The Advantages of Next-Generation Firewalls (NGFWs)

/in /von

By Don Meyer Network managers and security teams are facing a double-edged challenge: networks are growing far more complex and expanding across multiple perimeters just as threat vectors become increasingly difficult to detect and threats grow more sophisticated. The Next-Generation Firewall (NGFW) offers a solution. According to Cisco ASA reviews and Cisco Firepower NGFW reviews on IT Central Station, they enable greater visibility into the network and applications while improving threat mitigation.
Visibility into Traffic and the Application Layer
“Before Firepower, we didn’t have any visibility about what attack was happening or what’s going on from the inside to outside or the outside to inside,” explained Ali A., a Technical Manager who uses Cisco Firepower NGFW at a comms service provider with more than 1,000 employees. He added, “After Firepower and the reporting that Firepower generates, I can see what’s going on: which user visits the malicious website, or which user uploaded or downloaded malicious code, and what the name of the code is and from which country. This is very useful and helpful for me to detect what’s going on. It enables me to solve any problem.”
Burak Y., an IT System Administrator who uses Cisco ASA at a transportation company, is dealing with a dynamic IT landscape which requires, in his view, “Security policy, controls, and visibility to be better than ever.” Mohammad R., a Security Officer at a government agency, praised ASA because it “gives us visibility into potential outbreaks as well as malicious users trying to access the site.” Iz, an Assistant Manager (Infrastructure) who uses Cisco Firepower at a small business, commented, “It has improved the security posture and visibility of our traffic.”
Visibility into applications is a critical need for network and security managers. Applications are frequent targets of malicious actors because they present an effective way to gain unauthorized access to data. Hackers also like to disrupt organizations by crippling their apps. To prevent these potentialities, Cisco NGFWs must “support application visibility,” noted a Senior Data Scientist who uses Firepower at a tech services company. He praised Firepower because it can support “application visibility and control.”
Eduardo V., an IT Infrastructure Specialist who uses Cisco Firepower at a transportation company, further addressed this need by saying, “It provides us with application visibility and control. We can see, on the dashboard, all the applications that are most used and which are under some sort of risk or vulnerability.” This matters because, “It helps a lot when we need to check some situation or issue that could be related to any attack or any violation. We can see that there are one or two or three applications that are the top-consuming applications. We can use this information to analyze if there is a deviation or if it’s something that we need to consider as normal behavior and increase the bandwidth on the site.”
Policy Management
IT Central Station members describe the importance of policy management in their selection and use of an NGFW. In this regard, according to David S., owner of a small tech company, “Cisco has better application granularity, a more flexible means of policy creation, and easier to use controls and more powerful reports than its predecessors.” Tony P., a Business Development Executive who uses Cisco ASA, further noted, “The firewall and policy side are easy to use.” A Network & Security Administrator at a financial services firm uses Cisco ASA to enforce security policy.
For Joel S., a Senior Network Engineer who uses Cisco ASA at a retailer with more than 1,000 employees, “Policy rulesets are key. The majority of what I do is create rules and work with the customers to make sure that things are getting in and out of the environment. Eduardo V. shared, “It’s not just the visibility of things, but the management of application behavior is very important. If I see that, for example, Facebook is consuming too much bandwidth, I can make a policy on the console here and deploy it to our remote offices. So the application visibility feature is one of the key parts of the solution.”
Threat Detection and Mitigation
Security managers rely on NGFWs to be their first line of defense against incoming threats and malicious exfiltration of data. As Paul C., a Security Architect who uses Cisco Firepower at a comms service provider with over 10,000 employees, noted, “FTD’s ability to provide visibility into threats is very good, if the traffic is clear.” He added, “You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license.”
To this point, a Regional Manager of Pre Sales at a tech services company was pleased that Cisco ASA “helps us to identify key, persistent threats so we can set policies accordingly.” An IT Manager who uses Cisco ASA with FirePOWER at a construction company spoke to this issue as well, saying he valued it for Intrusion protection. He said, “We were able to determine when we are being attacked. We needed a way to monitor threat protection and not cause latency. The product has the ability to be a consumer of threat intelligence, and be a contributor showing the maturity in threat protection posture.”
To read more Cisco NGFW reviews from real, unbiased users, visit IT Central Station.
The post The Advantages of Next-Generation Firewalls (NGFWs) appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Fighting Cybercrime and Creating Jobs for Latin America

