So, it has happened. Cisco has announced its new solution, FirePOWER for ASA: the result of integrating Sourcefire's technology with Cisco's own "native" products, first of all the multifunctional Cisco ASA 5500-X security platform.
It should be noted that this is not the first joint product. Back in the spring, only six months after the acquisition of Sourcefire closed, we integrated the Advanced Malware Protection (AMP) malware detection and blocking system into our Internet access control product, Cisco Web Security (physical, virtual and cloud), and into our e-mail protection product, Cisco Email Security (physical, virtual and cloud). This extended anti-malware protection beyond the network and endpoint levels to the application level.
A few months later, on 16 September, we announced the next result of the integration: our Cisco ASA security platform gained new functions that allow it to:
- control applications (Next Generation Firewall function)
- detect and block intrusions (Next Generation IPS function)
- control access to the Internet (URL filtering function)
- detect and neutralize malicious code (Advanced Malware Protection function).
All of this comes in addition to what the Cisco ASA 5500-X already offered: the traditional stateful firewall; integration with Active Directory so that security policies are tied to user names rather than IP addresses (the Identity Firewall function); the site-to-site (IPsec) VPN subsystem for connecting offices; the secure remote access subsystem (Remote Access or SSL VPN); and the clustering and high-availability subsystem.
Key Features
We have already written about NGFW, about NGIPS and about AMP, which form the basis of the new Cisco solution (descriptions of these solutions are available in Russian on our website). But I would like to recall their key features.
First of all, Cisco ASA with FirePOWER can correlate security events. Those familiar with its close relative, Cisco's intrusion prevention system (Cisco IPS), will remember that it had a mechanism called the Meta Event Generator: a local correlation engine able to detect multi-vector threats, that is, intrusions that use several methods of penetration at once. Each method produces its own events, but individually they look uninteresting and receive the lowest priority. Taken together, however, these events can indicate a serious targeted threat. Previously, detecting multi-vector threats required an external security information and event management (SIEM) system, which many companies found too expensive, both in price and in implementation effort. In Cisco IPS, and now in Cisco ASA with FirePOWER, this capability is built in, so attacks can be detected and blocked before they reach their target, rather than after the fact during analysis in a SIEM. The difference is that the new solution, built on Sourcefire technology, draws on far more information and data sources for its correlation.
The second interesting feature of Cisco ASA with FirePOWER is the prioritization of threats according to the criticality of the attacked hosts. In other words, we use the context in which an attack takes place to separate important events from unimportant ones and to focus the efforts of security staff on countering the threats that matter. Cisco IPS had a similar mechanism called Risk Rating, which assessed each threat from a business point of view. In Cisco ASA with FirePOWER the prioritization capability is further expanded and automated as far as possible.
Automation, by the way, is another strength of Sourcefire technology and of Cisco ASA with FirePOWER. Besides automatic tuning of signatures and rules in the security policy (done on the basis of analysis of network and application traffic, and of the hosts, devices, protocols, applications, operating systems and so on recognized on the network), the policies themselves can adapt dynamically to changes in the network: the appearance of new services, hosts and users and, of course, of new threats.
Continuing the theme of correlation, it is very important to mention the ability of Cisco ASA with FirePOWER to work with indicators of compromise. This allows it to operate not only on events from a single security control (for example, an intrusion detection sensor), but on events from the various controls scattered across the network. For example, a network scan detected by the IPS can be combined with a connection to a botnet command-and-control server detected by the NGFW and with the execution of malicious code detected by the AMP malware-blocking agent. These three disparate events together can form an indicator of compromise (IOC) showing that an attack against the company is being prepared or that the company's network has already been compromised by a targeted threat.
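The following Python script is an added example, not code from Cisco, Sourcefire or this post. It shows, over a handful of constructed events, the kind of local correlation the last three paragraphs describe: no single event from one control is interesting, but several independent controls (IPS, NGFW, AMP) reporting on the same host inside a time window become an indicator of compromise, and a criticality table for the attacked hosts decides which finding an analyst looks at first. The source names, weights, asset-criticality table, time window and sample events are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Per-source weights and per-asset criticality are assumptions for this example;
# a real product derives them from its own policy and from network discovery.
SOURCE_WEIGHT = {"ips": 1, "ngfw": 2, "amp": 3}
ASSET_CRITICALITY = {"10.0.5.20": 3, "10.0.7.11": 1}   # 1 = low ... 3 = critical
DEFAULT_CRITICALITY = 2                                 # unknown hosts count as medium


@dataclass(frozen=True)
class Event:
    source: str   # which control raised it: "ips", "ngfw" or "amp"
    host: str     # internal host the event is about
    kind: str     # free-text event type
    ts: int       # seconds since an arbitrary epoch


# Constructed sample events, not real sensor output.
SAMPLE_EVENTS = [
    Event("ips", "10.0.5.20", "port_scan", 100),
    Event("ngfw", "10.0.5.20", "botnet_c2_connection", 160),
    Event("amp", "10.0.5.20", "malware_execution", 200),
    Event("ips", "10.0.7.11", "port_scan", 110),
    Event("ips", "10.0.7.11", "port_scan", 130),
    Event("ngfw", "10.0.9.3", "botnet_c2_connection", 150),
]


def multi_vector_sources(events, window):
    """Largest set of distinct sources seen for one host within `window` seconds.
    Two scans from the same IPS are one vector; scan + C2 + execution are three."""
    events = sorted(events, key=lambda e: e.ts)
    best = set()
    for end in events:
        seen = {e.source for e in events if end.ts - window <= e.ts <= end.ts}
        if len(seen) > len(best):
            best = seen
    return best


def correlate(events, window=300):
    """Group events per host, flag multi-vector activity as an IOC and rank
    the findings by weighted score times asset criticality."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e.host].append(e)

    findings = []
    for host, evs in per_host.items():
        sources = multi_vector_sources(evs, window)
        criticality = ASSET_CRITICALITY.get(host, DEFAULT_CRITICALITY)
        ioc = len(sources) >= 2          # independent controls agree -> indicator of compromise
        score = sum(SOURCE_WEIGHT[s] for s in sources) * criticality
        if ioc and criticality >= 3:
            priority = "critical"
        elif ioc:
            priority = "high"
        else:
            priority = "low"
        findings.append({"host": host, "sources": tuple(sorted(sources)),
                         "ioc": ioc, "score": score, "priority": priority})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

With the default window, 10.0.5.20 comes out on top as a critical IOC (three distinct controls on a critical asset), while the two repeated IPS scans against 10.0.7.11 stay low priority because they are one vector on a low-value host. Run it with a shorter window, for example correlate(SAMPLE_EVENTS, window=30), and the same events no longer correlate at all; choosing that window is exactly the trade-off between sensitivity and noise that a built-in correlator has to tune.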
Finally, last on the list but not least in importance is retrospective security: the ability to track hosts in the network that have already been compromised, whether by bypassing perimeter protection, through an unauthorized 3G/4G modem or access point, through an infected flash drive, or for other reasons. With this after-the-fact analysis we can detect that malware has already entered the organization, efficiently track down and contain the infected hosts, trace the chain along which the malicious code spread, and analyze the cause of the compromise (for example, a vulnerability in Acrobat Reader or Firefox).
This is the "BEFORE - DURING - AFTER" concept that is implemented in all of our solutions: Cisco Cyber Threat Defense, Cisco ISE, Cisco ESA/WSA, Sourcefire NGIPS/NGFW/AMP and others. Cisco ASA with FirePOWER continues this tradition.
Performance
Since the new Cisco ASA with FirePOWER functionality runs on the entire Cisco ASA 5500-X line, from the Cisco ASA 5512-X to the Cisco ASA 5585-X (including all the intermediate models: 5515, 5525, 5545 and 5555), the next question is what the performance of this solution is. It depends on two parameters: the model used and the functionality enabled (NGFW, NGIPS, AMP, in various combinations). The minimum throughput is 100 Mbit/s (Cisco ASA 5512-X) and the maximum is 15 Gbit/s (Cisco ASA 5585-X). If higher performance is needed, it is better to look at the separate Sourcefire 8300 series appliances, which run at up to 60 Gbit/s in NGIPS mode and up to 120 Gbit/s in NGFW mode.
Managing ASA with FirePOWER
The logical question is how Cisco ASA with FirePOWER is managed. At the moment it requires two tools: ASDM (for a single device) or CSM (for centralized management of multiple devices), plus the FireSIGHT Management Center. ASDM/CSM manage the traditional firewall functionality of Cisco ASA and the VPN subsystems, and also configure the platform's networking functions: clustering, multiple contexts, routing and so on. FireSIGHT, which we have described earlier, manages all the newly acquired functionality: NGFW, NGIPS, URL filtering and AMP. In the near future the two consoles are planned to be integrated into a single management solution for Cisco ASA with FirePOWER.
Summary
The solution is already available to order and use. For existing Cisco ASA users it is enough to activate a license for the new functionality they need (NGFW, NGIPS, AMP, in any combination). There is no need to wait for delivery of physical devices (except for the Cisco ASA 5585-X, which needs its own FirePOWER hardware module), and no additional import permits are required. Testing the solution poses no particular problem either: it is enough to have a Cisco ASA 5500-X on your network and request a 45-day evaluation key from Cisco to try the full functionality described. In other words, we let you preserve your existing investment in Cisco ASA 5500-X and use this platform to extend its protective functionality.
Source: cisco.com