Feature Story

What's unique about Cisco's latest next-generation firewall?

by Laurence Cruz

And what you can learn about it from HBO's mega-hit TV series "Game of Thrones"

To the uninitiated, firewall talk can sound like a foreign language. That's why we're going to break it down with a little help from Game of Thrones—the massively popular TV series, now prepping a seventh season on the HBO network.

First off, let's get the description right. Cisco recently released its latest firewall—the Firepower 2100 Series NGFW—a fully integrated, threat-focused next-generation firewall built for the midsize business.

Why fully integrated and threat-focused? What do these mean?

To help understand these terms in a firewall context, let's look at another wall—"The Wall" in Game of Thrones. For those not familiar with the fantasy show, The Wall is a massive barrier of mostly ice that stretches 300 miles across the northern border of the Seven Kingdoms. Over 700 feet tall, it's the main defense against the wildlings—a race of people who live in the wild lands to the north—and the dreaded White Walker ice zombies. The Wall is patrolled by an order of guards known as the Night's Watch, who control access—deciding who gets into and out of the Seven Kingdoms, and who doesn't—via a massive door in The Wall.

The Wall is a good analogy for a firewall, which is defined as a network security device that monitors incoming and outgoing network traffic. A firewall decides whether to allow or block specific traffic based on a defined set of security rules.

Why threat-centric security?

Most of Cisco's competitors in the firewall space have a firewall-centric history and mindset. That is, they are focused on trying to make their firewall incrementally better. This is the equivalent, in Game of Thrones terms, of the Night's Watch focusing exclusively on maintaining and reinforcing The Wall.

"That has never been a very plausible, deep security inspection device," says Jason Wright, senior manager of global field product management at Cisco, in an interview last year.

The remedy is adding a Next-Generation Intrusion Prevention System (NGIPS) that is entirely threat-focused. That means focused not on access control (the firewall), but on deeply inspecting the traffic that does come through the firewall in order to have a clear idea of what is on the network. This is also known as network visibility. In Game of Thrones terms, it means not focusing on improving The Wall, but on inspecting those who are granted access—a band of wanderers, for example—and making sure there are no wildlings among them.

"That is what will keep you out of the news," says Wright. "And that's why we harp on threat-centric security and a threat-focused next-generation firewall."

Network visibility and Time to Detection

In NSS Labs' 2017 testing, Cisco Firepower NGFW leads again – outperforming eight competitors in security effectiveness, blocking 100% of evasions, and besting several vendors by over 50 points.

Visibility is a major advantage for Cisco's NGFW—especially in terms of visibility into the network, traffic, applications and users. Furthermore, in a recent test, Cisco's "time to detection" (TTD) of threats was faster than that of competitors; it found 100 percent of threats, and 90 percent of them in the first five minutes (versus hours or more for competitive offerings).

"Real-time network visibility is a very big benefit of going with the Cisco firewall," says John Damon, senior manager with Cisco's security group. "You can only protect what you can see, otherwise you're flying blind."

"Context" provides the ability to "see" and determine whether a threat will be impactful—and then take quick action, Damon explains. "And being able to quickly detect any threats that do evade our defenses is important as well, because reducing that time to detection prevents hackers having time to access and exfiltrate your data," he says.

And in Game of Thrones terms? Let's say a couple of disguised wildlings did slip through The Wall, hidden among a band of wanderers. A rapid time to detection means the Night's Watch would apprehend them quickly, hopefully before they could enact any malicious plans.

Fully integrated?

Cisco's latest firewall is described as fully integrated because it bundles several technologies that work together, collectively known as Firepower Threat Defense. These include the stateful firewall, Cisco's Advanced Malware Protection (AMP), NGIPS, URL filtering, and Application Visibility and Control (AVC).

All of these are integrated into a single platform at the code level, rather than running as multiple engines in separate spaces. And instead of separate management interfaces for the firewall and the threat applications, management is unified in a single pane, using either the on-box Firepower Device Manager or the Firepower Management Center for centralized management.

"Most competitors do a decent job of firewall but not a very good job of Intrusion Prevention and not a good job of AMP," Wright says.

Before, during and after protection

Finally, Cisco's latest firewall offers protection before, during and after an attack. Your firewall policy is the "before" phase—in Game of Thrones terms, the deadbolt on the giant door in The Wall. Intrusion Prevention is the "during" phase—in Game of Thrones terms, whatever does get through The Wall gets a deeper inspection. Cisco's Security Intelligence Team, Talos, constantly reviews and classifies millions of these "intruders" on a daily basis so that only the right files, or wildlings, get into your network.

There's also an "after" phase that allows you to go back and fix a problem after an attack—such as a zero-day attack or an attack of an unknown nature—has penetrated the firewall. In Game of Thrones terms, if the Night's Watch learns that a nefarious wildling has snuck through The Wall, they're able to apprehend the intruder and stop his planned attack.

"Something may be benign at the point it enters the network but can turn malicious later," Wright says. "But we can watch it and if we change our mind, we can go back and do something about it, so we actually have a recourse and a way to fix our mistakes."

This can be done via AMP and its unique feature, Retrospective Analysis. It can find the entry point of the malware and retrace its steps throughout your network, identifying all the machines that may have been affected. It then stops, isolates and removes that malware.
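To make the retrospective idea concrete, here is an added illustration (not Cisco's or AMP's code) of the bookkeeping it relies on: every file sighting is recorded by host, hash and time, so that when a verdict later flips to "malicious" the entry point, every host that saw the file while it was still considered benign, and the dwell time can be reported. The event schema, host names and hash strings are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class FileEvent:
    """One sighting of a file on a host (constructed schema, not AMP's)."""
    ts: datetime
    host: str
    sha256: str

# Constructed sample data. The hashes are placeholders, not real indicators.
T0 = datetime(2017, 3, 1, 9, 0)
H_DOC = "sha256-placeholder-invoice-doc"
H_TOOL = "sha256-placeholder-admin-tool"
EVENTS = [
    FileEvent(T0, "ws-finance-01", H_DOC),                          # entry point
    FileEvent(T0 + timedelta(minutes=10), "ws-finance-01", H_TOOL),
    FileEvent(T0 + timedelta(minutes=25), "fileserver-02", H_DOC),
    FileEvent(T0 + timedelta(minutes=40), "ws-hr-07", H_DOC),
    FileEvent(T0 + timedelta(minutes=55), "ws-hr-07", H_DOC),       # repeat sighting
]
# A threat-intelligence verdict update arriving two hours after the file first entered.
VERDICT_CHANGES = [(T0 + timedelta(hours=2), H_DOC, "malicious")]

def file_trajectory(events, sha256):
    """Entry point and every host that saw the file, in order of first sighting."""
    seen = sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)
    if not seen:
        return None
    hosts = []
    for e in seen:
        if e.host not in hosts:          # de-duplicate repeat sightings on one host
            hosts.append(e.host)
    return {"entry_host": seen[0].host, "entry_time": seen[0].ts, "affected_hosts": hosts}

def retrospective_alerts(events, verdict_changes):
    """For each file later reclassified as malicious, report where it entered, which
    hosts it reached while still considered benign, and the dwell time until the flip."""
    alerts = []
    for changed_at, sha256, verdict in verdict_changes:
        if verdict != "malicious":
            continue
        traj = file_trajectory([e for e in events if e.ts <= changed_at], sha256)
        if traj is None:
            continue
        alerts.append({"sha256": sha256, "verdict_changed_at": changed_at,
                       "dwell_time": changed_at - traj["entry_time"], **traj})
    return alerts

if __name__ == "__main__":
    for a in retrospective_alerts(EVENTS, VERDICT_CHANGES):
        print(f"{a['sha256']} entered via {a['entry_host']} at {a['entry_time']:%H:%M}, "
              f"reached {a['affected_hosts']}, flagged {a['dwell_time']} after entry")
```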

This is unique to Cisco's latest firewall. Cisco's competitors, by contrast, can only wish they'd caught the problem sooner. Or, in Game of Thrones terms, the Night's Watch can only watch as the intruding wildlings wreak their havoc on the Seven Kingdoms.

Learn more about Cisco next-generation firewalls: http://www.cisco.com/c/en/us/products/security/firewalls/index.html

The contents or opinions in this feature are independent and may not necessarily represent the views of Cisco. They are offered in an effort to encourage continuing conversations on a broad range of innovative technology subjects. We welcome your comments and engagement.

We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.