Cisco ASA with FirePOWER Services vs Palo Alto Next-Generation Firewall

Captions
Hello everybody, and thank you for joining us in today's webcast. I hope to shed light on the many benefits and shortcomings of both the Cisco ASA with FirePOWER Services and the Palo Alto Next-Generation Firewall. My name is Justin Jett, I'm marketing manager at Plixer, and I have with me Michael Patterson, who is one of the founders here. I put together some great content for you today, so let's dive right in. First though, a bit of housekeeping. Here's our agenda. The first thing I'm going to do is just have a short introduction, followed by a brief description of what and who each company and solution is. I'll then go over the key areas to look at when deciding on a solution. These are the things you should look at when determining your needs, and I'll also go into detail about how each company fits into these areas. There are seven areas I want to focus on today; I'll go over six of them and Michael will cover the last one. Here are the key areas: trusted security, ease of use, VPN support, capacity, gateway security, content filtering, and finally advanced monitoring and reporting, which will show you the NetFlow and IPFIX exports from these solutions. I'll then go over cost for each solution based on functionality and traffic volume. So with that, let's jump right in.

Firewalls play a critical role in protecting an organization's network from a never-ending list of internet-borne threats. Firewall selection often determines how easily remote locations connect to centralized systems to access essential resources or to complete important tasks. With that in mind, Plixer recently evaluated both the Cisco ASA with FirePOWER Services and the Palo Alto Next-Generation Firewall. What we looked for were benefits that our customers were asking for from their vendors, as well as the uniqueness of their flow exports. By doing this we were able to learn what features were important to our customers and see how our customers could use these firewalls in their environments.

So let's start our discussion with the Cisco ASA with FirePOWER Services. The ASA with Sourcefire's next-generation intrusion prevention system (NGIPS) creates an industry-first adaptive, threat-focused next-generation firewall. What we found interesting was that this system attempts to create a solution that removes the multiple pieces required in a traditional architecture, you know, the one where you have firewalls and malware analysis systems and VPN gateways, IPS, etc., and they do that by bringing together these pieces in one appliance. With the integration of Sourcefire, the ASA also gains application control and URL filtering, specifically URL filtering, which I'll show you in a later slide. The ASA also brings forth advanced malware protection with the integration of Sourcefire.

Palo Alto is the maker of the Palo Alto Next-Generation Firewall. Palo Alto firewalls, like the ASA with FirePOWER Services, bring many solutions under one roof. They market themselves as a company able to identify applications regardless of port, protocol, evasive tactic or encryption, with multi-gigabit, low-latency inline deployments for enterprise. In addition, Palo Alto has built-in anti-malware detection with its WildFire subscription.

So now that we know a bit more about each company, let's dive into the key areas to look for. The first is trusted security. When choosing a firewall, be sure to select a well-recognized and trusted platform. Barracuda, Cisco, Fortinet, Palo Alto, SonicWALL and WatchGuard are among the brands having carved market share, and they've earned that market share for good reason: they deliver trusted security. Whichever brand you select, confirm that the firewall is ICSA certified, which is the industry standard for packet inspection. With that in mind, let's have a look at the trust of Cisco and Palo Alto. Cisco Systems has been around since the beginning. It is considered by many to be the largest networking company in the world, and Cisco has products ranging from network firewalls and routers to unified communication devices, including voice over IP telephone systems, and Plixer believes that this is a company that certainly has trusted security. Palo Alto Networks is newer to the scene; they arrived just in 2005, and while not as large as Cisco, it has a large following of user communities. Palo Alto, unlike Cisco, has a very specific range of products working entirely in the network security space, so currently they don't offer routing and switching solutions. They offer next-generation firewalls, virtualized firewalls and network security management, and they too are a company that Plixer believes can certainly be trusted.

