Cisco ASA with FirePOWER Explained

What is Cisco ASA with FirePOWER?

"FirePOWER" is Cisco's latest attempt to further strengthen their Security/Firewall platform. It has been argued for some time that Cisco have rested on their laurels of the ASA platform, allowing other vendors to sweep in and take the lead in the Next Generation Firewall (NGFW) race.

Companies quickly came to the realization that visibility beyond the traditional Layer 1 through Layer 4 is imperative. The features and applications that companies leverage on the Internet have become commonplace and continue to grow as more "Cloud" based resources are adopted.

The traditional ASA brought about stateful packet inspection and the ability to implement various modules (IPS, CSC-SSM), and was the standard bearer in edge security for some time. The PIX firewall was replaced and the ASA had arrived.

In 2012 Cisco introduced their first line of NGFW: Cisco ASA with CX brought about Context Awareness. The CX functionality provided companies with Application Visibility and Control (AVC), which allowed visibility into the upper layers (i.e., the Application Layer, or L7). Administrators could now permit or deny connections based on User ID, Application, and even at the micro-application level (i.e., Facebook could be identified and blocked, but administrators now also had the ability to permit Facebook yet deny Facebook chat/email/messaging etc., and vice versa).

Fast forward to the present day, and Cisco have made an exceptional acquisition in Sourcefire. Sourcefire has been the standard bearer in IDS/IPS technology. Sourcefire is based on Snort, a free, open source network intrusion prevention system (NIPS) that performs real-time analysis of traffic, providing protocol analysis, content searching and content matching. Snort can be used to detect probing and various attacks such as OS fingerprinting attempts, buffer overflows, server message block probes, and stealth port scans.

Cisco + Sourcefire = Cisco FirePOWER

How do my customers make the transition from legacy ASA and IPS?

Cisco is providing multiple incentives and programs through bundles, pro-rating credits for unused SMARTnet subscription/s, and technology migration incentives.

What type of license subscriptions are available?

There are five (5) subscription packages to choose from. They can be purchased in 1-year and 3-year terms; AVC is a default offering and is included in SMARTnet.

URL Filtering
IPS
URL Filtering & IPS
AMP & IPS
URL Filtering, AMP, and IPS

What is the ordering structure for ASA with FirePOWER?

There are multiple structures to choose from:

New Appliance purchase or Upgrade
Security Subscriptions: One of the five license subscription packages
Management Systems: Cisco Virtual FireSIGHT Manager or FireSIGHT Appliance

What is the order of operations for packet processing?



How are ASA and FirePOWER features distributed?

The ASA will continue to process traffic, take action, and then redirect it over to FirePOWER services. I.e., the ASA will continue to perform TCP normalization and IP fragmentation handling on received packets, and the result is redirected to FirePOWER. Once FirePOWER takes action based on its configured policies, the ASA will then perform NAT, ACL, routing and VPN services. The screencap below separates the two functions into quadrants.
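The hand-off from the ASA to the FirePOWER module is configured on the ASA as a Modular Policy Framework service policy. The following is an added example, not from the original post: the access-list and class-map names are placeholders I chose for the illustration, while the `sfr fail-open` / `sfr fail-close` keywords and the `service-policy` syntax are the standard ASA CLI for the software module.

```text
! Constructed example: send matching traffic to the FirePOWER (sfr) module.
! SFR_REDIRECT and SFR_CLASS are placeholder names for this illustration.
access-list SFR_REDIRECT extended permit ip any any

class-map SFR_CLASS
 match access-list SFR_REDIRECT

policy-map global_policy
 class SFR_CLASS
  ! fail-open  : if the module is down, traffic still passes (availability over inspection)
  ! fail-close : traffic is dropped while the module is unavailable (inspection over availability)
  ! append "monitor-only" to copy traffic to the module without letting it block anything
  sfr fail-open

service-policy global_policy global
```

The security-relevant decision here is fail-open versus fail-close: fail-open keeps the business running if the module crashes or is being upgraded, but it also means that during that window nothing the IPS/AMP policy would have blocked is blocked. Verify the module is actually up and inspecting with `show module sfr details` before relying on it.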



What are the Product ID's for Cisco ASA with FirePOWER?

All current SKUs are:


Let us remember that in the case of the Cisco 5585-X model, FirePOWER comes in the form of a separate hardware module. The following is the list of SKUs for that platform:



Note: A replacement for the ASA 5505 is expected to become available in February 2015 and will offer FirePOWER services. Let's keep an eye out for that; the 5505 has gone untouched for far too long, so it is good to see it receive some attention.


How do I migrate from legacy IPS or CX?

The recommended steps an Administrator should take are:

Back up your current IPS configuration via CLI/IDM/IME/CSM, or, if running CX, via Prime Security Manager.

Shut down the IPS/CX module.

Uninstall the IPS or CX module.

Reload the ASA.

Install the FirePOWER software module.
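The five steps above, as an added example of the ASA CLI commands involved (this is not from the original post; the commands are from my knowledge of the ASA 5500-X software-module CLI of that era, and `<server>`, `<boot-image>` and `<system-package-url>` are placeholders to be replaced with the files for your release). For CX the legacy module name is `cxsc` rather than `ips`.

```text
! Constructed example: replacing a software IPS module with FirePOWER on an ASA 5500-X.
! Step 1 (backup via IDM/IME/CSM or Prime Security Manager) is done outside this session.

! Steps 2-3: shut down and remove the legacy module ("cxsc" instead of "ips" for CX)
sw-module module ips shutdown
sw-module module ips uninstall

! Step 4: reload the ASA so the module slot is freed
reload

! Step 5: stage the FirePOWER boot image on disk0: and boot the module from it
copy tftp://<server>/<boot-image>.img disk0:
sw-module module sfr recover configure image disk0:/<boot-image>.img
sw-module module sfr recover boot

! attach to the module console, set its management IP, then install the system package
session sfr console
  setup
  system install noconfirm <system-package-url>

! back on the ASA: confirm the module is Up before building the redirect policy
show module sfr details
```

Until the redirect service policy is applied the new module inspects nothing, so the window between `uninstall` and the first `sfr` class in the policy map is a period with no IPS coverage; plan it inside a maintenance window and check `show module sfr details` reports the module as up before reattaching the policy.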

Note: I have blogged about the process of migrating from IPS/CX to Sourcefire; CLICK HERE to read more.


What Deployment methods are available for FirePOWER services?

The following deployment methods are supported:

Active/Standby
Clustering
Multi-Context

Note: Transparent and Routed modes are supported.


What are my options if I have a standalone IPS solution in place and want to move to Cisco FirePOWER?

A standalone FirePOWER Appliance is available.

A comparison of FirePOWER Appliances can be found at the following link:

FirePOWER Models Comparison




Note: Currently Cisco ASA with FirePOWER does not have the ability to perform SSL decryption (CX had this ability). Let's hope they add this capability to FirePOWER, but as it stands, a secondary appliance is required in order to decrypt SSL traffic and allow for granular inspection and application visibility and control.
Comments

  1. I really appreciate the information shared above. It's of great help. If someone wants to learn online (virtual) instructor-led live training in Sourcefire Snort, kindly contact us http://www.maxmunus.com/contact
    MaxMunus offers world-class virtual instructor-led training on Sourcefire Snort. We have industry expert trainers. We provide training material and software support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us.
    Nitesh Kumar
    MaxMunus
    E-mail: nitesh@maxmunus.com
    Skype id: nitesh_maxmunus
    Ph:(+91) 8553912023
    http://www.maxmunus.com/
