What is our primary use case?
I am an IT administrator and my job is probably 80% security analyst. We are a HIPAA environment, so we're a regulated industry and my job is to keep us from being breached. It's extremely difficult and an ever-changing, evolving problem. As such, I spend a couple of hours a day just reading everything threat report from every source I can get.
We have a pair of 2110 models, with high availability set up.
There are multiple licenses that you can get with this firewall, and we subscribe to all three. A few months ago, we made the decision to do an enterprise agreement just because of the amount of security software we have. We subscribe to the threat, the URL, and the malware licensing. We use it for IPS, URL blocking, IP blocking, and domain blocking.
We've embraced the Cisco ecosystem primarily because I think they made some very intelligent acquisitions. We talk about security and depth and they've really done a good job of targeting their acquisition of OpenDNS Umbrella. It's all part of our ecosystem.
I take the firewall information and using SecureX, Cisco Threat Response, AMP for Endpoints, and Umbrella, I'm able to aggregate all that data with what I'm getting from the firewalls and from our email security, all into one location. From my perspective, being a medium-sized organization, threat hunting can be extremely difficult.
How has it helped my organization?
This product enriches all of the threat data, which I am able to see in one place.
There's nothing I personally have needed to do that I haven't been able to do with the firewall. It integrates so tightly into how I spend the majority of my day, which is threat response.
Much of this depends on any given organization's use case, but because I was an early adapter of Cisco Threat Response and was able to start pulling that data into it, and aggregate that with all of my other data. As I'm doing threat hunting, rather than jump into the firewall and look in the firewall at events, I'm able to pull that directly into Threat Response.
The ability to see the correlation of different event types in one place, these firewalls have definitely enriched that. You have Umbrella, but there are so many different attack types that it's good to have the DNS inspection at the firewall on the edge level too. So, the ability to take all of that firewall data and ingest it directly via SecureX and into our SIEM, where I have other threat feeds, including third-party thread feeds, gives our SIEM the ability to look at the firewall data as well. It lends to the whole concept of layering, where you don't have to have all of your eggs in one basket.
With our Rapid7 solution, I'm able to take the firewall data and dump it into our SIEM. The SIEM is using its threat feeds, as well as the threat feeds that are coming from Cisco Talos. In fact, I have other ones coming into the SIEM as well. So, I'm able to also make sure that something's not missed on the Talos side because it's getting dumped into our SIEM at the same time. All of this is easy to set up and in fact, I can automate it because I can get the threat data from the firewall.
In terms of its ability to future-proof our security strategy, every update they've done makes sense. We've been using one flavor or another of Cisco firewall products for a long time. Although I have friends that live and die by Fortinet or Palo Alto, I've never personally felt that I'm wanting for features.
What is most valuable?
We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall.
If I had to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates from Talos gives me some peace of mind.
The real strength for the Cisco next-generation firewall is it'll do pretty much anything you want it to do, although it requires expertise and proper implementation. It's not an off-the-shelf product. For instance, there are some firewalls that may be easier to set up because they don't have the complexity, but at the same time, they don't have the feature set that the Cisco firewall has.
The firewall does DNS inspection, and you can create policies there.
The firewall integrates seamlessly and fully with our SIEM. We use a Rapid7 SIEM inside IDR and it now integrates seamlessly with that. Cisco's doing a lot more with APIs and automation, which we've been leveraging.
In terms of application visibility and control, I used the firewall and I also use Umbrella, but it depends on what it is that I'm seeing. One component that I use is network discovery. When you configure the policy properly, it'll go out and do network discovery so you're not loading up a bunch of rules you don't necessarily need. Instead, you're targeting rules that Cisco will say, "Hey, because of network discovery, we found that with this bind to whichever version server, we recommend you apply this ruleset." This is something that's been very helpful. You don't necessarily have to download every rule set, depending on your environment.
I have used it for application control. Right now, we're in the midst of doing tighter integration with ISE and the integration is very good. This is something that we would expect, given that it's a Cisco product.
I use the automated policy application and enforcement every chance I get. Using an automation approach, I would rather have a machine isolated even if it's a false positive because that can happen much faster than I can get an alert and react to it. On my end, I'm trying to automate everything that I can, and I haven't experienced a false positive yet.
Anything that's machine learning-based with automation, that's where I'm focusing a fair amount of attention. Another advantage to having Cisco is that their installed base is so huge. With machine learning, you're benefiting from that large base because the bigger their reach is, the bigger and better the dataset is for machine learning.
At some point, you have to trust that the data set is good. What's impressed me about Cisco is with all of our Cisco products, whether it's AMP or whatever, they're really putting an emphasis on automation, including workflows. For someone like me, if I get an alert in the middle of the night and I see it at 6:00 AM, it is going to be a case of valuable time lost, so anything that I can do to make my life easier, I'll definitely do it.
What needs improvement?
It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it, which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible by any means. One thing about Cisco is whatever they're doing, it keeps getting better.
The speed of deploying policies could be improved, although it is not terrible by any means.
Another legitimate criticism of Cisco that comes to mind is that you need to make sure you've got your licensing straightened out. I haven't had any problems in a long time, but I know people that haven't used Cisco products sometimes can run into issues because they haven't figured out so-called smart licensing. Depending on the Cisco person you're working with, make sure you have all that stuff all set to go before you start the implementation.
That's an area that Cisco has been working on, I know. But licensing is a common complaint about Cisco. I suggest making sure that you have that stuff in place and you've got all your licenses all ready to go. It seems like a dumb thing, but my most common complaint about Cisco before we entered into our enterprise agreement was licensing. When it's working, it's great, but God help you if you've got a licensing problem.
What do I think about the stability of the solution?
