Cisco Firepower NGFW Review

Highlights and helps us catch Zero-day vulnerabilities traveling across our network


What is our primary use case?

We use them in multiple places on our network. We use them on the edge of our network, in more of the traditional sense for inbound and outbound filtering. We also use them as a center of our network between all of our users and servers, so that all user traffic going through our servers is IPS and IDS as well.

We have multiple Cisco 5000 Series firewalls and we also have a 4110 Series firewall, all running the FireSIGHT threat detection image. We keep that up to date within three months. If a new release comes out within three months, we're updating. The software deployment is on-prem.

How has it helped my organization?

We definitely feel that we're more secure now than we have been in the past. That goes back to those Zero-day vulnerabilities. An example would be some of the vulnerabilities with Adobe TIF files that were recognized. We run a document management system that wrote the extra, tailing zeros onto all the TIF files, and that was highly exploitable. The Cisco firewalls were able to catch that on the files traveling across our network and highlight it. Those are issues that, without the firewalls actually seeing the north-south traffic in our network, we just didn't have visibility into before. We were running blind and didn't even realize that we were vulnerable in those ways.

Cisco NGFW has excellent visibility through the constructs it has. New vulnerabilities come out and we have hit those multiple times thanks to their solution. We come in on a Monday and, all of a sudden, an application that was working on Friday isn't working. That's because a major vulnerability came out over the weekend. The firewalls, and being able to use the dashboards through FireSIGHT management, provide very good visibility into what's actually going on and why different items on the network are happening. Overall, I would say the visibility is very good.

In addition, among our multiple vendors for firewalls, etc., Cisco Talos really distinguishes Cisco from the Palo Altos and the Barracudas of the world. The work that they do to identify Zero-days and new threats out there, and then document all of that, is invaluable to our organization. I can't say enough about Cisco Talos.

What is most valuable?

The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things because we have some odd, custom-made products in our environment. What we've found through the IPS and IDS is that their vulnerability engines have caught things that are near-Zero-day items, inside of our network. Those items are capable being exploited although they were not actually being exploited. Being able to see what those exploits are, the potential for vulnerabilities and exploits, is critical for us.

What needs improvement?

Cisco firewalls provide us with some application visibility and control but that's one of those things that are involved in the continuous evolution of the next-generation firewalls. We have pretty good visibility into our applications. The issue that we run into is when it comes to some of the custom apps and unusual apps that we have. It doesn't give us quite the visibility that we're looking for, but we have other products then that fill that gap.

There would also be a little bit room for improvement on Cisco's automated policy application and enforcement. The worst part of the entire solution, and this is kind of trivial at times, is that management of the solution is difficult. You manage FireSIGHT through an internet browser. I've had Cisco tell me to manage it through Firefox because that's how they develop it. The problem is, depending on the page you're on, they don't function in the same way. The pages can be very buggy, or you can't resize columns in this one, or you can't do certain things in that one. It causes a headache in managing it. That's part of the reason that we don't do some of the policies, because management of it can be a little bit funky at times. There are other products that are a little cleaner when it comes to that.

For how long have I used the solution?

I've been using Cisco next-gen for at least four years.

What do I think about the stability of the solution?

Stability-wise, we haven't had too many issues. Before the next-generation firewalls, we used ASAs. In the 15-plus years that I've been using them I've only had one fail on me. Software-wise, we really haven't run into too many major bugs that we couldn't can get workarounds for by working with TAC. Overall the stability is excellent.

What do I think about the scalability of the solution?

Scalability is also excellent. I don't have any complaints about it. As long as you're willing to put the money forward, they are very scalable, but it's going to cost you.

Their ability to future-proof our security strategy is also very good. They continuously improve on and add items, functionalities, and features to their software.

User-wise, the government side of our organization doesn't have that many. There are maybe 1200 altogether. We had to upgrade our 5555s to 4110s and our 4110s are just about maxed out. We're pushing the max of the capabilities of all the equipment that we have. The 4110s average about eight gigabits a second all day long, for about 12 hours a day, through each of the devices. There are terabytes of traffic that go through those things a day.

