The Cisco Firepower System is a collection of network security products and devices to manage traffic, where these products could be deployed either as hardware or software solutions.
In terms of deployment, one could have multiple devices for traffic-sensing purpose ( These are referred as managed devices) installed in network. These managed devices monitor network traffic for analysis purpose and later report to a managing device (This is referred as Firepower Management Center. Note- earlier it was known as Defense Center).
Another alternative deployment is inline mode deployment, where device is deployed in the band to traffic flow and can affect the flow of traffic.
The Firepower Management Center (FMC) gives you a centralized console to manage the devices from GUI. Using FMC you can perform administrative, management, analysis, and reporting tasks for multiple devices from single console.
One thing what you need to understand is that most of the managed devices what you deploy in the network do not have a Firepower System web interface, so you would have to use FMC to manage them. Though you can use a CLI to perform initial setup for managed devices. again once the managed devices are up and running, you can get back to FMC GUI to manage them.
However also make a note that, 7000 and 8000 Series devices( also referred as Series 3 Appliances) have a limited web interface that you can use to perform initial setup and basic analysis and configuration tasks.
Deployment Options for Managed Devices
As mentioned in the earlier section of this post the managed devices deployed in the network monitors traffic for analysis purpose.
You can use your FMC/ Defense Center as a central management point to manage Sourcefire-branded managed devices, including virtual devices and Sourcefire Software for X-Series platforms.
Part A - (Passively deployed)
When the managed device is deployed passively which means not inline to traffic flow. here the managed devices gather many useful information using FireSIGHT™ where FireSIGHT is Sourcefire’s discovery and awareness technology that collects information about hosts, operating systems, applications, users, files, networks, geo-location information, and vulnerabilities, and with this comes the capability of visibility to what is happening in your network.
You can use the FMC/Defense Center’s web interface to view and analyze data collected by FireSIGHT. Also understand that data gathered by FireSIGHT could be used for editing access control and modify intrusion rule states.
Apart from this, one can generate and track indications of compromise(IoC`s) on hosts available in your network. This is done by FMC/DC based on correlated event data for the hosts available.
Part B - (In-Line Deployed)
When a managed device is deployed inline, the Firepower system can affect the flow of traffic with the help of access control.
Access-Control allows you to define access policy, in a precise manner on how to handle the traffic either entering (based on Source or From), exiting (based on destination or TO), and traversing (Through traffic) your network. The data that is collect about the network traffic could be used to filter and control that traffic based on following -
-
easily identify OSI L3/L4 characteristics: source/destination IP, port, protocol
-
Context-Aware Information about network traffic - like reputation value, risk, business relevance, application used, clients used, website or URL visited
-
Identifying the Users related to a particular traffic or connection from Microsoft AD and LDAP Authentications
-
checking Characteristics of encrypted traffic by decrypting it to see if traffic contains
a prohibited file, detected malware, or intrusion event
You need to understand that Series 3 appliances that is 7000 and 8000 Series devices come with Network management features like NAT, Routing, switching, VPN support. Also these appliances support configuration for bypass interfaces, aggregated interfaces, fast-path rules, and strict TCP enforcement.
Overview of Managed Devices
Well in this section a small walk through the different devices that you would be managing using the FirePOWER Management Center/ Defense Center.
As mentioned in the earlier section of this post the managed devices deployed in the network monitors traffic for analysis purpose.
You can use your FMC/ Defense Center as a central management point to manage Sourcefire-branded managed devices, including virtual devices and Sourcefire Software for X-Series platforms.
Part A - (Passively deployed)
When the managed device is deployed passively which means not inline to traffic flow. here the managed devices gather many useful information using FireSIGHT™ where FireSIGHT is Sourcefire’s discovery and awareness technology that collects information about hosts, operating systems, applications, users, files, networks, geo-location information, and vulnerabilities, and with this comes the capability of visibility to what is happening in your network.
You can use the FMC/Defense Center’s web interface to view and analyze data collected by FireSIGHT. Also understand that data gathered by FireSIGHT could be used for editing access control and modify intrusion rule states.
Apart from this, one can generate and track indications of compromise(IoC`s) on hosts available in your network. This is done by FMC/DC based on correlated event data for the hosts available.
Part B - (In-Line Deployed)
When a managed device is deployed inline, the Firepower system can affect the flow of traffic with the help of access control.
Access-Control allows you to define access policy, in a precise manner on how to handle the traffic either entering (based on Source or From), exiting (based on destination or TO), and traversing (Through traffic) your network. The data that is collect about the network traffic could be used to filter and control that traffic based on following -
- easily identify OSI L3/L4 characteristics: source/destination IP, port, protocol
- Context-Aware Information about network traffic - like reputation value, risk, business relevance, application used, clients used, website or URL visited
- Identifying the Users related to a particular traffic or connection from Microsoft AD and LDAP Authentications
- checking Characteristics of encrypted traffic by decrypting it to see if traffic containsa prohibited file, detected malware, or intrusion event
You need to understand that Series 3 appliances that is 7000 and 8000 Series devices come with Network management features like NAT, Routing, switching, VPN support. Also these appliances support configuration for bypass interfaces, aggregated interfaces, fast-path rules, and strict TCP enforcement.
Overview of Managed Devices
Well in this section a small walk through the different devices that you would be managing using the FirePOWER Management Center/ Defense Center.
A) 7000 and 8000 Series Managed Devices
Cisco Firepower 7000 and 8000 Series appliances are physical devices. Different models of 7000 and 8000 Series devices are available with different range of throughput. Series 7000 and 8000 products come with more or less same capabilities. In general, 8000 Series devices are more powerful in terms of performance compare to 7000 Series; Also 8000 Series Appliances support additional features such as fast-path rules, link aggregation, and stacking.
