FAQ: Cisco Firepower Threat Defense for ISRs Cisco introduced deploying the FirePOWER Threat Defense for ISR at Berlin CiscoLive in 2016. And Cisco explained how it has integrated FirePOWER Services on ISR (G2 and 4K routers) on the UCS-E blade. What the Cisco Firepower Threat Defense for ISR can do for you? It extends enterprise-level threat protection to individual ISR routers, protecting devices and hosts regardless of their location, whether it’s a branch office or other remote site. Adding FirePOWER Threat Defense to your ISR will let you capitalize on the cost savings and user experience benefits of enabling DIA in the branch, while giving you state-of-the-art protection against the most advanced Internet threats. Cisco FirePOWER Threat Defense for ISR can protect your branches from Internet threats across the entire attack continuum—before, during, and after attacks—so you can get the benefits of DIA without compromising security. This session will look at use cases and detailed steps involved to successfully deploy the solution on your ISR. Why You Need the Cisco Firepower Threat Defense for ISRs? Read the general questions about the Cisco Firepower Threat Defense for ISRs, which tell you that which ISR models can run Firepower Threat Defense, what the elements of Cisco Firepower Threat Defense for ISR are… Cisco FirePOWER Threat Defense for ISR is a component of the Cisco “security everywhere” strategy. The goal is to give you the continuous visibility and control you need to defeat advanced threats across your environment. A integrated set of security features work together to help keep your remote operations secure: • FirePOWER Next-Generation Intrusion Prevention System (NGIPS) sets the standard for advanced threat protection, integrating realtime contextual awareness, intelligent security automation, and industryleading threat prevention. • Application Visibility and Control shrinks the potential attack surface through precise control of thousands of applications and by enforcing mobile app, social media app, and acceptable use policies. • Advanced Malware Protection (AMP) for Networks protects against highly sophisticated, targeted, zero-day attacks and persistent advanced malware threats.
• Reputation-based URL Filtering mitigates sophisticated client-side attacks by controlling access to more than 280 million URLs in more than 80 categories, minimizing risks associated with suspicious and unacceptable domains. • FireSIGHT Management Center provides centralized event and policy management along with visibility into the devices, operating systems, applications, and users running in your network. FAQ: Cisco Firepower Threat Defense for ISRs Q. What is Cisco Firepower Threat Defense for ISRs? A. Cisco Firepower Threat Defense for ISRs extends industry-leading Cisco threat protection beyond the network edge and data center to an additional platform in branch offices: the Cisco Integrated Services Router (ISR).
Q. Why would I want or need it? A. You can now capitalize on the cost savings and improved user experiences of direct Internet access (DIA) in branch sites while better protecting devices and hosts, wherever they reside, against advanced threats. Q. What are the elements of Cisco Firepower Threat Defense for ISR? A. There are five components: ● Firepower Next-Generation Intrusion Prevention System (NGIPS) sets the standard in advanced threat protection, integrating realtime contextual awareness, intelligent security automation, and industryleading threat prevention effectiveness.
● Application Visibility and Control (AVC) reduces the potential surface area of attacks through detailed control of thousands of applications and by enforcing mobile app, social media app, and acceptable-use policies. ● Advanced Malware Protection (AMP) for Networks protects against highly sophisticated, targeted, zero-day attacks, and advanced persistent malware threats. It continuously analyzes files and network traffic for threats that evade first lines of defense, provides deep visibility into the activity and behavior of a threat, and then lets you quickly scope the impact of an active attack and contain it with a few clicks. ● Reputation-based URL Filtering mitigates sophisticated client-side attacks - and improves employee productivity - by controlling access to more than 280 million URLs in more than 80 categories and reducing the risk from suspicious or unacceptable domains. ● Cisco FirepowerManagement Center is the centralized point for event and policy management for all of the Firepower Threat Defense for ISR components.
It provides visibility into everything on the customer’s network: physical and virtual hosts, operating systems, applications, services, protocols, users, geolocation information, content, network behavior, network attacks, and malware. It also reduces customer costs by streamlining
operations and automating many recurring security analysis and management tasks. Q. Which ISR models can run Firepower Threat Defense? A. The capability is available on both the ISR G2 and ISR 4000 Series platforms. Specifically: ● Cisco ISR G2 Series ◦ 1921 ISR ◦ 1941 ISR ◦ 2901 ISR ◦ 2911 ISR ◦ 2921 ISR ◦ 2951 ISR ◦ 3925 ISR ◦ 3945 ISR ◦ 3925E ISR ◦ 3945E ISR ● Cisco ISR 4000 Series ◦ 4321 ISR ◦ 4331 ISR ◦ 4351 ISR ◦ 4431 ISR ◦ 4451 ISR Q. How is Cisco Firepower Threat Defense for ISR managed? A. It is managed centrally through the Firepower Management Center. The management center is available in both appliance and virtual form factors. Q. Can the management center simultaneously manage Firepower NGIPS appliances, the threat-defense functions of Cisco ASA with Firepower Services (Cisco’s next-generation firewall), and Cisco Firepower Threat Defense for ISR?