We're always increasing the usage of these devices. They are the core of our network. We use them as our core routers and all traffic goes through them. They are the integral part, the center of our network. They're everything for us.

We have three people on our network team who maintain the entire network, including those devices. 

How are customer service and technical support?

Cisco's technical support is very good, overall. I've only run into one or two instances in the last 20 years where I came away with a negative experience. Those were generally unknown bugs but I didn't appreciate the way they handled some of those situations. But overall, Cisco's technical support is better than most companies'.

How was the initial setup?

We used the Cisco partner for implementation, but overall it seemed pretty straightforward. The deployment has been an ongoing thing. I'd say that we're never done with deploying our firewalls because of that constant state of change of the network. But the original deployment took four to five weeks.

For the ongoing deployment, the amount of time somethings takes depends on what we're doing. We had some 5555 firewalls and all of a sudden they were no longer capable of handling the traffic that we send through. We had to operate those with 4110s. It all depends on what's going through them and what the scope of the project is. But most deployments take less than a week.

There is also the fact that when you upgrade FireSIGHT to the next version and there are new features, you have to go through all the firewalls and make sure that they're utilizing all those features. That's one of the reasons it's always ongoing. It depends on what's released, what's new, what's old, and keeping up on that.

What about the implementation team?

The partner that we utilized was Heartland Business Solutions, in Wisconsin.

Our experience with them, overall, has been pretty good. When it comes to the Cisco world, our organization's mix of experience comes in. There are items that we can do outside of the partner because we have some very talented individuals that work for us, some Cisco Certified individuals.

One issue is that, in their business, Heartland is always trying to upsell. They are an intermediary, they play that middle guy all the time, but there are items that we're capable of doing that they push. They don't really allow us to just run with it because they want to get the engineer time and the tech time. They want to make revenue off of some items that we're capable of doing. That would be one issue with them.

Another item that is frustrating has to do with the way they manage our Cisco licenses and Smart Nets for us. I'll give an example. We have Cisco firewalls across our entire network. Every year we have to buy the subscriptions for malware, and URL filtering, etc., to get full utilization out of them. All of our firewalls are subscribed to the max when it comes to IPS, IDS, and file inspection. To get the licenses, they have to know how many firewalls etc. we have. We have an issue where one of our firewalls went down — it's in an HA so we're still up and functional — but it's still in a down state and we're working through it right now. We contacted them because all of a sudden we found out, hey, we don't have Smart Net. We pay them to manage our Smart Net contracts because it can be quite a hassle.

The question is, how can we not have Smart Net on a product that we know that we own. To get the subscription they know that we have X number of firewalls. When they renewed Smart Net they should know that there are that X number of firewalls in there, but there weren't. We run into a lot of that. We buy subscriptions for this, or there are yearly costs associated with that, but then when we match it up to Smart Net, we find out we don't have Smart Net on it or vice-versa. They have the numbers for subscriptions so they should be able to take those numbers and make sure that the Smart Net numbers match up with them. Or, they have the numbers for Smart Net and should be able to make sure we have the proper subscriptions lined up with it as well. That's been a frustrating point for us.

Other than those couple items, we had really good luck with them and they've been really good to us.

What was our ROI?

We have absolutely seen return on our investment. For example, before Cisco started doing the AMP for Endpoints, just as an example of Cisco security overall, we had Norton Antivirus on all of our workstations and we ran McAfee across all our servers. Our helpdesk and support staff were cleaning up anywhere from six to 13 malware-infested PCs a week. It was a full-time job for two individuals going around and continuously cleaning these, even though we had McAfee and Norton, which are supposedly some of the better ones out there.

After deploying AMP, we might have one incident every three months that our helpdesk or support has to deal with. We freed up two full-time individuals. AMP definitely has a cost, but then you look at the cost to end-users of not being able to use their PCs, or of the payroll department not being able to run their reports for payroll because the PC is too slow because it's infected with malware. 

So not only was there the cost of the two IT resources we gained, but other departments also gained hours back by not losing their PCs and devices.

