Tuesday, 23 September 2014

Cisco's new solution for next-generation security (NGFW + NGIPS + AMP)

So, it has happened. Cisco has announced its new solution, FirePOWER for ASA: the result of integrating Sourcefire's technology with Cisco's "native" products, primarily the multi-function Cisco ASA 5500-X security platform.

It should be noted that this is not the first joint product. Back in the spring, only six months after the Sourcefire acquisition, we integrated the Advanced Malware Protection (AMP) malware detection and blocking system into our Internet access control and protection product Cisco Web Security (physical, virtual and cloud) and into our email protection product Cisco Email Security (physical, virtual and cloud), thereby extending the anti-malware platform from the network and endpoint levels to the application level.
A few months later, on 16 September, we announced the next result of the integration: our Cisco ASA security platform gained new capabilities that allow it to:
  • control applications (Next Generation Firewall function)
  • detect and block intrusions (Next Generation IPS function)
  • control Internet access (URL filtering function)
  • detect and neutralize malicious code (Advanced Malware Protection function).
All of this comes in addition to what the Cisco ASA 5500-X already offers: a traditional stateful firewall, integration with Active Directory to map security policies to user names rather than IP addresses (Identity Firewall function), a site-to-site IPsec VPN subsystem, a secure remote access (SSL VPN) subsystem, and clustering and high availability.

Key Features
We have already written about NGFW, NGIPS and AMP, which form the basis of the new Cisco solution (descriptions of these solutions are available in Russian on our website). But I would like to recall its key features.
First of all, Cisco ASA with FirePOWER can correlate security events. Those familiar with Cisco's intrusion prevention system (Cisco IPS) will remember its Meta Event Generator, a local correlation mechanism that detects multi-vector threats, i.e. intrusions that use several penetration methods at once. Each method produces its own events, which individually are of little interest and carry the lowest priority. Taken together, however, these events can indicate a serious targeted threat. Previously, detecting multi-vector threats required an external security information and event management (SIEM) system, which many companies found too expensive, both in price and in implementation effort. In Cisco IPS, and now in Cisco ASA with FirePOWER, this capability is built in, so attacks can be detected and blocked before they reach their target rather than after analysis in a SIEM. The difference is that the new solution, built on Sourcefire technology, draws on more information and more data sources for correlation.
The second interesting feature of Cisco ASA with FirePOWER is threat prioritization based on the criticality of the attacked assets. In other words, the context in which an attack takes place is used to separate important events from unimportant ones and to focus the efforts of security staff on the threats that matter. Cisco IPS had a similar mechanism called Risk Rating, which assessed each threat from a business point of view. In Cisco ASA with FirePOWER, prioritization has been expanded further and automated as far as possible.
Automation, by the way, is another hallmark of Sourcefire technology and of Cisco ASA with FirePOWER. Besides automatic tuning of signatures and rules in the security policy (done on the basis of analyzing network and application traffic and recognizing the hosts, devices, protocols, applications, operating systems and so on in use on the network), the policies themselves can adapt dynamically to changes in the network: the appearance of new services, hosts and users and, of course, new threats.
Continuing the theme of correlation, it is important to mention that Cisco ASA with FirePOWER can use indicators of compromise, which lets it work not only with the events of a single security control (for example, an intrusion detection sensor) but with events from diverse controls scattered across the network. For example, a network scan detected by the IPS can be combined with a connection to a botnet command-and-control server identified by the NGFW and with execution of malicious code detected by the AMP agent. These three disparate events can form an indicator of compromise (IOC) showing that an attack on the company is being prepared or that the company's network has already been compromised by a targeted threat.
Finally, last on the list but not least in importance, is retrospective security: tracking hosts in the network that have been compromised, whether by bypassing perimeter protection, by an unauthorized 3G/4G modem or access point, by an infected USB drive or in some other way. With this after-the-fact analysis we can detect malware that has already got into the organization, quickly track down and isolate the infected hosts, trace the chain along which the malicious code spread, and analyze the cause of the compromise (for example, a vulnerability in Acrobat Reader or Firefox).
This is the "BEFORE - DURING - AFTER" concept implemented in all our solutions: Cisco Cyber Threat Defense, Cisco ISE, Cisco ESA/WSA, Sourcefire NGIPS/NGFW/AMP and so on. Cisco ASA with FirePOWER continues this tradition.
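To make the correlation and prioritization ideas above concrete, here is an added illustration (not Cisco or Sourcefire code, and not how FirePOWER implements it internally): a few constructed log lines from three hypothetical sources (IPS, NGFW, AMP) are grouped per host, a multi-vector rule fires when a scan, a C2 connection and malware execution occur on the same host inside a short window, and the resulting alert is weighted by an assumed asset-criticality table. The event format, the window, the rule and the scoring are all assumptions made for the example.

```python
"""Toy cross-source event correlation with asset-based prioritization.

Added illustration, not Cisco/Sourcefire code. The log format, the rule,
the window and the scoring are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources. Each one is
# low or medium priority on its own; together, on one host inside a short
# window, they form an indicator of compromise (IOC).
SAMPLE_EVENTS = [
    "2014-09-16T10:00:05 ips  host=10.0.1.25 event=port_scan priority=low",
    "2014-09-16T10:03:40 ngfw host=10.0.1.25 event=botnet_c2_connect priority=low",
    "2014-09-16T10:05:12 amp  host=10.0.1.25 event=malware_executed priority=medium",
    "2014-09-16T11:45:00 ips  host=10.0.2.7 event=port_scan priority=low",
    "2014-09-17T09:00:00 amp  host=10.0.2.7 event=malware_executed priority=medium",
]

# Hypothetical asset criticality used as "context" for prioritization:
# 1 = lab machine, 3 = business-critical server. In practice this comes
# from an asset inventory or from automatic host discovery.
ASSET_CRITICALITY = {"10.0.1.25": 3, "10.0.2.7": 1}

# Multi-vector rule: all three vectors on the same host within WINDOW raise
# a single high-priority compound alert, whatever the individual priorities.
MULTI_VECTOR_RULE = {"port_scan", "botnet_c2_connect", "malware_executed"}
WINDOW = timedelta(minutes=30)
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def parse_event(line):
    """Parse one constructed 'ts source key=value ...' log line into a dict."""
    ts, source, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts)
    event["source"] = source
    return event


def correlate(lines):
    """Group events per host and return one alert per host.

    Result: host -> {"events", "vectors", "compound", "priority"} where
    priority = base severity x asset criticality and base severity is
    'high' for a compound (multi-vector) match, otherwise the worst
    individual event priority.
    """
    by_host = defaultdict(list)
    for event in map(parse_event, lines):
        by_host[event["host"]].append(event)

    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        compound = False
        # Sliding window: does any WINDOW-sized slice starting at an event
        # contain every vector named in the rule?
        for i, start in enumerate(events):
            seen = {e["event"] for e in events[i:]
                    if e["ts"] - start["ts"] <= WINDOW}
            if MULTI_VECTOR_RULE <= seen:
                compound = True
                break
        base = (SEVERITY["high"] if compound
                else max(SEVERITY[e["priority"]] for e in events))
        alerts[host] = {
            "events": len(events),
            "vectors": {e["event"] for e in events},
            "compound": compound,
            "priority": base * ASSET_CRITICALITY.get(host, 1),
        }
    return alerts


if __name__ == "__main__":
    ranked = sorted(correlate(SAMPLE_EVENTS).items(),
                    key=lambda kv: -kv[1]["priority"])
    for host, alert in ranked:
        flag = "IOC" if alert["compound"] else "   "
        print(f"{flag} {host} priority={alert['priority']} "
              f"vectors={sorted(alert['vectors'])}")
```

On the sample data, 10.0.1.25 matches the rule (scan, C2 connection and malware execution within five minutes) and, being a critical asset, comes out on top with priority 9; 10.0.2.7 has two of the three vectors but almost a day apart, so it is reported only at the priority of its worst single event. The same two low-priority IPS events would look identical in isolation; it is the cross-source window and the asset context that separate them.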

Performance
Since the new Cisco ASA with FirePOWER functionality runs on the whole Cisco ASA 5500-X range, from the Cisco ASA 5512-X to the Cisco ASA 5585-X (including all the intermediate models: 5515, 5525, 5545 and 5555), the next question is the performance of this solution. It depends on two parameters: the model used and the functionality enabled (NGFW, NGIPS, AMP, in various combinations). The minimum throughput is 100 Mbit/s (for the Cisco ASA 5512-X), the maximum 15 Gbit/s (for the Cisco ASA 5585-X). If higher performance is needed, the dedicated Sourcefire 8300 appliances, which run at up to 60 Gbit/s in NGIPS mode and up to 120 Gbit/s in NGFW mode, are the better choice.

Managing Cisco ASA with FirePOWER
The logical question: how is Cisco ASA with FirePOWER managed? At present it requires two tools: ASDM (for a single device) or CSM (for centralized management of several devices), plus FireSIGHT Management Center. ASDM/CSM manage the traditional Cisco ASA firewall functionality and the VPN subsystems, and also configure the platform's network functions: clustering, multiple contexts, routing and so on.
FireSIGHT, which we described earlier, manages all the newly acquired functionality: NGFW, NGIPS, URL filtering and AMP. In the near future the two consoles are planned to be merged into a single management solution for Cisco ASA with FirePOWER.

Summary
The solution is already available to order and use. Existing Cisco ASA users simply need to activate a license for the new functionality they require (NGFW, NGIPS, AMP, in any combination). There is no waiting for delivery of physical devices (except for the top-end Cisco ASA 5585-X, which takes a FirePOWER hardware module) and no need to obtain additional import permits. Testing the solution presents no particular difficulty either: it is enough to have a Cisco ASA 5500-X in your network and to request a 45-day evaluation key from Cisco in order to try the full functionality described. In other words, existing investments in the Cisco ASA 5500-X are preserved, and the platform can be used to extend its protective functionality.

Source: cisco.com
