate data center and your VPC and use the AWS cloud as an extension of the data center.

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Solutions for integrating Amazon AWS with your existing network become simpler when your Cisco cloud virtual firewall runs the same features and policies as your on-premises physical Adaptive Security Appliance or hypervisor-based virtual appliance. The security team needs no additional training to extend the on-premises security policies into the cloud firewall. The virtual appliance provides the familiar user interface, so your team can take advantage of the existing network management tools and processes. In addition to the software command line, a representational state transfer (REST) application programming interface (API) has been added to all Adaptive Security Appliance platforms to allow programmable configuration and monitoring (see Figure 1).

Note: The middle box of Figure 1 shows how the Cisco Adaptive Security Device Manager and third-party management tools provide security, policy management, and reporting for your users. The remaining figure labels are Corporate Data Center, Corporate Users, 3rd Party Mgmt Tools (via REST-API), Public, and Private.

Amazon VPC is designed to provide a customized network configuration. For example, you can place web servers in public-facing networks that have access to the Internet and place your backend servers, such as databases or application servers, in a private subnet with no Internet access. You can provision multiple layers of security to provide controlled access to Amazon EC2 instances in each subnet.

Use Cases in Amazon AWS

Extending the Data Center
Amazon VPC is an extension of your corporate network. It gives you the flexibility of scaling resources at a low operational and managerial cost. You can deploy the virtual appliance to provide highly secure connectivity using an IPsec tunnel between your corporate firewall and the appliance. The VPN tunnel is created over the public Internet and encrypted using a number of advanced algorithms to provide confidentiality of the data transmitted between the Amazon VPC and your corporate data center (see Figure 2).
Users located in the corporate network can access applications hosted in AWS (subnet 1 and subnet 2) by means of a site-to-site tunnel.

Figure 2. Data Center Extension Using a Site-to-Site Tunnel (figure labels: Corporate Data Center with Corporate User; Internet; Site to Site VPN connection (Data & management); AWS VPC with ASAv and EC2 in Subnet 1 and Subnet 2; Private/Public)

VPC-Edge Firewall
Adding Amazon VPC to your operations is similar to adding a new network. The Cisco virtual appliance is a complete cloud security platform, offering a scalable stateful firewall, VPN, routing, and application inspection. You can deploy the appliance at the edge of Amazon VPC (see Figure 3) and provide security to internal servers. You can use private IP addresses on servers hosted in AWS and translate addresses on the virtual appliance so that users can access those servers through the Internet.

Figure 3. VPC-Edge Stateful Firewall (figure labels: Users accessing AWS resources using translated IPs; Internet; AWS VPC with ASAv and EC2 in Subnet 1 and Subnet 2; Private/Public)

VM-to-VM Security
In Amazon VPC most applications have a multitier design. For example, web servers are located in public-facing networks with access to the Internet, while the database and application servers are located in another network with no Internet access. The Adaptive Security Virtual Appliance can be deployed to protect communication between tiers in a multitier application environment (see Figure 4). Take the following points into consideration when designing security for communications between virtual machines:
• AWS security groups applied to the virtual machine and the Cisco appliance interfaces must allow the needed communication.
• AWS source and destination checks on all involved network interfaces must be disabled.
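As an added example (not code from this document, Cisco, or AWS), the following Python audits a constructed inventory against the two VM-to-VM design points above: it reports every interface on the web-to-app path that still has source/destination checking enabled, and checks that the security groups on the ASAv's ingress interface and on the destination admit the flow. The interface and group identifiers, the data shape, and the routed (no NAT) forwarding assumption are all constructed placeholders, not output from a real account.

```python
# Added example: audit the two VM-to-VM design points against constructed data
# shaped loosely like `describe-network-interfaces` / `describe-security-groups`.
# All ids, addresses and rules below are constructed placeholders.
from ipaddress import ip_address, ip_network

# Constructed inventory: a web-tier ENI, an app-tier ENI, and the ASAv's
# two interfaces (one in each subnet). Only one of them is configured right.
ENIS = [
    {"NetworkInterfaceId": "eni-web1", "PrivateIpAddress": "10.0.1.10",
     "SourceDestCheck": True, "Groups": ["sg-web"]},
    {"NetworkInterfaceId": "eni-app1", "PrivateIpAddress": "10.0.2.10",
     "SourceDestCheck": True, "Groups": ["sg-app"]},
    {"NetworkInterfaceId": "eni-asav-out", "PrivateIpAddress": "10.0.1.5",
     "SourceDestCheck": False, "Groups": ["sg-asav"]},
    {"NetworkInterfaceId": "eni-asav-in", "PrivateIpAddress": "10.0.2.5",
     "SourceDestCheck": True, "Groups": ["sg-asav"]},
]
# Constructed ingress rules per group: (protocol, from port, to port, source CIDR).
# sg-asav only admits 443, so database traffic (3306) is dropped before the ASAv.
SG_INGRESS = {
    "sg-asav": [("tcp", 443, 443, "10.0.0.0/16")],
    "sg-app":  [("tcp", 3306, 3306, "10.0.1.0/24")],
    "sg-web":  [("tcp", 443, 443, "0.0.0.0/0")],
}

def sg_allows(sg_id, proto, port, src_ip):
    """True if any ingress rule of sg_id admits proto/port from src_ip."""
    for rule_proto, lo, hi, cidr in SG_INGRESS.get(sg_id, []):
        if rule_proto in (proto, "-1") and lo <= port <= hi \
                and ip_address(src_ip) in ip_network(cidr):
            return True
    return False

def audit_flow(src_id, dst_id, proto, port, via_ids):
    """Findings for one tier-to-tier flow that must traverse the ASAv (via_ids).
    Assumes routed, non-NAT forwarding, so the destination sees the original
    source address; with NAT the ASAv inside address would be the source."""
    by_id = {e["NetworkInterfaceId"]: e for e in ENIS}
    src_ip = by_id[src_id]["PrivateIpAddress"]
    findings = []
    # Second design point: source/destination check off on every involved ENI.
    for eni_id in [src_id, *via_ids, dst_id]:
        if by_id[eni_id]["SourceDestCheck"]:
            findings.append(f"{eni_id}: SourceDestCheck still enabled")
    # First design point: the ASAv ingress ENI and the destination admit the flow.
    for hop_id in [via_ids[0], dst_id]:
        if not any(sg_allows(g, proto, port, src_ip) for g in by_id[hop_id]["Groups"]):
            findings.append(f"{hop_id}: no security group admits {proto}/{port} from {src_ip}")
    return findings

if __name__ == "__main__":
    for line in audit_flow("eni-web1", "eni-app1", "tcp", 3306, ["eni-asav-out", "eni-asav-in"]):
        print(line)
```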
Figure 4. VM-to-VM Security (figure labels: AWS VPC with ASAv and EC2 in Subnet 1 and Subnet 2; Public/Private)

VPC Peering
Today AWS is making the VPC model even more flexible. You now have the ability to create a VPC peering connection, a networking connection between two VPCs. Instances in either VPC can communicate with each other. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The Adaptive Security Virtual Appliance can be deployed at both ends to provide highly secure connections using an IPsec site-to-site tunnel (see Figure 5).

Figure 5. VPC Peering (figure labels: two AWS VPCs, each with an ASAv and EC2 in Subnet 1 and Subnet 2; Internet; Public/Private)

Highly Secure Connectivity for Remote Users
Enterprises across the globe are continually working toward increasing employee productivity and flexibility. Mobility has moved up the priority list of many IT executives, who are expanding mobility initiatives throughout the organization. The Cisco virtual appliance can be deployed as a VPN gateway to provide highly secure connectivity to remote users. It supports a wide variety of remote-access VPN technologies such as AnyConnect®, clientless VPN, IPsec (Internet Key Exchange Versions 1 and 2, known as IKEv1 and IKEv2), and third-party client support with IKEv2. The Cisco VPN configuration makes it easy for your IT staff to quickly provision remote-access VPN for mobile users and employees using their own devices (see Figure 6). Users can access applications on AWS using their personal devices even when they are remote.

Figure 6. Highly Secure Connectivity for Remote Users (figure labels: Users connecting using VPN; Internet; AWS VPC with ASAv and EC2 in Subnet 1 and Subnet 2; Private/Public)
Cisco Capital
Financing to Help You Achieve Your Objectives
Cisco Capital can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx, accelerate your growth, and optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.

Next Steps
For more information, please visit the following pages:
• Cisco Adaptive Security Virtual Appliance “Bring Your Own License” product page on Amazon Marketplace
• Cisco seller page on Amazon Marketplace
• Product webpage

How to Deploy the Adaptive Security Virtual Appliance in Amazon AWS
The Cisco Adaptive Security Virtual Appliance is available in the Amazon AWS Marketplace by searching on “Cisco ASAv” or “Cisco.” From the AWS Marketplace page, you can deploy the appliance in the bring-your-own-license (BYOL) mode. For configuration assistance, please refer to the documentation on the Cisco Adaptive Security Virtual Appliance webpage.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C22-735598-00 08/15