Chapter 7: Cisco Secure Firewall PDF

Summary

This chapter details Cisco Secure Firewalls, discussing topics like network security solutions, deployment modes, and high availability. It also includes a self-assessment quiz to gauge understanding of covered concepts. The aim of the quiz is to determine if the document needs to be read entirely.

Full Transcript


## CHAPTER 7 Cisco Secure Firewall

This chapter covers the following topics:

- Introduction to Cisco Secure Firewall
- Comparing Network Security Solutions That Provide Firewall Capabilities
- Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities
- High Availability and Clustering
- Implementing Access Control
- Cisco Secure Firewall Intrusion Policies
- Cisco Secure Malware Defense
- Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date

The following SCOR 350-701 exam objectives are covered in this chapter:

- Domain 2.0 Network Security
- 2.1 Compare network security solutions that provide intrusion prevention and firewall capabilities
- 2.2 Describe deployment models of network security solutions and architectures that provide intrusion prevention and firewall capabilities
- 2.5 Implement segmentation, access control policies, AVC, URL filtering, malware protection, and intrusion policies
- 2.6 Implement management options for network security solutions (single vs. multi-device manager, in-band vs. out-of-band, cloud vs. on-premises)

### "Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections."
| Foundation Topics Section | Questions |
|---|---|
| Introduction to Cisco Secure Firewalls | 1 |
| Comparing Network Security Solutions That Provide Firewall Capabilities | 2 |
| Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities | 3-5 |
| High Availability and Clustering | 6 |
| Implementing Access Control | 7-8 |
| Cisco Secure Firewall Intrusion Policies | 9 |
| Cisco Secure Malware Defense | 10 |
| Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date | |

**CAUTION** The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following Cisco firewalls is designed for very large enterprises and service providers?
   - a. Cisco Zone-Based Firewall (ZBFW)
   - b. Cisco Firepower 9300 appliances
   - c. Cisco Secure Firewall running Cisco Unified Computing System (UCS) E-Series blades installed on Cisco ISR routers
   - d. Cisco Firepower 2140
2. Cisco IOS Zone-Based Firewall (ZBFW) can be deployed to provide firewall services in small and medium-sized organizations. Which of the following is not true about zone-based firewalls?
   - a. With ZBFWs, an interface can be assigned to only one security zone.
   - b. Zone-based firewalls cannot be implemented in an SD-WAN solution.
   - c. ZBFWs support zone pairs, which are a container that associates a source zone with a destination zone and that applies a firewall policy to the traffic that flows between the two zones.
   - d. ZBFWs support a security policy, similar to a localized security policy, that defines the conditions that the data traffic flow from the source zone must match to allow the flow to continue to the destination zone.
3. You were hired to deploy a Cisco ASA to provide separation of management and policies on a shared appliance. Which operational mode is best for this scenario?
   - a. Routed mode
   - b. Transparent mode
4. Which of the following statements is not true about firewalls deployed in Layer 3 (routed) mode?
   - a. Routed firewalls do not provide a way to filter packets that traverse from one host to another in the same LAN segment.
   - b. Layer 3 firewalls require a new network segment to be created when they are inserted into a network, which requires quite a bit of planning, network downtime, and reconfiguration of network devices.
   - c. Layer 3 firewalls support EtherType ACLs.
   - d. In Cisco Secure Firewall deployments, ERSPAN interfaces are only supported in routed mode.
5. Which of the following statements are true about the inline interface sets and passive interfaces in Cisco Secure Firewall deployments?
   - a. Inline sets and passive interfaces are only supported on physical interfaces and EtherChannels.
   - b. Inline sets cannot use redundant interfaces or VLANs.
   - c. Inline sets and passive interfaces are supported in intra-chassis and inter-chassis clustering.
   - d. All of these answers are correct.
6. Which of the following are requirements for failover configurations?
   - a. The two participant devices must be configured in the same firewall mode (for example, routed or transparent).
   - b. The two participant devices must be running the same software version.
   - c. You can configure different Cisco Secure Firewall devices in groups (or domains) in the Cisco FMC. Devices configured for failover must be in the same domain or group on the Cisco FMC.
   - d. All of these answers are correct.
7. In Cisco ASA deployments, an access control list (ACL) is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL is referred to as an access control entry (ACE). These ACEs classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?
   - a. Layer 2 protocol information such as EtherTypes
   - b. Layer 3 header information such as source and destination IP addresses
   - c. Layer 4 header information such as source and destination TCP or UDP ports
   - d. All of these answers are correct.
8. You were tasked to configure a Cisco ASA to permit SMTP traffic from hosts in 192.168.88.0/25 to an email server (10.2.2.2). Which of the following access control entries (ACEs) in an ACL will accomplish this task?
   - a. access-list my-list extended permit eq 25 tcp 192.168.88.0 255.255.255.128 host 10.2.2.2
   - b. access-list my-list extended permit tcp 192.168.88.0 255.255.255.192 host 10.2.2.2 eq 25
   - c. access-list my-list extended permit tcp 192.168.88.0 255.255.255.128 host 10.2.2.2 eq 25
   - d. access-list my-list extended permit tcp host 10.2.2.2 192.168.88.0 255.255.255.128 eq 25
9. Which of the following is true about Cisco Firepower Intrusion Policies?
   - a. Both network analysis and intrusion policies are invoked by a parent access control policy, but at different times.
   - b. As the system analyzes traffic, the network analysis (decoding and preprocessing) phase occurs before and separately from the intrusion prevention (additional preprocessing and intrusion rules) phase.
   - c. The Cisco Secure Firewall has several similarly named network analysis and intrusion policies (for example, Balanced Security and Connectivity) that complement and work with each other.
   - d. All of these answers are correct.
10. Which of the following sandboxing technologies provides a dynamic analysis that includes an external kernel monitor, dynamic disk analysis that illuminates any modifications to the physical disk (such as the master boot record), monitoring user interaction, video capture and playback, process information, artifacts, and network traffic?
    - a. Cisco Secure Malware Analytics (formerly known as Threat Grid)
    - b. Talos
    - c. Cisco Threat Response (CTR)
    - d. None of these answers are correct.

### Foundation Topics

#### Introduction to Cisco Secure Firewall

Cisco Secure Firewalls (formerly known as Cisco next-generation firewalls) are security products that provide protection throughout the attack continuum. In addition, you can detect, block, and defend against attacks that have already taken place with the integration of intrusion prevention and detection capabilities. These capabilities were ported from the Cisco next-generation intrusion prevention systems (NGIPSs).

#### Cisco Firewall History and Legacy

Cisco started in the firewall business with a legacy firewall called Centri Firewall. Through acquisitions it then released a very popular firewall called the PIX (Private Internet Exchange) Firewall. Cisco also purchased a company called WheelGroup, which introduced the Cisco legacy IDS and IPS systems. In the early 2000s, Cisco released the Cisco Adaptive Security Appliance (ASA), one of the most popular firewalls of all time.

You might have seen the terms FirePOWER and Firepower being used by Cisco in different instances. What is the difference between FirePOWER and Firepower? Cisco uses the term FirePOWER (uppercase POWER) when referring to the Cisco ASA FirePOWER Services module and uses Firepower (lowercase power) when referring to the FTD unified image and newer software.

The members of the Cisco ASA family come in many shapes and sizes, but they all provide a similar set of features. Typically, smaller model numbers represent smaller capacity for throughput.
The Cisco ASA also comes in a virtual form: the Cisco Adaptive Security Virtual Appliance (ASAv). For an up-to-date list of all the models available from Cisco, visit [https://www.cisco.com/c/en/us/products/security/firewalls/index.html](https://www.cisco.com/c/en/us/products/security/firewalls/index.html).

#### Introducing the Cisco ASA

The Cisco ASA family provides a very comprehensive set of features and next-generation security capabilities. For example, it provides capabilities such as simple packet filtering (normally configured with access control lists [ACLs]) and stateful inspection. The Cisco ASA family also provides support for application inspection/awareness. A Cisco ASA device can listen in on conversations between devices on one side of the firewall and devices on the other side. The benefit of listening in is that the firewall can pay attention to application layer information.

The Cisco ASA family also supports network address translation (NAT) and the capability to act as a Dynamic Host Configuration Protocol (DHCP) server or client, or both. The Cisco ASA family supports most of the interior gateway routing protocols, including Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF). It also supports static routing.

A Cisco ASA device can be implemented as a traditional Layer 3 firewall, which has IP addresses assigned to each of its routable interfaces. The other option is to implement the firewall as a transparent (Layer 2) firewall, in which case the physical interfaces are not configured with individual IP addresses; instead, a pair of interfaces operates like a bridge. Traffic that goes across this two-port bridge is still subject to the rules and inspection that the ASA can implement.

In addition, a Cisco ASA device is often used as a headend or remote-end device for VPN tunnels, for both remote-access VPN users and site-to-site VPN tunnels.
The Cisco ASA family supports IPsec and SSL-based remote-access VPNs. The SSL VPN capabilities include support for clientless SSL VPN and full AnyConnect SSL VPN tunnels.

The Cisco ASA family also provides a basic botnet traffic-filtering feature. A botnet is a collection of computers that have been compromised and are willing to follow the instructions of someone who is attempting to centrally control them (for example, 200,000 machines all commanded to send a flood of ping requests to an IP address chosen by the person controlling these devices). Often, users of these computers have no idea that their computers are participating in a coordinated attack. An ASA device works with an external system at Cisco that provides information about the Botnet Traffic Filter Database and so can protect against such attacks.

#### The Cisco ASA FirePOWER Module

Cisco introduced the Cisco ASA FirePOWER module as part of the integration of the Sourcefire technology. The Cisco ASA FirePOWER module can be managed by the Firewall Management Center (FMC), formerly known as the FireSIGHT Management Center. The Firewall Management Center and the Cisco ASA FirePOWER module require additional licenses. In all Cisco ASA models except the 5506-X, 5508-X, and 5516-X, the licenses are installed in the FirePOWER module. There are no additional licenses required in a Cisco ASA device. FirePOWER Services running on the Cisco ASA 5506-X, 5508-X, and 5516-X can be managed using Adaptive Security Device Manager (ASDM), and the licenses can be installed using ASDM. In all Cisco ASAs with FirePOWER Services managed by a Firewall Management Center, the license is installed on the Firewall Management Center and used by the module.
#### Cisco Secure Firewall: Formerly known as Cisco Firepower Threat Defense (FTD)

Cisco FTD is unified software that includes Cisco ASA features, legacy FirePOWER Services, and new features. FTD can be deployed on Cisco Secure Firewall 1000 Series, 2100 Series, 3100 Series, 4100 Series, 4200 Series, and 9300 Series appliances to provide advanced services. In addition to being able to run on the Cisco Secure Firewall appliances, FTD can also run natively on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. It is not supported on the ASA 5505 or the 5585-X.

#### Cisco Secure Firewall

The Cisco Secure Firewall appliances are next-generation firewalls that run the Cisco FTD software, with models and features designed for environments ranging from small business and home offices upward, as the following table shows.

| Product Series | Designed For |
|---|---|
| 1000 Series | Smaller businesses and branch offices |
| 2100 Series | Larger branch offices and organizations |
| 3100 Series | Medium-sized enterprises, with the flexibility to grow in the future |
| 4100 Series | Large enterprises, campus, and data center environments |
| 4200 Series | Large enterprises and high-performance data centers |
| 9300 Series | Service providers and high-performance data centers |
| Secure Firewall Threat Defense Virtual | Virtual firewalls for consistent policies across environments |
| Secure Firewall ISA3000 | Rugged design for manufacturing, industrial, and OT environments |
| Secure Firewall Cloud Native | Developer-friendly and Kubernetes-based for cloud-native security |
| Secure WAF and bot protection | Application security and resilience for today's digital enterprise |

Cisco often releases more models. For the most up-to-date list of models, visit [https://www.cisco.com/site/us/en/products/security/firewalls/index.html](https://www.cisco.com/site/us/en/products/security/firewalls/index.html).
#### Cisco Secure Firewall Migration Tool

The Cisco Secure Firewall Migration Tool allows you to transfer your firewall settings to the Cisco Secure Firewall Threat Defense. It doesn't matter how intricate your existing firewall policy is, because the migration tool can convert configurations from any Cisco Adaptive Security Appliance (ASA) or Firewall Device Manager (FDM), as well as from third-party firewalls such as Check Point, Palo Alto Networks, and Fortinet. You can access additional information on how to use the tool at [https://www.cisco.com/c/en/us/products/security/secure-firewall-migration-tool/index.html](https://www.cisco.com/c/en/us/products/security/secure-firewall-migration-tool/index.html).

The migration tool can handle complex firewall policies and provides a smooth and efficient migration process. This tool is particularly useful to migrate Cisco ASA configurations. The Cisco Secure Firewall Migration Tool gathers ASA data, processes it, and transfers it to the Secure Firewall Management Center. To better understand the mapping between the commonly used ASA features and their equivalent threat defense features, you can consult the Cisco ASA to Threat Defense Feature Mapping guide. The guide is available at [https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/asa-to-threat-defense-feature-mapping/asa-to-threat-defense-feature-mapping.html](https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/asa-to-threat-defense-feature-mapping/asa-to-threat-defense-feature-mapping.html).

#### Cisco Secure Firewall Threat Defense Virtual

A virtual firewall is a dynamic security solution that safeguards virtualized infrastructure within data center and cloud environments, which would otherwise be challenging to secure with a physical firewall.
By operating in a virtualized environment, a virtual firewall provides greater flexibility and agility, allowing it to adapt to changing security threats and the evolving needs of the organization. It is therefore an essential component for organizations that require reliable and scalable security measures to protect their critical digital assets in a public or private cloud.

Today, multi-cloud and modern application environments are prevalent, and ensuring the security of digital assets has become more complex than ever before. In the past, organizations typically relied on traditional security measures, such as firewalls and antivirus software, to protect their assets. However, with the advent of cloud computing and the growing popularity of modern application architectures, such as microservices and containers, the security paradigm has shifted to a more virtualized world. These modern technologies have opened up new avenues for cyber threats to penetrate an organization's network, making it crucial to adopt a more holistic and dynamic approach to security. As a result, security solutions like virtual firewalls, cloud-based intrusion detection and prevention systems, and data-loss prevention (DLP) systems have become increasingly important.

Virtual firewalls, in particular, have emerged as essential tools for securing multi-cloud and modern application environments. By leveraging virtualization technology, the Cisco Secure Firewall Threat Defense Virtual firewalls can provide comprehensive security coverage across multiple cloud environments, allowing organizations to better manage security policies and respond quickly to threats. They can also provide granular control over network traffic, enabling organizations to ensure that only authorized users and applications can access critical resources.

**NOTE** The Cisco Secure Firewall Threat Defense Virtual was formerly called Firepower Threat Defense Virtual.
You can deploy the Cisco Secure Firewall Threat Defense Virtual in private clouds, and it can be integrated and deployed on Cisco HyperFlex and on third-party implementations such as Nutanix AHV. It can also be deployed in OpenStack, VMware, and KVM environments. You can use Cisco virtual firewalls to accomplish many tasks. However, Cisco has also introduced a cloud-native firewall solution. We will discuss Cisco Secure Firewall Cloud Native in the next section.

**NOTE** You do not need to configure or deploy virtual firewalls for the SCOR exam. However, you will need to know how to do so for the firewall concentration exam and for the CCIE lab. As a reference only, you can access information about the deployment and configuration of the Cisco Secure Firewall Threat Defense Virtual on Cisco HyperFlex at [https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdy_gsg/ftdv-gsg/m-ftdv-hx-gsg.html](https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdy_gsg/ftdv-gsg/m-ftdv-hx-gsg.html). You can also obtain more information about the Cisco Secure Firewall Threat Defense Virtual integration with Nutanix AHV at [https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/nutanix/ftdv/ftdv-nutanix-gsg.html](https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/nutanix/ftdv/ftdv-nutanix-gsg.html).

| Cloud Provider | Marketplace Link |
|---|---|
| AWS | [https://aws.amazon.com/marketplace](https://aws.amazon.com/marketplace) |
| Microsoft Azure | [https://azuremarketplace.microsoft.com/en-US/](https://azuremarketplace.microsoft.com/en-US/) |
| Google Cloud | [https://console.cloud.google.com/marketplace](https://console.cloud.google.com/marketplace) |
| Oracle Cloud | [https://cloudmarketplace.oracle.com/](https://cloudmarketplace.oracle.com/) |

#### Cisco Secure Firewall Cloud Native

Before we go over the Cisco Secure Firewall Cloud Native solution, let's define a cloud-native application.
A cloud-native application is designed and developed specifically to run on a cloud platform, leveraging the cloud's dynamic and scalable infrastructure. It is built using cloud-native technologies and principles, such as microservices architecture, containerization, and orchestration using tools like Kubernetes, to enable fast and efficient deployment, scaling, and management.

The Cisco Secure Firewall Cloud Native solution allows for seamless integration of Cisco's security capabilities into a cloud-native form factor, utilizing Kubernetes orchestration for scalability and management. Amazon Elastic Kubernetes Service (Amazon EKS) provides the flexibility to easily run and scale Kubernetes applications within the AWS cloud, automating essential tasks such as patching, node provisioning, and updating to ensure high availability and security.

The Cisco Secure Firewall Cloud Native solution includes various Kubernetes operators/controllers and the Cloud Native Firewall (CNFW), which can be configured using a plaintext file (YAML) that supports Infrastructure as Code (IaC) configuration management. Additionally, advanced levels of integration and programmability are possible through the use of the K8s REST APIs.

**TIP** To learn more about the deployment and configuration of the Cisco Secure Firewall Cloud Native solution, go to [https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/cloud-native/getting-started/secure-firewall-cloud-native-gsg.html](https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/cloud-native/getting-started/secure-firewall-cloud-native-gsg.html).

#### Cisco Secure Firewall ISA3000

Cisco's industrial security appliance is an essential element in safeguarding your IoT/OT infrastructure. It incorporates Cisco Secure Firewall's established security features with industrial protocol and application visibility and control from leading automation vendors like Omron, Rockwell, GE, Schneider, and Siemens.
The ISA3000, a robust firewall, is ideally suited for partitioning industrial networks, protecting OT assets against potential threats, and ensuring compliance, enabling you to reap the rewards of your industrial digitization efforts. The ISA3000 allows for the management of industrial network traffic, supporting OT protocols such as Distributed Network Protocol (DNP3), Common Industrial Protocol (CIP), Modbus, and IEC 61850, among others.

DNP3 is a communication protocol used in Supervisory Control and Data Acquisition (SCADA) systems for communication between remote terminal units (RTUs) and control centers. It is designed for reliable and secure communication in harsh environments and supports multiple data types, including status, analog, and control commands.

CIP is an industrial Ethernet protocol that is widely used for communication among industrial devices and systems. It is designed to support a variety of device types and network topologies, and it offers features such as redundancy, security, and prioritized messaging.

Modbus is a serial communication protocol widely used in industrial control systems for communication between devices such as programmable logic controllers (PLCs) and other automation equipment. It is a simple and open protocol that supports a variety of data types and allows for easy integration with different types of devices.

IEC 61850 is a communication protocol used in electrical power systems for substation automation and control. It is designed to provide interoperability, flexibility, and scalability in power system automation, enabling real-time monitoring and control of power system equipment. It is based on Ethernet communication and uses object-oriented modeling to represent the functions and data of power system devices.
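Industrial protocol visibility and control of the kind described above comes down to parsing the protocol and enforcing policy on the operations it carries. The following Python program is an added example, not Cisco's or the ISA3000's own code: it parses a Modbus/TCP frame (the 7-byte MBAP header followed by the function code that opens the PDU) and applies a constructed policy that lets any host read but allows state-changing write functions only from an engineering-station allowlist. The addresses, the allowlist, and the sample frames are all constructed for the example.

```python
"""Modbus/TCP function-code policy check.

Added example modeled on the OT protocol inspection an industrial firewall performs;
this is not Cisco code and uses no Cisco API. The policy, the engineering-station
allowlist and the sample frames are constructed."""
import struct

# Modbus/TCP MBAP header: transaction id (2 bytes), protocol id (2, always 0 for
# Modbus), length (2, counts unit id + PDU), unit id (1). The PDU that follows
# starts with the one-byte function code.
MBAP_FORMAT = ">HHHB"
MBAP_LEN = struct.calcsize(MBAP_FORMAT)  # 7 bytes

READ_FUNCTIONS = {1, 2, 3, 4}          # read coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}   # write single/multiple coils or registers, read/write multiple

# Constructed policy: only the engineering workstation may change PLC state.
ENGINEERING_STATIONS = {"10.10.5.20"}  # constructed address


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the MBAP header and function code; raise ValueError on a malformed frame."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(MBAP_FORMAT, payload[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field covers everything after itself (unit id + PDU), so it must
    # equal the frame size minus the 6 bytes of transaction id, protocol id and length.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(payload)}")
    function_code = payload[MBAP_LEN]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code & 0x7F,   # high bit marks an exception response
        "exception": bool(function_code & 0x80),
    }


def evaluate(src_ip: str, payload: bytes) -> str:
    """Policy: reads from any host, writes only from engineering stations, everything else denied."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return f"deny (malformed: {err})"
    fc = frame["function_code"]
    if fc in READ_FUNCTIONS:
        return "allow (read)"
    if fc in WRITE_FUNCTIONS:
        if src_ip in ENGINEERING_STATIONS:
            return "allow (write from engineering station)"
        return f"deny (write function {fc} from non-engineering host)"
    return f"deny (function {fc} not in policy)"


# Constructed sample frames: transaction id, protocol id 0, length 6, unit id 1,
# function code, then a two-byte address and a two-byte count/value.
READ_HOLDING_REGISTERS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)      # FC 3
WRITE_SINGLE_REGISTER = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0, 0xFFFF)   # FC 6
DIAGNOSTICS = struct.pack(">HHHBBHH", 3, 0, 6, 1, 8, 0, 0)                 # FC 8
BAD_PROTOCOL = struct.pack(">HHHBBHH", 4, 5, 6, 1, 3, 0, 10)               # protocol id 5
TRUNCATED = b"\x00\x04\x00"                                                 # not even a full header

if __name__ == "__main__":
    samples = [("read", READ_HOLDING_REGISTERS), ("write", WRITE_SINGLE_REGISTER),
               ("diag", DIAGNOSTICS), ("badproto", BAD_PROTOCOL), ("truncated", TRUNCATED)]
    for name, frame in samples:
        print(f"{name:10} from HMI 10.10.7.3  -> {evaluate('10.10.7.3', frame)}")
        print(f"{name:10} from EWS 10.10.5.20 -> {evaluate('10.10.5.20', frame)}")
```

The length check matters as much as the function-code check: a frame whose MBAP length disagrees with its actual size is dropped before any policy decision, which is the same fail-closed posture a deep packet inspection engine takes on protocol violations.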
#### Cisco Secure WAF and Bot Protection

Web Application Firewalls (WAFs) provide protection for websites against application vulnerability exploits such as SQL injection, cross-site scripting (XSS), cross-site request forgery, session hijacking, and other web attacks. They often include basic bot mitigation capabilities that block bots based on IPs and fingerprinting; however, standard WAF solutions tend to fall short against advanced, automated threats. Advanced bots now mimic human behavior and can go undetected while exploiting open-source tools or creating multiple violations in various sessions. Hence, WAF solutions are often insufficient in protecting against these sophisticated threats.

The Cisco Secure Web Application Firewall (WAF) and bot protection offers a more robust solution that provides superior protection for websites, applications, and APIs, ensuring they are always available and protected. The Cisco Secure Web Application Firewall (WAF) and bot protection is designed to offer protection in a variety of environments, including:

- Cloud WAF: It can be deployed in public cloud environments to continuously provide adaptive web application security.
- Kubernetes WAF: It can provide scalable application security for CI/CD environments, orchestrated by Kubernetes.
- On-premises: It offers protection for those in need of local corporate network support.

#### SD-WAN, Firewall Capabilities, and the Cisco Integrated Services Routers (ISRs)

Historically, Cisco FTD can run on Cisco Unified Computing System (UCS) E-Series blades installed on Cisco ISR routers. Both the FMC and FTD are deployed as virtual machines. There are two internal interfaces that connect a router to a UCS E-Series blade. On ISR G2, Slot0 is a Peripheral Component Interconnect Express (PCIe) internal interface, and UCS E-Series Slot1 is a switched interface connected to the backplane Multi Gigabit Fabric (MGF).
In Cisco ISR 4000 Series routers, both internal interfaces are connected to the MGF. A hypervisor is installed on the UCS E-Series blade, and the Cisco FTD software runs as a virtual machine on it.

Legacy IPSs were traditionally used in network infrastructures to protect against known security threats. Often, two concepts were used: IPS and intrusion detection systems (IDS). IDSs mostly detect and generate alerts for various attacks or intrusion attempts, whereas IPSs can also prevent and mitigate attacks. The remainder of this section focuses on IPS, but you should note that there are no significant differences between the methodologies used in IPS and IDS for attack detection.

The following Cisco routers are typically used by small, medium, and large enterprises and provide security capabilities:

- Cisco 800 Series Routers
- Cisco 900 Series Integrated Services Routers
- Cisco 1000 Series Integrated Services Routers
- Cisco 1800 Series Integrated Services Routers
- Cisco 4000 Series Integrated Services Routers
- Cisco Catalyst 8300 Series Edge Platforms
- Cisco Catalyst 8200 Series Edge Platforms
- Cisco Catalyst 8200 Series Edge uCPE

Cisco SD-WAN provides a range of security capabilities that help secure the network infrastructure. Cisco is continuously improving its SD-WAN solution with each release. Some of the security features that are available with this solution include:

- A high-speed logging Enterprise Firewall with Application Awareness.
- A Self zone policy for zone-based firewalls that leverages a default zone in the firewall associated with a VPN tunnel, enabling the creation of policies to control incoming and outgoing traffic.
- Secure communication via IPsec pairwise keys.
- Intrusion prevention system capabilities.
- URL filtering.
- Secure Malware Defense.
- Integration with SD-WAN Umbrella.
- Single sign-on capabilities.

A stateful firewall maintains the context and state of connections and enforces policies accordingly.
Cisco SD-WAN provides a stateful firewall that can be used to inspect and filter traffic based on source and destination IP addresses, ports, and protocols. Cisco SD-WAN can identify and filter traffic based on specific applications using deep packet inspection (DPI). This allows administrators to apply policies based on specific application types, such as video streaming, VoIP, or web traffic.

Cisco SD-WAN includes an IPS that can detect and prevent known and unknown threats. The IPS uses signature-based detection and machine learning algorithms to identify and block malicious traffic. Cisco SD-WAN can block access to websites based on their URL or content category. This feature allows administrators to restrict access to certain websites, such as social media or gambling sites, to ensure compliance with organizational policies. Cisco SD-WAN includes a solution that uses machine learning algorithms and behavioral analysis to detect and prevent advanced threats. The solution can identify and block malware, ransomware, and other types of advanced threats in real time.

#### Introduction to Cisco Secure Intrusion Prevention (NGIPS)

Legacy IPSs depend mostly on matching signature-based patterns to identify and potentially prevent malicious activity. These are some of the basic characteristics of legacy IPSs:

- They are sometimes deployed behind a firewall when providing IPS functionality (inline). Often, an IPS is also placed in the network without a firewall in front of it.
- They often look for attempts to exploit a vulnerability and not for the existence of a vulnerability.
- They often generate large amounts of event data that are difficult to correlate.
- They focus on individual indicators/events without focusing on contextual information to take action.
- Legacy IPSs require manual tuning for better efficacy.

Thus, legacy IPSs suffer from certain shortcomings, including the following:

- They often need to be operated in conjunction with other products or tools (firewalls, analytics, and correlation tools).
- They are sometimes not very effective and may be ignored.
- Their operation costs and the operating resources they need are high.
- They can leave infrastructures imperfectly covered against attackers.

Next-Generation IPSs (NGIPSs) supplement legacy IPS functionality with more capabilities, such as the following:

- Application awareness and control: NGIPSs provide visibility into Layer 7 applications and can protect against Layer 7 threats.
- Content awareness of the information traversing the infrastructure: For example, knowledge about files transferred between two hosts can be used to identify viruses transferred and the trajectory of a virus infection in a system.
- Contextual awareness: Helps better understand alerts and automatically deduce comprehensive information about the events taking place, which makes the NGIPS less complex and means it requires less tuning.
- Host and user awareness: The infrastructure offers more conclusive information about the events taking place.
- Automated tuning and recommendations: This allows an administrator to follow recommendations and tune signatures specifically to their environment.
- Impact and vulnerability assessment of the events taking place: The impact of a security event identified by the system can be evaluated based on the information available for the environment. For example, a Windows system that is identified as not being exposed to a given vulnerability cannot be severely impacted by an attempt to exploit that vulnerability against it.

Thus, it is clear that in the threat landscape of both today and the future, NGIPS functionality has an important role in protecting and providing coverage against known attacks and new types of exploits.
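The stateful inspection mentioned for the Cisco ASA earlier in the chapter and the SD-WAN stateful firewall described above both rest on the same idea: the firewall remembers which sessions its policy admitted, so the reply half of a permitted outbound connection is allowed without a matching reverse rule, while unsolicited inbound packets still hit the implicit deny. The Python program below is an added example, not Cisco ASA or SD-WAN code; it evaluates the same constructed rule set once as a plain packet filter and once with connection tracking, so the difference is visible on the reply packet. Addresses, the rule, and the packets are constructed.

```python
"""Stateless ACL evaluation next to stateful connection tracking.

Added example, not Cisco ASA or SD-WAN code: it shows why a stateful firewall can
permit the return half of an outbound session that a plain packet filter with the
same rules would drop. Addresses, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One access control entry: first match wins, implicit deny at the end."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any)
    src_net: str                     # CIDR
    dst_net: str                     # CIDR
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def stateless_decision(rules: List[Rule], p: Packet) -> str:
    """Plain packet filter: every packet is judged on its own headers alone."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Tracks permitted sessions so reply packets are allowed without a reverse rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.connections: set = set()   # 5-tuples of sessions the policy admitted

    def process(self, p: Packet) -> str:
        forward = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reverse in self.connections:
            return "permit (return traffic of tracked connection)"
        if forward in self.connections:
            return "permit (tracked connection)"
        if stateless_decision(self.rules, p) == "permit":
            self.connections.add(forward)   # remember the session for its replies
            return "permit (new connection)"
        return "deny"


# Constructed policy: inside hosts may open HTTPS to anywhere; nothing else is listed,
# so unsolicited inbound traffic falls through to the implicit deny.
RULES = [Rule("permit", "tcp", "192.168.1.0/24", "0.0.0.0/0", 443)]

# Constructed packets: an outbound HTTPS SYN, its reply, and an unsolicited inbound SMB attempt.
OUTBOUND = Packet("tcp", "192.168.1.10", 50000, "203.0.113.5", 443)
REPLY = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 50000)
UNSOLICITED = Packet("tcp", "198.51.100.7", 4444, "192.168.1.10", 445)


def compare() -> List[Tuple[str, str, str]]:
    """Return (packet name, stateless decision, stateful decision) for each sample packet."""
    fw = StatefulFirewall(RULES)
    results = []
    for name, pkt in [("outbound", OUTBOUND), ("reply", REPLY), ("unsolicited", UNSOLICITED)]:
        results.append((name, stateless_decision(RULES, pkt), fw.process(pkt)))
    return results


if __name__ == "__main__":
    for name, stateless, stateful in compare():
        print(f"{name:12} stateless={stateless:8} stateful={stateful}")
```

On a real appliance the connection table also carries TCP state and idle timers, so a reply is only honored while the session is alive; the example keeps the table as a plain set to isolate the one point that matters here, that the reply is permitted because of remembered context rather than because of a rule.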
Modern networks constantly evolve, as do miscreants and their attack methods. People and machines that could misbehave reside both inside and outside a network infrastructure, and devices communicate in many different forms. This interconnected infrastructure, with attackers that could be located anywhere, is called the "any-to-any challenge." Almost all modern environments face this challenge. Cisco is a leader in NGIPS, offering Cisco Secure Intrusion Prevention System (NGIPS) products that provide protection against the constantly evolving attack surfaces in these environments.

Modern security tools need to integrate directly into the network fabric in order to maximize performance and efficiency. Responses need to be comprehensive and simple, protection must be continuous, and network controls should not be implemented disparately and individually. To meet these requirements, Cisco follows a security model that looks at the actions needed before, during, and after an attack, applied to mobile devices, virtual machines, endpoints, and more. Cisco Secure Intrusion Prevention NGIPS functionality operates mostly in the "during" phase of the attack continuum, but all phases are covered by the integrated capabilities of the Cisco Firepower product portfolio.

The Cisco Secure Intrusion Prevention NGIPS engine is based on the well-known open-source Snort engine. Snort, originally written by Martin Roesch, whose company Sourcefire was acquired by Cisco in 2013, is an open-source IPS that is widely used in the industry. The Cisco Snort IPS rules are developed by the Cisco Talos team and are open for inspection. They are built on collective security intelligence from Cisco Talos and a variety of other sources, and the rule set offers broad product and threat coverage. In addition, third-party and custom rules can be integrated into Cisco NGIPS and tuned for the local environment.
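Because Talos rules and custom rules share one Snort rule syntax, an administrator integrating third-party or locally written rules needs to check them before import. The following is an added example, not Talos or Cisco code: a small parser for Snort 2 style rule text and the sanity checks a practitioner would want, namely a well-formed header, the required `msg`/`sid`/`rev` options, a SID in the local range (1,000,000 and above) so it does not collide with distributed rules, and at least one payload match so the rule does not fire on every packet that matches the header. The two rules are constructed for illustration; `$HOME_NET` and `$EXTERNAL_NET` are the standard Snort variables.

```python
# Added example (not Talos or Cisco code): parse Snort 2 style rules and lint
# them before importing custom or third-party rules into an NGIPS. Sample rules
# are constructed; the local-SID threshold follows the Snort convention that
# SIDs below 1,000,000 are reserved for distributed rule sets.
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|reject|pass|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
LOCAL_SID_MIN = 1_000_000


def parse_rule(line):
    """Split a rule into its header fields and an options dict (option -> list of values)."""
    match = HEADER_RE.match(line)
    if not match:
        raise ValueError("malformed rule header")
    rule = {k: match.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    # Options are ';'-terminated; a literal ';' inside content is escaped as '\;'.
    for opt in re.split(r"(?<!\\);", match.group("options")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    rule["options"] = options
    return rule


def check_rule(rule):
    """Return a list of problems; an empty list means the rule is safe to import."""
    problems = []
    opts = rule["options"]
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            problems.append(f"missing {required}")
    if "sid" in opts:
        sid = int(opts["sid"][0])
        if sid < LOCAL_SID_MIN:
            problems.append(f"sid {sid} is in the range reserved for distributed rules")
    if "content" not in opts and "pcre" not in opts:
        problems.append("no content/pcre match; rule fires on every packet matching the header")
    return problems


def lint_rules(lines):
    """Map each non-empty, non-comment line to its problems (parse errors included)."""
    report = {}
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            report[n] = check_rule(parse_rule(line))
        except ValueError as exc:
            report[n] = [str(exc)]
    return report


# Constructed sample rules: one clean local rule, one with two problems.
GOOD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB header probe"; '
             'flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; '
             'sid:1000001; rev:1; classtype:attempted-recon;)')
BAD_RULE = 'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL catch-all"; sid:2048; rev:1;)'

if __name__ == "__main__":
    for lineno, problems in lint_rules([GOOD_RULE, "# comment", BAD_RULE]).items():
        print(lineno, problems or "ok")
```

The second rule illustrates the two mistakes that most often cause trouble when custom rules are merged with a Talos rule set: a SID that a distributed rule may already use, and a header-only rule that alerts on every HTTP connection.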
The following are some of the most important capabilities of Cisco NGIPS:

- **Threat containment and remediation:** Cisco Secure Intrusion Prevention NGIPS provides protection against known and new threats. Its features include file analysis, packet- and flow-based inspection, and vulnerability assessment.
- **Application visibility:** Cisco Secure Intrusion Prevention NGIPS offers deep inspection and control of application-specific information for better efficacy.
- **Identity management:** NGIPS policies can be enforced by using contextual user information.
- **Security automation:** Cisco Secure Intrusion Prevention NGIPS includes automated event impact assessment and policy tuning.
- **Logging and traceability management:** Event records can be used in retrospective analysis.
- **High availability and stacking:** Cisco Secure Intrusion Prevention NGIPS provides redundancy and performance by leveraging multiple devices.
- **Network behavioral analysis:** Key behavioral indicators and threat scores help analysts prioritize and recover from attacks.
- **Access control and segmentation:** Access policies can be applied to separate traffic profiles in the network.
- **Real-time contextual awareness:** NGIPS discovers and provides information about applications, users, devices, operating systems, vulnerabilities, services, processes, files, and threat data in the IT environment.

#### Surveying the Cisco Secure Firewall Management Center (FMC)

Cisco Secure Firewall devices, Cisco Secure Intrusion Prevention NGIPS devices, and Cisco ASA FirePOWER modules can be managed by the Firewall Management Center (FMC), formerly known as the Firepower Management Center and before that as the FireSIGHT Management Center. The Cisco FMC, Cisco FTD, and the Cisco ASA FirePOWER module require additional licenses.

**NOTE** The Cisco ASA itself requires no additional licenses for FirePOWER Services. FirePOWER Services running on the Cisco ASA 5506-X, 5508-X, and 5516-X can be managed using Adaptive Security Device Manager (ASDM), and in that case the module licenses are installed through ASDM. For any Cisco ASA with FirePOWER Services that is managed by a Firewall Management Center, the licenses are installed on the FMC and consumed by the module.

When you add a managed device to the Cisco FMC, you must provide the IP address of the managed device along with a registration key for authentication. The Cisco FMC and the managed device use the registration key, and optionally a NAT ID, to authenticate and authorize each other during initial registration. If you do not know the device IP address, or the device is behind a NAT/PAT device so that the FMC cannot reach it, you specify only the NAT ID and the registration key on the FMC and leave the IP address blank; the same registration key and NAT ID are then configured on the device, which initiates the connection. You typically use the NAT ID in NAT environments, but you can also use it to simplify adding many devices to the Cisco FMC. However, the NAT ID must be unique per device.

The Cisco FMC provides very detailed analytics and statistics of what is happening in your network. You can select from many prebuilt dashboards or create your own. Figure 7-2 shows the Cisco FMC Summary Dashboard, which displays statistics and data about the top attackers, top targets, intrusion events, events by application protocol, and other elements. You can customize all dashboards in the Cisco FMC.

#### Comparing Network Security Solutions That Provide Firewall Capabilities

There are different Cisco solutions that provide intrusion prevention and firewall capabilities. You have already learned a few details about the Cisco ASA and the Cisco Firepower next-generation firewalls (NGFWs). Next-generation firewalls also provide intrusion prevention capabilities.
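The registration rules above (an address or a NAT ID, the same key on both sides, and a NAT ID that is unique per device) are easy to get wrong when many branch devices are added at once. The following is an added example, not Cisco code: it builds the device-registration body for the FMC REST API `devicerecords` endpoint, produces the matching `configure manager add` command for the FTD side, and rejects duplicate NAT IDs before anything is sent. The API path and field names (`hostName`, `regKey`, `natID`, `accessPolicy`) follow the FMC REST API as the author knows it; the device names, addresses, registration keys, and the access-policy identifier are constructed placeholders, and no request is actually sent.

```python
# Added example (not Cisco code): assemble FMC device-registration requests and
# enforce the NAT ID rules from the text. API path and field names follow the
# FMC REST API as the author understands it; all device data is constructed.
import json

# POST target on the FMC; {fmc} and {domain_uuid} are filled in by the caller.
FMC_DEVICERECORDS = "https://{fmc}/api/fmc_config/v1/domain/{domain_uuid}/devices/devicerecords"


def registration_payload(name, reg_key, access_policy_id, host=None, nat_id=None):
    """JSON body for adding one managed device.

    Either host (an address the FMC can reach) or nat_id must be given: when the
    device sits behind NAT the FMC cannot connect to it, so the device connects
    out and the pair (reg_key, nat_id) identifies it to the FMC.
    """
    if host is None and nat_id is None:
        raise ValueError(f"{name}: give a reachable address or a NAT ID")
    body = {
        "name": name,
        "regKey": reg_key,
        "type": "Device",
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
    }
    if host is not None:
        body["hostName"] = host
    if nat_id is not None:
        body["natID"] = nat_id
    return body


def ftd_cli_command(fmc_address, reg_key, nat_id=None):
    """The matching command entered on the FTD: configure manager add.

    The key (and NAT ID, if used) must be the same string on both sides.
    DONTRESOLVE stands in for the FMC address when the device cannot reach the
    FMC directly, in which case the NAT ID is mandatory.
    """
    if fmc_address is None and nat_id is None:
        raise ValueError("DONTRESOLVE requires a NAT ID")
    parts = ["configure manager add", fmc_address or "DONTRESOLVE", reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


def duplicate_nat_ids(payloads):
    """Return NAT IDs used by more than one device; the FMC requires them to be unique."""
    owners = {}
    for body in payloads:
        nat_id = body.get("natID")
        if nat_id is not None:
            owners.setdefault(nat_id, []).append(body["name"])
    return sorted(nid for nid, names in owners.items() if len(names) > 1)


def validate_fleet(payloads):
    """Fail fast before any POST is sent."""
    dupes = duplicate_nat_ids(payloads)
    if dupes:
        raise ValueError(f"NAT ID reused across devices: {dupes}")
    return True


# Constructed fleet: one device the FMC can reach, two branches behind NAT.
POLICY_ID = "00000000-0000-0ed3-0000-000000000001"   # placeholder access-policy UUID
SAMPLE_FLEET = [
    registration_payload("ftd-dc1", "dc1-regkey", POLICY_ID, host="192.0.2.10"),
    registration_payload("ftd-branch1", "br1-regkey", POLICY_ID, nat_id="branch1"),
    registration_payload("ftd-branch2", "br2-regkey", POLICY_ID, nat_id="branch2"),
]

if __name__ == "__main__":
    validate_fleet(SAMPLE_FLEET)
    url = FMC_DEVICERECORDS.format(fmc="fmc.example.net", domain_uuid="e276abec-e0f2-11e3-8169-6d9ed49b625f")
    for body in SAMPLE_FLEET:
        print("POST", url, json.dumps(body))
        print("  on device:", ftd_cli_command("198.51.100.1", body["regKey"], body.get("natID")))
```

The domain UUID shown in the usage block is the default Global domain identifier that the FMC API returns; everything else in the run is placeholder data. In practice the registration key is a one-time shared secret chosen per device, not something derived from the device name as in the sample.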
There is also one more firewall solution to consider: the Cisco IOS Zone-Based Firewall (ZBFW). The Cisco IOS Zone-Based Firewall is a stateful firewall used in Cisco IOS devices. ZBFW is the successor to the legacy IOS firewall feature, Context-Based Access Control (CBAC). Cisco ASA and FTD devices are considered dedicated firewall devices; however,
