Channel: John McAuley » Network Virtualization

Cisco Or Juniper Firewalls For The Next Cloud Pod?


As mentioned in the previous post, we're nearing the decision point on our next cloud pod architecture. One of my tasks related to this project is to run a parallel effort to figure out what everything will look like above the compute and storage infrastructure. In our case, that means the upper-layer switching/routing, the firewalls, the load balancers, and the connectivity to our customers' physical space/equipment in the data center.

As I’ve mentioned in previous posts, with our first cloud pod we selected the Juniper ISG platform which encompasses the VSYS technology that allows the creation of virtual firewalls for each customer.  At the time, we looked at Check Point, Cisco, and Juniper as well as a few of the pure cloud firewall players surfacing at the time.  So I wanted to go out there to see what had changed in the market since that first cloud pod was built two years ago.

I started out with the Cisco ASA platform.  Our company, and my team specifically, are now very familiar with this platform as it’s one of the products we offer as a managed firewall product.  It functions well and we’ve seen strong performance from the platform.  From a virtual firewall perspective, it also allows virtual contexts to be created.  This allows the same type of functionality as the Juniper VSYS technology as it enables us to create virtual firewall clusters for customers on shared hardware infrastructure.

One thing to keep in mind regarding our cloud offerings is that they are targeted at the enterprise market.  We aren’t trying to sell companies a few VMs or a development environment in the cloud.  Our focus is on production virtualization environments that enterprises will be able to depend on for mission-critical applications.  As such, we see customers having the same types of requirements in the cloud that we see them have in our dedicated physical data center spaces.

That leads me to why we selected the Juniper platform during cloud round one.  One of the primary reasons we made this decision was because the Juniper platform allowed us to terminate IPSEC VPN tunnels into the virtual environment of each customer.  Just like 95% of our legacy data center customers need VPN access into their physical data center environments, a similar ratio need VPN access into their virtual data centers.  Juniper offered that ability and it’s worked very well for us.  Our first cloud pod is now at about 40% capacity and almost all of those customers have at least one site-to-site VPN tunnel to a remote location and they each have several remote access VPN accounts for administrators of the environment.  We handle all of it on the Juniper ISG-2000s and the good news is that it’s supported in the same manner as we support our customers using Juniper dedicated firewalls.

Cisco ASA at the time (spring 2009) did not have the capability to terminate VPN on a virtual context once the virtual context features were enabled.  My hope was that they would have addressed this by now (two years later) and that we could move to the ASA platform after finding success with it in our dedicated spaces.  Unfortunately, I was disappointed.  Cisco is still not there and I’m not sure if they are going to get there unless someone puts some significant pressure on them to get these features on the platform.  I sat through the latest product overview with my account team and was once again told the features were not available in the virtual contexts.  The toughest part is that all the Cisco guys even seem disappointed and it appeared that I certainly wasn’t the first customer to point out these shortcomings.

Basically, Cisco tried to address the problem by proposing a new solution using a set of Cisco ASAs enabled with the virtual contexts, a set of ASAs off to the side to handle SSL remote access VPN users, and then a set of ASR 1000s to handle the site-to-site IPSEC tunnels.  Obviously that would be a stretch for me to go deploy a solution with three clusters of very expensive devices to handle the functionality of a single cluster of Juniper ISGs today.  We just can’t justify it at this point so we’re sticking with the Juniper platform which has proved reliable for these needs.  We really did want Cisco to have a viable offering but it just wasn’t there yet.

Additionally, we went through a brief overview of the new Cisco Virtual Security Gateway (VSG), which is integrated with the Nexus 1000V. Since the 1000V is going to enable some much-needed functionality on the virtual distributed switching side, we were excited to see this announcement and thought perhaps it could hold some value as a virtual firewall product for our cloud environments. However, we learned that at this time it's primarily just meant as a VM-to-VM firewall. What we need is a border firewall that would protect all the VMs in a customer environment under a single set of administrative policies or zones, similar to what a dedicated firewall cluster would do for a data center environment. We're looking for something similar to VMware's vShield Edge, and Cisco says that's coming in the next phased release of the VSG solution. We can't wait to see how that plays out.

For now, we're sticking with the Juniper ISG platform using their VSYS technology. It works. It's proven. We know how to deploy and support it. We also know its limitations (we'll save that for another day).