They've been very reliable for us and we haven't had one fail, so we've never had to failover. That has been generally my experience with Cisco products, which is one reason that we tend to lean on Cisco hardware for switching, too. The reliability of the hardware over the years has been very good.
What do I think about the scalability of the solution?
We have integrated these firewalls with other products, such as Cisco ISE, and it hasn't been a problem. ISE is a Cisco product so it would make sense that it integrates well, but ISE integrates with other firewalls as well.
Everything that I've done with these firewalls has been pretty seamless. We've had no downtime with them at all. They've been very rugged as we expanded usage through integration.
How are customer service and technical support?
People knock Cisco TAC but in my experience, they have been very good. I've always found them to be extremely helpful. Friends that I have made from inside Cisco say, "Hey, you want me to look at this or that?", which is very helpful.
Which solution did I use previously and why did I switch?
The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.
Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.
If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.
How was the initial setup?
Cisco gives you lots of options, which means that it can be complicated to set up. You have to know what you're doing and it's good to have somebody double-check your work. But, on the other hand, it does everything from deep packet inspection and URL filtering to whatever you want it to do, with world-class integration. It integrates with Umbrella, AnyConnect, ISE, StealthWatch, and other products.
It is important to remember that a firewall is only as good as it's configured. Sometimes, people will forget to configure a policy, or they will create the rules but forget to apply them. It comes back to the fact that it's a professional product and it's only as good as the person who's using it.
I do some security consulting and I've seen many misconfigurations. People will write a Rule Set but forget to apply it to a policy, for example. There is no foolproof product and I think it is a challenge to say, "Wow, this firewall is better than that firewall." These things are complex, but Cisco has always, in my mind, set many kinds of standards. I don't know any serious security person that would argue that.
Especially AnyConnect with an Umbrella module attached, I think most people would argue it's state-of-the-art. I know that I would because it allows me to do a couple of things at once. It's not just the firewall; it's AnyConnect, and it's what you can do with AnyConnect given its functionality with Umbrella. It gets kind of complicated and it depends on the use case, and some people don't need that.
Again, what makes it difficult to say something about a firewall is, the configuration possibilities are so varied and endless. How people license them is different. Some people think, "I prefer the IPS License," or whatever. But again, I think to get the strength of a Cisco firewall is just that.
I found our setup straightforward, but you don't go into it blind. You have to be clear on your requirements and you need to take the setup step-by-step. Whenever I deploy a firewall, I have a couple of people to double-check my work. These are people who only work on Cisco firewalls and they act as my proofreaders whenever I am doing a new deployment.
Cisco's documentation is very good and it's always very thorough. However, it's not for a novice, so you wouldn't want a novice setting up the firewall for an enterprise. Personally, I've never had any issues with policies not deploying properly or any other such problems.
Talking about how long it takes to deploy, it's a good weekend if it's a new deployment. It's not just clicking and you're done. I haven't installed a Fortinet product, but I can't imagine any of them are easy to install. Essentially, I found it straightforward, but it is involved. You've got to take your time with it.
You need to make sure anything you do with your networking, that you have it planned out well in advance. But once you do that, you go through the steps, which are well-documented by Cisco.
What's my experience with pricing, setup cost, and licensing?
Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you a million dollars, it's a bargain. That's the way I look at it.
Which other solutions did I evaluate?
We also use Cisco Umbrella, and I may use features from that product, depending on where I am.
What other advice do I have?
Every firewall has its pluses and minuses, but because we've taken such a layered approach and we're not relying on one thing to keep us safe, I've never really gone, "Oh, I've had it." I've heard some complaints about Cisco TAC, but generally speaking, I've been able to configure them and do whatever I need to with the Cisco firewall. There's nothing in my experience with Cisco that leads me to believe that that's going to stop.
I've always felt comfortable with every Cisco purchase we've made and every improvement they've made to it. I think they keep moving in a positive direction and they're pretty good with updates and fixes. You can have 10 people, networking people or security people, and they'll all have different takes on it. That said, I've always been very comfortable. I don't stay up at night and worry about our firewalls.
One thing to remember about Cisco is that whatever they're doing, it just keeps getting better. In my experience with Cisco, I have yet to have a product of theirs that they haven't improved over time. For example, we bought into OpenDNS Umbrella before Cisco acquired them. At the time, I was wondering whether they were going to improve it or what was going to happen with it, because you can never be sure. Again, Cisco has done nothing but improve it. It's a far more mature product than when we picked it up five or six years ago.
While not directly related to the NGFW, it speaks to Cisco's overarching vision for security, which again, I'm always looking at layers. If you're thinking that you're going to secure an environment by buying a firewall, yes, that's a really important piece of it, but it's only one piece of it.
Cisco is a company that is really open about vulnerabilities, which some people could see that as a negative but I see as a positive. I do security all the time, so I'm always going to be paranoid. That said, I've spent so much time doing this stuff that I've developed a lot of trust in Cisco. Again, I think there are other great products out there, but Cisco has made it really easy to integrate stuff into this ecosystem where you have multiple layers of not perfect, but state-of-the-art enterprise security.
My advice for anybody who is implementing this solution is, first of all, to know what you're doing. If you're not sure then get somebody that does. However, I would say that's probably true of any firewall. If your business relies on it, have all of your information ready beforehand, it's just all the straightforward stuff that any security person needs.
In summary, I think what I can say about them is there's nothing I needed to do that I haven't been able to do. I have incredible visibility into everything that's happening. We continue to leverage more features, to use it in different ways, and we haven't run into any limitations. I cannot say that the product is perfect, however, and I would deduct a mark for the interface loading. It's not terrible but sometimes, especially when you're doing the setup, it can chug away for a while. Considering what the device does, I think that it's a small complaint.
I would rate this solution a nine out of ten.
Which version of this solution are you currently using?