How is a Stateful Firewall like a Vintage Porsche?
“Dad, I love your vintage Porsche! But is it safe?” This is the conversation my 90-year old neighbor recently had with his adult children. The Porsche he inherited from his late father-in-law is a thing of beauty – sleek, classic body, and driven once or twice a week. The low-mileage 911 has been maintained meticulously over its 47 years of service. It still exudes the chic sports car styling and handling but guess what? It has no seat belts! No airbags, no back-up camera, and no collision avoidance systems! However, over those 40+ years, automobile designers have not only designed faster and more stylish sports cars, they are now extraordinarily safer.
I can immediately see the parallel in the security industry. I can’t tell you how many IT managers I’ve run into lately who say: “Why should I replace my firewall, it still works?” My neighbor’s beautiful old Porsche and the IT manager’s aging stateful firewall still perform to what was the state of the art at the time they were introduced, in the case of firewalls, 20+ years ago. Like the sports car safety innovations, firewalls have added advanced inspection and analysis capabilities. As cyber threats have gotten more sophisticated, stateful firewalls have been reinforced with new next-generation security technologies that integrate across your network to keep the bad guys at bay and keep you safe.
Enter the Next-Generation Security Architecture
What modern capabilities have been added to Cisco’s stateful firewall that has 23-years of experience protecting Cisco networks? Today’s Cisco Firepower Next-Generation Firewall starts with the same, trusted inspection technology that allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection.
The NGFW’s Collision Avoidance Systems: AVC, NGIPS and AMP
We’ve added robust application visibility and control (AVC) capability. Applications, both on premise and in the cloud, are a leading vector for bad guys, and we’ve integrated application awareness and controls to see and block access to known risky applications. This is a must-have for any NGFW as more than 80% of all new malware and intrusion attempts exploit weaknesses or un-patched vulnerabilities in applications.
Next-Generation Intrusion Prevention (NGIPS)
NGIPS is the cornerstone of modern next-generation firewalls and Cisco continues to be ranked industry leader by NSS Labs testing year after year. How do we provide the best intrusion prevention? Cisco NGIPS inspects network traffic against known attack signatures. We update our signature database constantly with up-to-the-minute intelligence gathered by Cisco’s worldwide threat visibility and analysis organization, Talos. Their efforts result in more than 35,000 vulnerability-focused IPS rules, advanced malware detections, and embedded IP-based, URL-based, and DNS-based security intelligence ensuring that our customers have the best protection on the planet. And that is only the beginning!
Advanced Malware Protection (AMP)
You might have noticed that the three technologies I’ve outlined so far address known threats. What about the new ones that we don’t know about yet? Cyber criminals are constantly innovating fiendish new attack vectors, it is inevitable that some are going to get past perimeter defenses. That is where Advanced Malware Protection comes in. Not only does AMP maintain a database of known malware to block, it records network traffic and the movement of files that have entered the network, whether the user was behind the firewall or on a device at a local coffee shop. Suspicious files can be immediately quarantined and detonated in a safe sandbox environment before they do damage. And in the event that an innocent looking file becomes malicious we can roll back the clock to understand the extent of infection it caused and begin the clean-up effort. You can rest assured knowing that Cisco AMP was named a leader in breach detection by NSS Labs for 3 years running! In fact, the industry average to detect a breach is 100 days, ours is just 3.5 hours.
Routing out Stealthy Malware
And now you might be thinking: how do you detect malware when it becomes active? Bad guys infiltrate networks for a wide range of lucrative reasons: theft of identity data is the top target, be that customer’s personal information such as social security information, credit card numbers, financial institution passwords. If this type of theft is underway, data will start moving in uncharacteristic patterns within and out of your network. The same could apply to classified design data for your next tech product, medical record information, or customer databases that your competitors are salivating to get their hands on. The ways in which criminals can ruin your business and reputation are endless.
Security Cameras of the Network: ISE, TrustSec, and Stealthwatch
Our aim is to detect and stop malware or bad actors from stealing valuable data. First, by segmenting your network and defining who belongs where, you take the first step towards limiting access to sensitive information and detecting when unauthorized access is made. Then, by monitoring network traffic and detecting any anomalies, you can contain data loss.
So, how do we do that?
Identity Services Engine (ISE) enables you to gain deep visibility into the users, devices, and applications accessing your network resources. It gives you the control to make sure that only the right people with trusted devices get the right level of access to network services. ISE works hand in hand with Cisco TrustSec technology to construct network segmentation policy that is shared with firewall management to contain any infected endpoints for observation, remediation, or removal.
And when you are thinking about Cisco, who on earth is better to defend the network? We know how your network works. We establish a baseline of known good traffic patterns, using Cisco Stealthwatch in your network, and when any deviations from the norm are detected, such as malware accessing your customer database, you are able to pinpoint the source and begin remediation.
So, you see, like today’s hi-tech sports cars, the evolved stateful firewall exists within a hi-tech Network Security Architecture that provides greater protection to enable your digital business. Protection that extends beyond the network perimeter to the endpoint, cloud and across your entire network.
Be sure to check out this cool video to see a Cisco NGFW in action.