Firewall Options

To protect your environment, every MacStadium private cloud deploys with a dedicated Cisco firewall that offers unmatched protection and enhanced security for your entire environment. MacStadium dedicated firewalls give your security teams root access to the firewall, the ability to configure settings to their specifications, and even the ability to lock MacStadium out so you maintain total control.

With Cisco firewalls, MacStadium customers can:

  • Filter any internet and internal traffic in real time
  • Perform packet inspection, port blocking, and breach protection
  • Establish secure remote-network or multi-site encrypted Virtual Private Network (VPN) tunnels to connect MacStadium infrastructure to a local environment or public cloud (e.g., AWS, Azure, or Google Cloud)
  • Leverage AnyConnect software client VPN for secure remote user access
  • Enable optional high-availability redundant failover configurations
  • Pass traffic from certain IP ranges (e.g., a Jenkins master) and block all other traffic

Depending on your needs, MacStadium offers both virtual and physical Cisco firewalls.

Cisco Adaptive Security Virtual Appliance (ASAv)

MacStadium offers virtual firewall solutions based on the best-selling Cisco Adaptive Security Appliance (ASA) platform. The Cisco Adaptive Security Virtual Appliance (ASAv) runs the same software as physical Cisco ASAs, delivering full ASA firewall and VPN capabilities to cloud environments to help safeguard traffic and multitenant architectures. Optimized for data center deployments, the ASAv is designed to work as a virtual machine. The advantages of a virtual firewall for MacStadium customers are faster deployments and easier upgrades. We recommend ASAv firewalls for all use cases with sustained throughput demands of less than 500 Mbps (125 Mbps encrypted), as the ASAv delivers exceptional security and performance at a great price.

With a Cisco ASAv protecting their MacStadium private cloud, customers can:

  • Implement uniform security across multiple physical and virtual domains
  • Accelerate provisioning with predetermined configurations
  • Simplify management by using representational state transfer (REST) APIs to manage the device, easily introduce Cisco ASAv into software-defined networking (SDN) environments, and incorporate ASAv into custom policy-orchestration systems

The virtual appliance supports the same site-to-site VPN, remote-access VPN, and clientless VPN functionality as physical ASA devices. Most of the features that Cisco software supports on a physical ASA are also supported on the virtual appliance. The notable exceptions are clustering and multiple contexts (i.e., multiple separate virtual firewalls on the same hardware), which Cisco does not support on ASAv implementations.

Cisco Adaptive Security Appliance (ASA)

MacStadium also offers physical ASA hardware devices for customers who require those capabilities or need more throughput than a virtual firewall can handle. The standard appliance MacStadium offers is a Cisco ASA 5500 series firewall, and is for any customer who needs a dedicated, physical security appliance to protect their host environment.

When customers need even more power for inspection and protection, MacStadium also offers Cisco Firepower 2100 NGFW series appliances. The main difference between the two appliances is an increase of 10 gigs per second in speed, connections, and packets per second for the 2100 series.

Both the Cisco 5500 and 2100 series deliver:

  • Market-proven security capabilities that integrate multiple full-featured, high-performance security services, including application-aware firewall, SSL and IPsec VPN, IPS, antivirus, antispam, anti-phishing, and web filtering services.
  • Comprehensive management interfaces including the graphical Cisco Adaptive Security Device Manager (ASDM), a comprehensive command line interface (CLI), verbose syslog, and Simple Network Management Protocol (SNMP) support that round out a rich complement of management options.

For more information, please contact MacStadium Support or Sales.

Note: Hardware firewalls are not typically available during free trials or POC periods.

Other Options

There are several other firewall options for customers who don’t want to leverage Cisco ASA technology.

Software Firewalls

By default, we give our customers maximum flexibility by leaving all ports open to the internet. Because of this, we highly recommend that if you forgo the protection offered by our dedicated Cisco firewalls, you implement another form of defense. You can find a comprehensive list of third-party software firewalls, including feature and price comparisons, at Mac Security: Firewalls.

Please be advised that MacStadium does not offer support for third-party software firewall solutions. Also, please take the time to understand the potential impacts of enabling a third-party firewall. If errors exist in your configuration, you may unintentionally increase the risk of a breach of your data, or you may inadvertently lock yourself out of your environment and need the help of our support agents to get your server back online. As always, please take care to store your credentials in case problems arise.

Mac OS X Firewall

Apple also includes a serviceable firewall with OS X. Information on its capabilities and how to enable it can be found at OS X: About the application firewall.

Customized and Hybrid Deployments

We understand that many customers have unique security requirements and may wish to host their own firewalls in our data centers. Our engineering team has detailed experience with many other security appliances and can assist your team in implementing your best possible network security configuration.

Firewall add-ons like these are accessible within your customer dashboard under the Add-Ons tab within the details of your subscription(s).

Please contact Sales for more information and to confirm if your needs can be supported.

Resources

Cisco ASAv Data Sheet

Cisco 5500 Series ASA Data Sheet

Cisco Firepower 2100 Series Data Sheet

ASDM Data Sheet

The Difference Between Hardware and Software Firewalls