Enable Digital Business with the Industry’s First Fully Integrated, Threat-Focused NGFW
Today’s world is undergoing digital disruption that will spark more connectivity than ever before, as consumers, businesses and governments leverage digitization to drive innovation forward. Yet, the more connected we become, the more opportunities we create for cybercriminals. In order for enterprises to operate effectively in today’s environment, they have to focus their security efforts on stopping advanced threats in the current dynamic threat landscape.
IT teams have been asked to manage security using a patchwork of siloed point products, starting with legacy next-generation firewalls (NGFW), which were created with a focus on application and bolted on best effort threat protection. As such, these legacy NGFWs are unable to provide an enterprise with the contextual information, automation, and prioritization that they need to handle today’s modern threats. Operators are thus unable to realize the promise of platform consolidation and complexity reduction with legacy NGFWs. Additionally, they are forced to deploy dedicated threat platforms or to take telemetry from the legacy NGFWs and push it into other systems for contextualization and non-real time analysis. This “franken-structure” approach to security, with disparate technology silos tied to a multitude of different consoles places undue pressure on budgets, propagates complexity, and ultimately leaves organizations vulnerable to attacks.
To address these challenges, today we unveil the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), the industry’s first fully integrated, threat-focused Next-Generation Firewall.
Cisco Firepower NGFW is built from the ground up to keep organizations safer. Firepower NGFW also keeps the cost and complexity that legacy NGFWs create in check by delivering fully integrated security – with a single interface to ease the management burden. We do not add to the number of appliances or consoles in the already sprawling security technology “stack” companies typically manage.
For starters, Firepower appliances are optimized for performance, deliver class-leading throughput of up to 80 Gbps in only one rack unit, delivering density not found in legacy NGFWs. Performance is vital for a truly threat-focused NGFW, and Firepower performance makes it suitable for the network edge and other high-performance environments.
Today’s dynamic threat landscape means the NGFW must evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate responses to modern threats in real-time. Firepower NGFW is unique in its threat-focus, with a foundation of comprehensive network visibility, best-of-breed threat intelligence and highly-effective threat prevention to address both known and unknown threats. Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can “go back in time” to quickly find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in time-to-detection (TTD) for Cisco customers compared to industry averages.
Cisco built Firepower NGFW upon the bedrock of the 
industry’s leading threat platform which we acquired via the Sourcefire acquisition in late 2013. We seamlessly combined that with best of the ASA firewall, the most battle-tested firewall the world has seen, delivering a single unified image and management console. The Firepower NGFW provides the best of breed industry leading stateful firewall with the best of breed threat capabilities such as next-generation intrusion prevention and Advanced Malware Protection, URL filtering, application control and even Radware DefensePro DDoS Protection. All of this is tied together with unified visibility and policy management in the Firepower Management Center that provides threat focused workflows and automation not seen in legacy NGFWs where advance threat protection is a bolt on.
Our approach doesn’t stop there. We address customers’ challenges with advanced threat protection that extends from the network out to the endpoints. And we have seamlessly integrated AMP for Endpoint, AMP Threat Grid, and Cisco Identity Services Engine (ISE) with the platform. This enables Cisco to extend the power and visibility of the Firepower NGFW across the network and directly to the endpoint. AMP for Endpoint is an industry leading next-generation endpoint security technology for protecting the endpoint against advanced malware that can feed its observations directly to Firepower NGFW. Likewise, ISE can provide its context directly to Firepower NGFW and Firepower NGFW can instruct ISE to automatically take action on the network on its behalf. A threat-centric NGFW must be more than yet another bump in the wire. It must be able to extend its visibility and control across the distributed network and endpoints, Modern threats are sophisticated and will easily defeat point in time bolted on threat protection.
Another crucial point when thinking about threats is that products are only as good as the threat research and intelligence behind them. Cisco Talos, the world’s leading threat research and intelligence team, powers the detections in Firepower and the rest of our security portfolio. The value of Talos is reflected in our leading security effectiveness scores in third party testing. Our NGFW, NGIPS and AMP lead their respective NSS Labs tests, proving that we stop more threats than any other corresponding security platform.
