March 2, 2015
Security experts often throw around the term "next generation firewall," but what does it mean exactly, and how is it different from a traditional firewall? In this post, I will touch on the difference between the two firewall approaches and how Cisco ASA with FirePOWER Services addresses the full attack continuum.
Traditional Firewall Scenario
A good way of explaining the difference between traditional and next generation firewalls is to talk about common ports used on the Internet. As you may know, web browsers speak HTTP, which by convention runs over TCP port 80 (and, when encrypted as HTTPS, over port 443). Not only is this port well known to application developers, but it is also, unfortunately, widely known to the people who write malware. Given that port 80 is almost always open outbound on your organization's firewall, what impact does this have on your security policy?
Let's take a typical use case of an end user who is browsing the Internet. We'll call this person Jay, for simplicity's sake. Jay works for your company and is looking at news websites, performing research, browsing Facebook, checking personal web email, streaming music, watching YouTube videos, and using peer-to-peer file sharing such as BitTorrent. The decision as to whether some of these activities are allowed within the walls of your company is important, because each of them could expose your organization to malware and/or legal issues. For example, Jay may be grabbing pirated content via BitTorrent. Or perhaps his desktop is running a Trojan that is stealing information and sending it out to people who could do harm to the company. Or worse, Jay's desktop could be part of a botnet (controlled by a bot herder somewhere on the Internet), which turns the machine into a zombie and forces it to take part in a denial of service attack that stops critical business activities. Jay just thinks he is harmlessly browsing the Internet, but as you can see from this use case, a lot of other things could be going on at the same time.
What's important to realize is that all of the different activities mentioned above (the legit and the not so legit) can send their traffic through the common HTTP port 80, because application and malware writers know that traffic on that port will not be blocked. Herein lies the conundrum. Firewall administrators have to choose either to block the port completely, thereby affecting legitimate business, or to keep it open and expose the business to risk. A traditional firewall makes its decision on addresses, ports and protocol alone and never looks at the application payload, so it has no way to distinguish legitimate from non-legitimate traffic riding over port 80. This is the gap that Cisco's next generation firewalls are designed to address.
Cisco’s Next Generation Firewalls
Next generation firewalls can filter specific applications inside the common ports that have to be open for normal day-to-day business (e.g., port 80). Cisco next generation firewalls inspect the traffic itself, determine which application is currently using that port, and make filtering decisions based on the identity of the application rather than the port number. This gives firewall administrators the ability to make granular access control decisions and ensure that only the applications the company approves are allowed, while non-legitimate applications (P2P file sharing, etc.) are blocked. One caveat worth planning for: when the traffic is encrypted (HTTPS on port 443), the firewall can only identify the application by decrypting the session or by inferring it from what is still visible in the clear, such as the server certificate, so an application control policy should be designed together with a decryption policy.
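To make the difference concrete, here is a small added example (not Cisco's code, and not from the original post) that contrasts the two decision models on constructed sample payloads. The traditional policy looks only at the destination port; the application-aware policy first checks the port and then identifies the application from the first bytes the client sends, using a handful of well-known protocol signatures (the HTTP request line, the BitTorrent peer-wire handshake, a TLS ClientHello, an SSH banner). The payloads, rule tables and port numbers are all assumptions made up for the example; a real engine carries far more detectors and tracks flow state, but the principle is the same.

```python
import re

# Constructed sample payloads (made up for this example, not captures from the
# page): the first bytes a client sends after connecting to TCP port 80.
HTTP_GET = (b"GET /news HTTP/1.1\r\nHost: www.example.test\r\n"
            b"User-Agent: Mozilla/5.0\r\n\r\n")
# BitTorrent peer-wire handshake: <19><"BitTorrent protocol"><8 reserved><20 info_hash><20 peer_id>
BT_HANDSHAKE = bytes([19]) + b"BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)
# TLS record header (type 0x16 handshake, version 3.1) followed by a ClientHello (type 0x01)
TLS_CLIENT_HELLO = b"\x16\x03\x01" + (64).to_bytes(2, "big") + b"\x01" + bytes(63)
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6\r\n"

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_application(payload: bytes) -> str:
    """Name the application from the first bytes of the client's payload.

    Deliberately small signature set; the point is that the decision comes
    from the payload, not from the port number the packet arrived on.
    """
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if len(payload) >= 20 and payload[0] == 19 and payload[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


# Traditional policy: a port is either open or closed; the payload is never consulted.
PORT_RULES = {80: "allow", 443: "allow"}
# Application policy (assumed for the example): on an open port, only approved apps may pass.
APP_RULES = {"http": "allow", "tls": "allow", "bittorrent": "deny"}


def port_based_decision(dst_port: int) -> str:
    return PORT_RULES.get(dst_port, "deny")


def application_aware_decision(dst_port: int, payload: bytes) -> str:
    if port_based_decision(dst_port) == "deny":
        return "deny"                       # closed ports stay closed
    app = identify_application(payload)
    # Unidentified traffic on an open port is denied here; a production policy
    # would more likely log it for review, since "unknown" is not "malicious".
    return APP_RULES.get(app, "deny")


if __name__ == "__main__":
    for name, payload in [("browser", HTTP_GET), ("bittorrent", BT_HANDSHAKE),
                          ("tls", TLS_CLIENT_HELLO), ("ssh", SSH_BANNER)]:
        print(f"{name:10s} port-based={port_based_decision(80):5s} "
              f"app-aware={application_aware_decision(80, payload)}")
```

Run as a script, the port-based column says "allow" for every payload on port 80, while the application-aware column allows the browser and TLS sessions and denies the BitTorrent handshake and the SSH banner. That is exactly the gap described above: the port is the same in all four cases, so only payload inspection can tell them apart.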
Cisco ASA with FirePOWER
Cisco's ASA 5500-X firewalls with FirePOWER Services include these next generation capabilities and much more. Most existing security approaches are siloed, complex, and don't provide the visibility needed against today's threats. Cisco ASA with FirePOWER Services gives you greater visibility and automation, with protection and response across the entire attack continuum. Cisco positions it as the industry's first adaptive, threat-focused next generation firewall: it combines the ASA firewall with Sourcefire's Next Generation Intrusion Prevention System (NGIPS) and Advanced Malware Protection (AMP).
Traditional architectures often force customers to buy multiple disparate products (firewall, IPS, web gateway, VPN gateway, malware analysis system, etc.) just to get the multilayered protection that a company needs today. These pieces often don't work well together and can be very complex to manage; trying to correlate the logs from several individual devices can be a nightmare. Cisco, on the other hand, addresses these issues with one physical appliance. The ASA with FirePOWER Services provides defense-in-depth protection and shares telemetry and threat intelligence across the entire attack continuum.
The Cisco solution also includes advanced malware protection aimed at emerging and previously unknown threats. Because these layers are integrated and share what they see, you are better able to spot and stop complex and emerging threats that other solutions miss. FireSIGHT correlates each intrusion event with what it has learned about the target host (operating system, services, known vulnerabilities) to produce an impact assessment, expressed as an impact level. Level 1 means the event is aimed at a host that is known to be vulnerable to that attack; higher levels mean the host is only potentially vulnerable, is not vulnerable, or is unknown to the system. A security engineer can therefore work the queue by impact level and start with the level 1 events, which are the ones most likely to pose a real risk to the business, instead of treating every alert as equally urgent.
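The following added example (written for this post, not Cisco's code) shows the correlation idea in miniature: an intrusion event is scored against a passively built host inventory, so the same IPS rule firing against a vulnerable Windows host, a Linux web server, or an unknown address gets a different impact level. The host profiles, events and "VULN-n" tags are constructed placeholders, and the four-level scale is a simplification assumed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """What the sensor has learned passively about a host on the network."""
    ip: str
    os: str
    services: dict = field(default_factory=dict)   # port -> service name
    exposures: set = field(default_factory=set)    # vulnerability tags the host is known to have


@dataclass
class IntrusionEvent:
    """An IPS alert plus the rule's own metadata about what it targets."""
    dst_ip: str
    dst_port: int
    rule: str
    target_os: frozenset      # operating systems the attack applies to
    target_service: str
    vuln_tag: str             # vulnerability the rule detects an attempt against


def impact_level(event: IntrusionEvent, inventory: dict) -> int:
    """Correlate an event with the host it hit. 1 is the highest priority."""
    host = inventory.get(event.dst_ip)
    if host is None:
        return 4   # unknown target: nothing is known about this host
    if event.vuln_tag in host.exposures:
        return 1   # vulnerable: the host is known to have exactly this exposure
    if host.os in event.target_os or host.services.get(event.dst_port) == event.target_service:
        return 2   # potentially vulnerable: the OS or service matches the attack's target
    return 3       # not vulnerable: the attack does not apply to this host at all


def triage(events, inventory):
    """Return (impact, rule, dst_ip) tuples sorted so impact-1 events come first."""
    return sorted((impact_level(e, inventory), e.rule, e.dst_ip) for e in events)


# Constructed inventory and events; "VULN-n" are placeholder vulnerability tags.
INVENTORY = {
    "10.0.0.5": HostProfile("10.0.0.5", "windows", {445: "smb"}, {"VULN-1"}),
    "10.0.0.7": HostProfile("10.0.0.7", "linux", {80: "http"}, set()),
}
EVENTS = [
    IntrusionEvent("10.0.0.5", 445, "smb-exploit-attempt", frozenset({"windows"}), "smb", "VULN-1"),
    IntrusionEvent("10.0.0.7", 80, "iis-exploit-attempt", frozenset({"windows"}), "iis", "VULN-2"),
    IntrusionEvent("10.0.0.9", 22, "ssh-bruteforce", frozenset({"linux"}), "ssh", "VULN-3"),
    IntrusionEvent("10.0.0.7", 80, "http-overflow-attempt", frozenset({"linux"}), "http", "VULN-4"),
]

if __name__ == "__main__":
    for level, rule, ip in triage(EVENTS, INVENTORY):
        print(f"impact {level}: {rule} -> {ip}")
```

The Windows-only IIS exploit aimed at the Linux web server lands at level 3 and can wait; the SMB attempt against the host known to carry that exposure is level 1 and goes to the top of the queue. Note that level 4 (unknown target) is not "safe": it means the inventory has a blind spot that itself deserves a look.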
Traditional Security Solutions
Traditional security solutions are typically hampered by a lack of complete visibility into the network they protect. What sets Cisco ASA with FirePOWER Services apart is the FireSIGHT Management Center. From the FireSIGHT Management Center, a customer can see the complete picture, including client applications, operating systems, mobile devices, virtual machines, and so on.
The majority of security solutions only provide protection at the point of entry into the network from the Internet. They scan a potentially malicious file once, as it comes into the network, to decide whether it is a threat. However, today's advanced attacks don't occur at a single point in time; they use techniques such as encrypted traffic, sleep timers, and sandbox evasion to avoid being detected at that moment. As a result, once a malicious file gets past the initial point of entry, it can go completely undetected by point-in-time solutions. Security solutions need to provide protection before an attack happens, during the time the attack is in progress, and after it begins to wreak havoc within the network. Cisco ASA with FirePOWER Services continues to track and act on a file even after it has passed the perimeter edge.
Key Differentiators for Cisco ASA with FirePOWER services
The key differentiator of Cisco ASA with FirePOWER Services is how it handles threats before, during, and after an attack. Cisco's solution allows security engineers to apply retrospective security, thereby minimizing the impact of an attack. The fact is that no security solution in the world can guarantee it will stop every attack; what makes a security solution complete is how it handles the situation after an attack has happened. Cisco's ASA with FirePOWER Services can identify the point of entry, show the scope of what the file has touched, help contain it so it can no longer spread, and support remediation. This type of visibility is extremely powerful: it does not make an organization invulnerable, but it shortens the time between compromise and response, which lets an organization's IT department sleep a little better at night.
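The point-in-time versus retrospective contrast of the last two sections, as an added example that is not part of the original post and not Cisco's implementation: a constructed file-trajectory log records every time a file crossed the sensor or moved between hosts. A point-in-time scanner can only block an event with the verdict it holds at that moment, so a file that is convicted later has already spread. A retrospective query over the same log then answers the questions raised above: where the file entered, which hosts touched it, and how many events slipped through before the verdict changed. The hashes, hosts, times and the conviction time are all made up for the example.

```python
import hashlib

# Constructed identifiers for two files (the hashes are of made-up contents).
FILE_A = hashlib.sha256(b"constructed sample file A").hexdigest()
FILE_B = hashlib.sha256(b"constructed sample file B").hexdigest()

# Constructed file-trajectory log: every time a file was seen crossing the
# sensor or moving between hosts. Fields: (time, host, sha256, action).
TRAJECTORY = [
    (100, "10.0.0.5", FILE_A, "download"),   # Jay's desktop fetches it over port 80
    (130, "10.0.0.5", FILE_B, "download"),
    (200, "10.0.0.6", FILE_A, "copy"),       # it moves to a file server
    (260, "10.0.0.8", FILE_A, "execute"),    # and is run on a third host
]


def disposition_at(convictions: dict, sha256: str, t: int) -> str:
    """What the sensor knew about a file at time t (convictions: sha256 -> time)."""
    convicted_at = convictions.get(sha256)
    if convicted_at is not None and t >= convicted_at:
        return "malicious"
    return "unknown"


def point_in_time_decisions(trajectory, convictions):
    """A point-in-time scanner only blocks what it knows at the moment of the event."""
    return [(t, host, "block" if disposition_at(convictions, sha, t) == "malicious" else "allow")
            for t, host, sha, _action in trajectory]


def retrospective_scope(trajectory, sha256: str, convicted_at: int) -> dict:
    """Once a file is convicted, look back over the trajectory: where did it
    enter, which hosts touched it, and how many events were allowed before the
    verdict changed."""
    seen = [e for e in trajectory if e[2] == sha256]
    if not seen:
        return {"entry_point": None, "hosts": [], "missed_events": 0}
    entry = min(seen, key=lambda e: e[0])
    return {
        "entry_point": (entry[0], entry[1]),
        "hosts": sorted({e[1] for e in seen}),
        "missed_events": sum(1 for e in seen if e[0] < convicted_at),
    }


if __name__ == "__main__":
    # Threat intelligence convicts FILE_A at t=250, after it has already spread.
    convictions = {FILE_A: 250}
    for t, host, verdict in point_in_time_decisions(TRAJECTORY, convictions):
        print(f"t={t:3d} {host} {verdict}")
    print(retrospective_scope(TRAJECTORY, FILE_A, 250))
```

With the conviction arriving at t=250, the point-in-time view blocks only the execution at t=260; the download and the copy were allowed because nothing was known about the file then. The retrospective query is what turns that late verdict into action: it names the entry host, lists the three hosts that hold the file, and counts the two events that got through, which is the list a responder needs in order to contain and clean up.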
Like what you read?
Contact us today to discuss Cisco ASA.
Mindsight, a Chicago IT consultancy and services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We’ve always prided ourselves in delivering the full spectrum of IT services and solutions, from design and implementation to support and management. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for a local business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
For Further Reading
Quick Overview of Cisco’s New Advanced Malware Protection for Endpoints