Cisco Blogs


Cisco Blog > Security

Threat-Focused NG-Firewall – Who Cares? Part 3

This is Part 3 of our blog series about NG-Firewalls. See Part 1 here.

Part 3: Challenges of the Typical NGFW

What good is a malicious verdict on something that had already penetrated the system?

There is no system in the world that can stop 100% of attacks/attackers 100% of the time, so infection is an inevitability that must be anticipated. Something WILL get through and when it does, the quality of your threat system and incident response plan will surely be tested. The Cisco Firepower Threat-focused NGFW is designed to understand what has happened through the entire life cycle and to be able to make immediate and automatic adjustments to contain the threat and provide the Practitioner with the forensic details necessary to manage and respond to the incident.

Typical NGFW solutions add on extra defense systems (malware sandboxes, URL gateways, etc.) in an attempt to avoid this altogether with the focus on point-in-time prevention. Whether a Typical NGFW or a Threat-focused one, all use technologies like Threat Intelligence cloud lookups of known malware signatures, or even sandboxing to allow the full progression of an ‘unknown’ to operate in a contained environment and ultimately determine if clean or malicious so it can be given an accurate disposition at the initial point-in-time. How they are used is the critical point. While a threat-focused firewall integrates these functions into its core, the Typical NGFW leverages less-integrated add-on components in order to go back to step 1 and try to deny what shouldn’t get through at first sight – attempting to prevent everything with that binary decision. Great idea, except for a few critical deficiencies: First, most modern malware is sandbox-aware and only used once. Therefore, if it runs in a sandbox it may not execute the same way as it would in the wild. Signatures are only good for the 2nd time malware is seen, so a cloud lookup isn’t, with or without sandboxing, enough to confirm an unknown that only ever has one instantiation.

Read More »

Tags: , , , ,

Threat-Focused NG-Firewall – Who Cares? Part 2

This is Part 2 of our blog series about NG-Firewalls. See Part 1 here.

Part 2: Enter Threat-Focused NG-Firewall

What does a Threat-focused NG-Firewall do differently? Just about everything. Let’s compare the most popular NGFW systems on the market (typical NGFW) with the Cisco Firepower NG-Firewall system, (a Threat-Focused NG-Firewall).

If you consider the typical NGFW available from your choice of vendors, you are staring at a system that was designed for, and normally sold to, Network-focused Admins that need more visibility into their policy and desire some additional depth of what they can choose to allow or deny. Typical policy has been circumvented by the ever-present danger of threats, and thus policy management that actually has any effect on protection has become extremely difficult. The limiting factor with the standard NGFW is that it can only accurately enforce permit or deny on what it understands. The classic example is the firewall that employs IDS/IPS signatures in the packet path to ‘detect’ what it understands and take an action – with an output event that something was seen and some basic information about who and what, along with the action taken.

A Threat-focused NG-Firewall system by contrast, looks at the world differently – with its foundation a set of detection engines that leverage both signature-based and signature-less technologies to hand out verdicts on data flows, files and other bits of information. How well this is done depends on the intelligence built into the verdict engines – not only allowing detection and dispositions of point-in-time events, like many other vendors do, but also detection beyond the event horizon, which is the Cisco Firepower NG-Firewall’s most obvious differentiator. The event horizon is the point-in-time where a system first sees something good, bad or unknown and issues a verdict or disposition.

Point-in-time analysis, used by every NGFW that you can buy today

Figure 1a – Point-in-time analysis, used by every NGFW that you can buy today

Read More »

Tags: , , , , ,

Threat-Focused NG-Firewall – Who Cares? Part 1

Part 1: Rude Awakening

Let us begin with some context in the form of a story.

I live in a very bad part of town and I am always worried that my car is going to get stolen or broken into. So, I just invested over a thousand bucks in this awesome vehicle alarm and security system. You know, one of those ultra-advanced systems that connects to an app on your smartphone, includes an ignition kill switch, vehicle tracker, cameras, motion detection, as well as all of the typical features you would expect. If someone enters the vehicle without my key fob, it calls my phone, and even takes pictures of the inside of the vehicle. I now feel so much better about parking my car outside. The company that sold me the alarm made me feel like my car was ‘un-steal-able’ and even if it was, I would have pictures of who did it and would be able to find it easily. Perfect. I feel protected. I can sleep at night.

The other morning, I went outside and strangely, it was gone…the shock sensor and its cut-wires lying on the ground where the car once sat. I think I stood there for a solid minute with my mouth open before I thought to do anything. I checked my phone – no call. I looked at the app – no pictures or interior motion detected. All appeared normal. Darn! (actually other words, but keeping it clean here) How could this happen? That alarm company assured me this was impossible. Heck, they are the most popular system on the market – everyone loves these guys. They have all of the ‘best’ and innovative features and no one makes vehicle security easier than these guys. And, I bought the top-of-the-line model, with all of the bells and whistles, just short of the biometric entry system. Wow! How could this have happened?

I called the police to file a report and see if the tracker could be used to find my stolen car. “Sure we will look for it.” The tracker required a connection, which didn’t exist. The app was useless unless something triggered it and the company that sold it to me, of course, wasn’t much help. “Looks like someone really wanted your car” they said.  Long story short, the vehicle was found 26 days later on a burned-out flatbed in Mexico. What hadn’t been taken off of it was torched; no trace whatsoever.

Security Isn’t Easy

The moral of the story is two-fold. One, there is no such thing as easy security, at any price. As soon as you think you have achieved it, the unthinkable will certainly happen. Two: no amount of prevention or detection will ever overcome human motivation and ingenuity. Knowing that today’s attackers have the technology innovations of the entire industry at their fingertips when they attack us – ingenuity is boundless. Billions of dollars are made each year by attackers stealing our data. What better motivation than money. Considering much of what we are up against today is nation-state sponsored, everything becomes that much more complicated.

Read More »

Tags: , , , , ,

The Need To Solve for Time

Ponemon Institute called 2014 the year of the “Mega Breaches,” which will be remembered for its series of mega security breaches and attacks. These “Mega Breaches” are perfect examples of what is commonly known as Advanced Persistent Threats (APTs). The Ponemon Institute survey asked, among many questions, “When was the breach discovered?” Surprisingly, the results revealed that ONLY 2% of the respondents in the survey discovered their breach within one week of after the incident and a staggering 90% were six months or longer, if at all.

Tom Houge 1

Read More »

Tags: , , , ,

Like Chalk and Cheese: Cisco ASA 5506-X with Release 9.4.1 – Policy Based Routing

Cisco ASA 5506-XEarlier this Year, Cisco introduced the Cisco ASA 5506-X with FirePOWER Services. This Model should replace the successful and smallest Security Solution, the ASA 5505. Designed for the Small Business and a new era of threat and advanced malware protection Cisco ASA with FirePOWER Services delivers an integrated threat defense for the entire attack continuum. BEFORE, DURING and AFTER.

As Desktop version, the Cisco ASA 5506-X builds an easy entry for a:

 

Cisco ASA 5506-X 1

  •  Superior Multilayered Protection
    • Site-to-site and remote access VPN
    • Granular Application Visibility and Control (AVC)
    • Highly effective threat prevention and full contextual awareness
    • Reputation- and category-based URL filtering
    • AMP provides industry-leading breach detection effectiveness
  • Unprecedented Network Visbility
  • Reduced Costs and Complexity security Solution

Read More »

Tags: , , , , , , , , , , , , ,