ASA 5500-X Series and Firepower Threat Defence

ASA 5500-X SERIES AND FIREPOWER THREAT DEFENCE

Friday October 28, 2016  

The History

In the old days, Cisco had a strong firewall offering, called the ASA. Unfortunately, they didn’t have a strong offering in the IPS market. To address this disparity, a few years ago Cisco aquired a company called SourceFire in 2013.

SourceFire had been in the IPS industry for a while, and had some great offerings. You may have heard of Snort, an open source IPS that has been around for years. This was originally written by Martin Roesch, the founder of SourceFire.

When Cisco bought SourceFire, they rebranded the IPS suite into a product line called FirePower. FirePower can be deployed on dedicated IPS hardware in the network, or interestengly it can be integrated with the ASA firewall.

The Deployment

There are two ways this integration can be done; One is with the FirePower 4100 series and FirePower 9300 series hardware. These are made for data centre deployments with high bandwidth, and can be a bit pricey. However, they are definitely a FirePower device with ASA functionality.

The second option is to run the FirePower code on an ASA firewall. This is the inverse of the previous option (this is running FirePower on an ASA appliance, rather than running an ASA on a FirePower appliance). This is called ASA with FirePower Services, and will work on any 5500-X series (must have the ‘X’ in the name) that has an SSD hard disk installed.

For many of us, the second option is more feasible due to cost. This is especially true when deploying a Firewall/IPS on the network edge, or in a small campus or SMB.

The Unification

Unfortunately, there is a downside to this deployment. The FirePower code runs as a separate module on the ASA (the 5585-X series runs this module in hardware, the rest of the models runs it in software). This means that the ASA and FirePower features are administered separately. It also results in packets being redirected from the ASA to the module and back again.

To solve this issue, Cisco have released a unified software image called FirePower Threat Defence. This is a single image with both firewall and IPS functionality rolled onto one.

While the ASA with FirePower Services is still available, supported, and will likely be around for some time yet, this unified option is an attractive one, as it allows the entire ASA appliance to be centrally managed by the FirePower Management Center (formerly FireSight). This is attractive, as even small deployments can use FMC, with a 2-node virtual license.

Even smaller deployments such as an SMB can use the FirePower Device Manager, which is a non-Java replacement for the ASDM. Yes, you heard me right, I said that it doesn’t use Java! That’s probably the best news you will read all day.

The Fine Print

The current release of FTD is version 6.1 (released in August 2016), and there are a few catches to be aware of. Firstly, there is no support for ASA clustering. This one disappoints me, as I really want to use clustering. There is still HA available, but it is the classic failover model of active/standby.

I have also not been able to find any support for multi-context mode, which severely limits its potential for use in multi-tenanted environments. I for one, hope this is added in a future release.

If you are using the 5585-X series, then this is also not for you. FTD is not supported on the 5585-X. The simple reason is that FirePower is implemented in a completely separate hardware module.

There is some good news though, and that is support for a virtual edition, similar to the ASAv. This is called NGFWv, and it is likely that it will replace the ASAv in future, as it has all the ASA features and more. This currently runs on VMWare, AWS, and KVM.

One interesting restriction is that FTD cannot be configured at the CLI… Yes, really. It can’t be configured at the CLI. There is a CLI, but it is only used for troubleshooting (show commands and such). All configuration is either in FDM locally on the appliance, or centrally via FMC.

The Conclusion

I am looking forward to using FirePower Threat Defence. I just need to wait until it supports multi-context mode, which apparently is coming (along with clustering) in version 6.3, slated for March/April 2017.

If you would like to know more, I would recommend watching BRKSEC-2050 ASA FirePower NGFW Typical Deployment Scenarios in the Cisco Live On-Demand library.

If you’re interested in SNORT, the IPS engine behind Firepower, check out Tim Keary’s SNORT Cheat Sheet.