Home > Articles > Introduction to and Design of Cisco ASA with FirePOWER Services

Introduction to and Design of Cisco ASA with FirePOWER Services

Chapter Description

In this chapter from Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP, authors Omar Santos, Panos Kampanakis, and Aaron Woland provide an introduction to the Cisco ASA with FirePOWER Services solution. It also provides design guidance and best practices for deploying Cisco ASA with FirePOWER Services.

This chapter provides an introduction to the Cisco ASA with FirePOWER Services solution. It also provides design guidance and best practices for deploying Cisco ASA with FirePOWER Services. This chapter covers the following topics:

  • Introduction to Cisco ASA FirePOWER Services

  • Inline versus promiscuous mode

  • Cisco ASA FirePOWER management options

  • Cisco ASA FirePOWER Services sizing

  • Cisco ASA FirePOWER Services licensing

  • Compatibility with other Cisco ASA features

  • Cisco ASA FirePOWER packet processing order of operations

  • Cisco ASA FirePOWER Services and failover

  • Cisco ASA FirePOWER Services and clustering

  • Deployment of the Cisco ASA FirePOWER Services in the Internet edge

  • Deployment of the Cisco ASA FirePOWER Services in VPN scenarios

  • Deployment of the Cisco ASA FirePOWER Services in the data center

Introduction to Cisco ASA FirePOWER Services

In Chapter 1, “Fundamentals of Cisco Next-Generation Security,” you learned about the different Cisco next-generation security products and technologies. You also learned that those security technologies and processes should not focus solely on detection but should also provide the ability to mitigate the impact of an attack. Organizations must maintain visibility and control across the extended network during the full attack continuum:

  1. Before an attack takes place

  2. During an active attack

  3. After an attacker starts to damage systems or steal information

The Cisco ASA with FirePOWER Services and Cisco’s Advanced Malware Protection (AMP) provide a security solution that helps you discover threats and enforce and harden policies before an attack takes place. These technologies and solutions can help you detect, block, and defend against attacks that have already taken place. In Chapter 1 you also learned that the Cisco ASA family has members in many shapes and sizes, and you learned about their uses in small, medium, and large organizations.

Cisco introduced the Cisco ASA FirePOWER Services as part of the integration of the SourceFire technology. Cisco ASA FirePOWER Services provides the following key capabilities:

  1. Access control: This policy-based capability allows a network security administrator to define, inspect, and log the traffic that traverses a firewall. Access control policies determine how traffic is permitted or denied in a network. For instance, you can configure a default action to inspect all traffic or to block or trust all traffic without further inspection. You can also achieve a more complete access control policy with enrichment data based on security threat intelligence. Whether you configure simple or complex rules, you can control traffic based on security zones, network or geographical locations, ports, applications, requested URLs, and per user.

  2. Intrusion detection and prevention: Intrusion detection and prevention help you detect attempts from an attacker to gain unauthorized access to a network or a host, create performance degradation, or steal information. You define intrusion detection and prevention policies based on your access control policies. You can create and tune custom policies at a very granular level to specify how traffic is inspected in a network.

  3. AMP and file control: You can detect, track, capture, analyze, and optionally block the transmission of files, including malware files and nested files inside archive files in network traffic. File control also enables you to detect and block users from sending or receiving files of different specified types over a multitude of application protocols. You can configure file control as part of the overall access control policies and application inspection.

  4. Application programming interfaces (APIs): Cisco ASA FirePOWER Services supports several ways to interact with the system using APIs.

The Cisco ASA FirePOWER module can be a hardware module on the ASA 5585-X only or a software module that runs in a solid state drive (SSD) in all other Cisco ASA 5500-X models.

2. Inline versus Promiscuous Mode | Next Section

There are currently no related articles. Please check back later.

Search Related Safari Books

Safari Books