Threat defense: Cisco ASA firewall with FirePOWER services

(Part 1: Introduction)

Cisco introduced its ASA firewall (adaptive security appliance) in May 2005 as a multifunction firewall and intrusion-prevention device. In the decade since then, Cisco ASA has become the go-to solution for small business network security.

This is the first of three articles that will cover the Cisco ASA Next-Generation firewall platforms and Cisco FirePOWER services. Today I will present a somewhat technical overview of the system, similar to the discussions I have with CIOs and IT directors. The second post will cover the deployment of Cisco FirePOWER and FireSIGHT on the network. In the final post I will review everything after we take it for a test drive.

Cisco ASA

So let’s get started.

Cisco ASA Firewall Hardware Upgrades

All interfaces on the Cisco ASA “X-Series” firewalls are now Gigabit Ethernet (vs. Fast Ethernet connections on legacy ASAs). The ASA X-Series next-gen firewalls now run on solid state drives (I probably have the attention of all the storage geeks now). So the storage components will perform better, last longer, have a lower error rate, generate less heat, and in general outperform earlier-generation components. More RAM is part of the product improvement as well—anywhere from 4 GB on the 5512-X all the way up to a whopping 48 GB of RAM in the 5585-Xs.

It’s important to understand when sizing one of these new puppies that the IPS (intrusion prevention system) services will typically cut the total throughput of the firewall in half (~50% to 75%). Also keep in mind the necessary resources if you plan on running Advanced Malware Protection and/or any URL filtering.

Cisco ASA Firewall Software Platform

And with newly upgraded hardware, you’d better believe that the software is upgraded as well. The new ASA X-Series devices must run ASA software version 9.2.2 or later in order to run FirePOWER services. When planning a migration from legacy ASAs to newer Cisco ASA X-Series firewalls, take the time to properly stage the code upgrades on each device. (Quite a bit has changed since the 8.2 and below days, BTW.) This will not only reduce time and effort, but will help to ensure a smoother cut-over once the time comes.
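One way to build that staging list before a migration, as an added example that is not code from the original post or from Cisco: the script below takes a batch of `show version` outputs, parses the release number, and flags every device that is still below the 9.2.2 minimum the post gives. The hostnames and the `show version` excerpts are constructed sample data; the only format assumed is the ASA's own `major.minor(maintenance)interim` release notation (for example `9.2(2)4`), with the dotted `9.2.2` form accepted as well. The point worth noticing is that the release numbers are compared as integer tuples, because comparing them as strings sorts `9.10(1)` below `9.2(2)` and would wrongly send a current device to the upgrade list.

```python
import re
from typing import Dict, List, Tuple

# Minimum ASA software release for FirePOWER services, as stated in the post
# (written there as 9.2.2; the ASA itself prints releases as 9.2(2)).
MIN_FIREPOWER_VERSION = "9.2(2)"

# Matches a release token in either the ASA's own "9.2(2)4" form or the dotted
# "9.2.2" form: major.minor, then maintenance in parentheses or after a dot,
# then an optional interim number.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)\)?(?:\.?(\d+))?")


def parse_asa_version(text: str) -> Tuple[int, ...]:
    """Return (major, minor, maintenance, interim) as integers.

    Integer tuples compare correctly; raw strings do not, since "9.10(1)"
    sorts before "9.2(2)" lexically.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA release number found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def software_version_line(show_version_output: str) -> str:
    """Pick the 'Software Version' line out of `show version` output,
    ignoring other version lines such as the Device Manager one."""
    for line in show_version_output.splitlines():
        if "Software Version" in line:
            return line
    raise ValueError("no 'Software Version' line in show version output")


def firepower_upgrade_plan(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Map each hostname to True if it must be upgraded before FirePOWER
    services can run on it."""
    minimum = parse_asa_version(MIN_FIREPOWER_VERSION)
    return {
        host: parse_asa_version(software_version_line(out)) < minimum
        for host, out in outputs.items()
    }


def devices_needing_upgrade(outputs: Dict[str, str]) -> List[str]:
    """Sorted hostnames that are below the FirePOWER minimum release."""
    return sorted(h for h, needs in firepower_upgrade_plan(outputs).items() if needs)


# Constructed sample `show version` excerpts for four hypothetical devices;
# not captured from real hardware.
SHOW_VERSION_SAMPLES = {
    "asa-branch-1": (
        "Cisco Adaptive Security Appliance Software Version 8.2(5)\n"
        "Device Manager Version 6.4(5)\n"
    ),
    "asa-branch-2": "Cisco Adaptive Security Appliance Software Version 9.1(7)23\n",
    "asa-hq-1": "Cisco Adaptive Security Appliance Software Version 9.2(2)4\n",
    "asa-hq-2": "Cisco Adaptive Security Appliance Software Version 9.10(1)\n",
}

if __name__ == "__main__":
    for host, needs in firepower_upgrade_plan(SHOW_VERSION_SAMPLES).items():
        print(f"{host}: {'UPGRADE before enabling FirePOWER' if needs else 'ok'}")
```

In practice you would feed the dictionary from the saved `show version` output of each firewall; the check itself does not need to touch the devices, which keeps it safe to run during planning.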

Check out the full hardware specs and data sheet.

Cisco FirePOWER and FireSIGHT

Cisco has earned quite a bit of buzz ever since it acquired Sourcefire in the middle of 2013. Cisco has since pumped all of the Sourcefire juices into the Cisco ASA firewalls, and voila, you have yourself one of the best next-gen firewalls on the block. And if you haven’t noticed Cisco’s new buzzword, let me introduce you to AVC.

Application Visibility and Control lets you see which traffic actually belongs to which application. AVC helps answer the timeless question (and, in my opinion, the most important question out there), “What the heck does all this data mean?!?” With its widgets-a-plenty, you can tailor the FireSIGHT management console to display the most pertinent data about your network at any time. The FireSIGHT management system is deployed from a VMware template file in your virtual environment (no Hyper-V support just yet). The FirePOWER services consist of IPS, AMP (advanced malware protection), and URL filtering. All licensed services (IPS/AMP/URL) can be purchased individually or in any combination of the three feature sets (in one-, three-, or five-year subscriptions).

Here is the FirePOWER data sheet.

Cisco ASA Licensing Info

As with the base model ASA 5505, the 5512-X comes in two flavors: the Base license and the Security Plus license (ASA5512-SEC-PL). Adding Security Plus licensing enables or upgrades quite a few security features on the device, including HA (high availability), load balancing, multiple security contexts, additional VLANs, and 250 SSL VPN peers.

The ASA 5512-X is the only device that comes with two licensing options that really “enable” software features. All of the other Cisco ASAs from the 5515-Xs and up can do HA, load balancing, and other features right out of the box without additional licensing.

AnyConnect SSL licensing is just about the same on the new-model Cisco ASAs. The AnyConnect Essentials and Premium licenses are still intact. One main difference now is the number of VPN peers (250 on the 5512/5515-Xs, up to 5,000 on the 5555-Xs). Same as before, AnyConnect Premium licensing is still required to run clientless SSL VPN setups.

More details are available on the complete Cisco ASA licensing breakdown.

Labs and Demos

Cisco has done a great job of bringing some of the most difficult-to-acquire lab gear to you in a simple, clean, reliable demo environment that you can set up in no time. In the past, one of the biggest hassles with the old Cisco IPS setups was getting your hands on the hardware and licensing needed to set up a test lab.

That brings me to the Cisco dCloud environment. The best part about Cisco dCloud is that it is free with your Cisco CCO ID. Log in and about 15 minutes later you’ll have your very own Cisco ASA with FirePOWER services to play with. The labs aren’t limited to only ASA and FirePOWER resources. There are plenty of wireless, collaboration, and other data center products to sink your teeth into.

Check out Cisco dCloud.