The second thing to look for is ease of use. Global multinational enterprises typically require excessive security controls, but even those organizations that need tremendous protection don't have to limit themselves to clunky user interfaces for their configured equipment, and many firewall models deliver tight security and easy configuration options. So when selecting a hardware-based firewall, consider the benefits of, you know, the approachability and ease of use. The easier a platform is to administer, the easier it will be to locate professionals capable of installing, maintaining and troubleshooting these platforms. With that in mind, let's take a look at the interfaces of both solutions so you can see how each company provides ease of use. The Cisco ASA with FirePOWER Services is actually two things, so as such there are two different configuration and management interfaces: one for the ASA and the other for the FireSIGHT server. The Cisco ASA exports NSEL to your flow collector, while FirePOWER Services exports data to the FireSIGHT server, which then in turn sends flows via eStreamer to your flow collector. These are two separate systems on the ASA, and so they need to be configured separately. Mike will go over this in his reporting slides, but I think it's important in this conversation as well. After the initial configuration of FirePOWER and FireSIGHT, management of the system is done either in ASDM or in a web interface for the FireSIGHT details. Here I can see I have a number of tabs indicating various parts of FirePOWER in ASDM; from various dashboards I can see information about applications, top destinations, etc. You can also manage FirePOWER details via a web interface, which I'll show you in a future slide. The point I want to make is that the Cisco ASA and FirePOWER are easily managed and offer great details of your data from within their interfaces. Much like the Cisco ASA, the Palo Alto also uses a web-based interface for management and reporting. From the dashboard I can see common information about my device, including the IP address for management as well as the versions for various subscriptions on that firewall. The dashboard can also show you other details like the top applications. While this may be useful to you, you actually can change these dashboards as well by simply clicking on the widgets drop-down. As with the ASA, the Palo Alto was really easy to use, and it provided great insight with their built-in reports.

The third thing that I'd like you to consider is VPN support. A good firewall also establishes and monitors secure channels enabling remote connectivity, so you want to look for hardware-based firewalls that support both SSL- and IPsec-protected VPN connections from similar devices, you know, your point-to-point or site-to-site VPN, as well as secure connections from traveling employees or remote employees. Another option to consider within the VPN realm is: does the firewall offer dual-factor authentication support? Many firewalls will let you plug into online APIs like Duo or Authy, which allows for an extra layer of security between your remote users and your network. The Cisco ASA provides a VPN concentrator, so it's built in directly into the firewall. One thing to note is that the VPN is a function of the Cisco ASA, not FirePOWER. Users connect using AnyConnect, and they can be configured to allow users onto the network via LDAP, Active Directory or Cisco ISE. The ASA also provides options for dual-factor authentication like Duo Security, and this provides an extra layer of security by ensuring that even if your user's credentials are compromised, a second token will be required. Now I want to continue with the idea of ease of use within this VPN realm, and to do this I just want to explain really the simplicity of setting up VPN users. Adding and allowing users to connect to the network via VPN is fairly straightforward in the ASA. You start really by creating certificates, and these are the certificates that will be used to encrypt the traffic between the client and the gateway. Then you configure LDAP and Active Directory, or whatever you're using, like maybe RADIUS, in the AnyConnect connection profile, and this creates a profile that will act as the authentication mechanism that AnyConnect uses. In this example I'm showing you the RADIUS server, but you can select whichever option your organization prefers. This also is where you configure the policy that will be used. It's within this policy that you would enable dual-factor authentication, and you configure this policy in the Configure AAA Server Groups settings. For dual authentication you would specify the server for such authentication, Duo or Authy for example. Then you need to set up user-based settings like the IP addresses that are to be used by VPN users. Once you have these components set based on your organization's needs, you'll have a fully functioning VPN running.