/in /von

By Jordi Botifoll The digitization of the world has come a long way since 2016, when I wrote about how Cisco offers cybersecurity scholarships to increase the number of skilled cybersecurity specialists. And today, cybersecurity is more important than ever.
Our increasingly digital world is more and more vulnerable to cyberattacks. According to an article in Cybercrime Magazine, by 2021, cybercrime will cost $6 trillion every year in lost revenue, customers, opportunities, and out-of-pocket costs. That number is double what it was when I wrote that blog just three years ago.
Governments all over the world acknowledge that they cannot fight cybercrime alone — they need help from the private sector. Cisco and the Organization of American States (OAS) are dedicated to aiding in the efforts to close this gap. Recently, Cisco and the OAS launched a joint effort to create Cybersecurity Innovation Councils in the Latin American region.
This initiative will unite leaders and experts from the private and public sectors, NGOs, academia, and security technology vendors to work together to mitigate the risks of a digital world and democratize cybersecurity. Most importantly, Cisco and OAS will work together to leverage the benefits of digitization where it can have the most impact in Latin America.
Latin American countries are particularly vulnerable to cybercrime because there has historically been a disconnect between public and private industries, and there are few coordinated defense mechanisms to fight cybercrime. Public awareness about cybercrime is also low in Latin America, where, according to the Inter-American Development Bank, the annual cost of cybercrime is approximately $90 billion USD. By comparison, a 2018 report from the U.S. Council of Economic Advisers estimated that malicious cyberactivity cost the United States between $57 billion and $109 billion in 2016.
According to the WEF Report, Regional Risks for Doing Business 2019, “Failure of critical infrastructure” and “Data fraud or theft” are listed as the #5 and #9 risks that Latin America faces as a region. As countries across the region digitally transform, achieving their national priorities will depend on cybersecurity.
To effectively fight cybercrime, we need more cybersecurity experts. Many more. Every industry is experiencing an unprecedented demand for cybersecurity knowledge and skills. Fulfilling their mission to maintain digital safety and security, Cisco is preparing the workforce that will defend and protect our digital economy.
To accomplish that goal, Cisco and the OAS are leveraging the Cisco Networking Academy in Latin America to promote educational resources that can help close the professional skills gap in cybersecurity.
As part of our commitment to social responsibility, the Cisco Networking Academy offers a comprehensive range of cybersecurity courses, some of which are offered at no cost to educational institutions around the world. These cybersecurity courses provide four complete learning pathways for students, taking them from an entry-level understanding of online safety all the way to preparing them for a career in this thriving industry.
Practical, real-world learning experiences from qualified instructors increase the employability of students who wish to enter the digital workforce.
Further to this point, I recently participated in a Spanish-speaking interview on this topic at Cisco Live! in Cancun, Mexico with Cisco experts on Cybersecurity and the Networking Academy.
Working together, we can fight cybercrime. We can build a bridge between the Latin America cybersecurity challenges and a Latin American empowered digital society. Together, we can create a safer digital space for all Latin Americans.
The post Fighting Cybercrime and Creating Jobs for Latin America appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Configuring Cisco Security with Amazon VPC Ingress Routing