So let’s not lose sight of the value of a threat-focused NGFW – It stops more threats with the industry’s most effective threat protection so organizations stay safer. When we couple this with full integration and robust management, security can become an enabler for businesses to confidently take full and secure advantage of opportunities presented by the digital age.
In coming posts, we’ll examine how Firepower NGFW is fully integrated to cut cost and complexity while it enables greater focus and insight with robust management.
For more information on our new Firepower NGFW, watch our launch webcast or visit Cisco.com/go/ngfw or watch the latest techwise-tv episode:
Times are changing fast when “Next Generation” is already legacy … 😉
Looking forward to see this integrated approach to firewalling.
Good news and great enhancement.but is think there is some different approach in FP 4100/9300. it seems that there is new FW technology integrated in FP (Firepower Threat Defense Image) that is different from what we see as ASA(FW)+NGFW/NGIPS(Firepower service).is there still FP service that do NGFW/NGIPS and ASA as stateful firewall?
Yes, great question, and the good news is we provide superior investment protection. If you have invested in and/or prefer the ASA and Firepower Services you can continue to use that model as we will continue to add new features and capabilities to both the ASA and Firepower code base as well as their respective management consoles. If however you want to have a single image with a single unified management console, then FTD as you mention is what we would recommend.
Scott, where does Lancope fit in? When will it be a part of this threat solution?
I’m looking for a complete solution to detecting threats, tracing where they went (Lancope is great for this!), alerting support team, and most of all, acting on this threat. What I’m seeing from this new firewall is great as long as the threat is known. Talos and all the threat databases are great for keeping up with the latest signatures but I’m very interested in seeing the Lancope solution (or something similar) be able to tell the FW to actively shutdown a possible new threat. To me,…that is the ultimate goal here.
Hi Paul, Great points, Firepower NGFW has several ways of dealing with unknown threats. The best example is a technology called AMP (Advanced Malware Protection). We take the industries most comprehensive approach to dealing with advanced malware using AMP and are best in class in dealing with advanced malware as a result. We do this several ways: 1) by blocking as many malicious files as possible as they transit into the network via signature and signature-less methods 2) Recognizing that some small percentage of malicious files will elude this initial point in time detection. Therefore we track and record the trajectory of every file as it ingresses into the network to enable rapid understanding of the scope of any event if later the disposition of this file changes from good or unknown to bad based on its behavior anywhere in the world or based on our own extensive threat research 3) by watching the file’s behavior on the endpoint itself and correlating this with everything we have seen via the Firepower NGFW to quickly spot any malicious activity.
On your question regarding Firepower NGFW (or something similar) integration with Lancope, we are of committed to providing simpler security by reducing complexity via integration across our portfolio and with the industry’s overall ecosystem of security providers. You can see shipping examples of this commitment in the integration that we have already been done with Lancope and our ISE (Identity Services Engine) platform. This integration allows Lancope to tell the network (via ISE) to quarantine a user and allows ISE to share all of its context about users with Lancope. ISE also integrates with our Firepower NGFW enabling similar use cases. This ability to automate and share rich context across systems is critical for security systems that need to operate in real time and it can help automate as much of the threat workflow as possible.
Do we still need Firepower Management Center to manager 4100 Series NGFW?
Hi, Yes, Firepower Management Center (FMC) is the management console for the Firepower Threat Defense (FTD) image that is supported on the new Firepower 4100 series as well as the Firepower 9300. You can also choose to load the ASA code base on these platforms and manage the platforms via CLI or ASA management tools.
What is the difference between ASA with FirePOWER Services and Firepower 4100/9300? Does the Firepower 4100/9300 support both CLI and GUI, or just GUI?
Does Firepower 4100/9300 have the same functionality as ASA with Firepower Services, just different box? Can these products tie into ISE for threat detection?
Hi Joseph,
Many thanks for the questions!
ASA with FirePOWER services utilized two images and two management planes matching the organizational set up of many of our customers who maintain separate network operations and security operations group. With the new Firepower NGFW we have converged this into a single image (Firepower Threat Defense (FTD)) and a single manager (Firepower Management Center (FMC)). To provide maximum flexibility for our customers we allow you to load either the ASA or FTD image on the 4100 or 9300. The ASA image supports CLI or GUI while the FTD image requires a GUI based management console (i.e., Firepower Management Center).
