Cisco Defense Orchestrator Review

Makes it easier to manage firewalls, even for those without much experience

What is our primary use case?

We use it to manage our firewalls.

How has it helped my organization?

There are two main aspects. One is that it makes it easier to make sure that things are consistent and that there aren't too many mistakes being made through a more manual process.

The second aspect is that it makes it easier for people to learn how to manage firewalls, or at least it makes it easier for them to be able to make some changes without having a deep knowledge of the technical aspects of firewall management. It allows us to have more people taking part in managing firewalls, without requiring a lot of training.

The solution has made our security team more productive because it allows us to have more people do the same kind of work, and they take less time doing it. It catches what could have been mistakes on our part.

It also makes it easier to make changes across firewalls. Daily management is probably the main benefit that we were looking for with this product and that works. There are a lot of problems which I noted elsewhere in this review but, generally speaking, daily management of our firewalls was the point of having it and that aspect is successful.

It has increased the visibility of security quite a bit. It allows us to give read-only access to some people who are not supposed to be making changes, but who are helped a lot by being able to see what the security policies are. However, those people aren't making use of that ability very much. The solution only makes it marginally easier for management to take a look and see if they find something wrong.

What is most valuable?

The ability to do operations on multiple firewalls at once is valuable because it saves time and mental effort. The solution's ability to make bulk changes makes it very convenient to manage things at once on multiple targets.

Although the solution supports ASA, FTD, and Meraki MX devices, we don't have any FTD or Meraki. But for ASA, which is the only thing we use it for, that's where it saves time and mental energy in figuring out what needs to be done, or how to implement something that has been requested.

What needs improvement?

In terms of bulk changes, specifically for accessing policies, there is one limitation which is especially annoying and at least one bug which hasn't been fixed. In terms of bulk changes for image upgrades, that's nice, but I have found that it's not really useful in most cases, because of limitations of the product.

I've found dozens of bugs over the year we've been using it. The more I use it for different things, the more problems I find. Some of them get resolved pretty quickly. For others, I have to argue for a long time about why they are problematic and should be fixed. For some, they decide they're not going to fix them because they don't care.

By far, most of the problems have to do with the user interface. A lot of thought and work has gone into the back-end component to make the product do what it's intended to do, but the way it is presented for use hasn't gotten nearly as much thought to make it smart and bug-free. I wouldn't say that it's not user-friendly, but there are a lot of bugs or features that are not very adequate. It's kind of user-friendly but there are a number of display issues or ways of doing things that are not as comprehensive; they're more limited compared to what you can do on your own with other products.

In terms of auditing, we're worse off. It took away some of the capabilities that we had without the product because of a decision Cisco made on how to handle the history of changes. That's one example of a specific issue where we asked them to do things more intelligently, but they haven't. They kind-of agreed, but they haven't done it yet, and it's not going to be possible to make up for the past year of not having that in place. So auditing is definitely.

For how long have I used the solution?

We've been using Cisco Defense Orchestrator ( /products/cisco-defense-orchestrator-reviews ) for about a year.

What do I think about the stability of the solution?

There have been no interruptions or failures. It works all the time, as designed.

In terms of evolving, it's good that they've been continuously making changes as customers request features or, in my case, find bugs. They've stabilized it. They've been improving it continuously by fixing bugs or adding features which make it useful for more than one type of firewall.

As they make changes, it improves. The changes they're making are not breaking things, which is sometimes a problem with software. It happens with other companies, sometimes, that they release a new version that has a problem which wasn't a problem before. They end up breaking things and it's not a stable platform. 

In the case of CDO, that's not what's happening at all. They're always making changes that don't affect the reliability of the product at all. I consider that to be stable.

What do I think about the scalability of the solution?

We're on the small end of the scale in terms of environment size. We have four production firewalls and one test firewall, and there are no plans to expand on that. We could use it to manage more firewalls, but those other firewalls are managed by a different team which doesn't want to use the same products that our team uses to manage firewalls. We have the potential, the switches and other networking products, for even bigger savings or integration, but our internal structure prevents it from happening.

