Cisco integrated the threat detection and intrusion prevention technology it acquired with Sourcefire Inc. into its Adaptive Security Appliances, to create what it calls a threat-focused next-generation firewall.
The software that powers Sourcefire's FirePOWER network security appliances will now run as a service on Cisco's Adaptive Security Appliances (ASAs). As part of the Cisco-Sourcefire integration, the intrusion prevention (IPS) capabilities of FirePOWER will gradually replace the legacy Cisco IPS technology that ASA runs. Cisco will continue to support Cisco IPS for existing customers, but the company's long-term plan is to migrate all customers to FirePOWER, said Scott Harrell, vice president of product management for Cisco's security business.
The ASA firewall's existing application visibility and control can reduce the attack surface of an enterprise, Harrell said. But most enterprises have come to accept that breaches will happen, even with that reduced attack surface. With the Sourcefire integration, the firewall can now help enterprises respond to attacks that find their way through a next-generation firewall, he said.
"How do you detect an attack that's underway and automate your defenses as a result?" he asked. "With FirePOWER services on ASA, you get the ability to address this problem across the entire attack continuum with a single tool. You do that by integrating defense layers. You can not only enhance visibility, but you can also start to apply dynamic controls and some degree of automation in providing advanced threat protection."
Cisco-Sourcefire integration creates threat-aware firewall
Many firewall vendors have recognized that Internet traffic is changing and the signature-based protection provided by application-aware firewalls and IPS can't keep up with the threats hitting networks today, said John Grady, program manager for security products at IDC. Firewall vendors are adding advanced threat detection to their products to meet this challenge, he said.
Yet the degree of integration they offer varies, and vendors' ability to remediate detected threats varies too, Grady said.
"I think this market is still kind of feeling itself out in terms of advanced threats," Grady said. "But I've always felt that Sourcefire was pretty compelling. It's more focused on remediation and workflow. It's certainly more than just a sandbox. That being said, some users maybe just want the sandbox to know that they're not just leveraging signature-based security."
Cisco FirePOWER service on the ASA platforms can also interoperate with Sourcefire's Advanced Malware Protection (AMP) product, which extends a network security team's operation from network-based detection and response to endpoint detection and remediation.
"We can tell you what's going on with the endpoint and correlate that with what's detected by FirePOWER," Harrell said. "We can then drive the remediation cycle to that endpoint, all from a single management station -- FireSIGHT, which manages FirePOWER services on the ASA."
Cisco-Sourcefire integration addresses trend toward threat-aware firewall vendors
Threat detection and firewall vendors have recognized the necessity of extending their architectures to endpoint protection, Harrell said. For instance, FireEye Inc. and Palo Alto Networks Inc. both recently acquired endpoint security specialists, Mandiant and Cyvera, respectively. Cisco has an edge, claimed Harrell, because Sourcefire's endpoint security product has been integrated with its advanced threat protection for a long time.
Sourefire's advanced threat protection actually began as an endpoint product, Grady said, so Harrell has a point. "One of the key points we made a year ago was that there needs to be really strong integration between network and endpoint security, especially with mobility," Grady said. "It's been happening very quickly, with vendors getting on board."
More Cisco-Sourcefire integration to come
FirePOWER services initially will run as a software image hosted on the ASA software platform, Harrell said. "Over time, we're going to more tightly integrate the two software images. Initially, [FirePOWER] is a hosted image that is loosely coupled. That [is actually good] given the fact that we can go back and easily upgrade existing [ASA] platforms and provide investment protection."
The decoupled platforms also have the potential to slow down performance, something that customers will have to anticipate as they turn on the new services on the ASA.
"I would think that tighter integration would improve performance, but if [FirePOWER is] not hamstringing the box, it doesn't matter," Grady said. "As long as it's not creating a bottleneck, users won't care."
FirePOWER services will be available to current customers of ASA 5500-X and 5585-X Series firewalls as a license-enabled software upgrade, with an annual subscription rate that starts at $4,295. New ASA customers can purchase a one-year license bundle for ASA firewall and FirePOWER services for as little as $4,595.