A. Yes. Up to 300 Firepower sensors (both virtual and physical) can be managed by a single management center instance. Q. If the Firepower Management Center does not have Internet access, can signature updates be uploaded offline by removable media such as flash drives and CD-ROMs? A. Yes. Product updates are available on our Software Download page. Q. For what situations is Cisco Firepower Threat Defense for ISR well suited? A. It’s particularly valuable to organizations with distributed branch offices or retail stores, where cloud applications, video, and bring-your-own-device (BYOD) policies are driving up bandwidth requirements and costs. Because of these increases, distributed enterprises face pressure from their branch offices for direct Internet access (DIA), an alternative to backhauling traffic through the data center. DIA provides cost savings but forfeits the inherent enterprise-level threat protection the data center provides. Cisco Firepower Threat Defense for ISR fixes that issue. Q. When should I deploy integrated threat defense capabilities in a router as opposed to a firewall? When should I deploy them in both? A. When all traffic from the branch will be backhauled to the data center for inspection and content filtering using a secure tunnel, a stateful firewall will meet the security requirements. If the branch’s traffic goes onto the Internet directly, then you need both stateful firewall and Firepower Threat Defense for ISR capabilities. Q. How can Firepower Threat Defense for ISR be deployed to inspect traffic from wireless devices? A. Firepower Threat Defense for ISR should be deployed just past the wireless network termination point. For added threat protection, there is a Cisco AMP for Endpoints version for mobile devices. Alerts from AMP for Endpoints are sent into the Firepower Management Center as well. Q. Where can I find technical configuration information about Cisco Firepower Threat Defense for ISR? A. While the following link does not yet include the “Cisco Firepower Threat Defense for ISR” branding, you can find more technical information here. Q. How do I order Cisco Firepower Threat Defense for ISR? A. Contact your Cisco account representative or Cisco partner representative, and they will be able to help you.
Q. Where can I go for more information on Firepower Threat Defense for ISR? A. You can get more information for this specific product here, and you can get more detailed information on the Firepower Threat Defense solution here.
The following Table shows the ISR platforms and Cisco Unified Computing System (Cisco UCS ) E-Series modules that Firepower Threat Defense currently supports. Support for ISR Platforms and Cisco UCS E-Series Modules Integrated Services Routers
Cisco UCS EN140N
Cisco UCS EN120E
Cisco UCS EN120S
Cisco UCS E140S
Cisco UCS E160D
Cisco UCS E180D
ISR 4000 Series 4321
Yes
No
No
No
No
No
4331
Yes
No
Yes
Yes
No
No
4351
Yes
No
Yes
Yes
Yes
Yes
4431
Yes
No
No
No
No
No
4451
Yes
No
Yes
Yes
Yes
Yes
1921
No
Yes
No
No
No
No
1941
No
Yes
No
No
No
No
2901
No
Yes
No
No
No
No
2911
No
Yes
Yes
Yes
No
No
2921
No
Yes
Yes
Yes
Yes
No
ISR G2 Series
Integrated Services Routers
Cisco UCS EN140N
Cisco UCS EN120E
Cisco UCS EN120S
Cisco UCS E140S
Cisco UCS E160D
Cisco UCS E180D
2951
No
Yes
Yes
Yes
Yes
No
3925
No
Yes
Yes
Yes
Yes
Yes
3925E
No
Yes
Yes
Yes
Yes
Yes
3945
No
Yes
Yes
Yes
Yes
Yes
3945E
No
Yes
Yes
Yes
Yes
Yes
Info from https://www.cisco.com/c/en/us/products/collateral/security/routersecurity/q-and-a-c67-734837.html More info https://www.cisco.com/c/en/us/products/collateral/security/routersecurity/datasheet-c78-735410.html
More Related… How to Deploy the Cisco ASA FirePOWER Services in the Internet Edge, VPN Scenarios and Data Center?