Crucial Decisions for Legacy Cisco® Devices and Future Strategy

Introduction

One part of managing the life cycle of cyber security platforms is deciding what to do with equipment and software when they reach End-of-Support (EOS) and End-of-Life (EOL). After each milestone the vendor withdraws something further: first the critical product and software updates, then technical support and replacement services.

In the past it was common to replace EOS/EOL equipment and software like for like. Now there is a lot more to consider: the way businesses are changing how and where they work, the move of workloads into public Cloud, and of course the protection of data.

New vulnerabilities no longer occur solely in On-premise Infrastructure; businesses need to consider the threats associated with roaming users, Cloud platforms and third-party vectors. These threats create both the demand and the need for a converged and integrated security architecture.

In this White Paper I focus on Cisco® ASA and legacy Sourcefire devices: what happens once they reach EOS and EOL, what to consider for existing business needs and future strategy, and how to meet those requirements with the Cisco® next-generation security portfolio and its added benefits: 50% faster hardware, TLS decryption throughput up to 44% higher than the previous generation, and a 40% saving in Total Cost of Ownership over previous models.

How To Assess the Impacts of EOS/EOL

Assessing the impact of losing support and replacement services is straightforward; most of us have been in the situation, in the middle of the night, troubleshooting a failed Firewall/IDPS/VPN device and having to request vendor support to restore the service.


The paramount consideration with lack of support is this: how would our services behind those security devices be affected if vendor support was not available and connectivity to those services could not be restored? Those services being unavailable could breach Service Level Agreements (SLAs) and Operational Level Agreements (OLAs) and lose revenue, through staff being unable to work and unable to meet customer needs. This in turn could generate penalties for lack of service.

When it comes to the impact of losing critical security product updates, the main question is what happens to services when a new cyber threat emerges and the security devices can no longer receive the product updates needed to protect against it. The lost ability to proactively block covers blocking by IP address, by geolocation and by IDPS signature. If a cyber attack occurs, the impacts could be loss of internal and customer data, loss of control and loss of availability of systems.


In terms of what to assess for any of the afore-mentioned impacts: for a simple site/Data Centre deployment with a small number of perimeter security devices, it is the services that rely on those devices that are impacted. For larger deployments spanning multiple sites, the assessment becomes more involved, since there may be multiple collections of services deployed across multiple sites, each depending on a different set of devices. This assumes that all critical internet-facing services are actually protected by such a security device; confirming that is part of the assessment.
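To make the multi-site assessment concrete, here is an added Python example (my own illustration, not code from the article or from Cisco). It maps each service to the security devices its traffic traverses, takes the worst milestone status on that path, and scores it by exposure (internet-facing and SLA tier) so the services behind the oldest devices surface first. The device names, sites, services, milestone dates and assessment date are all constructed placeholders, not real Cisco EOL dates.

```python
# Added example (my own, not from the article or Cisco): score EOS/EOL
# exposure per service across a multi-site estate. Devices, services,
# milestone dates and the assessment date are constructed placeholders.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    site: str
    model: str
    end_of_sw_maintenance: date  # last date security/software fixes are released
    end_of_support: date         # last date vendor support (TAC/RMA) is available


@dataclass(frozen=True)
class Service:
    name: str
    internet_facing: bool
    sla_tier: str      # "critical", "standard" or "best_effort"
    devices: tuple     # names of the security devices the service traffic traverses


# Higher is worse: being past end of support implies no security fixes either.
STATUS_WEIGHT = {"supported": 0, "no_security_updates": 2, "no_vendor_support": 3}
SLA_WEIGHT = {"critical": 2, "standard": 1, "best_effort": 0}


def device_status(dev: Device, today: date) -> str:
    """Which milestone the device has passed as of 'today'."""
    if today > dev.end_of_support:
        return "no_vendor_support"
    if today > dev.end_of_sw_maintenance:
        return "no_security_updates"
    return "supported"


def assess(devices: tuple, services: tuple, today: date) -> list:
    """Per service: the worst device status on its path, the device responsible,
    the sites involved, and score = status weight x exposure. Sorted worst first."""
    by_name = {d.name: d for d in devices}
    report = []
    for svc in services:
        statuses = {n: device_status(by_name[n], today) for n in svc.devices}
        worst_dev = max(statuses, key=lambda n: STATUS_WEIGHT[statuses[n]])
        exposure = (2 if svc.internet_facing else 1) + SLA_WEIGHT[svc.sla_tier]
        report.append({
            "service": svc.name,
            "status": statuses[worst_dev],
            "device": worst_dev,
            "sites": sorted({by_name[n].site for n in svc.devices}),
            "score": STATUS_WEIGHT[statuses[worst_dev]] * exposure,
        })
    return sorted(report, key=lambda r: r["score"], reverse=True)


# Constructed inventory: one legacy ASA, one Sourcefire sensor, one newer ASA.
DEVICES = (
    Device("asa-lon-1", "London", "ASA (legacy)", date(2021, 1, 31), date(2023, 1, 31)),
    Device("sf-lon-1", "London", "Sourcefire sensor", date(2019, 6, 30), date(2021, 6, 30)),
    Device("asa-man-1", "Manchester", "ASA (current)", date(2024, 12, 31), date(2026, 12, 31)),
)
SERVICES = (
    Service("customer-portal", True, "critical", ("asa-lon-1", "sf-lon-1")),
    Service("remote-access-vpn", True, "standard", ("asa-lon-1", "asa-man-1")),
    Service("internal-erp", False, "critical", ("asa-man-1",)),
)
ASSESSMENT_DATE = date(2022, 6, 1)  # placeholder "today"


def run_assessment() -> list:
    """Run the assessment over the constructed estate."""
    return assess(DEVICES, SERVICES, ASSESSMENT_DATE)


if __name__ == "__main__":
    for row in run_assessment():
        print(f"{row['score']:2}  {row['service']:18} {row['status']:20} "
              f"via {row['device']} ({', '.join(row['sites'])})")
```

The point of scoring per service rather than per device is that a service which spans two sites is only as protected as the oldest device on its path: in the constructed data the remote-access VPN is still receiving updates in Manchester but not in London, so it is flagged by the London ASA. The weights are deliberately simple; replace them with your own SLA/OLA penalty figures when applying this to a real estate.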

What To Consider For Existing and Future Requirements

Whilst only the end user organisation will know their technical and business requirements now and in the future, we can make some assumptions based on our experiences and which way the industry is moving:

1.      Firewalling

The requirement to control who and what has access to services and assets within a Data Centre is at the foundation of any set of requirements, and will be for many years. This is typically achieved by Cisco® ASA firewalls controlling what traffic travels in and out of the network. Control is based on the identity of the person, the geographical location and the type of application being used.

2.      Remote Access

In a recent Accordant post, “Security Without Stress”, the changing times with remote working were discussed, and how this has almost forced everyone to talk about security. Most organisations are now trying to support significant increases in remote working, whether on networks that no longer meet the capacity requirements, on networks already upgraded with additional hardware, or with workloads moved to the Cloud. Remote working is supported with a mixture of technologies, including Virtual Private Networks (VPNs) terminating on Cisco® ASAs and Cloud-based workloads. The considerations are to support the increased remote working and to secure data both in transit and at rest (i.e. not moving). Whilst a remote user connecting to a network is the most common VPN use case, VPNs are also used to extend connectivity out to remote sites, to third-party organisations for information sharing, and to cloud environments for accessing shared workloads.

3.      IDPS

One security tool which is popular in large environments is the Intrusion Detection and Prevention System, commonly referred to as Network IDPS. These devices block attacks based on known threats (signature-based) and abnormal connectivity (anomaly-based). The Cisco® legacy range of IDPS comes from the acquisition of Sourcefire back in 2013 and has become one of the most widely deployed IDPS globally. In general, the more unencrypted traffic the IDPS can see, the more attacks it can detect. With all Sourcefire models now at varying stages of the EOL process, and with at least 80% of all internet traffic encrypted, the future of the tool as a standalone deployment needs to be considered; I will cover the challenges of encrypted traffic and how to handle them successfully in an upcoming post. However, there are still valid use cases which require a dedicated IDPS.

4.      Anti-Malware

Cisco® Advanced Malware Protection (AMP) has been made part of the Sourcefire IPS range but was also available as a dedicated appliance. Whilst AMP is one of the most resource-intensive features to enable, businesses use it to block bad files based on retrospective analysis and on intelligence shared by other organisations using AMP. As with IDPS, AMP can only inspect files in traffic it sees in the clear, i.e. unencrypted or decrypted traffic.

5.      Consolidated/Converged Devices

Maintaining a multi-layered approach to Security, known as Defence-in-Depth, has been the industry norm for large organisations over the past 15 years. The industry is however changing: with workloads moving to the Cloud and investments diversifying, businesses are looking to optimise their physical network security estate and the associated upfront and ongoing investments. The security tools in scope for consolidation are Firewalls, VPN Concentrators, IDPS and Proxy. The target deployment model resembles the one smaller organisations, including SMEs, already use: a single converged appliance carrying all of these functions.

6.      Consolidated Management and Security Event Triaging

I have covered multiple security tools and controls in this post; however, one of the least considered aspects is the management capability used to configure, operate and monitor the various security platforms. Whether it be the ASDM application for ASAs or the Firepower Management Center for the Sourcefire IDPS, every tool comes with at least one management interface. The objective of consolidating and optimising management is the same as for the security tools themselves: a consolidated set of interfaces to manage all tools, and security events of interest ingested by the appropriate tools.


7.      People and Process

Together with an optimised platform, organisations are looking at optimising their processes to support multiple teams working on the same platform, automating management and security response, and adopting Agile ways of working in their Engineering and Operations.

How the New FTD Technology Meets Requirements

1.      Support for Consolidated Devices

  • The new Cisco® Firepower Threat Defense (FTD) device range provides the features of both ASA and Sourcefire in a single unified code base, so it is effectively an all-in-one, multi-functional appliance.
  • The FTD features that meet existing and future requirements are:
  • Unified Prefilter, Access Control and Intrusion policies to deliver Firewalling and IDPS, controlling who has access to what and blocking known threats.
  • The equivalent of ASA multi-context mode through FTD multi-instance.
  • Security Intelligence feeds, using Cisco® Talos threat intelligence to block inbound and outbound connections involving known malicious external sources.
  • Remote connectivity with Site-to-Site (S2S) VPNs and the AnyConnect Secure Mobility Client, including multiple peers on S2S VPNs for extranet sites and distributed (hub and spoke) networks. The overall benefit is that security inspection is integrated with VPN traffic, which mitigates malicious traffic arriving over the VPN.
  • Malware Prevention: the FTD can intercept and block malicious files based on shared intelligence from other FTD users globally, so it already mitigates malicious files that the local network has never seen before. If a file traversed the FTD before it was known to be bad, retrospective detection can look back in time and find every point where that file traversed.
  • TLS/SSL Decryption: the FTD can decrypt traffic for enhanced visibility. Using the TLS Server Identity Discovery feature, it gains further visibility into the latest encrypted standard (TLS 1.3) without having to decrypt the entire traffic stream.
  • Integration with ISE, Stealthwatch, AMP, Threat Grid and other tools, for enhanced visibility into the network and reduced time to respond to threats through automation.
  • Where dedicated IPS devices are required, FTDs can be deployed as a threat sensor only, with fail-to-wire/bypass-capable interfaces.
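The order in which those policies are consulted matters, because a flow that exits the pipeline early is never inspected. To make that concrete, here is an added Python model (my own illustration, not Cisco code and not FMC's data model) of the FTD inspection order: prefilter, then Security Intelligence, then access control, with the intrusion and file policies attached to the matching "allow" rule. The rule names, field names, feed content and addresses are assumptions for the example.

```python
# Added example (not Cisco code, not FMC's data model): a simplified model of
# the FTD inspection order, prefilter -> Security Intelligence -> access
# control -> intrusion/file inspection, showing which stage takes the verdict
# on a flow. Rule names, field names, feed content and addresses are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: Optional[str] = None  # application detected by deep inspection, if known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # prefilter: fastpath/analyze/block; AC: allow/trust/block
    src: Optional[str] = None          # CIDR; None matches any
    dst: Optional[str] = None
    dports: tuple = ()                 # empty matches any port
    apps: tuple = ()                   # empty matches any application (AC rules only)
    ips_policy: Optional[str] = None   # intrusion policy applied to "allow" rules
    file_policy: Optional[str] = None  # file/malware policy applied to "allow" rules


def matches(rule: Rule, flow: Flow) -> bool:
    """Hypothetical matcher over L3/L4 fields plus an optional application."""
    if rule.src and ip_address(flow.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    if rule.apps and flow.app not in rule.apps:
        return False
    return True


def evaluate(flow: Flow, prefilter: tuple, si_blocklist: tuple,
             access_control: tuple, default_action: str = "block") -> dict:
    """Return the verdict, the stage and rule that produced it, and which
    intrusion/file policies (if any) will inspect the flow. An "allow" with
    ips_policy None means the flow bypasses deep inspection entirely."""
    def verdict(action, stage, rule=None, ips=None, file=None):
        return {"verdict": action, "stage": stage, "rule": rule,
                "ips_policy": ips, "file_policy": file}

    # 1. Prefilter: L3/L4 only. A fastpath match exits here, so the flow never
    #    reaches Security Intelligence, access control or the IPS.
    for r in prefilter:
        if matches(r, flow):
            if r.action == "fastpath":
                return verdict("allow", "prefilter", r.name)
            if r.action == "block":
                return verdict("block", "prefilter", r.name)
            break  # "analyze": continue down the pipeline

    # 2. Security Intelligence: reputation block on either endpoint before any
    #    access control rule is consulted (feed content is constructed).
    for net in si_blocklist:
        if ip_address(flow.src) in ip_network(net) or ip_address(flow.dst) in ip_network(net):
            return verdict("block", "security_intelligence", net)

    # 3. Access control: first match wins. "trust" allows without inspection;
    #    "allow" hands the flow to the attached intrusion/file policies.
    for r in access_control:
        if matches(r, flow):
            if r.action == "block":
                return verdict("block", "access_control", r.name)
            if r.action == "trust":
                return verdict("allow", "access_control", r.name)
            return verdict("allow", "access_control", r.name, r.ips_policy, r.file_policy)

    return verdict(default_action, "default_action")


# Constructed policy set (addresses taken from RFC 5737 documentation ranges).
PREFILTER = (
    Rule("fastpath-backup-replication", "fastpath", src="10.10.0.0/16", dst="10.20.0.0/16", dports=(873,)),
    Rule("analyze-everything-else", "analyze"),
)
SI_BLOCKLIST = ("203.0.113.0/24",)
ACCESS_CONTROL = (
    Rule("block-telnet", "block", dports=(23,)),
    Rule("internet-to-dmz-web", "allow", dst="192.0.2.0/24", dports=(80, 443),
         ips_policy="balanced-security-and-connectivity", file_policy="block-malware"),
    Rule("trust-internal-mgmt", "trust", src="10.0.0.0/8", dst="10.0.0.0/8"),
)
SAMPLE_FLOWS = {
    "replication": Flow("10.10.1.5", "10.20.3.7", 873),
    "to-known-bad": Flow("198.51.100.9", "203.0.113.4", 443),
    "web-to-dmz": Flow("198.51.100.9", "192.0.2.10", 443),
    "telnet-to-dmz": Flow("198.51.100.9", "192.0.2.10", 23),
    "internal-ssh": Flow("10.1.1.1", "10.2.2.2", 22),
    "unmatched": Flow("198.51.100.9", "192.0.2.10", 8080),
}


def run_samples() -> dict:
    """Evaluate every constructed sample flow against the constructed policies."""
    return {name: evaluate(f, PREFILTER, SI_BLOCKLIST, ACCESS_CONTROL)
            for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14} {result['verdict']:5} via {result['stage']:21} "
              f"rule={result['rule']} ips={result['ips_policy']}")
```

Two of the sample results are the caveat a practitioner wants when consolidating firewall and IPS onto one box: the fastpathed backup replication and the trusted internal management flow are both allowed with no intrusion or file policy, so whatever the Sourcefire sensor used to see on those paths is now uninspected unless the prefilter and trust rules are reviewed alongside the IPS policy.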

2.      Support for Consolidated Management

With the requirement to consolidate the number of management interfaces and optimise operational tasks, the Firepower Management Center (FMC) can be used to control all the features I have outlined above. The FMC is available as On-premise physical and virtual offerings, with the exact choice depending on the management use cases. It is also available in the Cloud, should the business requirement be to keep all management workloads away from the On-premise Data Centre.

Should the requirement exist at any point to consolidate management further beyond the FTD appliances, Cisco® Defense Orchestrator (CDO) is a cloud-based multi-device manager that can manage ASA, FTD and Meraki devices as well as the FMC itself, although the FMC integration is limited to onboarding and viewing devices. Adopting CDO allows for greater management consolidation and supports business objectives to move workloads to the Cloud.


3.      Support for Segmented Management

Consolidating the number and types of devices means multiple teams will manage separate elements of the FTD through the same management interface. This invariably creates dependencies between teams, such as the Firewall and Security (IPS) teams. To help with this, the FMC now supports segmented policy deployment with customisable permissions: the Firewall team can be limited to deploying only the Access Control Policy, and the Security team only the IPS policy.

There are occasions where the two policies depend on each other and must be deployed together. This is best handled by designing and adopting a practical process that lets teams flag those technical dependencies before deployment.

4.      Securing Workloads in the Cloud

All the benefits of an On-premise FTD are available in the Cloud, with FTD now supported natively in AWS, Azure, GCP and Oracle Cloud.

5.      Unified Events View

Along with other Cisco® products, FTD integrates with Cisco® SecureX, which incorporates Cisco® Threat Response to provide a single pane of glass for all security events; within seconds the source of a threat can be identified alongside the indicators of compromise, with context.

Roadmap Beyond Cisco® Firewalling

As workloads move to the Cloud, and the number of remote users increase dramatically, there is less dependency on the traditional Data Centre. When organisations have a requirement to maintain a reduced set of Data Centres, or completely remove them, the opportunity to consolidate Security and Connectivity, and move to a full SaaS model for security, becomes an interesting avenue to explore.


Extending the Internet edge into the Cloud allows both On-premise and Cloud environments, users and workloads, to use Cloud-based security controls and to adopt Software-Defined Wide Area Networking (SD-WAN). This concept is now becoming known as Secure Access Service Edge (SASE). Cisco® Umbrella meets these requirements through cloud convergence: using the Umbrella Secure Internet Gateway (SIG), a full security suite is available, including:

  • DNS layer security
  • Full proxy for granular resource controls, SSL decryption and Malware prevention
  • Cloud Access Security Broker
  • Cloud-delivered Firewall to control who and what has access to resources and provide encrypted tunnels to route traffic securely to Cloud Infrastructure
  • Integrated Threat Intelligence to provide enhanced protection against threats that continually occur
  • Automated Reporting on each component to meet auditing/accounting requirements and help demonstrate the value of investment

I will look at SASE and Umbrella SIG in much more detail in a future article.

Closing Statement

I hope this article has been of interest, and most importantly, provoked thoughts about how your organisation handles the end-of-life process for your key Cisco® network security tools.

Get in touch if you would like to know more about the options available, and/or help to devise the most appropriate way forward for your business – protect your business with both appropriate and secure solutions, alongside robust financial investment decisions.

Checkout our Cisco Firewall and IPS Refresh Solution Brief: https://bit.ly/36QKlN4

Keep an eye out for future posts as I explore the new features of the Cisco® Firepower platform for On-premise and Cloud.

About Phil Hyde

Phil Hyde is a Cyber Security Consultant and Trainer, with over 7 years' experience delivering Business and Technical value using Cisco® security products to the Telco, Service Provider, Defence/Military, Health and Outsourcing sectors.

About Accordant Solutions

Accordant Solutions are a UK-based consultancy with global reach. Helping customers of all sizes and across many industry sectors, Accordant’s ethos is simple - balancing Technical and Business aspects of people, process and technology. Accordant provide a range of services, from Professional/Consultation to Managed Services, under three pillars – Cyber Security, Service Delivery and Transformation Economics.

Waldemar Lisowski

CX Success Programs Manager | Customer Success | Operations Manager | Service Delivery

4 years ago

Awesome article Phil!

Robin Mahajan

CyberSecurity SME | CISSP

4 years ago

A good read...what about IDPS in Cloud. Are they effective enough??

Dave F.

Founder at Accordant Solutions Ltd. Coach, Mentor.

4 years ago

Great article Phil - really informative

Sol Pandor

A results-driven professional helping innovative companies boost profits and secure strong returns by protecting against cyber threats. We also run a business providing short-term contractor accommodation across the UK.

4 years ago

Palo Alto ????
