Can your firewall do that?


March 12, 2019 - 1 Comment

Part 3: Save time and reduce complexity with better management, automated operations, and product integration

Networking and security teams are up against a lot. Hunting for cyberthreats is difficult. Policy management and enforcement across multiple devices is time-consuming and error-prone. Most teams are playing whack-a-mole with a deluge of false positives and hundreds of alerts per day, and they’re doing it across multiple security tools from different vendors. Yet most teams have limited resources, staff, and budgets. They’re overwhelmed.

In the final post of this three-part blog series (to catch up on prior publications, click part 1 or part 2), let’s explore how a Cisco Next-Generation Firewall (NGFW) can help you become less overwhelmed and more empowered. Let’s see how a Cisco NGFW can automate your networking and security operations to save time and reduce complexity.

Firewalls and firewall management for every type of organization

In the face of limited resources, staff, and budgets, you need security tools that are optimized for your team and for your specific security and networking use case. For instance, the demands of a data center environment are very different from those of a distributed branch office environment. Having the right firewall, and the right firewall management system, is the first step to easing pressure on your team and streamlining your approach.

Cisco NGFWs come in many shapes and sizes to meet these different needs. A wide range of throughput options are available for small to medium businesses, enterprises, branch offices, internet edge environments, service providers, and data centers. Cisco NGFWs can also be deployed on-premises or in the cloud.

Different management options are also available. Perhaps you’re an enterprise that values a centralized manager that provides deep insights into threat activity – check out Firepower Management Center (FMC). Maybe you’re a small to medium-sized business that wants easy web-based management of network operations – Firepower Device Manager (FDM) might be a good choice. If you want a cloud-based management system for consistent policy management across a distributed enterprise, Cisco Defense Orchestrator (CDO) should be evaluated. At Cisco, we know that one size doesn’t fit all. Use the firewall manager that best aligns with your networking and security goals.

Automate your security and networking operations

Policy management and enforcement, while a very necessary task, can be error-prone, tedious, and time-consuming—especially for distributed enterprises that need to manage thousands of rules across multiple firewalls and branch locations. A team could spend a full day migrating policy from one firewall to another, or pruning IPS rule sets to maintain proper “firewall hygiene”.

Cisco Defense Orchestrator (CDO) can be used to centralize policy management across your entire networking ecosystem, whether you have dozens or thousands of locations. CDO gives you a consolidated view of all your access control policies across all your ASA firewalls. You can choose a specific policy, edit it, and it will propagate across all your firewalls with one click. CDO will also automatically show you unused rules or shadowed rules (rules that an earlier rule already matches in full, so they can never fire), and can remove them for you without manual intervention. Over time, firewalls get bloated with excess rules, and auditing them by hand is a nightmare. CDO can take action to clean them up, saving space on the firewall and reducing the complexity of the configuration. The same applies to network objects: CDO can show you unused, duplicate, or inconsistent objects and automatically clean them up. See how.
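To make the two hygiene checks in that paragraph concrete, here is an added, self-contained example (it is not CDO code and does not come from the original post). It parses a simplified subset of ASA `access-list ... extended` syntax (`any`, `host A`, `A MASK`, optional `eq PORT` or `range LO HI`), flags every rule that an earlier rule fully covers under first-match semantics, and groups network objects that define the same network under different names. The ACL and the object set are constructed sample input; the names `OUTSIDE_IN`, `WEB_SUBNET`, `DMZ_WEB` and `DNS_SERVER` are made up for the example.

```python
"""Offline firewall-hygiene check: shadowed ACL rules and duplicate network objects.

Added example, not CDO code. Handles only a simplified subset of ASA
'access-list NAME extended ACTION PROTO SRC DST [eq P | range L H]' syntax.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    line: int                    # 1-based position in the ACL (first match wins)
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...; "ip" covers every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                 # inclusive (low, high); (0, 65535) means any port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Turn ASA-style extended ACL lines into Rule objects, in ACL order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = (0, 65535)
        if i < len(t) and t[i] == "eq":
            dport = (int(t[i + 1]),) * 2
        elif i < len(t) and t[i] == "range":
            dport = (int(t[i + 1]), int(t[i + 2]))
        rules.append(Rule(len(rules) + 1, action, proto, src, dst, dport))
    return rules


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def find_shadowed(rules):
    """Return (shadowed_line, shadowing_line, kind) for each rule an earlier rule fully covers.

    kind is "redundant" when both rules share an action (safe to prune) and
    "conflict" when the actions differ: the later rule expresses an intent the
    earlier rule silently overrides, so investigate it rather than delete it.
    """
    findings = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.line, earlier.line, kind))
                break  # the first covering rule is the one that actually fires
    return findings


def find_duplicate_objects(objects):
    """objects: {name: 'A MASK' | 'host A'}; return groups of names defining the same network."""
    by_net = {}
    for name, definition in objects.items():
        net, _ = _parse_addr(definition.split(), 0)
        by_net.setdefault(net, []).append(name)
    return sorted(sorted(names) for names in by_net.values() if len(names) > 1)


# Constructed sample input for the example; not taken from any real device.
SAMPLE_ACL = """
access-list OUTSIDE_IN extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended permit ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended deny tcp 192.168.5.0 255.255.255.0 any eq 22
access-list OUTSIDE_IN extended permit udp any host 10.1.1.53 eq 53
access-list OUTSIDE_IN extended deny ip any any
"""

SAMPLE_OBJECTS = {
    "WEB_SUBNET": "10.1.1.0 255.255.255.0",
    "DMZ_WEB": "10.1.1.0 255.255.255.0",    # same network as WEB_SUBNET under a second name
    "DNS_SERVER": "host 10.1.1.53",
}

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(parse_acl(SAMPLE_ACL)):
        print(f"line {shadowed} is shadowed by line {by} ({kind})")
    for group in find_duplicate_objects(SAMPLE_OBJECTS):
        print("duplicate objects:", ", ".join(group))
```

On the sample ACL, line 2 is reported as redundant (line 1 already permits TCP/443 to the whole /24) and line 4 as a conflict: the `deny` of SSH from 192.168.5.0/24 never fires because line 3 permits all IP from 192.168.0.0/16 first. The distinction matters for automated cleanup: a redundant rule can be dropped, but a shadowed rule with the opposite action is a policy bug, and deleting it hides the problem instead of fixing it.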

Operating system upgrades are made easy as well. With a typical firewall upgrade, you must stand up an FTP or TFTP server, change firewall rules to allow access to it, and, for high-availability pairs, make sure the secondary firewall is carrying traffic while the primary is upgraded, then reverse the roles to upgrade the secondary. It is a lot of manual work. With CDO, the process is automated: CDO inventories all your devices, filters them by version, and can then upgrade them, pushing images directly from the cloud. For a high-availability pair, CDO upgrades the secondary first so that the pair stays available while the primary is upgraded.

Cisco’s integrated security portfolio makes it easier

Gartner, Forrester, and many other analysts in the networking and security space have noticed a trend – organizations have too many security products deployed and they’re trying to consolidate. The deployment of more and more security tools results in more to manage, increased operational overhead, and complexity. Complexity can slow down response times and make you less secure.

However, if all of these tools worked together in concert, it would make management easier and allow your entire security ecosystem to uncover and stop threats faster. This is why Cisco NGFWs were designed to work together with the rest of Cisco’s integrated security tools so you can see more, detect faster, and automatically respond.

Cisco security tools share threat information, policy information, and event data as part of Cisco’s Integrated Security Portfolio. For instance, the Cisco NGFW shares policy information with ISE so that ISE can automatically enforce policy on devices. Cisco AMP for Endpoints will notify the Cisco NGFW if it has quarantined a file on a specific device or multiple devices. With integrations like these, you can get visibility across multiple attack vectors, from edge to endpoint, so that when you see a threat in one place, you can stop it everywhere.

Instead of having to learn and pivot between a multitude of disparate security tools (all from different vendors), Cisco’s security tools work together to make your life easier, sharing and correlating event data, contextual information, threat intelligence and policy information so you don’t have to.

Can your firewall streamline management and automate networking and security operations to save you time and reduce strain on your already resource-strapped team? A Cisco firewall can. See how we do it with a guided tour of automation and integration capabilities in this demo.

Also, to learn more about how Cisco Defense Orchestrator can help you streamline policy application and enforcement, and assist with your migration from ASA firewalls, watch this episode of ThreatwiseTV.

 


To learn more about Cisco NGFW capabilities, check out our previous publications from this three-part blog series below.

Part 1: Prevent breaches automatically to keep your business moving

Part 2: Visibility to detect and stop threats

 




1 Comment

  1. Hi John,

    I went through all the 3 parts of your blog. I believe you have explained the key benefits of the FTD NGFW system in a very systematic and lucid manner. It was a very informative read.