Cisco ACE Application Control Engine Module White Paper
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Built-in Security
Cisco ACE application switches contain integrated firewall capabilities. Cisco ACE performs both
Layer 3 access-control filtering and Layer 7 deep-packet inspection (DPI) to identify anomalous
signatures that could cause denial of service (DoS). The Cisco ACE Layer 7 DPI feature prevents
zero-day attacks by identifying and blocking suspicious new traffic for which no known malicious
signature has yet been identified and stored in a database for matching.
This firewall integration alleviates the space, capital expense, management, and possible
performance implications associated with having to install a separate security device between data
center switches and servers to manage user access and to identify and control malware. Building
layers of security protection into all main network junctures is a security best practice that Cisco
recommends. One of these areas lies between data center backbone switches and application
server farms, because this segment of the network represents the last line of defense between
users and the hosted software that is often the target of malicious attacks.
A 2007 Infonetics study shows that large organizations lose an average of 2.2 percent of their
annual revenue, or more than US$30 million, to security attacks, and that a major problem for data
centers involves security breaches that corrupt applications. Cisco ACE controls user access and
can identify, and then block, anomalous signatures in network traffic targeted at server software
that might otherwise cause DoS. In this way, Cisco ACE protects against identity theft, data theft,
application disruption, and fraud.
Faster Application Deployment and Improved Scalability
Two compelling challenges faced by today’s data centers are how to speed up application
deployment cycles and reduce interdependency between IT organizations. Unlike other
application-switching solutions, Cisco ACE equipment can reduce the provisioning time required
for new applications by up to 70 percent* as well as lower ongoing management time and total cost
of ownership (TCO).
Cisco ACE application switches achieve these improvements through device virtualization,
role-based administration, and a capability called software configuration rollback. Virtualization and
role-based administration reduce application deployment times by allowing a single device to
support multiple applications and application instances that can be used in parallel by multiple
departmental stakeholders. This architecture also reduces TCO by simplifying application
provisioning and ongoing management for IT teams, enabling multiple departments or
stakeholders to independently manage appropriate, role-assigned tasks.
Using software configuration rollback, the IT administrator can roll back any virtual device to a
previous configuration. This capability also allows the IT administrator to easily save an instance of
an application in service from one virtual device and gracefully reuse it as new instances of
existing applications are deployed in other virtual devices, all without affecting any other
applications serviced by the device.
For scalability, IT departments can use the Cisco ACE virtualization capabilities to create
additional virtual device instances on the existing Cisco ACE platform. IT administrators can do
this by copying and pasting application module images to a new instance on the device,
which can be done in a matter of minutes.
* Based on Cisco internal IT department usage.