
Cisco's next generation security solution (NGFW + NGIPS + AMP)

So, it happened. Cisco has announced its new solution, FirePOWER for ASA (presentation in Russian): the result of integrating Sourcefire's technologies with Cisco's native products, and more specifically with the Cisco ASA 5500-X multi-function security platform.




It should be noted that this is not the first joint product. Back in the spring, just six months after the acquisition of Sourcefire, we integrated the Advanced Malware Protection (AMP) malicious code detection and blocking system into our Cisco Web Security (physical, virtual and cloud) Internet access control and protection tools and into our Cisco Email Security (physical, virtual and cloud) email protection, thereby extending the malicious code detection platform beyond the network level and endpoints to the application level.



A few months later, on September 16, we announced the next result of the integration: our Cisco ASA security platform was extended with new features that allow:


And all this in addition to those already existing on the Cisco ASA 5500-X:


Distinctive features



We have already written about NGFW, about NGIPS and about AMP, which form the basis of the new Cisco solution (descriptions of these products are available in Russian and on our website). But I would like to recall its key features.

First, Cisco ASA with FirePOWER has a built-in ability to correlate security events. Anyone familiar with Cisco's native intrusion prevention tools (Cisco IPS) will remember the Meta Event Generator, a local correlation mechanism that detects multi-vector threats using several intrusion methods at once. Each such method may be characterised by events that, taken individually, are of no interest and carry the lowest priority. Taken together, however, these events can indicate a serious targeted threat. Previously, detecting such multi-vector threats required an external security information and event management system (SIEM), which was too expensive for many companies (both in price and in implementation effort). In Cisco IPS, and now in Cisco ASA with FirePOWER, this capability is built in, which makes it possible to detect and block an attack before it reaches its goal, rather than only after post-hoc analysis in a SIEM. What is new in this solution is that the Sourcefire technologies use more information and more data sources for correlation.



The second interesting feature of Cisco ASA with FirePOWER is threat prioritisation based on the criticality of the attacked hosts. In other words, the context of an attack is used to separate important events from unimportant ones and to focus the efforts of security staff on the threats that matter. Cisco IPS had a similar mechanism, the Risk Rating, which evaluated each threat from a business point of view. In Cisco ASA with FirePOWER, prioritisation is extended further and automated as much as possible.



By the way, automation is another highlight of the Sourcefire technologies and of Cisco ASA with FirePOWER. In addition to automatically tuning the signatures and rules in the security policy (based on analysis of network and application traffic and on discovery of the hosts, devices, protocols, applications and operating systems present in the network), the policies themselves can adapt dynamically as the network changes: new services, sites and users appear, and, of course, so do new threats.



Continuing the topic of correlation, one cannot fail to mention the ability of Cisco ASA with FirePOWER to work with indicators of compromise, which operate not only on events from a single protection tool (for example, an intrusion detection sensor) but on events from the various protections scattered across the network. For example, a network scan detected by the IPS can be combined with the fact of communication with a botnet command-and-control server identified by the NGFW and with the execution of malicious code detected by the AMP agent. These three disparate events may together serve as an indicator of compromise (IOC) that an attack against the company is being prepared, or that the company's network has already been compromised by a targeted threat.
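To make the three ideas above concrete (local correlation of individually low-priority events, risk weighting by the criticality of the attacked host, and an IOC built from events of several different sensors), here is a small added example of my own; it is not code from the original post and does not reflect how FirePOWER or FireSIGHT implement these features internally. The event format, the sensor names (`ips`, `ngfw`, `amp`), the severity scale, the asset criticality table and the time window are all assumptions, and the sample events are constructed rather than taken from real logs.

```python
"""Toy multi-sensor correlator (added example, not from the original post).

Events from three hypothetical sensors are grouped per host. A host is reported
only when events from at least MIN_SENSORS *different* sensors fall inside a
time window, so a lone port scan (severity 1) never raises a finding on its own.
The risk of a finding is the summed severity multiplied by the host's assumed
business criticality, which gives the prioritised list an analyst would triage.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs):
# (ISO timestamp, sensor, affected host, event category, severity 1..5)
EVENTS = [
    ("2014-09-16T10:00:05", "ips",  "10.1.1.20", "recon_scan",   1),
    ("2014-09-16T10:02:40", "ngfw", "10.1.1.20", "c2_callback",  3),
    ("2014-09-16T10:03:10", "amp",  "10.1.1.20", "malware_exec", 4),
    ("2014-09-16T11:30:00", "ips",  "10.1.1.44", "recon_scan",   1),
    ("2014-09-16T09:00:00", "ngfw", "10.1.1.90", "c2_callback",  3),
    ("2014-09-16T12:00:00", "amp",  "10.1.1.90", "malware_exec", 4),
]

# Assumed asset criticality, e.g. from an inventory: 1 = low, 5 = business critical
ASSET_CRITICALITY = {"10.1.1.20": 5, "10.1.1.44": 1, "10.1.1.90": 3}

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_SENSORS = 2                  # independent sensors needed for an IOC


def parse(event):
    ts, sensor, host, category, severity = event
    return datetime.fromisoformat(ts), sensor, host, category, severity


def correlate(events, criticality, window=WINDOW, min_sensors=MIN_SENSORS):
    """Return {host: finding} for hosts hit by >= min_sensors sensors within window.

    A sliding window starts at every event of the host; the strongest cluster
    (highest risk) is kept so the analyst sees the most complete picture.
    """
    by_host = defaultdict(list)
    for event in events:
        parsed = parse(event)
        by_host[parsed[2]].append(parsed)

    findings = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order
        best = None
        for i, start in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - start[0] <= window]
            sensors = {e[1] for e in cluster}
            if len(sensors) < min_sensors:
                continue
            risk = sum(e[4] for e in cluster) * criticality.get(host, 1)
            if best is None or risk > best["risk"]:
                best = {
                    "risk": risk,
                    "sensors": sorted(sensors),
                    "categories": [e[3] for e in cluster],
                    "first_seen": cluster[0][0].isoformat(),
                    "last_seen": cluster[-1][0].isoformat(),
                }
        if best is not None:
            findings[host] = best
    return findings


def prioritized(findings):
    """Hosts ordered by risk, highest first: the analyst's work queue."""
    return sorted(findings.items(), key=lambda kv: kv[1]["risk"], reverse=True)


if __name__ == "__main__":
    for host, finding in prioritized(correlate(EVENTS, ASSET_CRITICALITY)):
        print(host, finding)
```

With the constructed data, only 10.1.1.20 is reported: it shows scan, C2 callback and malware execution from three sensors within three minutes, with a risk of (1+3+4)*5 = 40. Host 10.1.1.44 produces only a single-sensor scan, and the two events on 10.1.1.90 are three hours apart, so neither passes the window and sensor-count checks; lowering `min_sensors` to 1 is what turns the correlator back into a plain per-event alert feed.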



Finally, last on the list but not least in importance, is the retrospective security function, which makes it possible to establish that network hosts have been compromised, whether through evasion of perimeter protection, an unauthorised 3G/4G modem or access point, or other causes. Using post factum analysis, we can detect malware that has already made its way inside the organisation, quickly locate and isolate infected hosts, trace the chain along which the malicious code spread, and analyse the cause of the compromise (for example, a vulnerability in Acrobat Reader or Firefox).



All of these features reflect the concept that underlies Cisco's security solutions after the integration with Sourcefire. This concept involves fighting threats at every stage of their life cycle:




The three-stage concept "BEFORE, DURING, AFTER" is implemented in all our solutions: Cisco Cyber Threat Defense, Cisco ISE, Cisco ESA/WSA, Sourcefire NGIPS/NGFW/AMP and so on. Cisco ASA with FirePOWER continues this tradition.

Performance



Since the new Cisco ASA with FirePOWER functionality works across the entire Cisco ASA 5500-X range, from the Cisco ASA 5512-X to the Cisco ASA 5585-X (including all intermediate models: 5515, 5525, 5545 and 5555), a natural question arises: what is the performance of this solution? It depends on two parameters: the model itself and the functionality enabled (NGFW, NGIPS, AMP, in various combinations). The minimum throughput is 100 Mbit/s (for the Cisco ASA 5512-X), the maximum 15 Gbit/s (for the Cisco ASA 5585-X). If you need more, it is better to look at the dedicated Sourcefire 8300 appliances, which operate at up to 60 Gbit/s in NGIPS mode and up to 120 Gbit/s in NGFW mode.

ASA with FirePOWER Control



The logical question is: how is Cisco ASA with FirePOWER managed? Currently, this requires just two tools: ASDM (for managing a single device) or CSM (for centralised management of several devices), and FireSIGHT Management Center. ASDM/CSM manage the traditional Cisco ASA firewall functionality and the VPN subsystem, and also configure the networking side of the security platform: clustering, multiple contexts, routing and so on.

FireSIGHT, which we have already described earlier, manages all the newly acquired functionality: NGFW, NGIPS, URL filtering and AMP. In the near future, the two consoles are planned to be merged into a single management solution for Cisco ASA with FirePOWER.

As a summary



The solution itself is already available to order and use. For existing Cisco ASA users, it is enough to activate the licence for the new functionality required (NGFW, NGIPS, AMP, in any combination). There is no waiting for physical hardware to be delivered (except for the top-of-range Cisco ASA 5585-X, where FirePOWER runs on a separate module), and no need for additional import permits. Testing the solution poses no particular problems either: it is enough to have a Cisco ASA 5500-X in your network and request a trial key (45 days) from Cisco in order to test all of the functionality described. In other words, we let you preserve the investment already made in the Cisco ASA 5500-X and use that platform to extend your security functionality.

Source: https://habr.com/ru/post/237759/
