Cisco Firepower vs. ASA

A Brief History of Firewalls

There was a time when network security was not even a thought. Internal networks existed before the internet was in widespread use. If you wanted to communicate with a company via your computer, you literally called that company from your computer. For example, if you wanted a driver for your IBM computer, you called IBM and they gave you another number to call from your computer modem. Good times!

As companies started offering internet access at work, security was still nowhere near as important as it is today. If you were one of the lucky few who were allowed internet access, you were given a publicly routable IP address and off you went. There were firewalls, but nothing like what exists today.

Then came the first generation of configurable and affordable firewalls. I would put Cisco PIX (the precursor to ASA) in this list. Many companies jumped on this bandwagon right away because it made sense to match your firewall vendor with your network equipment vendor. There were other vendors for switches, but Cisco pretty much had a monopoly on routers.

Next up was the Cisco ASA, which is still widely used today. It had similar features to the PIX but was easier to use and understand. The ASA was an absolute workhorse, had very few problems, and virtually never went down. This is also where things started to go off the rails: the threats kept evolving and a stateful Layer 3/4 firewall did not.

There were, however, several things the ASA did not cover on its own:

  • IPS (Intrusion Prevention System): If you need network security, you need an IPS. The ASA had no built-in IPS; you needed a separate IPS appliance or a hardware/software module bolted onto the ASA.
  • SSL/TLS Decryption: You cannot really have network security if all it takes to get around your policy is encryption.
  • Anti-Malware: Detecting malware before it gets to your users is always a good thing.
  • Layer 7 Inspection: An ASA is a Layer 3 and Layer 4 device; it matches on addresses, protocols and ports, not on the application actually being carried. It did have protocol inspection options (the Modular Policy Framework), but they were difficult to configure and did not work very well.
  • Users/Identity Mapping: IT and security managers started wondering "who" was sending traffic through the firewall. Early firewalls did not support this, and it typically required a proxy with user authentication.
  • URL Filtering: It was then decided that maybe we should not let end users visit certain types of websites.
  • Security Intelligence: If a website is compromised and begins distributing malware, an ASA has no way of knowing this is taking place.

During this period these problems were solved with extremely complicated designs and many different appliances, support contracts and vendors, or, just as often, not solved at all. Every extra appliance in the path is another potential performance bottleneck, another operational burden and another way to degrade the user experience, not to mention the finger-pointing between vendors when things go wrong. To escape the complexity, many customers stood up a firewall alone and called it a win. Today that is not an acceptable security posture.

The Solution: Cisco Firepower

The modern-day solution is called Cisco Firepower, a Next-Generation Firewall (NGFW), which wraps every service listed above into a single appliance. For those of you that still manage a full security stack with multiple appliances, you should be jumping up and down right now.

Let’s take a look at each function and discuss how Firepower solves the problem:

  • Intrusion Prevention System (IPS): An IPS monitors traffic on your network and blocks anything that matches a known malicious pattern. There are many IPS vendors, but the gold standard is really Snort. Snort was created by Martin Roesch in 1998; his company Sourcefire commercialised it, and Cisco purchased Sourcefire in 2013. Snort is now the IPS engine inside Firepower (Snort 3 on current Firepower Threat Defense releases), fed by Talos-maintained rulesets, so a dedicated IPS appliance is no longer required or recommended.
  • SSL/TLS Decryption: Virtually all websites now use TLS; Google's decision to favour HTTPS sites in search ranking and to flag plain-HTTP pages in Chrome left most sites little choice. That is great for internet security in general but posed a problem for firewall engineers: how do you log, track and inspect traffic you cannot see? Firepower solves this with an SSL policy. For outbound traffic the firewall acts as a man-in-the-middle that you control: it terminates the client's TLS session, re-signs the server's certificate with an internal CA ("Decrypt - Resign"), passes the cleartext through the inspection engines (IPS, anti-malware, URL filtering) and opens its own TLS session to the real server before the traffic leaves the egress interface. For your own internet-facing websites the same thing works in reverse: Firepower decrypts inbound connections using a copy of your web server's private key ("Decrypt - Known Key"), giving the same level of inspection for internet users coming into your network. Two caveats a practitioner will run into: every client must trust the internal CA (push it out through Group Policy or your MDM, or users will see certificate warnings), and applications that pin their certificates will break under resigning and need a do-not-decrypt rule. Done properly, the process is transparent to your end users.
  • Anti-Malware: Anti-malware at the network level is pretty much a must-have in a modern network. Cisco builds it into Firepower (Advanced Malware Protection, AMP, for Networks) with granular control over what is inspected, logged and blocked: file-type rules, hash lookups and dynamic analysis of unknown files. The intelligence behind it comes from Cisco Talos, and that matters: the vendor that sees the most malicious traffic is likely the one with the most complete picture of threats, and Cisco's installed base sees an enormous amount of it every day. If malware shows up at a customer on the other side of the world, the chances are Talos will see it, and the detection reaches your Firepower before the sample ever touches your network.
  • Layer 7 Inspection: A Layer 7 firewall matches traffic on what the application actually is, not just on protocol and port. In other words, on an L7 firewall you allow HTTPS, not TCP/443. When the traffic hits Firepower, its application detectors look at the payload and confirm that what is on port 443 really is TLS carrying HTTP, and the rule is applied to that application. On a traditional firewall you can send any traffic you like to TCP/443 (an SSH tunnel, a command-and-control channel, plain HTTP) and it goes straight through with no further inspection. With a proper configuration this is probably the single biggest advancement in firewall technology since firewalls were invented: it dramatically shrinks your attack surface, and the downstream engines (IPS, anti-malware) no longer have to work anywhere near as hard.
  • Users/Identity Mapping: While going through firewall logs, you notice that last Tuesday someone on IP 192.168.1.123 uploaded your entire customer database to a torrent site. Hmmm….
    • Who had 192.168.1.123 last Tuesday? Are you certain?
    • Has the IP changed hands since then? Where are the DHCP logs?
    • How do you know who was logged into the computer that held that IP address?
    • Was it even an employee?
    • Was this one event part of a concerted effort to steal your database?

The answer to all these questions is usually "I have no idea." Cisco Firepower fixes this by working with your existing Active Directory infrastructure or, better yet, with Cisco ISE, to map IP addresses to users as they log on. In addition to seeing the IP address sending traffic through your firewall, you see the user logged into the computer, and you can write access rules against users and groups rather than addresses. There are many use cases for this:

    • Who is hogging your bandwidth?
    • Who is accessing sensitive data on your network?
    • Who is logged into the network right now?
    • Which users are allowed to log in to network equipment, regardless of IP address?
  • URL Filtering: Firepower comes with an easy-to-use URL filtering engine that eliminates many potential threats. You can simply block any URL you do not want your employees or customers visiting, but you can also filter by category and by reputation. Categories are continuously updated by Cisco, and each site also carries a reputation score. For example, Budweiser.com is most definitely an alcohol-related website, but it also has a very good reputation. You may not care if your users visit Budweiser.com, but you probably do not want them on buildyourownstillunderyourdeskatwork.com. The rule becomes: allow the alcohol category, but only if the reputation score is above x.
  • Security Intelligence: No company on the planet knows everything about every threat. Security intelligence is the process of collecting data from many sources, building unified block lists of known-bad IP addresses, URLs and domains, and pushing them out to everyone. Again, this is a huge advantage for Cisco, because nobody sees more traffic. When Cisco or one of its customers stumbles across a malicious website, Talos confirms it is bad, lists it, and within minutes the updated feed is on your firewall. Security Intelligence is evaluated before the access control rules, so when your users try to reach that site the connection is dropped before any deeper inspection is needed. Problem solved!
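The point above about TCP/443 not being the same thing as HTTPS is easy to see in code. The Python below is an added illustration, not Firepower code or any Cisco detector: it classifies the first client bytes of a flow without looking at the port, pulls the Server Name Indication out of a TLS ClientHello (which is how a firewall knows the destination hostname of a TLS session it has not decrypted, and the name URL rules are applied to), and compares the verdict of a port-only rule with an application-aware one on four constructed flows to port 443, only one of which is real TLS. The detection logic is a toy stand-in for Firepower's application detectors; the payloads and addresses are constructed for the example.

```python
"""Port-based vs application-aware allow decision for traffic arriving on TCP/443.

Added example, not Cisco or Firepower code: a deliberately small stand-in for the
application-detection step of a Layer 7 firewall. All payloads are constructed.
"""
from typing import List, Optional, Tuple

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def identify_app(payload: bytes) -> str:
    """Classify the first client bytes of a TCP stream, ignoring the port entirely."""
    # TLS handshake record: content type 0x16, version major 0x03, then a ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # Plaintext HTTP request line: METHOD SP request-target SP HTTP/1.x
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent or malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        hs_len = int.from_bytes(payload[6:9], "big")
        body = payload[9:9 + hs_len]
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:                                 # walk the extensions
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0:                                 # server_name extension
                p = 2                                         # skip ServerNameList length
                while p + 3 <= len(ext):
                    name_type = ext[p]
                    name_len = int.from_bytes(ext[p + 1:p + 3], "big")
                    if name_type == 0:                        # host_name
                        return ext[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
        return None
    except (IndexError, UnicodeDecodeError):
        return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name    # one host_name entry
    sni = len(entry).to_bytes(2, "big") + entry               # ServerNameList
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni     # extension type 0 (server_name)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01"                             # one cipher suite
            + b"\x01\x00"                                     # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def port_only_verdict(dport: int, payload: bytes) -> str:
    """What a Layer 3/4 rule 'permit tcp any any eq 443' decides: the payload is never consulted."""
    return "allow" if dport == 443 else "block"


def app_aware_verdict(dport: int, payload: bytes) -> str:
    """What a Layer 7 rule 'allow application HTTPS' decides: the port alone is not enough."""
    return "allow" if dport == 443 and identify_app(payload) == "tls-client-hello" else "block"


# Constructed flows, all to TCP/443: only the first one is really TLS.
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 443, build_client_hello("www.example.com")),
    ("10.0.0.6", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                            # SSH tunnel on 443
    ("10.0.0.7", 443, b"GET /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),  # plaintext HTTP on 443
    ("10.0.0.8", 443, b"\x00\x00\x00\x2a\xff\x53\x4d\x42"),                   # something else entirely
]


def compare_policies(flows=SAMPLE_FLOWS):
    """Rows of (src, detected app, SNI or None, L3/4 verdict, L7 verdict)."""
    return [(src, identify_app(p), tls_sni(p), port_only_verdict(port, p), app_aware_verdict(port, p))
            for src, port, p in flows]


if __name__ == "__main__":
    for row in compare_policies():
        print(row)
```

Running it shows the port-only rule allowing all four flows while the application-aware rule allows only the genuine TLS session, and reports the SNI www.example.com for that one; this is the "shrinks the attack surface" effect described above, before the IPS or anti-malware engines have done any work.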
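The identity questions above are exactly the correlation an analyst has to do by hand when the firewall only logs IP addresses. The Python below is an added example, not Cisco code: it joins a constructed firewall event with constructed DHCP lease and workstation logon logs to work out who plausibly held 192.168.1.123 at the moment of the upload. Deliberately, the sample data has the IP re-leased to a different machine the same morning and two users with open sessions on that machine, so the best the log correlation can do is "one of two people", which is the gap that identity-aware logging closes. Log formats, hostnames and usernames are invented for the example.

```python
"""Attribute a firewall event to a user by joining DHCP lease and logon logs.

Added example, not Cisco or Firepower code. Every log line here is constructed;
the formats are simplified stand-ins for real DHCP server and Windows logon logs.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Firewall log: the event under investigation (constructed).
FIREWALL_EVENTS = [
    "2024-05-07T14:02:11Z src=192.168.1.123 dst=203.0.113.10 dport=443 bytes_out=3145728000 action=allow",
]
# DHCP server log: time, event, ip, mac, hostname (constructed).
# Note the IP changing hands at 09:31 on the day of the event.
DHCP_LOG = [
    "2024-05-06T08:00:00Z ASSIGN 192.168.1.123 aa:bb:cc:00:00:01 WKS-ALICE",
    "2024-05-07T09:30:00Z RELEASE 192.168.1.123 aa:bb:cc:00:00:01 WKS-ALICE",
    "2024-05-07T09:31:00Z ASSIGN 192.168.1.123 aa:bb:cc:00:00:02 WKS-SHARED",
]
# Interactive logon/logoff events collected from the workstations: time, event, host, user (constructed).
LOGON_LOG = [
    "2024-05-07T08:45:00Z LOGON WKS-ALICE alice",
    "2024-05-07T10:05:00Z LOGON WKS-SHARED bob",
    "2024-05-07T13:50:00Z LOGON WKS-SHARED carol",
    "2024-05-07T15:00:00Z LOGOFF WKS-SHARED bob",
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _chronological(lines: List[str]) -> List[str]:
    return sorted(lines, key=lambda line: parse_ts(line.split()[0]))


def host_for_ip(ip: str, at: datetime, dhcp_log: List[str]) -> Optional[Tuple[str, str]]:
    """Return (mac, hostname) holding `ip` at time `at`, or None if no lease was active then."""
    holder: Optional[Tuple[str, str]] = None
    for line in _chronological(dhcp_log):
        ts, event, lease_ip, mac, hostname = line.split()
        if lease_ip != ip or parse_ts(ts) > at:
            continue                      # other address, or event after the moment of interest
        holder = (mac, hostname) if event == "ASSIGN" else None   # RELEASE clears the holder
    return holder


def users_on_host(host: str, at: datetime, logon_log: List[str]) -> Set[str]:
    """Users with a session open on `host` at `at`: a LOGON before it with no LOGOFF in between."""
    active: Set[str] = set()
    for line in _chronological(logon_log):
        ts, event, event_host, user = line.split()
        if event_host != host or parse_ts(ts) > at:
            continue
        if event == "LOGON":
            active.add(user)
        elif event == "LOGOFF":
            active.discard(user)
    return active


def parse_fw_event(line: str) -> Dict[str, str]:
    """Split 'ts key=value key=value ...' into a dict including the timestamp under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def attribute(fw_line: str) -> Dict[str, object]:
    """Best-effort attribution of one firewall event to a user, with an honest confidence label."""
    rec = parse_fw_event(fw_line)
    at = parse_ts(rec["ts"])
    lease = host_for_ip(rec["src"], at, DHCP_LOG)
    candidates = users_on_host(lease[1], at, LOGON_LOG) if lease else set()
    if lease is None:
        confidence = "none: no active lease for that IP at that time"
    elif not candidates:
        confidence = "host known, no logon session found"
    elif len(candidates) == 1:
        confidence = "single candidate"
    else:
        confidence = "ambiguous: %d concurrent sessions" % len(candidates)
    return {"ip": rec["src"], "at": rec["ts"], "host": lease[1] if lease else None,
            "candidates": sorted(candidates), "confidence": confidence}


if __name__ == "__main__":
    for line in FIREWALL_EVENTS:
        print(attribute(line))
```

For the constructed event the answer is WKS-SHARED with candidates bob and carol and a confidence of "ambiguous", even though the same IP belonged to WKS-ALICE an hour before the lease changed; an identity-aware firewall records the user on the connection event itself, and the three-way join above disappears.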

With Firepower you can consolidate all of those appliances down to one: one vendor, one support call, one maintenance contract, one fully redundant and highly available system covering every security feature listed above and more!

While we are here, there is one more benefit of consolidation. As ISPs keep offering faster internet access at lower cost, what does an upgrade involve? The old way, it is an enormous project:

  • Does each appliance support the higher bandwidth?
  • Will there be a bottleneck that completely negates your bandwidth investment?
  • Do you require additional modules? Licenses?
  • Do you have to upgrade one or more appliances?
  • Do the existing support contracts transfer to the new appliances?
  • Is your initial investment protected?

With the new way, bandwidth growth over time can be as easy as saying “yes” to your ISP.

Finally, the other major advantage of Firepower is that it integrates with Cisco's and partner vendors' security products through Cisco Platform Exchange Grid (pxGrid), a publish/subscribe framework for sharing context such as user identity, device posture and threat events between security tools.

With Cisco ISE, for example, Firepower and ISE exchange context over pxGrid so you can build a unified security policy and quarantine devices in real time (Cisco calls this Rapid Threat Containment). When Firepower detects a critical threat from an endpoint, the Firepower Management Center remediation module tells ISE to apply an Adaptive Network Control (ANC) quarantine policy to that endpoint; ISE then sends a RADIUS Change of Authorization to the access switch, and within seconds the device is off the network at the switchport. Many products can drop the offending traffic; Firepower and ISE go a step further and contain the endpoint itself. The threat of malware spreading laterally is removed because the PC is dropped from the network completely, has a restrictive downloadable ACL applied at the switchport, or is moved into a quarantine VLAN for remediation.

Bottom Line

Cisco has effectively consolidated many different platforms and functions into a single chassis. This removes the complexity of a full security stack while simultaneously removing a ton of administrative overhead – upgrades, patches, support contracts, certificate updates, specialized skills, difficulty troubleshooting, etc. The list is endless!

So how can CDA help you improve network security with Cisco Firepower?

Members of our team hold Cisco Certified Internetwork Expert (CCIE) certification and can help at any stage of the process: proof of concept, design, architecture, implementation, testing and issue resolution. Want to learn more?