What's my experience with pricing, setup cost, and licensing?

Our subscription costs, just for the firewalls, is between $400,000 and $500,000 a year. In addition, there is Smart Net, but the subscription base is the most substantial. 

In an environment like ours where you're only looking at a little over 1,000 users, when you start figuring out it all, it's basically $400 a user per year to license our Cisco firewalls. Cisco is very good. From everything I've seen, I truly believe that they lead the industry in all of this, but you do pay for it.

Which other solutions did I evaluate?

There have been evaluations of other products over the years. We do layer some of them to filter things through multiple product vendors, so if there ever is a vulnerability with Cisco, hopefully one of these other ones would catch it, or vice-versa.

But we have never evaluated others with a view to potentially replacing Cisco in our network. That's because of Cisco's being the largest network company in the world. When you have Cisco, it's hard to go away from them for any reason.

When it comes with the firewall side, one of the major differences does have to do with Talos. I've been involved in networks where Palo Altos have been broken and owned by hackers. I've been brought in to work on networks that way. The solution in those cases has been to replace with Cisco, to get control of what's going on. A lot of that has to do with Talos and their frequency of updates and how well they do with all of the security items. That's probably one of the main reasons that we don't ever look at a replacement for Cisco. We'll use other products in conjunction with it, but never to replace it.

What other advice do I have?

My advice would be: Don't let the price scare you.

I would describe the maturity of our company's security implementation as "working on it." It is an evolving process. When it comes to the Cisco product line, we try to keep it as up to date as possible when they release new products. An example would be their DNA Center which we're looking at installing in the next year. From a product standpoint, we're pretty well off. From a policy and procedure standpoint, that is where we're somewhat lacking in our organization.

In terms of the number of security tools our organization uses, we have a lot of them. From a software standpoint, we use tools from eight to 12 vendors, but there is more than one tool from each. We have anywhere from 30 to 40 security suites that we run across our environment. When it comes to hardware manufacturers, Cisco isn't the only one that we use. We use products from three different hardware manufacturers and layer our security that way. The way this number of tools affects our security operations is that there's a lot of overlap. But there are different groups that look at and use each set of tools. It works because that way there are always the checks and balances of one group checking another group's work. Overall it works pretty well.

In terms of other products and services we use from Cisco, we're a Cisco shop. We have all of their routing and switching products, AMP for Endpoints for security, Cisco Prime Infrastructure. We also have their voice and whole collab system, their Contact Center. We have their CUCM as well as Unity Connection. A lot of our servers are Cisco UCSs, the Blade Servers are in our environment. We have Fabric Interconnects, fibre switches. Pretty well anything network related is Cisco, in our environment.

We do layer it. We do have some F5 firewalls deployed in front of the Ciscos. We have had Barracuda firewalls in line as well, along with spam filters, so that we get that layered security.

Cisco's cross-platform integration and data sharing between their products are very key. Cisco is really good at that. It's nice to be able to see the same data through multiple product sets and be able to view that data in different ways. Cisco-to-Cisco is really good. 

Cisco integration with other products depends on the product and what you're trying to get out of it. Most of it we have to send through different SIEMs to actually get usable data between the two product lines. It depends on what we're doing. Every scenario's a little different.

As for automated policy application and enforcement, we actually bought a couple of other tools to do that for us instead. We're getting into Tufin software to do automations, because it seems like they have a little bit better interface, once they pull the Cisco information in.

Overall — and I don't want to get too full of Cisco because everyone's vulnerable in a way— we've had very few issues, even when a lot of these Zero-days are attacking cities and organizations, and there are ransomware attacks as well. We've seen items like that hit our network, but not have any effect on it, due to a lot of the Cisco security that's in place. It has been very strong in helping us detect and prevent all of that. Overall, it's given us a certain comfort level, which is both good and bad. It's good because we haven't run into the issues, but it's bad in the sense that our organization, a lot of times, takes it for granted because we haven't run into issues. They tend to overlook security at times.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Add a Comment
Guest
Sign Up with Email