
Cisco Remote Access VPN architecture for Amazon Web Services (AWS)

Applications are increasingly moving to, and evolving in, the public cloud. Amazon Web Services (AWS) offers many kinds of services to host these applications. Customers are choosing hybrid cloud designs because they give the best combination of application performance and hosting flexibility. This change in architecture introduces a significant problem: providing secure connectivity for remote workers to applications that now live in the cloud.

Cisco offers a comprehensive solution by providing the Cisco Adaptive Security Virtual Appliance (ASAv) and the Cisco Next-Generation Firewall Virtual (NGFWv) in the AWS Marketplace. These virtual appliances integrate with the rest of the Cisco security portfolio to deliver a remote access VPN architecture for AWS.


Figure 1: The different parts of the Cisco Secure Remote Worker

  • Cisco AnyConnect Secure Mobility Client: The AnyConnect client gives remote employees frictionless, secure access to the enterprise network from any device, at any time, in any location, while protecting the organization. It provides a consistent user experience across devices, both on and off premises, without creating a headache for IT teams, and simplifies management with a single agent.
  • Cisco Duo: Duo is a user-friendly, scalable way to keep the business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network with a second source of validation, such as a phone or a token, to verify user identity before granting access. Duo provides a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology, administration, visibility, and monitoring.
  • Cisco Umbrella Roaming Security Module: The Umbrella Roaming Security module for AnyConnect provides always-on security on any network, anywhere, at any time, both on and off the corporate VPN. The module enforces security at the DNS layer to block malware, phishing, and command-and-control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname, both on and off the VPN or network.
  • Cisco Advanced Malware Protection (AMP) Enabler: The AnyConnect AMP Enabler module is used as a medium for deploying AMP for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs the AMP services on the existing user base. This gives AnyConnect administrators an additional security agent that detects potential malware threats in the network, removes those threats, and protects the enterprise from compromise. It saves the time and bandwidth needed to download the software, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AMP Enabler protects the user both on and off the VPN or network.
  • Cisco Identity Services Engine (ISE): The AnyConnect client provides a VPN posture module and an ISE posture module. Both give the client the ability to assess an endpoint's compliance for things such as antivirus, antispyware, and firewall software installed on the host. The administrator can then restrict network access until the endpoint is in compliance.
  • Cisco Adaptive Security Appliance (Virtual Appliance): The Cisco ASA is a security appliance that protects corporate networks and data centers. It provides users with highly secure access to data and network resources, anytime, anywhere. Remote users can use the AnyConnect client on their endpoints to connect securely to resources hosted in the data center or the cloud.
  • Cisco Next-Generation Firewall / Firepower Threat Defense (Virtual Appliance): The Cisco Firepower NGFW helps you prevent breaches, gain the visibility to stop threats fast, and automate operations to save time. A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional stateful firewall by adding application visibility and control, Next-Generation IPS, URL filtering, and Advanced Malware Protection (AMP).

Scalable and Resilient Remote VPN architecture for AWS (Single-VPC & Multi-AZ)

Because the cloud abstracts away layer 2, it is very hard to provide native firewall high availability, firewall clustering, or VPN clustering. AWS instead offers native services, such as Amazon Route 53 and VPC route tables, that make DNS-based load balancing possible: Route 53 spreads new VPN connections across the healthy firewalls, and the route tables carry return traffic back to the firewall that owns the session.

Figure 2: Cisco Remote Access VPN scalable design using AWS Route53

Traffic Flow:

  • The remote access VPN user initiates a VPN connection using a hostname (example: answamivpn.com), and the DNS server returns an IP address. Route 53 monitors all of the firewalls using Route 53 health checks, so only a healthy firewall's address is returned.
  • The remote user connects to that firewall.
  • The user accesses the resources hosted in AWS.

Recommendations for the architecture shown in figure 2:

  • Each availability zone (AZ) should have multiple firewalls (ASAv or NGFWv)
  • Each firewall should have a separate VPN pool (i.e. a dedicated VPN address pool per firewall)
  • VPN pools should be outside the VPC CIDR range; avoid overlapping networks
  • Control return traffic using the VPC route table (route each VPN pool to the inside interface of the firewall that owns it)
  • Enable weighted routing on Route 53 to load balance across the firewalls
  • Route 53 should health-check each firewall's public IP/elastic IP on port 443
    • Cisco Duo: multi-factor authentication
    • Cisco Umbrella Roaming Security Module: DNS-layer security and IP enforcement
    • Cisco AMP Enabler: file and malware analysis
    • Cisco ISE: authentication and posture
    • SWC (Stealthwatch Cloud): visibility

The architecture shown in figure 2 is a resilient and scalable design for a single-VPC deployment, based on the principle of a distributed architecture. For a multi-VPC architecture, we recommend deploying larger firewall instances (for example, c5.2xlarge or c5.4xlarge) in a centralized VPC.
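The recommendations above translate directly into a handful of AWS API calls. The following is an added example, not code from the original post or from Cisco: it checks the VPN-pool rules (one pool per firewall, outside the VPC CIDR, no overlaps, multiple firewalls per AZ) and then builds the Route 53 health check, the weighted A records, and the VPC return routes as the keyword arguments that `route53.create_health_check`, `route53.change_resource_record_sets` and `ec2.create_route` accept. Every instance ID, ENI, address and route table ID is constructed; only the hostname answamivpn.com comes from the post.

```python
"""Figure 2 design as AWS API payloads: a Route 53 health check and weighted A
record per firewall, a VPN pool per firewall, and a VPC route per pool back to
the inside ENI of the firewall that owns it.  Added example, not from the post;
every ID, address and name here is constructed except the hostname answamivpn.com."""
import ipaddress

DOMAIN = "answamivpn.com."   # hostname in the AnyConnect profile (from the post)
VPC_CIDR = "10.10.0.0/16"    # VPC that hosts the firewalls (constructed)

# Two firewalls per AZ, each with its own elastic IP, inside ENI and VPN pool.
# Pools sit outside VPC_CIDR and do not overlap one another.
FIREWALLS = [
    {"id": "fw-az1a", "az": "us-east-1a", "eip": "203.0.113.10",
     "inside_eni": "eni-0a1a1a1a1a1a1a1a1", "pool": "172.16.1.0/24"},
    {"id": "fw-az1b", "az": "us-east-1a", "eip": "203.0.113.11",
     "inside_eni": "eni-0b1b1b1b1b1b1b1b1", "pool": "172.16.2.0/24"},
    {"id": "fw-az2a", "az": "us-east-1b", "eip": "203.0.113.20",
     "inside_eni": "eni-0c2c2c2c2c2c2c2c2", "pool": "172.16.3.0/24"},
    {"id": "fw-az2b", "az": "us-east-1b", "eip": "203.0.113.21",
     "inside_eni": "eni-0d2d2d2d2d2d2d2d2", "pool": "172.16.4.0/24"},
]


def validate_pools(firewalls, vpc_cidr):
    """Return design violations; an empty list means the pools are usable.

    A pool inside the VPC CIDR is claimed by the VPC 'local' route, so replies
    never reach the firewall; two firewalls cannot both be the route target for
    one prefix; an AZ with a single firewall has no in-zone failover."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pools = [(fw["id"], ipaddress.ip_network(fw["pool"])) for fw in firewalls]
    problems = [f"{fw_id}: pool {pool} overlaps VPC CIDR {vpc}"
                for fw_id, pool in pools if pool.overlaps(vpc)]
    for i, (a_id, a) in enumerate(pools):
        for b_id, b in pools[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_id} and {b_id}: pools {a} and {b} overlap")
    for az in sorted({fw["az"] for fw in firewalls}):
        count = sum(1 for fw in firewalls if fw["az"] == az)
        if count < 2:
            problems.append(f"{az}: only {count} firewall(s); use multiple per AZ")
    return problems


def health_check_config(fw):
    """HealthCheckConfig for route53.create_health_check(): probe the AnyConnect
    portal on the elastic IP over HTTPS/443.  Route 53 does not validate the
    server certificate, so a self-signed ASA/FTD cert is fine; 2xx/3xx is healthy."""
    return {"IPAddress": fw["eip"], "Port": 443, "Type": "HTTPS",
            "ResourcePath": "/", "RequestInterval": 30, "FailureThreshold": 3}


def weighted_record(fw, health_check_id, weight=10, ttl=60):
    """One Change for route53.change_resource_record_sets(): a weighted A record
    bound to the firewall's health check.  Unhealthy records drop out of DNS
    answers; the short TTL keeps client-side failover fast."""
    return {"Action": "UPSERT",
            "ResourceRecordSet": {"Name": DOMAIN, "Type": "A",
                                  "SetIdentifier": fw["id"], "Weight": weight,
                                  "TTL": ttl, "HealthCheckId": health_check_id,
                                  "ResourceRecords": [{"Value": fw["eip"]}]}}


def change_batch(firewalls, health_check_ids):
    """ChangeBatch: equal weights spread new sessions round-robin over healthy firewalls."""
    return {"Comment": "AnyConnect weighted DNS load balancing",
            "Changes": [weighted_record(fw, health_check_ids[fw["id"]])
                        for fw in firewalls]}


def return_routes(firewalls, route_table_id):
    """Keyword arguments for ec2.create_route(), one per pool: replies to a pool
    must go to the inside ENI of the firewall that handed out that pool."""
    return [{"RouteTableId": route_table_id, "DestinationCidrBlock": fw["pool"],
             "NetworkInterfaceId": fw["inside_eni"]} for fw in firewalls]


if __name__ == "__main__":
    import json
    if (problems := validate_pools(FIREWALLS, VPC_CIDR)):
        raise SystemExit("\n".join(problems))
    # Real IDs come back from create_health_check(); stand-ins for the printout.
    hc_ids = {fw["id"]: f"hc-{fw['id']}" for fw in FIREWALLS}
    print(json.dumps(change_batch(FIREWALLS, hc_ids), indent=2))
    print(json.dumps(return_routes(FIREWALLS, "rtb-0123456789abcdef0"), indent=2))
```

The block stops at building the payloads because applying them needs credentials and a hosted zone. Three things the payloads do not show: the firewalls' ENIs must have source/destination checking disabled (`aws ec2 modify-network-interface-attribute --network-interface-id eni-... --no-source-dest-check`) or the VPC will not hand pool traffic to them; Route 53 health checks originate from AWS checker IP ranges, so the security group on the outside interface must admit TCP 443 from those ranges and not only from your users; and DNS failover is not session failover, so when a firewall drops out of DNS its existing sessions are lost and AnyConnect reconnects, re-resolving the name, to a surviving firewall.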

Scalable and Resilient Remote VPN architecture for AWS (Multi-VPC & Multi-AZ)

For a multi-VPC architecture, we recommend deploying multiple larger firewall instances in a centralized VPC (referred to as the security-hub VPC) and connecting the security-hub VPC to the spoke VPCs using AWS Transit Gateway.

The AWS Transit Gateway can have the following types of attachments:

  • VPC attachment (used to attach a VPC; AWS Direct Connect (DX) connectivity arrives through a separate Direct Connect gateway attachment)
  • VPN attachment (used for IPsec connectivity to the data center)
  • Peering attachment (used for peering two transit gateways; not shown in this architecture)

Figure 3: Cisco Remote Access VPN for multi-vpc architecture

Traffic Flow:

  • The remote access VPN user initiates a VPN connection using a hostname (example: answamivpn.com), and the DNS server returns an IP address. Route 53 monitors all of the firewalls using Route 53 health checks.
  • The remote user connects to that firewall.
  • The user accesses the resources hosted in AWS, reaching the spoke VPCs through the Transit Gateway.

Recommendations for the architecture shown in figure 3:

  • Each availability zone (AZ) should have multiple firewalls (ASAv or NGFWv)
  • Each firewall should have a separate VPN pool (i.e. a dedicated VPN address pool per firewall)
  • VPN pools should be outside the VPC CIDR range; avoid overlapping networks
  • Control return traffic using the VPC and Transit Gateway route tables (route each VPN pool to the inside interface of the firewall that owns it)
  • Enable weighted routing on Route 53 to load balance across the firewalls
  • Use AWS Transit Gateway to interconnect the VPCs
  • For a hybrid cloud architecture, terminate the site-to-site VPN either on the firewalls at the edge of the security-hub VPC or on a VPN attachment on the Transit Gateway.
  • Route 53 should health-check each firewall's public IP/elastic IP on port 443
    • Cisco Duo: multi-factor authentication
    • Cisco Umbrella Roaming Security Module: DNS-layer security and IP enforcement
    • Cisco AMP Enabler: file and malware analysis
    • Cisco ISE: authentication and posture
    • SWC (Stealthwatch Cloud): visibility
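In the hub-and-spoke design the per-firewall VPN pool rule does more work than in the single-VPC case, because a reply from a spoke has to cross the Transit Gateway and still land on the firewall that holds the session; a reply that reaches a different firewall is dropped as out-of-state. The following is an added example, not code from the original post or from Cisco: it builds the three route tables involved (spoke VPC, Transit Gateway, and the hub subnet that holds the Transit Gateway attachment) as `ec2.create_route` and `ec2.create_transit_gateway_route` keyword arguments, then walks them with longest-prefix match to show where a reply ends up. All IDs and prefixes are constructed; the pools match the ones in the figure 2 example above so the two can be read together.

```python
"""Return-path routing for the figure 3 hub-and-spoke design: a reply from a
spoke VPC to a VPN client must come back through the Transit Gateway to the
same firewall that holds the session, or the ASA/FTD drops it as out-of-state.
Added example, not from the post; IDs and prefixes are constructed."""
import ipaddress

TGW_ID = "tgw-0123456789abcdef0"
TGW_ROUTE_TABLE = "tgw-rtb-0123456789abcdef0"
HUB_ATTACHMENT = "tgw-attach-hub00000000000"
VPN_SUPERNET = "172.16.0.0/16"      # one prefix that covers every firewall's pool
SPOKES = {  # spoke VPC -> (CIDR, its TGW attachment)
    "vpc-app": ("10.20.0.0/16", "tgw-attach-app00000000000"),
    "vpc-db": ("10.30.0.0/16", "tgw-attach-db000000000000"),
}
FIREWALLS = {  # firewall in the hub VPC -> (its VPN pool, its inside ENI)
    "fw-az1a": ("172.16.1.0/24", "eni-0a1a1a1a1a1a1a1a1"),
    "fw-az1b": ("172.16.2.0/24", "eni-0b1b1b1b1b1b1b1b1"),
    "fw-az2a": ("172.16.3.0/24", "eni-0c2c2c2c2c2c2c2c2"),
    "fw-az2b": ("172.16.4.0/24", "eni-0d2d2d2d2d2d2d2d2"),
}


def spoke_routes(spoke):
    """Spoke VPC route table (ec2.create_route kwargs): the whole VPN supernet
    goes to the TGW, so spokes never learn about individual firewalls."""
    return [{"RouteTableId": f"rtb-{spoke}", "DestinationCidrBlock": VPN_SUPERNET,
             "TransitGatewayId": TGW_ID}]


def tgw_routes():
    """TGW route table (ec2.create_transit_gateway_route kwargs): spoke CIDRs
    point at their attachments; the VPN supernet is a static route to the hub."""
    return ([{"TransitGatewayRouteTableId": TGW_ROUTE_TABLE,
              "DestinationCidrBlock": VPN_SUPERNET,
              "TransitGatewayAttachmentId": HUB_ATTACHMENT}] +
            [{"TransitGatewayRouteTableId": TGW_ROUTE_TABLE,
              "DestinationCidrBlock": cidr, "TransitGatewayAttachmentId": att}
             for cidr, att in SPOKES.values()])


def hub_routes():
    """Route table of the hub subnet holding the TGW attachment ENIs: each pool
    goes to the inside ENI of the firewall that owns it (why pools must be
    unique per firewall); spoke CIDRs go back out to the TGW."""
    return ([{"RouteTableId": "rtb-hub-tgw", "DestinationCidrBlock": pool,
              "NetworkInterfaceId": eni} for pool, eni in FIREWALLS.values()] +
            [{"RouteTableId": "rtb-hub-tgw", "DestinationCidrBlock": cidr,
              "TransitGatewayId": TGW_ID} for cidr, _ in SPOKES.values()])


def lookup(routes, dst):
    """Longest-prefix match over create_route-style dicts; None when no route matches."""
    ip, best = ipaddress.ip_address(dst), None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def reply_path(spoke, client_ip):
    """Hops a reply from `spoke` to VPN client `client_ip` takes.  The last hop
    is the firewall ENI that receives it, or 'dropped' where a table has no route."""
    hops = []
    r = lookup(spoke_routes(spoke), client_ip)
    if r is None or "TransitGatewayId" not in r:
        return hops + ["dropped"]
    hops.append(f"{spoke}->{r['TransitGatewayId']}")
    r = lookup(tgw_routes(), client_ip)
    if r is None:
        return hops + ["dropped"]
    hops.append(f"tgw->{r['TransitGatewayAttachmentId']}")
    r = lookup(hub_routes(), client_ip)
    if r is None or "NetworkInterfaceId" not in r:
        return hops + ["dropped"]
    return hops + [f"hub->{r['NetworkInterfaceId']}"]


def firewall_for(client_ip):
    """Firewall whose pool contains client_ip, or None if no pool does."""
    ip = ipaddress.ip_address(client_ip)
    return next((name for name, (pool, _) in FIREWALLS.items()
                 if ip in ipaddress.ip_network(pool)), None)


if __name__ == "__main__":
    for client in ("172.16.3.25", "172.16.9.9", "192.0.2.1"):
        print(client, firewall_for(client), " -> ".join(reply_path("vpc-app", client)))
```

The forward direction is the mirror image (the firewalls' inside subnet route table sends the spoke CIDRs to the Transit Gateway, whose propagated routes deliver them to the right spoke attachment) and is left out to keep the walk short. The 172.16.9.9 case is the useful failure mode: an address inside the supernet but outside any firewall's pool is carried all the way to the hub and then blackholed, which is the fail-closed behaviour you want, and which is exactly what happens to a firewall whose pool was added to its AnyConnect configuration but never to the hub route table.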

Detailed information on the architecture described in figure 3 is available in this video: https://www.youtube.com/watch?v=ReI6I0eWyKc

Secure Remote Worker Design Guide (Published April 2020)

In addition to the above, we recommend reading our Cisco Secure Remote Worker design guide, which addresses a specific use case of remote access VPN connectivity covered in the Secure Internet Edge Architecture Guide. The design for remote access VPN connections includes the Cisco AnyConnect Secure Mobility Client, Cisco Duo, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP) for Endpoints.

Design Guide: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remote-worker-design-guide.pdf

Thanks,
Anubhav Swami (CCIEx2: 21208)
Security Solutions Architect
Cisco Systems Inc.
Cisco Blog: https://blogs.cisco.com/author/anubhavswami
YouTube Channel: https://www.youtube.com/anubhavswami

Reference links:
Cisco SAFE design guide for AWS: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/secure-aws-design.pdf
Cisco Secure Cloud Architecture Guide: https://www.cisco.com/c/dam/en/us/solutions/collateral/design-zone/cisco-validated-profiles/safe-secure-cloud-architecture-guide.pdf
Cisco Secure Remote Worker design guide:
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remote-worker-design-guide.pdf
Cisco Stealthwatch Cloud:
https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html
Cisco AMP for Endpoints:
https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html
Cisco Duo:
https://duo.com/
Cisco Umbrella:
https://umbrella.cisco.com/
Cisco ASA:
https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html
Cisco Next-Generation Firewall:
https://www.cisco.com/c/en/us/products/security/firewalls/index.html
Amazon Web Services:
https://aws.amazon.com/
Amazon Load Balancer:
https://aws.amazon.com/elasticloadbalancing/
Amazon Route53:
https://aws.amazon.com/route53/
Amazon Route Table:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
Amazon Transit Gateway:
https://aws.amazon.com/transit-gateway/

Cisco Live Sessions:
NGFWv and ASAv in AWS and Azure (BRKSEC-2064): https://www.ciscolive.com/global/on-demand-library.html?search=Anubhav%20Swami#/session/1542224327848001r3qI
Deploy ASAv and NGFWv in AWS and Azure (LTRSEC-3052): https://www.ciscolive.com/global/on-demand-library.html?search=Anubhav%20Swami#/session/1564527389250001ckvR
ARM yourself using NGFWv and ASAv in Azure (BRKSEC-3093): https://www.ciscolive.com/global/on-demand-library.html?search=Anubhav%20Swami#/session/1560880389440001ntSs

YouTube Videos:
YouTube Channel: https://www.youtube.com/anubhavswami

The post Cisco Remote Access VPN architecture for Amazon Web Services (AWS) appeared first on Cisco Blogs.