
Building a scalable RAVPN architecture in Oracle Cloud Infrastructure using Cisco Secure Firewall

Oracle Cloud Infrastructure (OCI) provides a wide range of cloud-computing services, workloads, and applications to organizations globally. With Cisco Secure Firewall, organizations are able to build a scalable RAVPN architecture on OCI, providing employees secure remote access to their organization’s resources from any location or endpoint.

This scalable architecture brings together Cisco Security and OCI Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with the combination of Cisco Duo, Cisco Umbrella, and AMP Enabler, also known as Cisco Secure Remote Worker. Extending this solution to your OCI environment covers deployments that span multiple regions and multiple availability domains.

  • Cisco AnyConnect Secure Mobility Client – Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization.
  • Cisco Duo – Multi-factor authentication from Duo protects the network by using a second source of validation and authentication.
  • Cisco Umbrella Roaming Security Module – Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. It enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port.
  • Cisco AnyConnect AMP Enabler – Cisco AnyConnect AMP Enabler module protects against malware.

Organizations can deploy Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv) and Cisco Secure Firewall ASA Virtual (formerly ASAv) in the OCI environment to enable a secure connection back to the application in the cloud. Traditionally, firewalls scale using clustering, but in the cloud, because layer 2 is abstracted away, native high availability and native firewall clustering cannot be implemented.

Architects can still design a scalable architecture using cloud components like Oracle’s Network Load Balancer (NLB) and DNS.

  • Design 1 – Load balance RAVPN sessions to multiple firewalls using OCI DNS service
  • Design 2 – Load balance RAVPN sessions to multiple Cisco Secure Firewalls using OCI network load balancer service
  • Design 3 – Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer

Note: Each firewall uses a unique VPN pool, and the OCI route table points to the respective firewall for the VPN pool.

Load balance RAVPN sessions to multiple firewalls using OCI DNS service

In this architecture, we have deployed multiple firewalls across multiple availability domains. The OCI DNS service provides the mechanism for RAVPN load balancing.

  • DNS provides an FQDN (example.vpn.com)
  • DNS has an “A” record for each firewall
  • DNS monitors the health of each firewall using probes
  • DNS receives a query for the FQDN and replies with the public IP address of a healthy Cisco Secure Firewall
  • The user connects directly to that Cisco Secure Firewall

Figure 1: Scalable RAVPN architecture using Cisco Secure Firewall and OCI DNS

Load balance RAVPN sessions to multiple Secure Firewall virtual appliances using OCI network load balancer service

In this architecture, we have deployed multiple firewalls across multiple availability domains. The OCI Network Load Balancer (NLB) provides the mechanism for RAVPN load balancing.

  • The user enters the IP address of the load balancer as the VPN headend in the AnyConnect client.
  • OCI NLB receives the SSL VPN session request and load-balances it to a firewall using two-tuple hashing.
  • The user connects to Cisco Secure Firewall.

Figure 2: Scalable RAVPN architecture using Cisco Secure Firewall and OCI Load Balancer

Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer

In this architecture, we have deployed multiple firewalls across multiple availability domains and multiple regions. OCI NLB and OCI DNS together provide the mechanism for RAVPN load balancing.

  • At the region level, OCI NLB load-balances traffic using two-tuple hashing (same as Figure 2)
  • Across regions, OCI DNS load-balances traffic using weighted DNS responses (same as Figure 1)
  • DNS provides an FQDN (example.vpn.com)
  • DNS has an “A” record for each firewall
  • DNS monitors the health of the OCI NLB in each region
  • DNS receives a query for the FQDN and replies with the public IP address of an OCI NLB
  • The user connects to the OCI NLB, which load-balances the SSL VPN session using the two-tuple hashing method.

Figure 3: Multi-region scalable RAVPN architecture using Cisco Secure Firewall, OCI Load Balancer and DNS
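The three designs in one small model, as an added example that is not code from this post, Cisco or Oracle: a Python simulation of the DNS tier (weighted answers drawn only from NLBs whose health probe passes), the regional NLB tier (two-tuple hashing, modelled here as a hash of client IP and NLB IP), and the per-firewall VPN pool route table from the Note above, ending with a check that a client's return traffic is routed to the same firewall it connected through. All region names, IP addresses and VPN pools are constructed.

```python
import hashlib
import ipaddress
import random
from collections import namedtuple

# Constructed sample topology: hypothetical IPs and VPN pools, not values from the post.
Firewall = namedtuple("Firewall", "name private_ip vpn_pool")  # vpn_pool is unique per firewall
RegionNLB = namedtuple("RegionNLB", "name public_ip backends healthy", defaults=[True])
REGIONS = [
    RegionNLB("us-ashburn", "203.0.113.10",
              [Firewall("fw-ash-a", "10.0.1.10", "172.16.1.0/24"),
               Firewall("fw-ash-b", "10.0.2.10", "172.16.2.0/24")]),
    RegionNLB("eu-frankfurt", "198.51.100.20",
              [Firewall("fw-fra-a", "10.1.1.10", "172.16.3.0/24")]),
]
WEIGHTS = {"us-ashburn": 70, "eu-frankfurt": 30}  # DNS weighted steering between regions

def dns_resolve(nlbs, weights, rng=random):
    """Weighted DNS answer drawn only from NLBs whose health probe passes (designs 1 and 3)."""
    live = [n for n in nlbs if n.healthy]
    if not live:
        raise RuntimeError("no healthy VPN headend to answer with")
    return rng.choices(live, weights=[weights[n.name] for n in live], k=1)[0]

def nlb_pick(nlb, client_ip):
    """Two-tuple hash (client IP, NLB IP): one client keeps landing on one firewall (designs 2 and 3)."""
    digest = hashlib.sha256(f"{client_ip}|{nlb.public_ip}".encode()).digest()
    return nlb.backends[int.from_bytes(digest[:4], "big") % len(nlb.backends)]

def build_route_table(nlbs):
    """OCI route table per the post's Note: each VPN pool routes back to the firewall that owns it."""
    return {ipaddress.ip_network(fw.vpn_pool): fw.private_ip for n in nlbs for fw in n.backends}

def return_hop(route_table, client_vpn_ip):
    """Next hop for traffic returning to a VPN client address (longest-prefix match)."""
    addr = ipaddress.ip_address(client_vpn_ip)
    hits = [net for net in route_table if addr in net]
    return route_table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def session_is_symmetric(nlbs, client_ip, rng=random):
    """End-to-end check: the firewall a client lands on is the one its return traffic is routed to."""
    fw = nlb_pick(dns_resolve(nlbs, WEIGHTS, rng), client_ip)
    client_vpn_ip = str(ipaddress.ip_network(fw.vpn_pool)[10])  # an address leased from fw's pool
    return return_hop(build_route_table(nlbs), client_vpn_ip) == fw.private_ip
```

Flip a region's `healthy` flag to see DNS stop answering with that NLB, and note that the route table, not the load balancer, is what keeps the reverse path on the right firewall.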

Additional resources

Cisco Secure Firewall Threat Defense Virtual data sheet

Cisco Secure Firewall ASA Virtual data sheet

Video: Scalable RAVPN architecture for Oracle Cloud using Cisco Secure Firewall
