Firewall Overview

The default option is a Cisco Adaptive Security Virtual Appliance (ASAv). Based on your requirements, MacStadium can upgrade you to a physical Cisco Adaptive Security Appliance (ASA).

With Cisco firewalls, you and your security team can:

  • Access and manage the firewall as the root user (root access).
  • Leverage Cisco AnyConnect for secure remote user access.
  • Filter any Internet and internal traffic in real time. For example, you can pass traffic from selected IPs or IP ranges (e.g., a Jenkins master) and block all other traffic.
  • Connect your local infrastructure to your MacStadium private cloud through secure remote network or site-to-site encrypted Virtual Private Network (VPN) tunnels.
  • Connect a public cloud, such as AWS, Azure, or Google Cloud, to your MacStadium private cloud through secure remote network or site-to-site encrypted Virtual Private Network (VPN) tunnels.
  • Perform packet inspection, port blocking, and breach protection.
  • Configure high availability and failover.
  • Limit access to approved users to ensure complete access control.

Cisco Adaptive Security Virtual Appliance (ASAv)

INFO: Cisco ASAv is the default recommendation for infrastructures that require less than 500 Mbps (125 Mbps encrypted) sustained throughput. For infrastructures that require higher levels of throughput, see Cisco Adaptive Security Appliance (ASA) or contact MacStadium Support or Sales for an alternative solution.

Cisco ASAv runs the same software as physical Cisco ASAs and delivers full ASA firewall and VPN capabilities to the cloud. The ASAv is a data center-optimized solution with fast deployments and easy upgrades. The ASAv runs as a virtual machine inside a hypervisor in a virtual host.

With a Cisco ASAv protecting your MacStadium private cloud, you can:

  • Implement uniform security across multiple physical and virtual domains.
  • Use REST APIs for automation and integration tasks, such as appliance management, software-defined networking (SDN), and policy orchestration.
  • Leverage the site-to-site VPN, remote-access VPN, and clientless VPN capabilities of a physical Cisco ASA.

Compared to ASA, with Cisco ASAv you cannot:

  • Use clustering.
  • Run multiple separate virtual firewalls on the same hardware (multiple contexts support).

Cisco Adaptive Security Appliance (ASA)

Hardware firewalls are not available during trials and proof-of-concept periods.

INFO: Cisco ASA 2100 NGFW is also available for infrastructures that require even more speed, sustained throughput, and improved inspection and protection capabilities. For more information, contact MacStadium Support or Sales.

With a Cisco ASA 2100 series appliance protecting your MacStadium private cloud, you can:

  • Leverage market-proven security capabilities that integrate multiple full-featured, high-performance security services, including:
      • application-aware firewall
      • SSL and IPsec VPN
      • IPS
      • antivirus, antispam, anti-phishing
      • web filtering services

  • Use comprehensive management interfaces, including the graphical Cisco Adaptive Security Device Manager (ASDM), a command-line interface (CLI), verbose syslog, and Simple Network Management Protocol (SNMP) support.

Custom hardware or hybrid solutions

If you need to host your own firewall in a MacStadium data center, contact MacStadium Sales to discuss requirements, available options, and involvement from the MacStadium engineering team.

If you have any enabled firewall add-ons, you can access them from your customer dashboard under the Add-Ons tab in the details for your subscription(s).

Other options

Based on your requirements, you can choose to forgo the available Cisco ASAv and ASA options and implement another solution, such as the built-in OS X firewall or a third-party software firewall.

WARNING: MacStadium does not provide assistance with the setup, management, and troubleshooting of these solutions. MacStadium is not responsible for any security risks incurred by such implementations.