As mentioned in the previous post, we’re nearing the decision point on our next cloud pod architecture. One of my tasks related to this project is to run a parallel effort to figure out what everything will look like above the compute and storage infrastructure. In our case, that means the upper layer switching/routing, the firewalls, the load balancers, and the connectivity to our customer’s physical space/equipment in the data center.
As I’ve mentioned in previous posts, with our first cloud pod we selected the Juniper ISG platform which encompasses the VSYS technology that allows the creation of virtual firewalls for each customer. At the time, we looked at Check Point, Cisco, and Juniper as well as a few of the pure cloud firewall players surfacing at the time. So I wanted to go out there to see what had changed in the market since that first cloud pod was built two years ago.
I started out with the Cisco ASA platform. Our company, and my team specifically, are now very familiar with this platform as it’s one of the products we offer as a managed firewall product. It functions well and we’ve seen strong performance from the platform. From a virtual firewall perspective, it also allows virtual contexts to be created. This allows the same type of functionality as the Juniper VSYS technology as it enables us to create virtual firewall clusters for customers on shared hardware infrastructure.
One thing to keep in mind regarding our cloud offerings is that they are targeted at the enterprise market. We aren’t trying to sell companies a few VMs or a development environment in the cloud. Our focus is on production virtualization environments that enterprises will be able to depend on for mission-critical applications. As such, we see customers having the same types of requirements in the cloud that we see them have in our dedicated physical data center spaces.
That leads me to why we selected the Juniper platform during cloud round one. One of the primary reasons we made this decision was because the Juniper platform allowed us to terminate IPSEC VPN tunnels into the virtual environment of each customer. Just like 95% of our legacy data center customers need VPN access into their physical data center environments, a similar ratio need VPN access into their virtual data centers. Juniper offered that ability and it’s worked very well for us. Our first cloud pod is now at about 40% capacity and almost all of those customers have at least one site-to-site VPN tunnel to a remote location and they each have several remote access VPN accounts for administrators of the environment. We handle all of it on the Juniper ISG-2000s and the good news is that it’s supported in the same manner as we support our customers using Juniper dedicated firewalls.
Cisco ASA at the time (spring 2009) did not have the capability to terminate VPN on a virtual context once the virtual context features were enabled. My hope was that they would have addressed this by now (two years later) and that we could move to the ASA platform after finding success with it in our dedicated spaces. Unfortunately, I was disappointed. Cisco is still not there and I’m not sure if they are going to get there unless someone puts some significant pressure on them to get these features on the platform. I sat through the latest product overview with my account team and was once again told the features were not available in the virtual contexts. The toughest part is that all the Cisco guys even seem disappointed and it appeared that I certainly wasn’t the first customer to point out these shortcomings.
Basically, Cisco tried to address the problem by proposing a new solution using a set of Cisco ASAs enabled with the virtual contexts, a set of ASAs off to the side to handle SSL remote access VPN users, and then a set of ASR 1000s to handle the site-to-site IPSEC tunnels. Obviously that would be a stretch for me to go deploy a solution with three clusters of very expensive devices to handle the functionality of a single cluster of Juniper ISGs today. We just can’t justify it at this point so we’re sticking with the Juniper platform which has proved reliable for these needs. We really did want Cisco to have a viable offering but it just wasn’t there yet.
Additionally, we went through a brief overview of the new Cisco Virtual Security Gateway (VSG) which is integrated with the Nexus 1000v. Since the 1000V is going to enable some much needed functionality on the virtual distributed switching side, we were excited to see this announcement and thought perhaps it could hold some value as a virtual firewall product for our cloud environments. However, we learned that at this time it’s primary just meant as a VM to VM based firewall. What we need is a border firewall that would protect all the VMs in a customer environment under a single set of administrative policies or zones, similar to what a dedicated firewall cluster would do for a data center environment. We’re looking for something similar to VMWare’s vShield Edge and Cisco says that’s coming in the next phased release of the VSG solution. We can’t wait to see how that plays out.
For now, we’re sticking with the Juniper ISG platform using their VSYS technology. It works. It’s proven. We know how to deploy and support it. We also know it’s limitations (we’ll save that for another day).
Filed under: Business & Networking, Cisco, Data Center, Juniper, Network Virtualization | Tagged: Cisco ASA, Cisco Virtual Security Gateway, Cisco VSG, Cloud Firewall, Juniper ISG, Juniper VSYS, Virtual Context |
John McAuley 
Hi John,
Thank you very much for providing such a in depth review of the virtual firewall offerings. I am working as a Network Engineer for a company in London and we are looking into replacing our Cisco VF solution (2 boxes – 1 for VPN and 1 context firewall) with something more scalable. I must say that your blog post have proved very helpful and informative. Would you care enough to post a blog entry on the shortcomings of the Juniper ISG2000?
Thanks,
Michal
Hi Michal,
One of the things I’ve got on my list to write about is a virtual firewall product update. I’ll get to that but wanted to just quickly respond and advise you to look at Fortinet’s product line too. Like the Junipers, they can be an all in one box and the founders are the old Netscreen guys so the functions and interfaces are similar to the things we like about the Junipers. The Juniper has been a great platform for us and we haven’t had many issues with them. NSM is lacking as a management platform and we found some significant bugs related to IPSEC throughput. We basically had to disable three of the four VPN engines for the platform because there was a problem related to how the different engines handle the packets and the order kept getting messed up. Juniper’s solution was to just disable three of the VPN processors which essentially takes your VPN throughput down to about 600Mbps. That’s ok for our cloud pods because we aren’t doing a lot of VPN throughput. But it is a limitation that you need to consider if you do significant amounts of IPSEC throughput.
We are going to be testing the Fortinet products early next year and hopefully they will address both of these concerns in addition to offering more scalability. You can basically do 250 virtual firewalls per blade in their blade systems. That allows us to scale out on the same platform rather than adding multiple firewall clusters horizontally. I’ll put something up here once we conclude that testing but hopefully this will get you started.
John
John,
Thank you very much for your input and all the suggestions. I look forward to your next blog entry on this matter.
I am currently in talks with Juniper to provide us with evaluation box so we can test it in our lab. Our intention is to provide simple Internet breakout from our MPLS cloud to our customers. We need basic thinks like:
– .1q trunk on the MPLS side so we can create per-customer subinterfaces and put them into customer’s virtual systems
– .1q trunk on the Internet side 2ith per customer subinterfaces allocated either single IP addresses for basic PAT or subnets for static or dynamic NAT
– we want the box to run single OSPF instance per virtual system
– last thing that was already confirmed is the ability for the virtual system to terminate IPSEC
These are our requirements really. We do not anticipate any further requirements on our customer’s side.
The VPN IPSEC throughput shouldn’t be an issue as if we hit such traffic levels then we would start considering installing second box anyway, but thank you for pointing this out.
From what I have read so far I think that the Juniper box will be a perfect solution for us to replace completely not scalable CIsco solution. Seriously, I have no idea why Cisco has overlooked this part of the market?
Anyway, I will definitely look into the Fortinet’s offering and compare it with Juiper’s.
Thank you very much for all the information and I would like to wish you a Merry Christmas and a Happy New Year.
Michal