Cisco sprinkles Sourcefire goodies on ASA firewalls
FirePOWER can be licensed into existing kit
Cisco has taken the next step in wrapping the technology it acquired along with Sourcefire, by putting its Adaptive Security Appliance (ASA) next-gen firewalls and the FirePOWER technology into the blender and giving it a good spin.
The idea is to run up a combination of firewall, application control, intrusion prevention and malware protection, for either new customers (buying the Cisco ASA 5500 Series firewall with FirePOWER services) or as a licence buy for existing 5500-X or 5585-X.
As Cisco's ANZ general manager of security Anthony Stitt explained to Vulture South, “there's a huge installed base of ASAs that can be software upgraded with this.”
Stitt told El Reg an important part of the integration of the IPS/firewall combination is that it's designed to thin out the usual flood of notifications and alarms presented to sysadmins. The combination, he said, lets the firewall automatically build a profile of the network and its hosts, from servers down to mobiles.
That's because rule-tuning is one of the hard jobs in running an IPS, he explained: “We're collecting information about the environment – we compare signatures, IP reputation, malware signatures, and we can compare that to the environment in which we're sitting.
“If we see a Windows attack against a system that we know is running a vulnerable version, then we create an impact flag we attach to the event to tell you which to focus on first, rather than the mass of events that you see in IPS.
“The other thing we use that data for is this: we can see, from what we know about your environment, is that you're running SCADA protocols, so these tools can be turned on; and you have no Unix, so that set of rules can be turned off.”
In regulated environments like banks' networks, Stitt noted, rule maintenance is a big thing: there will be teams devoted to writing, maintaining and auditing security rules, and making sure that obsolete rules are eliminated.
The ASA/FirePOWER combination is also designed to leverage Cisco's OpenAppID, which the company decided to open source earlier this year so that third parties could add their own application signatures into the system.
“The community has taken the application signatures from about 1,500 – that's what we started with – up to about 4,000. The community's jumping on the bandwagon with OpenApp ID,” he said.
Cisco's got more information about the ASA with FirePOWER here. ®