Cisco Sourcefire Firewalls Review

Detection engine and historical file analysis ease threat investigations


What is our primary use case?

Cisco next-generation firewalls are mainly used either for data center protection - north-south traffic - or internet traffic.

How has it helped my organization?

The application and user-visibility and control, along with very powerful IPS and malware protection, enables our clients to secure their data centers and internet perimeter in a much better way. It provides them with traffic visibility and reporting as well.

The main advantage is when you put it between users and servers internally or between different VLANs in the network. You have full visibility over the traffic, over all the internal applications. Usually, there's a lot of traffic that is not very clear and no one knows what is on their network. So, once you deploy it internally, you have full visibility over the internal traffic, who's accessing what, and over which protocol. It can directly detect all kinds of malicious traffic, and traffic that abuses bandwidth.

It surfaces different kinds of internal behavior that are useful to a network admin. And for security, of course: any kind of file infection, any kind of internal scanning, internal attacks; it gives you full visibility.

Finally, you have communication between VLANs internally in the network, of course. So you have granular access control based on user and application, instead of IP and port as you would have with a traditional firewall.

What is most valuable?

During the first phase of use, it was an extra module on standard Cisco ASA firewalls. It then became a standalone solution known as FTD, Firepower Threat Defense.

The Firepower IPS, based on Snort technology, has an amazing detection engine and historical analysis capability of files that eases threat investigations a lot.

I value the integration with other products (Cisco ISE, Cisco Endpoint AMP) which increases the protection intelligence within the enterprise by sharing security info between different products, which function on different layers. It furnishes fully connected security.

It also provides detection of the client operating system, which gives very good reporting and correlation with the signatures. It can relate the IPS signature to the client operating system, to give a better correlation decision.

What needs improvement?

Some ASA known features are still missing, but are being added bit by bit in each new version release, such as:

  • Remote Access VPN (the last release only supported the 2100 series): The next firewall model version is expected to support Remote Access VPN in the next software release in July 2017.
  • Virtualization of the appliance (multiple contexts) is still missing.
  • You always need an external management system, the onboard one is not very good. You have to use FMC, FirePOWER Management Center, as external software. There's always an add-on, whereas all the competition has an onboard management interface.

I would like to see more integration with third-party devices in general. There is great integration with Cisco devices, but there's not much integration with third-party devices.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did not encounter any issues with stability. Cisco Firepower FW is very stable in all of the deployments we have made.

What do I think about the scalability of the solution?

The scalability is very good. They have a clustering mechanism, so you can start with an appliance and then cluster, adding more bandwidth and nodes into your cluster. If you don't have a big budget you can start with a medium appliance and then cluster appliances. Or if you want to buy it all in one shot, there is a big range.

Although it allows scaling by adding multiple firewalls together (clustering), we have never used that, as all new hardware supports high-performance throughput and connections at a reasonable price.

How are customer service and technical support?

Technical support is perfect. Cisco is always known for its good technical support. We have never had any issues with them.

If you previously used a different solution, which one did you use and why did you switch?

As a Cisco Gold Partner, we always proposed Cisco firewalls for our clients.

How was the initial setup?

The setup was straightforward. A new Cisco FTD can be set up and running in a couple of hours. If you're used to firewalls you can quickly get along with it. There is nothing complicated.

The time to deploy is short. But the time to tune and create the policies involves a learning phase. Traffic changes over time, so tuning the firewall rules to be as granular as possible takes a bit of time. But deployment itself, getting to go-live, is fast.

The strategy is to start with high-level security policies and then monitor the traffic and the applications affected. Then on the detection logs, create more granular rules.
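The tuning loop described above (deploy broad policies, monitor the connection logs, then derive granular user- and application-based rules from what was actually observed) can be sketched as a small script. This is an added example, not code from the review, from Cisco, or from any Firepower/FMC API; the key=value log format, the field names and the sample events are all constructed assumptions for illustration.

```python
"""
Derive candidate granular access rules from observed connection events.

Added example for this review: it is not Cisco code and does not use any
Firepower/FMC API. The log format below is constructed for illustration.
"""
from collections import Counter

# Constructed sample connection events, as a broad "allow all" policy
# might log them during the monitoring phase. The fields are assumed.
SAMPLE_EVENTS = """\
user=alice app=HTTPS src=10.10.1.15 dst=10.20.5.10 dport=443 action=allow
user=alice app=HTTPS src=10.10.1.15 dst=10.20.5.10 dport=443 action=allow
user=bob app=SMB src=10.10.1.22 dst=10.20.5.11 dport=445 action=allow
user=bob app=SMB src=10.10.1.22 dst=10.20.5.11 dport=445 action=allow
user=bob app=SMB src=10.10.1.22 dst=10.20.5.11 dport=445 action=allow
user=carol app=SSH src=10.10.1.30 dst=10.20.5.12 dport=22 action=allow
user=carol app=BitTorrent src=10.10.1.30 dst=203.0.113.9 dport=6881 action=allow
user=dave app=RDP src=10.10.1.40 dst=10.20.5.11 dport=3389 action=block
"""


def parse_event(line):
    """Parse one key=value event line into a dict; return None if malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    required = {"user", "app", "dst", "dport", "action"}
    return fields if required <= fields.keys() else None


def propose_rules(log_text, min_hits=2, unwanted_apps=frozenset({"BitTorrent"})):
    """
    Aggregate allowed flows by (user, app, dst, dport). Flows seen at least
    `min_hits` times become candidate allow rules; flows using an application
    on the unwanted list become candidate block rules regardless of count.
    Everything else is left for an analyst to review. Events the firewall
    already blocked are never turned into allow rules.
    """
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or event["action"] != "allow":
            continue
        counts[(event["user"], event["app"], event["dst"], int(event["dport"]))] += 1

    allow, block, review = [], [], []
    for (user, app, dst, dport), hits in sorted(counts.items()):
        rule = {"user": user, "app": app, "dst": dst, "dport": dport, "hits": hits}
        if app in unwanted_apps:
            block.append(rule)
        elif hits >= min_hits:
            allow.append(rule)
        else:
            review.append(rule)
    return {"allow": allow, "block": block, "review": review}


def render(rules):
    """Render the proposal as plain text, ending with an explicit default deny."""
    lines = []
    for action in ("block", "allow"):
        for r in rules[action]:
            lines.append(
                f"{action:5} user={r['user']} app={r['app']} dst={r['dst']} "
                f"dport={r['dport']}  # seen {r['hits']}x"
            )
    for r in rules["review"]:
        lines.append(
            f"# review: user={r['user']} app={r['app']} dst={r['dst']} "
            f"dport={r['dport']} seen {r['hits']}x"
        )
    lines.append("block any any any  # default deny once the allow list is trusted")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(propose_rules(SAMPLE_EVENTS)))
```

The hit threshold and the unwanted-application list are the knobs an analyst turns during the learning phase: raising `min_hits` keeps one-off flows out of the allow list until they are reviewed, and the proposal always closes with a default deny so that whatever was not observed is not silently permitted.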

What's my experience with pricing, setup cost, and licensing?

It has a great performance-to-price value, compared to competitive solutions. Subscriptions are annual. The licensing fee and standard support are the only costs we pay for.

Which other solutions did I evaluate?

We did not evaluate any alternative solutions.

What other advice do I have?

Make sure you tune your rules very well, as some clients just leave the firewall as it is and don't maintain the access rules or tighten them to be more granular and efficient.

In terms of maintenance, you need one person for security analysis and one to create rules and for daily support.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Cisco Gold Partner.