How are customer service and technical support?

With maybe one or two exceptions out of 20 or 30, so more than 90 percent of the time, technical support has been very responsive. For this product, they are very uncharacteristically interested in resolving whatever issue the customer reports. They're really attentive, and they address whatever we bring up as quickly as they can. That's been a very positive aspect of the product.

The flip side is that it's a fairly new product and they're still polishing it. So it's certainly logical that they would take into account whatever customers say because that allows them to improve the product. That makes the technical support an "intermediary" between the customers and the design team. They're still doing a lot of design, and technical support plays an important role in that.

As I've mentioned, I have found a lot of bugs. I have reported them to technical support and they have opened cases internally with the development team for the product. That team takes action as they have resources to do so. More than 90 percent of the time, they agree that what I have said should be done. It has been a very good experience with technical support.

If you previously used a different solution, which one did you use and why did you switch?

Before, we were using a completely manual process which is obviously less efficient, but also more controllable. We chose how to do things, which is something we can't do anymore because of product limitations or shortcomings that they may or may not fix eventually.

How was the initial setup?

The initial setup was very easy. We had to build one virtual machine on our infrastructure and then the process of adding firewalls to the system was very straightforward. It took almost no time to get going. The whole VM part took less than an hour and the adding of firewalls took about five minutes each.

We started seeing value as soon as we tested it, even before we purchased it and started using it for production work. The value was obvious from the beginning of getting to know the product.

What about the implementation team?

We did it ourselves.

Which other solutions did I evaluate?

Before settling on Defense Orchestrator, we evaluated two other similar products. One was another product from Cisco which turned out to be way too complex and lack some of the features that we wanted. It turned out not to be usable in practice. The other was a lot more straightforward and a lot cheaper, but it was missing key features. CDO was a middle ground between the bigger Cisco product in the same category and a much smaller, cheaper product from another company.

The one from Cisco that was a pain to deal with was Security Manager, and the other one was from SolarWinds and is called Network Configuration Management.

What other advice do I have?

Try it with realistic situations in your environment. Make sure that you're able to perform the tasks that you were doing before. In other words, make sure you don't lose capabilities because you're going to do everything exclusively through the product. Make sure you understand what it covers and what it doesn't. Do your homework before you buy.

We haven't learned any big lessons from using this solution, but we have learned that using a firewall management tool that is good enough will allow you to save time and staffing, but that applies to any product, not just this one. This product hasn't existed for a very long time, but the very general lesson is that we benefit from using a firewall management tool as opposed to not using one, and CDO happens to be the one that we chose. But the lesson of benefiting from using a tool isn't the result of CDO being what it is. It's the result of CDO being one of the products in that category.

In terms of the solution's security features around storing our firewall configuration in the cloud, we assume that it's handled in a very secure way, considering that it is a security management product. The one thing that we are not happy about is that it is storing passwords and similar secret strings in clear text in the user interface. So when we copy and paste from the website, we have to manually remove those values and replace them with stars to hide the secret information. That's just about the only security issue we're not happy about or feel is not secure.

As for users of CDO in our company, excluding the read-only users, we have three people who are using it to perform tasks that affect what the firewalls do. My role is not very well-defined - I do all kinds of things. The other two are information/computer security specialists. Their job involves all kinds of IT security stuff. We have different levels of experience, so what each of us does depends on the complexity of the deployment.

Once it's installed, there's no maintenance or other deployment required. Only one person at a time can do deployments.

Let's say that on the scale of one to ten, ten represents something where we can't think of anyone ever doing something better, anywhere in the world, and zero means we can't use it. I'm very harsh, in general, in my evaluations. I'm thinking of the ten most important aspects and how many of those it covers, and how many it comes up short on, and I end up rating CDO at eight out of ten. The solution is 75 percent of our ideal.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Add a Comment
Sign Up with Email