Firepower
Cisco Firepower License
After acquiring Sourcefire, Cisco began using Sourcefire technologies in its ASA firewall equipment and ISR routers. Cisco has created new hardware called Firepower 2100, Firepower 4100 and Firepower 9300. The use of the company’s Sourcefire technologies in Cisco products has led to Gartner ranking Cisco at the highest level in the field of IPS and IDS, i.e. intrusion detection and prevention systems.
Gartner is one of the largest companies that works in the field of research on the technologies of large companies and provides a report on their performance every year, so many companies and organizations pay attention to the reports of this company when purchasing products.
What is Firepower Threat Defense-FTD?
The FirePOWER service includes only the Next Generation IPS service. Cisco FTD includes all the capabilities of Sourcefire and Cisco ASA firewall capabilities and a number of other capabilities in a unified form in one software.
Geolocation database (GeoDB)
This database is used to store information related to geographical coordinates and the IP address related to those coordinates. For example, sometimes the Firepower system displays an attack in a graphical or GUI environment. You can see the name and country from which the attack originated. In the image below, you can see the types of software parts that exist in the Firepower system.
Vulnerability Databases (VDB)
A VDB is a database that stores vulnerability information about various programs and services and operating systems. Firepower uses Fingerprint to discover programs and services and operating systems that are running on the network. Then it compares and correlates this information with the vulnerability information it has in its database.
Snort/Sourcefire rules
Snort Engine has a set of Snort Rules to prevent attacks. Each rule has a set of conditions that if traffic matches the conditions of the rule in the sensor, an action will occur.
Software Patch and Hotfix
Cisco frequently provides software patches to fix Firepower vulnerabilities.
Firepower Core Software
In this section, there is a Snort Engine for IDS and IPS, a web server for the graphical GUI environment, a database for storing events, and a firmware for hardware. The Core part is different depending on the type of hardware.
All kinds of Firepower software parts
The Firepower system includes many security features compared to the Cisco firewall. In the following, we refer to these features:
Integration
You can integrate the Firepower system with all kinds of technologies available in the network, such as ISE or Active Directory, Syslog Server, etc. In this way, you can use other technologies to protect your network.
Local Malware Detection
If you have a Malware Detection license for Firepower, FTD can perform file virus detection operations. If malware is detected, it prevents it from spreading in the network. FTD uses ClamAV to analyze files locally. FMC should receive the latest signature related to viruses through Local Malware Detection Update.
Security Intelligence Feed
In Talos, there is a team called Security Intelligence, which is continuously finding Malicious IP, Domain Name and URL. It shares this information with this licensed solution users through Security Intelligence Feed. FMC downloads feed data directly from the Cloud.
URL Filtering Databases
The Firepower system can categorize websites based on Target Audience or Business goals and can control access to websites based on the type of websites and based on their Reputation and Risk Level. All this information is stored in the URL Filtering Database. This database must be updated through FMC with Cisco Cloud, so FMC must be connected to the Internet.
Components of the ASA FirePOWER module
Access control
Access control is a policy-based feature in the licensed Cisco Firepower that allows you to inspect and record incoming and outgoing network traffic. The access control policy determines how system traffic is managed on the network. The simplest access control policy controls all traffic using the default function.
You can set this default behavior to block all traffic without further inspection, consider it trusted, or inspect traffic for intrusion. A more sophisticated access control policy can check traffic based on blacklist information security data. It can also use access control rules to enforce fine-grained control over access and manage network traffic. These rules can be simple or complex and match and inspect traffic against multiple criteria.
You can filter traffic by security zone, network type or geographic location, port, application, and URL. More advanced access control options include preprocessing and performance. Each access control rule also has an action that determines whether to monitor, block, or allow traffic. When you authorize traffic, you can specify that the system first inspect it against defined policies to block any exploits, malware, or banned files before it enters or leaves the network.
Penetration detection and prevention
In the licensed Cisco Firepower, detection and prevention of penetration is the last line of defense of the system before the traffic reaches its destination. Intrusion policies in networks are a collection of intrusion detection and prevention configurations invoked by your access control policy. Using intrusion rules and other settings, these policies scan your network traffic for any security violations and can block or modify malicious traffic going through your network.
If system-provided policies do not fully address your organization’s security needs, custom policies can improve system performance to meet your needs and provide a centralized view of malicious traffic and policy violations occurring on the network. By creating and setting custom policies, you can configure how the system processes and inspects your network traffic to prevent intrusions.