/in /von

By Anubhav Swami Today, Amazon Web Services (AWS) announced a new capability in Virtual Private Cloud (VPC) networking that is designed to make it easier and more efficient for Cisco Security customers to deploy advanced security controls in the cloud. This new capability is called Amazon VPC Ingress Routing. It allows users to specify routes for traffic flowing between a VPC and the internet or from a VPN connection, such as a private datacenter.
Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.
While the remainder of this post focuses on Cisco’s NGFWv and ASAv products, this capability can also be used to deploy a number of other network-based security solutions into the AWS traffic path. This includes services such as the following:
Firewall policy enforcement
Network traffic visibility
Malware detection
URL filtering
Intrusion Prevention
DNS security
This is a big win for Cisco customers deploying our security products in AWS, and we are pleased to have been an early adopter and Integration Partner with AWS on this launch.
How to Use Amazon VPC Ingress Routing with Cisco Firewalls
The configuration is achieved by creating a custom route table and associating subnet routes with the private Elastic Network Interface (ENI) of the security appliance, and then associating the public ENI with an IGW and VGW. A single firewall instance can protect multiple subnets; however, a separate instance is needed per VPC. Below are some details on the testing we performed as well as sample use cases and configuration guidance.
Use Cases / Deployment Scenarios
Cisco NGFWv/ASAv can be deployed in a VPC to protect the following traffic flows:
Traffic Traversing an Internet Gateway (IGW) To/From the Internet
Traffic Traversing a VPN Gateway (VGW) To/From a Remote VPN Peer
Benefits of Using Amazon VPC Ingress Routing with Cisco’s NGFWv and ASAv
Offload NAT from the firewall to AWS network address translation (NAT) gateway or instance
Simplify protection of multi-tier applications spanning subnets and VPCs
The scalable design makes it easy to add new subnets, and more of them
Enables bi-directional, threat-centric protection for traffic bound for private networks and the internet
POC Deployment Scenario
Enable outbound Internet connectivity and offload NAT function to AWS NAT gateway
In this scenario, the Cisco Firewall (NGFWv or ASAv) is deployed between internal services in the AWS VPC and the internet. The route table for the Internet Gateway (igw-rt) has a specific route for the Inside subnet which directs inbound traffic to the Cisco Firewall for inspection. Prior to this enhancement, the users had to NAT egress traffic on the firewall to bring back the reply packet to the same virtual appliance. This new configuration eliminates the need for an ENI on the firewall and removes the requirement to perform NAT on the firewall, thus improving performance.
Cisco NGFW/ASA with AWS IGW (routable attached to IGW) and AWS NGW to NAT outbound trafficCisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using IGW and Amazon VPC Ingress Routing
This topology expands on the previous​, demonstrating how multiple subnets can be protected by a single firewall. By utilizing the AWS NAT Gateway service, the number of protected subnets behind a single firewall can be scaled significantly beyond what was previously possible.
As with the previous architecture, the ​Cisco Firewall is deployed at the edge in routed mode, forwarding outbound traffic to the IGW. Multiple routes are configured in the IGW’s route table to direct the traffic back to the appropriate subnet while the protected subnets forward their traffic to the internal firewall interface via the NAT gateway.
Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress RoutingCisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using VGW and Amazon VPC Ingress Routing
Cisco Firewalls can also be deployed in an Amazon VPC to inspect traffic flowing through a VPN tunnel. In this case, the ​Cisco Firewall is deployed at the edge in routed mode, forwarding outbound traffic to the to a VGW. In this example, the local and remote networks are routable; therefore, the NAT gateway can be eliminated, further improving efficiency and reducing cost.
Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress RoutingIn Addition to Support for Amazon Ingress Routing, we are adding AWS Security Group management to Cisco Defense Orchestrator (CDO). We are also extending the existing ACI policy-based automation for L4-7 services insertion to the AWS cloud by leveraging Amazon VPC ingress routing. These integrations will make deploying L4-7 services in a hybrid cloud as well as Cisco Security at scale in AWS easier than ever.
For additional information, visit the resources below or contact your Cisco TSA or Cisco Partner.
Additional Resources
Cisco Next-Generation Firewall Cloud Solutions
Cisco NGFWv for AWS in AWS Marketplace
Cisco NGFWv for AWS Configuration Guide
Cisco ASAv for AWS in AWS Marketplace
Cisco ASAv for AWS Configuration Guide
Amazon VPC Ingress Routing
Cisco Cloud ACI
Cisco ACO Service Graph Designs
Cisco ACI MSO Configuration Guide
The post Configuring Cisco Security with Amazon VPC Ingress Routing appeared first on Cisco Blogs.

Source:: Cisco Security Notice