ASA or Cisco Firepower


Is it time to upgrade your firewalls to Cisco Firepower?

Do I go with the tried, tested and trusted Cisco ASA appliances, or with the newer Cisco Firepower 1000, 2100, 4100 or 9300 series appliances running Firepower Threat Defense (FTD), marketed as Next-Generation Firewalls (NGFWs)? Let's go through some of the pros and cons of both solutions.

The Cisco ASA has been the workhorse of many organizations across the globe and Cisco's de-facto security platform for the last decade. It is a "traditional" layer 3 and layer 4 stateful firewall, and site-to-site VPN and remote-access VPN were all done on this platform. However, the security landscape has changed, and it is no longer enough to filter traffic only on layer 3 IP addresses and layer 4 protocols and ports. For example, web applications such as Facebook and Twitter run over port 80 and, more recently, port 443; a port-based rule that denies them also denies every other HTTP(S) site, because the only thing the rule can see is the port.

Next-Generation Firewalls (NGFWs) offer a deeper awareness and control over individual applications along with deeper inspection capabilities. Very granular allow and deny rules can be created for controlling access to specific websites and applications in the network. The Cisco Firepower Next-Generation Firewall is Cisco’s NGFW offering. Here are a few reasons and benefits of upgrading to Cisco Firepower NGFW.

Cisco Firepower goes beyond just access control

Cisco Firepower NGFW provides all the stateful access control and traffic filtering that the Cisco ASA provided, and adds application visibility and control as well as deeper visibility into threats through built-in advanced security capabilities:

  • Integrated NGIPS and Advanced Malware Protection (AMP). These features can detect and block threats that may be masquerading as legitimate network traffic. You can see where the threat originated, where it has been and what it has been doing, then stop it automatically.
  • URL filtering prevents access to malicious sites, helping to stop an attack before it happens. It uses a dynamic database that categorizes websites based on web reputation scores.
  • The Cisco Talos threat research team supplies continuous intelligence updates, delivered through the Cisco Threat Grid integration. It works by blocking traffic to and from IP addresses, URLs or domain names that have a known bad reputation. This gives protection against known and emerging threats such as (but not limited to) WannaCry and NotPetya once their indicators are published; by its nature, reputation blocking cannot cover an indicator nobody has seen yet.
Reliability and performance don't degrade with advanced features

The Cisco ASA provided proven reliability and uptime. Firepower builds on that ASA heritage to provide the reliability and throughput organizations demand today even when advanced security features such as NGIPS are in use. Firepower FTD appliances are rated with NGIPS and the other advanced features enabled, so the throughput you size against is the throughput you get with those features turned on.

Integrated Architecture of Cisco Firepower provides additional benefits

Cisco Firepower NGFW wasn’t just designed to work as a standalone product. It was built to interact with other Cisco security tools as part of Cisco’s Integrated Security Architecture. The importance of this is as follows:

  • It provides more visibility across multiple attack vectors, from the edge to the endpoint, to stop threats sooner. When one security tool sees a threat in one place, that indicator is shared with the other tools so it can be blocked across the entire network.
  • It can share policy information with the Cisco Identity Services Engine (ISE), which allows ISE to enforce policy automatically on the network devices under its control. Cisco Advanced Malware Protection (AMP) for Endpoints will notify the NGFW when it has quarantined a file on one or more devices.

At a time when more and more sophisticated threats are emerging, these integrations and automation allow an organization's IT and security teams to be strategic rather than reactive in their approach to threat mitigation and containment.

Deeper visibility allows stopping threats on the network

The Cisco ASA offers the peace of mind that comes from a decade-long track record of proven reliability and stability, but it now lacks the features and tools organizations need to tackle a constantly evolving threat landscape.

Businesses are moving away from traditional on-premises applications to internet-hosted SaaS offerings such as Microsoft Office 365, so most of their traffic now leaves the network over HTTPS. It is therefore becoming imperative that organizations have deeper visibility into the traffic traversing their network, and that they can mitigate threats as and when they occur. Cisco Firepower NGFW plays an important role in stopping these threats before they wreak havoc across the corporate network.