Firepower NGFW 4100/9300 integrate with ISE in several ways. Firepower NGFW can derive context from ISE which helps tremendously in threat detection and policy creation and use ISE to enforce remediation across the extended network which helps in threat response. Here is a recent link on the response side:
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-735770.pdf
Hi, and it will be possible to run Firepower Threat Defense (FTD) per example on an ASA 5545-x With Firepower services, in stead of two images ?
Yes, we have tried to provide investment protection as broadly as possible and as such the ASA5545-X can be upgraded to FTD. Please work with your local account team or partner on the process.
even with url filtering and firepower services , is there still a requirement for a separate web proxy on the network?
It really depends on your network and design goals. A good example is that proxies typically offer deeper inspection of web content. Proxies look at every object of a web page (CNN typically has a 50+ objects per page) vs URL filtering which is done at the URL level. There are also sometimes regulatory compliance or corporate policy controls which are better done via a proxy due to the granularity of control it can provide.
That said, if you are going to move away from a proxy, I would strongly recommend using the extra budget dollars to provide better off-net protection with a technology like OpenDNS. It is all ports and all protocols (same as a NGFW), easy to deploy, and adds an extra layer of security over and above NGFWs even protecting users when they are off network.
we are using asa 5525-x with firepower services which we purchased last year, is there an upgrade process or would we have to purchase the new solution separately?
Yes there is a process to upgrade your existing 5525-X to FTD. Please work with your local account team or partner on this.
thank Scott for valuable info.i was digging in to the new FP 4100/9300 and find some good info on the Cisco live 2016 (Berlin).the sessions docs are BRKSEC-3010 , BRKSEC-2050.the good news is FTD image (Unified image) can run also on lower end ASA 5500-X but not ASA 5585-X.for me after 12 years deploy/manage of PIX/ASA it is hard to move on to new FTD that is differ from ASA (for example it seems the FTD is zone based FW while ASA not).in those years i become master of the ASA (with good docs from cisco/cisco live) and with FTD there is new learning curve to become master of the new technology .personally i think the future is FTD and Cisco will eventually EOL the ASA after they can back-port the ASA features like routing/vxlan/HA/clustering/vpn and too many well developed features.at the end i am really happy to see the Cisco back to the game and is really committed to security as they promised.
I am interested to see if Cisco plan to move away from the ASA with bolt on modules etc. For one, I would like to see the architecture behind the 4100, what does the flow look like etc.
I am wondering if there are any slides from Cisco Live Berlin, I will check but it would be nice to see single pass architecture as that is always brought up when it comes to ASA as it is today.
9300 debut last year at Live and now the 4100, the 4100 looks to be a contender for replacing the 5585X line as it gives us that 10-30GB of AVC+IPS
We want to buy a fire appliance, and we have been thinking of buying asa 5512-x, when we buy this device do we need to buy extra modules for it to work ? or its just a matter of paying for the license to make some features to work?
What does this mean for CSM management of ASA rulesets with FTD image?
Firepower management console (FMC) is the management center for FTD. We have taken the best of CSM and converged it with FMC.
hi,
Please share the few details about the hardware architecture of 4100 NGFW . Is it based on x86 architecture or different ?
Cisco competition in market generally specifies this as a weak point compare to their product.
Awaiting your response.
Great article and some great responses to the reader’s questions. Lots of good information here. Thanks for taking the time to post this as well as to respond to the commenters.
Will security contexts/virtual firewalls be supported on a FP 4100 running a FTD image?
Hi Dustin, This is currently targeted for a future software version of FTD.
Hi Scott,
Where i can find complete comparison between FP5100 and 5585-x
BCZ, i want to buy one ASAP.
BR
Sherif
Hi Sherif,
There is no external facing document comparing 4100 with 5585. However, both data sheets are published, and we used the same performance tables so should be easy to compare depending on what aspect you are evaluating:
4100 Datasheet
5585 Datasheet