Cisco set to widely adopt “virtual firewalls”

This summer Cisco Systems introduced a new feature for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers: Firewall Services Module (FWSM) release 2.2 can provide virtual environments, called Security Contexts, in which isolated rule sets and policies are defined.

Quoting from the official announcement:

A security context is a virtual firewall that has its own security policies and interfaces. When properly configured, security contexts enable the same capabilities as multiple independent firewalls, with fewer management headaches. In essence, these contexts provide completely independent security domains. FWSM version 2.2 allows any port on the switch to operate as a firewall port, integrating firewall security inside the network infrastructure. Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbit/s per chassis. Network administrators can use this infrastructure to create up to 100 separate security contexts per module (depending on the software license).

Security contexts are functionally similar to a collection of independent physical firewalls but are much easier to manage. Because they are virtual devices, it is easy to add or delete security contexts based on subscriber growth. This reduces management costs, because organizations do not need to deploy multiple devices, yet they can achieve the same capabilities and maintain complete control over the firewall infrastructure from one consolidated platform.

“FWSM provides many of the key firewall and networking features that security managers need to implement multiple security zones or contexts throughout a switched campus network or enterprise data center,” says Iqlas Ottamalika, technical lead, Cisco Security Appliance Group. “Instead of having hundreds of small firewalls spread around the network you can install one hardware platform that will manage everything. This can represent tremendous administrative savings.”
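To make the announcement concrete, here is an added illustration (not part of the announcement or of any Cisco documentation) of what a minimal multiple-context setup looks like in Catalyst/FWSM syntax; the slot number, VLAN ids, vlan-group number, context names and file names are all assumed.

```cisco
! Catalyst 6500 supervisor: hand VLANs 10, 20 and 21 to the FWSM in slot 3
! (slot, VLAN ids and vlan-group number are assumed for this example)
firewall vlan-group 1 10,20,21
firewall module 3 vlan-group 1

! FWSM system execution space: switch the module to multiple-context mode
! (the module reloads when the mode is changed)
mode multiple

! The admin context is used to manage the whole module; it gets its own
! management VLAN and is kept off the customer VLANs
admin-context admin
context admin
  allocate-interface vlan10
  config-url disk:/admin.cfg

! Each customer context is allocated only its own VLANs and its own
! configuration file, so a policy or interface in one context cannot
! see or touch the traffic of the other
context customerA
  allocate-interface vlan20
  config-url disk:/customerA.cfg

context customerB
  allocate-interface vlan21
  config-url disk:/customerB.cfg
```

Because every context runs on the same module, the admin context and the supervisor's VLAN-group assignment are the real trust boundary: whoever can change them can reach every context, so access to both deserves the same controls as a physical firewall's console.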

Some rumors report that the upcoming PIX OS 7.0 (not even in beta yet) will bring this feature to every Cisco PIX firewall device.

More news as soon as possible.