The Future of the Firewall is Not a Firewall
By TK Keanini
I have seen the future of the firewall and it is not a firewall!
Firewalls have been with us since the late 1980s, and they have become synonymous with access control. It is time to redefine that relationship: access control will remain a need from now into the distant future, but the way access control is delivered must change with the evolution of networking and new methods of computing. We need to focus on delivering a consistent outcome regardless of which enforcement mechanism is appropriate for each environment.
All around us, consumers want to get as close to “paying for the outcome” versus paying for everything that is required to lead to that outcome. Some of you might remember the days when you wanted to run computer services for your company and it began with you having to rent real estate, HVAC, all the things that led up to finally operating computers and the applications offering those services. A very strong analogy here is ride sharing (like Uber or Lyft) whereby the consumer would like the outcome of “transportation” without the need for a car, insurance payments, covered parking, or the skill to drive. Hold on to this thought because the analogy carries through my entire explanation.
When you look at a ride sharing service, not only is the person paying for the direct outcome, but depending on your location, different options are presented. For example, if I’m in a city center, I might be presented with not only different classes of automobiles, but also electric scooters, bicycles, or maybe even pedicabs for shorter distances. Again, the outcome is getting from point A to point B, but depending on the environment, some transports are more appropriate than others. When you look at the outcome of access control, how it is implemented in the traditional data center is drastically different from public cloud; it is different again for mobile computing versus orchestrated containerized workloads. My point is that the policy of who should be able to communicate with whom, and which applications can be used, requires a decision similar to the ride sharing one and should be abstracted away from the local device that carries out that task. And this, my friends, is why the future of firewalls is not a firewall, but Cisco Defense Orchestrator!
Just like with Cisco’s larger intent-based networking, Cisco Defense Orchestrator (CDO) allows you to state your intention via a policy that spans your hybrid multi-cloud environment. You assert your access policies and Cisco Defense Orchestrator will handle the rest.
This pattern of articulating your intent and having machines reconcile it with the dynamic changes in the world is happening across the entire information technology field. We see it in container-based computing with the increasing popularity of Kubernetes: as demand ebbs and flows, Kubernetes handles the orchestration to ensure the service levels you intend to deliver are reconciled with the scaling of the services architecture. The same pattern is seen in intent-based networking, where a business states a policy of connectivity and the Cisco DNA architecture carries it out, ensuring that latency, bandwidth, and quality of service are all being met. In all cases, this pattern has made it simpler for humans to focus on the outcome while machines take on the more complicated and adaptive computing tasks.
Cisco Defense Orchestrator follows the same design pattern: an access policy is asserted and, depending on the network topology and computing environment, enforcement-point-specific configurations are implemented. Where once the firewall was synonymous with the access policy, Cisco Defense Orchestrator separates the access policy from the configuration details of the enforcement points. You can model and explicitly state the access policy of the business so that it can then be applied to legacy firewalls, next-generation firewalls, host-based firewalls, software-defined networking, or any other form of enforcement point that may come up in the future! Inherently, this decoupling also makes policy more testable, more scalable, and simpler to manage.
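To make the decoupling concrete, here is an added illustration (not Cisco Defense Orchestrator code, and not from this post): one enforcement-agnostic policy is rendered into two enforcement-point-specific forms, an iptables chain and a hypothetical cloud security-group document, and a check confirms that both backends reproduce the intended access decision for sample flows. The policy, the CIDRs, and the security-group schema are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessIntent:
    src_cidr: str
    dst_cidr: str
    dst_port: int
    proto: str = "tcp"

    def matches(self, src, dst, port, proto):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_cidr)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_cidr)
                and port == self.dst_port and proto == self.proto)

# Constructed sample policy: the business intent, stated once, independent of any enforcement point.
POLICY = [AccessIntent("10.1.0.0/16", "10.2.0.10/32", 443),   # clients -> web tier
          AccessIntent("10.2.0.0/24", "10.3.0.5/32", 5432)]   # web tier -> database

def intended_decision(policy, src, dst, port, proto="tcp"):
    """Outcome the policy intends for one flow; every backend must reproduce it."""
    return any(i.matches(src, dst, port, proto) for i in policy)
def render_iptables(policy):
    """Host-based firewall backend: one ACCEPT per intent, then an explicit default deny."""
    return [f"-A INPUT -p {i.proto} -s {i.src_cidr} -d {i.dst_cidr} --dport {i.dst_port} -j ACCEPT"
            for i in policy] + ["-A INPUT -j DROP"]

def render_security_group(policy):
    """Cloud backend: ingress entries in a hypothetical security-group schema (deny by default)."""
    return {"ingress": [{"proto": i.proto, "port": i.dst_port, "src": i.src_cidr, "dst": i.dst_cidr}
                        for i in policy]}
def iptables_decision(rules, src, dst, port, proto="tcp"):
    """Evaluate the rendered chain first-match, as the kernel would."""
    for rule in rules:
        tok = rule.split()
        opt = dict(zip(tok[::2], tok[1::2]))  # "-s 10.1.0.0/16" -> {"-s": "10.1.0.0/16"}
        if "-s" not in opt or AccessIntent(opt["-s"], opt["-d"], int(opt["--dport"]),
                                           opt["-p"]).matches(src, dst, port, proto):
            return opt["-j"] == "ACCEPT"  # first match wins; the bare DROP line is the default
    return False
def security_group_decision(sg, src, dst, port, proto="tcp"):
    """Evaluate the rendered security group: any matching ingress entry allows, else deny."""
    return any(AccessIntent(e["src"], e["dst"], e["port"], e["proto"]).matches(src, dst, port, proto)
               for e in sg["ingress"])
def backends_agree(policy, flows):
    """Testability gained by decoupling: every backend must yield the intended outcome."""
    ipt, sg = render_iptables(policy), render_security_group(policy)
    return all(intended_decision(policy, *f) == iptables_decision(ipt, *f)
               == security_group_decision(sg, *f) for f in flows)
```

Flows are (src, dst, port, proto) tuples; a backend that rendered the policy incorrectly would make backends_agree return False, which is the kind of check the decoupling makes possible.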
Cisco Defense Orchestrator has taken the firewall, a word we would typically view as a noun or a thing, and made it an action verb or an outcome. When I realized this, my mind was blown! Just as with ride sharing, abstracting the outcome of transportation away from the forms of transportation was not only genius but also a highly durable and forward-thinking methodology. Access control, and the policies that embody what the business requires, have been abstracted away from the device forms that will best carry out that access control! You no longer have to worry about topology, legacy firewalls, next-gen firewalls, application firewalls, software-defined networking, public cloud workloads, or the many things we don’t even know about today that will appear tomorrow. Instead, we can now focus on the outcome, which is the “intended state of access.” #mindblown
Want to learn more? Watch a quick explainer video or visit our Cisco Defense Orchestrator homepage.
Like what you see? Try our free 30-day trial of Cisco Defense Orchestrator to simplify security policy management across your Cisco ASA, FTD, or Meraki MX platforms.
Source: Cisco Security Notice