Recently the Cisco Firepower Next-Generation Firewall was released and according to Cisco, it’s the “first fully integrated, threat-focused next-gen firewall with unified management.” Its capabilities include Application Visibility and Control (AVC), Firepower next-gen IPS (NGIPS), Cisco® Advanced Malware Protection (AMP), and URL Filtering. That’s a lot to roll into a single OS, especially when you consider the stateful firewall capability.
In the past we’ve seen Cisco package the FirePOWER services on a module that sits in the ASA. Using the MPF you can forward traffic to the module. The module is managed by the FirePOWER Management Center or by a local FMC that’s part of ASDM. It’s still separate from ASA policy. With the new Cisco Firepower NGFW it’s all managed in one place. This is a significant step in the right direction.
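For readers who have not worked with the module-based design, this is what the MPF redirect looks like on the ASA. It is an added illustration, not configuration from the original post or from Cisco documentation; the class-map and policy-map names are my own choices, and the policy assumes the FirePOWER (SFR) module is already installed and registered.

```cisco
! Match all traffic passing through the ASA (narrow this with an ACL in production)
class-map SFR-CLASS
 match any
!
! Attach the SFR redirect to the global policy that the ASA already applies
policy-map global_policy
 class SFR-CLASS
  ! fail-open: if the module is down, traffic still passes (availability over inspection)
  ! fail-close: if the module is down, matching traffic is dropped (inspection over availability)
  sfr fail-open
!
! Apply the policy globally; the ASA stateful inspection still runs first,
! and only traffic the ASA permits is handed to the module
service-policy global_policy global
```

The choice between fail-open and fail-close is the security-relevant decision here: fail-open keeps the network up when the module reboots or is upgraded, but it also means nothing the module would have blocked is inspected during that window, so the ASA policy alone has to be good enough on its own. Adding the monitor-only keyword puts the module in passive (IDS-style) mode, which is a common way to validate policy before it is allowed to drop traffic.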
So the short answer is “Yes.” Yes, you can put all that capability into one box. Cisco isn’t the first to do it. In fact, Cisco’s pretty late to the game on this one. Of course Cisco would likely contend that they have some special sauce baked into the Firepower NGFW. The new 4100 series hardware provides a platform for Firepower NGFW, Cisco AMP, and the traditional ASA (although I can’t imagine the traditional ASA stays around much longer).
So now the question is, should we really care that Cisco has another firewall? Absolutely. The architecture of this device allows Cisco and third-party vendors to quickly add security services as the network evolves.
Of particular interest to me is what a third-party vendor could run as a service on this platform. Could monitoring be an added service? A correlation engine? There’s a lot to this architecture that’s interesting to me: the API access, OpenFlow, the orchestration layer. I think with modern developments in orchestration combined with this new architecture and some third-party services we can do some interesting things.
At this point I open it up to you.