Firepower on ASA, Firepower Threat Defense, what is what?

Yesterday (5 sept) Cisco finally released Firepower Threat Defense 6.2.2 Now is a new update not always a big thing but this specific release had me waiting for quite some time. Key to this release is the support of remote access VPN (e.g. anyconnect) in the FTD image. So FTD was already available on ASA5500-X platform, but if you used anyconnect on your ASA, you just had to wait for this release. But what now is the difference between Firepower on ASA and FTD..

First I’d like to share a bit of history with you, as it will reflect some of the major effort Cisco has put into the releases.
Cisco acquired SourceFire in november 2013. SourceFire was known for their anti-malware protection, their next-gen firewalls with a next-gen IPS. Already in June 2014, extended field trials were running with customers for running Firepower (Cisco rebranded SourceFire to FirePower) on the ASA platform, Cisco’s own firewall. And in August that year, Firepower on ASA became general available. I believe this is a genuine record for Cisco on the timeframe between acquisition and Cisco general availability.

With FirePower on ASA, you were able to run next gen firewalling, Anti-Malware Protection (AMP) for networks and next gen IPS on your existing ASA platform, which was awesome. And to be honest, also much easier to manage/operate then Cisco’s own next gen firewall module called ASA-CX.

How is Firepower on ASA operating?

The below schematic is a flow chart on how the ASA (image courtesy of Cisco Live presentations) is handling flows and packets through the firewall.

FirePower on ASA is in essence the service module in the diagram. Based on your class-map, the packet is either copied or redirected to the service-module where the FirePower software is doing its part. If a packet needs to be dropped, FirePower informs the ASA that the packet is to be dropped. The two modules run independently and need to be configured and managed by two separate management environments.

FXOS & FTD

In 2015 Cisco introduced the security everywhere paradigm, including the introduction of the FirePower appliances and a new Security Services Architecture. Those FirePower appliances run a special operating system that you can compare with a hypervisor for virtualization called FXOS. Within FXOS you can configure applications and so-called decorators and configure which interface is linked to which interface and if a decorator needs to be placed inside that application or not. Of course the ASA software is one of these applications, but also a newly introduced application called FirePower Threat Defense, or FTD for short.

The diagram below is an architectural schematic on how FXOS, FTD and decorators can work together in the Security Services Architecture. The number of available security modules is dependent of the FirePower Appliance platform or ASA platform.

FTD is in essence the unification of FirePower features like NextGen Firewall, AMP, Identity Based Access, IPS and unique key features of the ASA software platform like IPSEC VPN, Security Group Tagging (SGT), QoS and some other stuff.
The schema’s below is a schematical diagram of which features come from which originating platform.

As can be seen in the schema, FTD can only be managed by a FirePower Management Center or FirePower Device Manager (successor of ASDM).There is no real CLI for you to configure FTD, it has to be done via the manager. You have to remember this.

When you run FTD on an FXOS environment, the flow a packet traverses through the firewall is slightly different from the ASA. The diagrams below represent how SourceFire (Snort) and ASA features work together and how a packet traverses inside the FTD instance.

And as can be seen now, the ASA features are actually a service module inside the FTD environment! So the roles have been reversed but with the advantage of having a single management tool that configures all features. And that is a huge advantage, because with FMC you can create a single security policy to be deployed over multiple firepower enabled appliances/modules and have a single pane of view over these devices and connections.

Summary

So FTD in essence will be the next major firewall environment for Cisco and with this release Cisco has taken a huge step for those enterprises that use the ASA platform for their versatility. Time to get started on upgrading my environment and get some field experience on FTD 6.2.2..

Leave a Reply

Your email address will not be published. Required fields are marked *

Solve : *
27 + 4 =