Today’s digital economy is growing at a phenomenal rate. All modes of commerce from entertainment to finance and retail have moved on-line. You name it; there is an on-line business for it. Not only does selling occur on-line, businesses run their operations online and virtually with cloud-based providers such as Microsoft Azure, Amazon Web Services, and others. With so much mission critical infrastructure outside of your network, how can you ensure that your business is secure?

We see in the press daily that global cyber crime is skyrocketing. A massive DDoS cyber attack on October 21st affected 6% of Fortune 500 companies proving how fragile the digital economy is.  Political hacktivism played a major role in this year’s presidential election. Ransomware is now a top concern for business of all types and sizes.  It’s no secret that cyber criminals have the resources, expertise, and persistence to infiltrate and disrupt our businesses at any time. As attackers become more sophisticated, they exploit new attack vectors where traditional defenses are no longer effective.

So what can you do?

Today’s complex networks demand a robust threat detection and containment approach. Safeguarding your network assets and data from today’s threats requires detailed visibility into all your network layers, content and resources no matter where they are deployed. It requires comprehensive and up-to-date security intelligence at the ready – combined with a dynamic approach that uses automation to quickly adapt to new threats, new vulnerabilities, and everyday network changes.

Prevailing Wisdom:

Security and IT professionals alike often unknowingly accept that with the widespread availability of next-generation firewalls, dedicated intrusion prevention systems are no longer necessary. The inclusion of IPS functionality in NGFWs has made them the simpler, go-to choice for many small to medium-sized organizations. But for more sophisticated organizations, the decision is not so clear-cut.

IPS functionality embedded in many firewalls and UTMs is not as comprehensive as best-of-breed IDS/IPS solutions. Instead, some firewalls incorporate a subset of capabilities lacking in efficacy, functionality and performance available with dedicated NGIPS solutions. Many organizations with stringent security requirements may find they are best served by deploying both a firewall and an NGIPS to meet their needs. We’ll explore these use cases in a future post, but first let’s learn more about what an NGIPS is and how it differs from typical NGFW capabilities.

The Solution: Dedicated NGIPS

There are a number of reasons to add a physical or virtual NGIPS appliance to your security architecture.

  • Performance; First and foremost, enabling IPS functions can impose considerable performance degradation on edge-deployed firewalls. This impact can be significant – as high as 90% – which likely is unacceptable to the business. An NGIPS is architected for deep packet inspection without disrupting traffic. An NGIPS can also typically sustain higher inspection throughput rates – what good is threat protection if it conks out when network demand is highest?
  • Placement: A well-designed NGIPS can provide visibility, threat detection and response, and malware discovery in areas of your network that remain unavailable to firewall inspection and controls. An NGIPS can be deployed easily throughout the network core, within virtualized data centers, and at the cloud. The more points of presence, the better the visibility and the earlier threats can be detected and stopped.
  • Organization: the team managing the firewall is often not responsible for the enterprise infrastructure that benefits most from NGIPS protection. And when organizations outsource firewall management or security event handling/triage to MSSPs, having a dedicated NGIPS provides a clean path to see threats and harden defenses.
  • Compliance: best practice and many regulations require network segmentation. This can often be done more easily and effectively with an NGIPS – without cumbersome ACL management that accompanies firewall deployment. An NGIPS can be set to fail open – so traffic will always flow. Business is not impacted by NGIPS failure – as it would be by firewall failure or misconfiguration.
  • Response Speed: Attackers move rapidly to exploit new unpatched vulnerabilities.  An NGIPS can provide a stop-gap for unpatched or un-patchable systems – since it is easy to automatically deploy a rule that detects exploits targeting a new vulnerability.  For threats that get in, quick detection is key – having file trajectory information can help rapidly assess the impacted host and determine root cause.

Cisco Firepower®NGIPS

The Cisco Firepower Intrusion Prevention System (NGIPS) threat appliance provides industry-leading visibility and threat efficacy against both known and unknown threats.  Threats are stopped by:

  • Over 30,000 IPS rules that identify and block network traffic attempting to exploit a vulnerability in your network
  • Vulnerability and anomaly-based inspection methods (built on the core open technology of Snort) to accurately alert you to malicious hosts, network malware attacks, file movement, and zero-day threats.
  • Reputation-based IP, URL and DNS security intelligence that can shrink your attack surface by identifying known malicious sites
  • Automatic updates from the Cisco Talos threat intelligence platform
  • A tightly integrated defense against network-based advanced malware attacks
  • Early detection into evasive and emerging malware threats, delivering industry-leading < 13 hour median time-to-detection (Source: Cisco Annual Security Report – Jan. 2016).
  • An integrated sandboxing technology that uses hundreds of behavioral indicators to identify zero-day attacks
  • Indications of Compromise (IoC) that correlate events from multiple sources to identify possibly compromised hosts

A range of purpose-built appliances provides the right throughput, flexibility, and scalability, so that organizations of all types and sizes achieve consistent security effectiveness while maintaining network performance. These appliances incorporate a low-latency, single-pass design and include configurable bypass (fail-to-wire) interfaces.

In today’s fast-moving digital economy, now is not the time to take shortcuts with your security architecture. Cyber criminals are working overtime to take down the digital infrastructure for profit, fame or political gain. It is time to double down and stop them in their tracks with Cisco best-of-breed security solutions. Learn more about protecting your organization with NGIPS in our webinar.



David C. Stuart

Director, Network Security Product Marketing

Security Business Group