What you need today is an integrated, threat-centric next-generation firewall: one that not only delivers granular application control but also provides effective protection against sophisticated and evasive malware.
The Cisco FirePOWER Next-Generation Firewall (NGFW) is the industry’s first fully integrated, threat-focused NGFW. It delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.
It can be deployed on Cisco FirePOWER 1000 Series, 2100 Series, 4100 Series, and 9300 appliances to provide a performance and density optimized NGFW security platform for Internet edge and other high-performance environments.
The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).
How the ASA FirePOWER Module Works with the ASA
You can deploy the FirePOWER module in either an inline or a monitor-only (inline tap or passive) deployment. This article describes only inline mode; see the ASA firewall configuration guide for the inline tap and passive monitor-only modes.
In inline mode, traffic passes the ASA's own firewall checks before it is forwarded to the FirePOWER module. When you select traffic for FirePOWER inspection on the ASA (with a service policy), it flows through the ASA and the module as follows:
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the FirePOWER module.
5. The FirePOWER module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the FirePOWER module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
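Step 4 above is driven by an ASA service policy that redirects matching traffic to the module. The following is an added example, not taken from the original article, of a global policy that sends all through-traffic to the FirePOWER (sfr) module; the ACL and class-map names are placeholders chosen here.

```cisco
! Added example: redirect all through-traffic to the ASA FirePOWER (sfr) module.
! SFR_REDIRECT and SFR_CLASS are placeholder names.
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  ! Inline inspection. "fail-open" keeps forwarding traffic if the module
  ! is down or still booting; "sfr fail-close" drops traffic instead.
  ! Append "monitor-only" for an inline tap that never blocks.
  sfr fail-open
!
service-policy global_policy global
```

Verify with `show module sfr` (module state) and `show service-policy sfr` (redirected flows). Two practitioner caveats: `fail-open` means a failed or upgrading module silently removes NGIPS, AMP and URL filtering from the path, so decide deliberately between fail-open and fail-close per your risk appetite; and because the ASA's own ACLs run before step 4, anything the ASA drops never reaches the module and will only appear in ASA logs, not in FirePOWER events.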
4 COMPONENTS OF FirePOWER
1. Access Control
Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network.
An access control policy can blacklist traffic based on Security Intelligence data (reputation feeds of known-bad sources) and use access control rules to exert granular control over how network traffic is logged and handled. Rules can be simple or complex, matching and inspecting traffic on multiple criteria: security zone, network or geographical location, port, application, requested URL, and user. Advanced access control options include preprocessing and performance settings.
Each access control rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic. When you allow traffic, you can specify that the system first inspect it with intrusion or file policies to block any exploits, malware, or prohibited files before they reach your assets or exit your network.
2. Intrusion Detection and Prevention
Intrusion detection and prevention is the system’s last line of defense before traffic is allowed to its destination. Intrusion policies are defined sets of intrusion detection and prevention configurations invoked by your access control policy. Using intrusion rules and other settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.
If the system-provided policies do not fully address the security needs of your organization, custom policies can improve the performance of the system in your environment and can provide a focused view of the malicious traffic and policy violations occurring on your network. By creating and tuning custom policies you can configure, at a very granular level, how the system processes and inspects the traffic on your network for intrusions.
3. Advanced Malware Protection and File Control
To help you identify and mitigate the effects of malware, the ASA FirePOWER module’s file control and advanced malware protection components can detect, track, capture, analyze, and optionally block the transmission of files (including malware files and nested files inside archive files) in network traffic.
File control allows devices to detect and block your users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. You configure file control as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.
Network-based advanced malware protection (AMP) allows the system to inspect network traffic for malware in several types of files. Regardless of whether you store a detected file, you can submit it to the Collective Security Intelligence Cloud for a simple known-disposition lookup using the file’s SHA-256 hash value. Using this contextual information, you can configure the system to block or allow specific files. You configure malware protection as part of your overall access control configuration; file policies associated with access control rules inspect network traffic that meets rule conditions.
4. Application Programming Interfaces
The fourth component is the set of management interfaces and application programming interfaces (APIs) through which you interact with the system. You configure the security policy on the ASA FirePOWER module using one of the following methods:
(a) Firepower Management Center—Can be hosted on a separate Firepower Management Center appliance or as a virtual appliance.
(b) Adaptive Security Device Manager (ASDM)—You can manage both the ASA and the module using the on-box ASDM.
Note that the FirePOWER features above (intrusion prevention and application control, URL filtering, and AMP for malware) are licensed separately from the ASA license itself, so plan for the module licenses when deciding which components to enable.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...