From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Cisco firepower ngips series migration options
1. Cisco Firepower NGIPS Series Migration Options
Strengthen Your Network Defenses
It’s no secret that today’s attackers have the resources, expertise, and persistence to
compromise any organization at any time. Traditional defenses are no longer
effective.
Many people think that with the adoption of a next-generation firewall
(NGFW), that they no longer need a stand-alone intrusion prevention
system (IPS).
That’s simply not true. A “true” NGIPS can provide visibility, threat detection,
threat response, and malware discovery. And it can do all that in areas of
your network that remain off-limits to firewall inspection and controls.
Safeguarding your network assets and data from today’s threats requires
detailed visibility into all your network layers and resources.
1. It requires comprehensive, and up-to-date security intelligence.
2. It requires a dynamic approach that uses awareness and automation to
adapt to new threats, new vulnerabilities, and everyday network changes.
3. It requires Cisco Firepower NGIPS (Next-Generation Intrusion
Prevention System) threat appliances.
The Cisco Firepower NGIPS threat appliance provides industry-leading
visibility and threat efficacy against both known and unknown threats.
Cisco Firepower NGIPS stops threats by using:
2. • More than 30,000 IPS rules that identify and block traffic trying to exploit a
vulnerability in your network
• Reputation-based IP, URL, and DNS security intelligence that can shrink the
attack surface by identifying malicious sites
• A tightly integrated defense against network-based advanced malware
attacks
• An integrated sandboxing technology that uses hundreds of behavioral
indicators to spot zero-day attacks
• An Indications of Compromise (IoC) feature that correlates events from
multiple sources to identify what may be compromised hosts
Upgrade your customers to Cisco Firepower NGIPS today to help them protect
their network, users, applications, and information assets.
It’s as easy as 1...2...3
1. Confirm your current IPS model and refresh needs.
2. Review the recommended migration path.
3. Contact your trusted Cisco Security account manager or partner to get
started.
Migration Recommendations for Cisco IPS and FirePOWER (former
Sourcefire) Customers
Cisco IDS/IPS 4000
Appliances
Recommendation Throughput
Performance
Improvement
Cisco IPS 4270-20 Firepower 4110 2X
Cisco IPS 4360 Firepower 4110 3.2X
Cisco IPS 4510 Firepower 4110 1.33X
Cisco IPS 4520 Firepower 4120 1.6X
Cisco IPS 4520-XL Firepower 4140 1X
3. FirePOWER
81xxAppliances
Recommendation Throughput
Performance
Improvement
FirePOWER 8120 Firepower 4110 2X
FirePOWER 8130 Firepower 4110 1X
FirePOWER 8140 Firepower 4120 1.33X
Firepower 8xxxx AMP
Appliances
Recommendation Throughput
Performance
Improvement
FirePOWER AMP 8050 Firepower 4110 AMP 1.5X
FirePOWER AMP 8150 Firepower 4120 AMP 1.2X
FirePOWER AMP 8150 Firepower 4140 AMP 2X
Learn More: Find the Right Cisco Firewall for your Needs
Why NGFW and NGIPS are needed in network security infrastructure?
Do you really need both a next-generation firewall (NGFW) and next-
generation intrusion prevention system (NGIPS) for my network
security infrastructure? The answer is YES!
What does a next-generation firewall do? The NGFW has its core
competencies and it includes:
1. Network address translation
2. Acting as a stateful firewall
3. VPN concentrator
4. Application visibility and control
5. And don’t forget, IPS inspection
A next-generation IPS has its core competencies and they include:
1. Inspect asymmetric traffic flows
2. Perform as a transparent bump-in-the wire inspection device
3. Provide visibility and protection by inspecting network traffic that
moves lateral to a perimeter firewall
Since the NGFW is a network device, it can operate lower in the OSI stack
and can act as a network boundary or create a network pinch-point perfect
for stateful firewalling, application identification, and deep packet inspection.
4. Using a NGIPS to perform deep packet inspection makes for a more
effective strategy against the would-be-adversary. Because an NGIPS
does not maintain a state table, it is less vulnerable to attacks that exploit
state table exhaustion and result in denial of service. This also gives it the
ability to inspect asymmetric data flows. The NGIPS is also a transparent
device, just a bump in the wire, allowing traffic to flow as if it is not even
there, even if it is deployed in the core, doing deep packet inspection or on
the network edge.
Did you know that traffic looks differently in the core vs. the edge of the
network? Advanced persistent threats are more easily detected by the NGIPS.
Because the NGIPS can be deployed where it will have of the lateral visibility
of the traffic, it gives you that advantage over a firewall. A traditional stateful
firewall cannot provide this. The lateral visibility it is perfect to identifying
machines on a network that have already been compromised and are being
used by a bad guy to collect and infiltrate sensitive or important data.
Visibility and the ability to secure a network at the perimeter and at the
network core should be essential for every organization that wants to
strengthen their overall security posture.
To learn more about Cisco Firepower NGIPS threat appliances, please visit
http://www.cisco.com/go/ngips.
To learn more about the Cisco Advanced Malware Protection capability, please
visit http://www.cisco.com/go/amp.
To learn more about Cisco’s Talos Security Intelligence and Research team,
please visit http://www.talosintelligence.com/.
Info from
https://www.cisco.com/c/dam/m/en_us/products/security/ngips/NGIPS_transi
tion_guide.pdf
More Related
Guide to the New Cisco Firepower 2100 Series
How to Deploy the Cisco ASA FirePOWER Services in the Internet Edge, VPN
Scenarios and Data Center?
The Most Common NGFW Deployment Scenarios
Cisco’s High-end Next Generation Firewalls-Firepower 4100 and 9300 Series
UTM vs. NGFW