Avatar

We live in a time when lines in IT are blurring, and the line between security and network operations is just one example. When organizations are breached, their network is imperiled and business can suffer. Resiliency, performance, and threat defense are increasingly intertwined. No one understands this better than Cisco, with our decades of network leadership and our innovation in security.

Cisco is enabling our customers to maintain network performance while they keep their data safe. Our latest Firepower 2100 Series NGFWs are a testament to this, delivering business resiliency through superior threat defense and unmatched price-performance. With Firepower 2100 Series, enabling advanced threat functions does not mean compromised performance – you can maximize throughput while maintaining robust threat inspection.

Business resiliency is job one for network operations teams – but they can’t do their jobs if security is a choke point. On the Cisco Firepower 2100 Series, when you enable advanced threat functions, they won’t become a network bottleneck like competitors. Cisco’s innovative dual, multi-core CPU architecture and software optimizations maximize firewall, cryptographic, and threat inspection performance simultaneously.

From preliminary testing, we’re seeing minimal impact on large packet firewall throughput when enabling intrusion inspection. In fact, with IPS fully enabled, we see with large packets less than 1% throughput degradation to network traffic. Contrast that with the typical 50% or greater impact in competing designs. With Cisco’s design, you don’t have to choose between security and network performance – you get both!

A ‘No Compromises’ Security Architecture

Key to the performance sustaining abilities of the Firepower 2100 Series is a dual, multi-core CPU architecture and software optimization that enables:

  • Sustained throughput performance when threat functions are enabled vs. competing designs
  • Flexibility and future-proofing versus ASIC-based designs that inhibit the ability to add new defenses and functions
  • Fast path accelerates flows not requiring threat inspection, further enhancing performance through the appliance

 

By applying purpose-built processing for the tasks at hand, the Firepower 2100 Series NGFWs optimize performance and threat protection, without burdening network operators to architect around security bottlenecks. This reduces the need to overprovision and fosters deeper inspection levels than otherwise might be possible.

The design employs Intel multi-core CPUs for Layer 7 threat inspections (app visibility, intrusion detection, URL filtering, malware and file inspection, user identity, etc.) and a combination of merchant and a Network Processing Unit (NPU) for layer 2-4 traffic (stateful firewall, NAT, VPN-SSL encryption/decryption, and more.).

Traffic first traverses the NPU, and may be blocked based on access controls, obviating the need to inspect further. Flows requiring advanced inspection are copied and sent to the x86 complex – and flow handling is optimized regarding required inspection services, utilizing security group tags as one method to make this determination. In addition, a ‘fast path’ option allows intelligent re-routing of trusted traffic dynamically.

If it isn’t obvious by now, Cisco Firepower NGFW isn’t just another firewall. Across the entire family – and now the new 2100 Series – Cisco Firepower NGFW combines our effective security architecture with the power of the network for superior business resilience and protection.

Watch the video below, visit the Cisco Firepower 2100 Series NGFW product page, and take a virtual tour to learn more about the various form factors, speeds and feeds, and more.

 



Authors

David C. Stuart

Director, Network Security Product Marketing

Security Business Group