Cisco Firepower 7000 and 8000 Series appliances are physical devices. Different models of 7000 and 8000 Series devices are available with different range of throughput. Series 7000 and 8000 products come with more or less same capabilities. In general, 8000 Series devices are more powerful in terms of performance compare to 7000 Series; Also 8000 Series Appliances support additional features such as fast-path rules, link aggregation, and stacking.
B) NGIPSv
NGIPSv is the Virtual appliance, specifically a 64-bit virtual device which can be deployed as an ESXi host) using the VMware vSphere Hypervisor or vCloud Director environment.
NGIPSv is the Virtual appliance, specifically a 64-bit virtual device which can be deployed as an ESXi host) using the VMware vSphere Hypervisor or vCloud Director environment.
C) Cisco ASA with FirePOWER Services
Cisco ASA with FirePOWER Services functions similarly to NGIPSv but here the FirePOWER services are not running in VM environment, rather runs on top of ASA.
In an ASA with FirePOWER services deployment, the packets are first inspected by ASA software which provides the first-line system policy and then passes traffic to the Firepower Software which is also running on the same ASA box for discovery and access control purpose.
Once again in this type of managed device, you must understand that regardless of the licenses installed and applied, ASA with FirePOWER Service running on top of it does not support any of the following Firepower features mentioned below:
- Like mentioned in case of NGIPSv, ASA with FirePOWER Services does not support ant hardware-enabled feature like- device high availability, stacking, switching, routing, VPN, NAT, and so on. However, the ASA platform does provide these features as a part of ASA software. So key point is that these features are available on ASA running FirePOWER service on top of it, but the features are not a part of FirePOWER software.
- FMC GUI cannot be used to configure ASA FirePOWER interfaces.
- FMC cannot be used to shut down, restart, or otherwise manage ASA FirePOWER processes.
So in short we got to focus on these 3 options under managed device which includes -
A) Firepower Series 3 appliances
B) Virtual NGIPS / NGIPSv
C) ASA with FirePOWER Services.
Now lets try to summarize the feature/ capability supported by these different device-
1) Supported By Series 3 appliances (7000 & 8000 Series Appliances) -
Device Stacking(8140,8200,8300 Models), High Availability, switching, routing, NAT, routed aggregate Interfaces,VPN, Firepower system GUI with limited capability, Link aggregation, CLI, External Authentication support, Strict TCP enforcement, fast-path rule feature which is supported only by 8000 series appliance.
2) Supported by NGIPSv and ASA with FirePOWER Services -
Here very first any feature which is hardware enabled or hardware based is not supported by NIPSv and ASA FirePOWER. Though while comparing ASA with FirePOWER services features with NGIPSv features - restricted CLI Access is supported on both , but ASA FirePOWEr gives capability to connect with eStreamer (Event streamer) Client which is not possible in NGIPSv. In this case Firepower device acts as Server and a custom developed client application can connect and stream the events related data from Firepower.
Cisco ASA with FirePOWER Services functions similarly to NGIPSv but here the FirePOWER services are not running in VM environment, rather runs on top of ASA.
In an ASA with FirePOWER services deployment, the packets are first inspected by ASA software which provides the first-line system policy and then passes traffic to the Firepower Software which is also running on the same ASA box for discovery and access control purpose.
Once again in this type of managed device, you must understand that regardless of the licenses installed and applied, ASA with FirePOWER Service running on top of it does not support any of the following Firepower features mentioned below:
In an ASA with FirePOWER services deployment, the packets are first inspected by ASA software which provides the first-line system policy and then passes traffic to the Firepower Software which is also running on the same ASA box for discovery and access control purpose.
Once again in this type of managed device, you must understand that regardless of the licenses installed and applied, ASA with FirePOWER Service running on top of it does not support any of the following Firepower features mentioned below:
- Like mentioned in case of NGIPSv, ASA with FirePOWER Services does not support ant hardware-enabled feature like- device high availability, stacking, switching, routing, VPN, NAT, and so on. However, the ASA platform does provide these features as a part of ASA software. So key point is that these features are available on ASA running FirePOWER service on top of it, but the features are not a part of FirePOWER software.
- FMC GUI cannot be used to configure ASA FirePOWER interfaces.
- FMC cannot be used to shut down, restart, or otherwise manage ASA FirePOWER processes.
So in short we got to focus on these 3 options under managed device which includes -
A) Firepower Series 3 appliances
B) Virtual NGIPS / NGIPSv
C) ASA with FirePOWER Services.
Now lets try to summarize the feature/ capability supported by these different device-
1) Supported By Series 3 appliances (7000 & 8000 Series Appliances) -
Device Stacking(8140,8200,8300 Models), High Availability, switching, routing, NAT, routed aggregate Interfaces,VPN, Firepower system GUI with limited capability, Link aggregation, CLI, External Authentication support, Strict TCP enforcement, fast-path rule feature which is supported only by 8000 series appliance.
2) Supported by NGIPSv and ASA with FirePOWER Services -
Here very first any feature which is hardware enabled or hardware based is not supported by NIPSv and ASA FirePOWER. Though while comparing ASA with FirePOWER services features with NGIPSv features - restricted CLI Access is supported on both , but ASA FirePOWEr gives capability to connect with eStreamer (Event streamer) Client which is not possible in NGIPSv. In this case Firepower device acts as Server and a custom developed client application can connect and stream the events related data from Firepower.
