Cisco ASA with FirePOWER Explained
What is Cisco ASA with FirePOWER?
"FirePOWER" is Cisco's latest attempt to further strengthen their Security/Firewall platform. It has been argued for some time that Cisco have rested on their laurels of the ASA platform, allowing other vendors to sweep in and take the lead in the Next Generation Firewall (NGFW) race.
Companies quickly came to the realization that it is imperative to have visibility past traditional Layer 1 through Layer 4. The ever growing set of Internet-facing features and applications that companies rely on has become commonplace, and it continues to grow as more "Cloud" based resources are adopted.
Traditional ASA brought about stateful packet inspection and the ability to add various modules (IPS, CSC-SSM), and it was the standard bearer in edge security for some time. The PIX firewall was replaced and the ASA had arrived.
As of 2012 Cisco had introduced their first line of NGFW: Cisco ASA w/ CX brought about Context Awareness. The CX functionality provided companies with Application Visibility and Control (AVC), which allowed visibility into the upper layers (i.e., the Application Layer or L7). Administrators could now permit or deny connections based on User ID, Application, and even at the micro-application level (e.g., Facebook could be identified and blocked, but administrators could also permit Facebook yet deny Facebook chat/email/messaging, and vice versa).
Fast forward to present day, and Cisco have made an exceptional acquisition in Sourcefire. Sourcefire has been the standard bearer in IDS/IPS technology. Sourcefire is based on Snort, a free open source network intrusion prevention system (NIPS) that performs real-time analysis of traffic, providing protocol analysis, content searching and content matching. Snort can be used to detect probing and various attacks such as OS fingerprinting attempts, buffer overflows, server message block probes, and stealth port scans.
Cisco + Sourcefire = Cisco FirePOWER
How do my customers make the transition from legacy ASA and IPS?
Cisco is providing multiple incentives and programs through bundles, pro-rating credits for unused SMARTnet subscription/s, and technology migration incentives.
What type of license subscriptions are available?
There are five (5) subscription packages to choose from. They can be purchased in 1yr and 3yr terms. AVC is a default offering and is included in SMARTnet.
URL Filtering
IPS
URL Filtering & IPS
AMP & IPS
URL Filtering, AMP, and IPS
What is the ordering structure for ASA with FirePOWER?
There are multiple structures to choose from:
New Appliance purchase or Upgrade
Security Subscriptions: One of the five license subscription packages
Management Systems: Cisco Virtual FireSIGHT Manager or FireSIGHT Appliance
What is the order of operations for packet processing?
How are ASA and FirePOWER features distributed?
The ASA will continue to process traffic and take action, then redirect it over to FirePOWER services. For example, the ASA will continue to perform TCP Normalization and IP fragmentation handling on received packets, and the result is redirected to FirePOWER. Once FirePOWER takes action based on configured policies, the ASA will then perform NAT, ACL, Routing and VPN services. The screencap below separates the two functions into quadrants.
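As an added illustration (not part of the original post), this is the ASA-side configuration that performs the hand-off described above: a service policy matches flows with an ACL and redirects them to the SFR (FirePOWER) module, and the fail-open/fail-close keyword decides what happens to matched traffic if the module is down. The names sfr_redirect and sfr_class are my own choice; global_policy is the ASA's default global policy map.

```cisco
! Constructed example: redirect all through-traffic to the FirePOWER (SFR) module.
! sfr_redirect / sfr_class are arbitrary names; global_policy is the ASA default policy map.
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr_class
  ! fail-open : if the module is unavailable, matched traffic is forwarded uninspected
  !             (availability is preferred over inspection)
  ! fail-close: matched traffic is dropped while the module is down
  !             (inspection is preferred over availability)
  ! append "monitor-only" to either keyword to send a copy of the traffic for passive inspection
  sfr fail-open
!
service-policy global_policy global
!
! Verify the module state and that flows are actually being redirected
show module sfr details
show service-policy sfr
```

Pick fail-close for segments where uninspected traffic is unacceptable and accept the outage risk; fail-open keeps the network up during a module upgrade or crash at the cost of a blind window.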
What are the Product IDs for Cisco ASA with FirePOWER?
All current SKUs are:
Let us remember that in the case of the Cisco ASA 5585-X, FirePOWER comes in the form of a separate hardware module. The following is the list of SKUs for that platform:
Note: A replacement for the ASA 5505 is expected to become available in February 2015 and will offer FirePOWER services. Let's keep an eye out for that; the 5505 has gone untouched for far too long, so it is good to see it receive some attention.
How do I migrate from legacy IPS or CX?
The recommended steps an Administrator should take are:
Back up your current IPS configuration via CLI/IDM/IME/CSM, or if running CX, via Prime Security Manager.
Shut down the IPS/CX module.
Uninstall the IPS or CX module.
Reload the ASA.
Install the FirePOWER software module.
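The same five steps expressed as ASA CLI, as an added example that is not from the post. The legacy software module is named ips for the IPS SSP and cxsc for CX; on the 5585-X the hardware module is driven with hw-module instead of sw-module. The boot-image filename is a placeholder, not a real release.

```cisco
! Step 1 (backup) is performed on the IPS/CX side (IDM/IME/CSM or PRSM), not on the ASA.
!
! Step 2: shut the legacy software module down (substitute "cxsc" for "ips" on a CX module)
sw-module module ips shutdown
!
! Step 3: uninstall it; this removes the module image and its configuration from flash
sw-module module ips uninstall
!
! Step 4: reload the ASA so the module slot is released
reload
!
! Step 5: install FirePOWER. The boot image must already be on disk0:;
! <asasfr-boot-image> is a PLACEHOLDER for the asasfr boot image matching your platform.
sw-module module sfr recover configure image disk0:<asasfr-boot-image>.img
sw-module module sfr recover boot
!
! Check progress; the module should report "Up" once the system image has been installed
show module sfr
!
! Open the module console to run setup and install the system package
session sfr console
```

Until the system package is installed and the module reports Up, do not attach the sfr service policy from the redirect example; with fail-close configured against a module that is still recovering, matched traffic would be dropped.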
Note: I have blogged about the process of migrating from IPS/CX to Sourcefire; click here to read more.
What Deployment methods are available for FirePOWER services?
The following deployment methods are supported:
Active/Standby
Clustering
Multi-Context
Note: Transparent and Routed modes are supported.
What are my options if I have a standalone IPS solution in place and want to move to Cisco FirePOWER?
A standalone FirePOWER Appliance is available.
A comparison of FirePOWER Appliances can be found at the following link:
FirePOWER Models Comparison
Note: Currently Cisco ASA with FirePOWER does not have the ability to perform SSL decryption (CX had this ability). Let's hope they add this capability to FirePOWER, but as it stands a secondary appliance is required to decrypt SSL traffic so that FirePOWER can inspect it granularly and provide application visibility and control.