Cisco Firepower NGIPS Series Migration Options Strengthen Your Network Defenses It’s no secret that today’s attackers have the resources, expertise, and persistence to compromise any organization at any time. Traditional defenses are no longer effective.
Many people think that with the adoption of a next-generation firewall (NGFW), that they no longer need a stand-alone intrusion prevention system (IPS). That’s simply not true. A “true” NGIPS can provide visibility, threat detection, threat response, and malware discovery. And it can do all that in areas of your network that remain off-limits to firewall inspection and controls. Safeguarding your network assets and data from today’s threats requires detailed visibility into all your network layers and resources. 1. It requires comprehensive, and up-to-date security intelligence. 2. It requires a dynamic approach that uses awareness and automation to adapt to new threats, new vulnerabilities, and everyday network changes. 3. It requires Cisco Firepower NGIPS (Next-Generation Intrusion Prevention System) threat appliances. The Cisco Firepower NGIPS threat appliance provides industry-leading visibility and threat efficacy against both known and unknown threats. Cisco Firepower NGIPS stops threats by using:
• More than 30,000 IPS rules that identify and block traffic trying to exploit a vulnerability in your network • Reputation-based IP, URL, and DNS security intelligence that can shrink the attack surface by identifying malicious sites • A tightly integrated defense against network-based advanced malware attacks • An integrated sandboxing technology that uses hundreds of behavioral indicators to spot zero-day attacks • An Indications of Compromise (IoC) feature that correlates events from multiple sources to identify what may be compromised hosts Upgrade your customers to Cisco Firepower NGIPS today to help them protect their network, users, applications, and information assets.
It’s as easy as 1...2...3 1. Confirm your current IPS model and refresh needs. 2. Review the recommended migration path. 3. Contact your trusted Cisco Security account manager or partner to get started.
Migration Recommendations for Cisco IPS and FirePOWER (former Sourcefire) Customers Cisco IDS/IPS 4000 Appliances
Recommendatio n
Cisco Cisco Cisco Cisco Cisco
Firepower 4110 Firepower 4110 Firepower 4110 Firepower 4120 Firepower 4140
IPS IPS IPS IPS IPS
4270-20 4360 4510 4520 4520-XL
Throughput Performance Improvement 2X 3.2X 1.33X 1.6X 1X
FirePOWER 81xxAppliances
Recommendation
FirePOWER 8120
Firepower 4110
Throughput Performance Improvement 2X
FirePOWER 8130
Firepower 4110
1X
FirePOWER 8140
Firepower 4120
1.33X
Firepower 8xxxx AMP Appliances
Recommendation
FirePOWER AMP 8050
Firepower 4110 AMP
Throughput Performance Improvement 1.5X
FirePOWER AMP 8150
Firepower 4120 AMP
1.2X
FirePOWER AMP 8150
Firepower 4140 AMP
2X
Learn More: Find the Right Cisco Firewall for your Needs Why NGFW and NGIPS are needed in network security infrastructure? Do you really need both a next-generation firewall (NGFW) and nextgeneration intrusion prevention system (NGIPS) for my network security infrastructure? The answer is YES! What does a next-generation firewall do? The NGFW has its core competencies and it includes: 1. Network address translation 2. Acting as a stateful firewall 3. VPN concentrator 4. Application visibility and control 5. And don’t forget, IPS inspection A next-generation IPS has its core competencies and they include: 1. Inspect asymmetric traffic flows 2. Perform as a transparent bump-in-the wire inspection device 3. Provide visibility and protection by inspecting network traffic that moves lateral to a perimeter firewall
Since the NGFW is a network device, it can operate lower in the OSI stack and can act as a network boundary or create a network pinch-point perfect for stateful firewalling, application identification, and deep packet inspection. Using a NGIPS to perform deep packet inspection makes for a more effective strategy against the would-be-adversary. Because an NGIPS does not maintain a state table, it is less vulnerable to attacks that exploit state table exhaustion and result in denial of service. This also gives it the ability to inspect asymmetric data flows. The NGIPS is also a transparent device, just a bump in the wire, allowing traffic to flow as if it is not even there, even if it is deployed in the core, doing deep packet inspection or on the network edge. Did you know that traffic looks differently in the core vs. the edge of the network? Advanced persistent threats are more easily detected by the NGIPS. Because the NGIPS can be deployed where it will have of the lateral visibility of the traffic, it gives you that advantage over a firewall. A traditional stateful firewall cannot provide this. The lateral visibility it is perfect to identifying machines on a network that have already been compromised and are being used by a bad guy to collect and infiltrate sensitive or important data. Visibility and the ability to secure a network at the perimeter and at the network core should be essential for every organization that wants to strengthen their overall security posture.
To learn more about Cisco Firepower NGIPS threat appliances, please visit http://www.cisco.com/go/ngips. To learn more about the Cisco Advanced Malware Protection capability, please visit http://www.cisco.com/go/amp. To learn more about Cisco’s Talos Security Intelligence and Research team, please visit http://www.talosintelligence.com/. Info from https://www.cisco.com/c/dam/m/en_us/products/security/ngips/NGIPS_transi tion_guide.pdf
More Related Guide to the New Cisco Firepower 2100 Series How to Deploy the Cisco ASA FirePOWER Services in the Internet Edge, VPN Scenarios and Data Center?
The Most Common NGFW Deployment Scenarios Cisco’s High-end Next Generation Firewalls-Firepower 4100 and 9300 Series UTM vs. NGFW