Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.
When companies move to the cloud, they often remark on how freeing it is to get rid of all their hardware servers and no longer monitor and maintain them. However, something a lot of people don’t realize is that this action gives network engineers pause.
I talk to a lot of network engineers during their migration to 11:11 Systems’ Cloud, and there is an overwhelming opinion that software networking can’t compete with tried and true network hardware. The common misconception is that they’ll have to toss their hardware firewall in the trash and instead get a junky virtual machine running an “out of the box” service as their corporate firewall replacement.
Before I explain why that’s a misconception, I’ll tell you a bit about me. I joined 11:11 Systems with a general desire to be at the front of the pack when it came to learning new technologies. I wanted to be the guy that was playing around with new technology the minute it was released: no “too long, didn’t read” guides by users, no “copy and paste someone else’s code.” I wanted to be the guy to discover all of this information on my own and come up with creative ways to implement the technology. I got lucky, and 11:11 just so happened to be the perfect place for me to do that. 11:11 adopts new technologies and provides its employees with all the right tools to test and implement these technologies at lightning speed.
One of these new technologies came out in 2014 and is called Cisco ASAv. The Cisco ASAv is the first virtual version of Cisco’s famous ASA firewall. Almost everyone I’ve come into contact with is familiar with the Cisco ASA, and most of those people have used them in some shape or form before. When the Cisco ASAv came out, 11:11 immediately jumped on it, gave it to me, and said, “Here. Make this work.” This is what network engineers’ dreams are made of. As they say, the rest is history.
Today, 11:11 Systems not only takes company servers and makes them virtual, but it also takes company networking and makes it virtual — all without losing any functionality. The Cisco ASAv gets deployed from a template in our environment and goes from non-existent to powered on and running in five minutes. By the end of the day, we have the ASAv attached to a public network, our customer has an SSH connection open to it, and we’re working together on the phone to finalize their configuration. I always hear something along the lines of, “Man, this is awesome. I had no idea this existed,” from the customer.
Sure, it’s a cool idea; a virtual Cisco ASA is a shiny, new toy. But what’s the big deal if it just does what the hardware ASA does? Well, it doesn’t just do what a hardware ASA does; it provides so much more. The ASAv allows us to deploy a high-availability pair that is set up for failover events and then utilize VMware host rules to keep the ASAv firewalls on separate hosts:
- In the event a VMware host goes down, the ASAv fails over to the backup ASAv.
- In the event that the ASAv itself goes down, it fails over to the backup ASAv.
- In the event that you accidentally wipe your entire config, we’ll pull a backup of your config from our monitoring system.
- In the event that you delete the ASAv pair, we’ll pull a backup of your ASAv itself.
Let’s quickly look at the hardware ASA. In the event the ISP at your data center goes down, you’re going to have a bad time. In the event that the power at the data center goes out, you’re going to have a bad time. In the event that the ASA is old and finally croaks in the middle of the night, you’re going to have a bad time. This could go on forever.
So we have a high-availability pair of virtual ASA firewalls on flexible, redundant hosts. It can’t get any better, right? Enter the Cisco REST API. Welcome to automated configurations and error checking, advanced monitoring, and so much more. Imagine deploying a server and having your ASAv automatically add firewall rules based on your server’s role in your network. For me, this means deploying an entire customer network in a few minutes, including everything from the base network to an SSL VPN for remote management to multiple IPsec VPN tunnels for securing WAN traffic.
At this point, you’re looking at your hardware firewall and wondering what you’re doing with your life. The Cisco ASAv is a game-changer in the software-defined networking world, and 11:11 is a seasoned veteran when it comes to migrating customers off of hardware networking devices. Reliability, redundancy, speed, and ease are what we’ve all wanted in our networking job, and 11:11 has found a way to turn that pipe dream into reality.