So with that, let's explore the Palo Alto. Like the ASA, Palo Alto includes a VPN concentrator in the firewall. VPN connectivity is done via the GlobalProtect subscription. GlobalProtect works very similarly to AnyConnect in that you download a client to your user's machine and then create the tunnel via the application. Users authenticate to the VPN via LDAP, Active Directory, RADIUS, or really anything similar that you would with AnyConnect. There's also an option to import via a local database as well, which may be useful for you. Palo Alto also supports dual-factor authentication, much like the ASA. Adding and allowing users to connect to the network via VPN is fairly easy with the Palo Alto. Adding users to the Palo Alto is as simple as creating certificates, and these are the certificates that will be used, again, to encrypt the traffic between the client and the gateway. Configuring LDAP, Active Directory, RADIUS or a local database in the authentication profile is the next step, and this creates a profile that will act as the authentication mechanism that GlobalProtect uses. In this example I'm showing the LDAP server, but there are a variety of options to choose from, and here we're showing the specific servers where users connect to, the server credentials, as well as the time limits for authentication. The next step after this is to configure the firewall gateway to allow VPN traffic. This is the gateway where users will gain access on your network. From this area I enter details for the authentication itself, the tunnel details, including whether or not I enable IPsec, and the gateway address where users actually connect from. And finally, configuring client access: you have to set up the network where clients will join the network. Typically this is set to its own subnet so that these users are isolated from other users on the network. Setting this up is as simple as the other steps. I specified DNS details for VPN users, what the DNS search domain is, which here is called the DNS suffix, the pool of IPs that users connect to, and any route details that I need to provide. Overall, setting up VPN users and connecting with the GlobalProtect client is really easy, and it's no more cumbersome than AnyConnect.

The fourth item to consider is capacity. Branch offices may leverage a firewall in dual capacity to serve as both a security device and as a network switch, and larger organizations, meanwhile, usually just drop the firewall into a large architecture in which the firewall's only role is to filter traffic. So pay close attention to the manufacturer's recommendations for maximum node support. Exceed a firewall's capacity and you'll experience errors, flat-out traffic denials due to lack of licensing, and/or potentially unacceptable performance. You'll also want to see what type of hardware they use for exporting traffic analysis details. On low-end machines with high traffic, enabling features like NetFlow or IPFIX exports can tax the CPU greatly, causing performance troubles. The Cisco ASA brings much to the table with regard to capacity. They have platforms and standalone options like the ASA 5506-X with FirePOWER Services, which provides support for throughput of 300 megabits per second, but they also have high-capacity solutions like the ASA 5585-X with FirePOWER SSP-60, which can provide up to 20 gigabits per second, and Cisco offers a broad range of solutions regardless of capacity, which in turn provides a solution to organizations of any size. Palo Alto Networks brings a wide variety of solutions to the next-generation firewall capacity table as well, and it starts from their PA-500, which offers throughput of 250 megabits per second, to their massive PA-7080, which has support for over 200 gigabits per second. So they too offer a broad range of solutions to fit the needs of any organization.

With that in mind, I'd like to jump into the performance details for both solutions. A few notes about performance in general: both the Cisco ASA with FirePOWER Services and the Palo Alto offer high-throughput options as well as small and medium-sized business options for companies that require minimal throughput. The major player with regard to performance comes directly from the features you enable in either system. For example, if you enable malware detection in Cisco FirePOWER or Palo Alto, you should expect to see a 50% hit to the performance of those systems, and if you have a higher volume of traffic you should expect this number to increase, especially if you're reaching the limit for that device. Likewise, if you're under-taxing the hardware, let's say you have a Palo Alto PA-7080 or an ASA 5585-X for a network with less than 100 megabits per second bandwidth, the likelihood of you overpowering the system is very limited. And the inverse is true also: if you only have a smaller-scale ASA 5506-X or a Palo Alto PA-500 with over a gigabit of bandwidth, then your system just isn't going to be able to handle that volume. Therefore there are a few things to keep in mind when you're looking at this performance. You should look at your current bandwidth requirements; again, if you have more bandwidth than the firewall can handle, it'll cause performance degradation. And only enable the features that you need; while both Cisco and Palo Alto provide excellent features, you may not need them all. And finally, you should look to the future. Your needs may change, and if you anticipate that you'll, say, require VPN users or the antivirus capabilities moving forward, consider the impact it will have on the system. Upgrading to the next device tier now will save you time, money and frustration in the future.

The fifth reason you should consider when planning to purchase a network firewall is gateway security. Many organizations successfully reduce costs by centralizing antivirus, anti-spyware and anti-spam protection solutions on their firewall. When comparing firewall capabilities and determining total cost of ownership, factor in the cost savings that you can see if you deploy these services on the firewall device versus, say, a traditional domain controller or other server. Anti-malware and threat mitigation is brought to the ASA with Cisco Advanced Malware Protection using FireSIGHT. Cisco AMP provides you with global threat intelligence, advanced sandboxing and real-time malware blocking to prevent breaches. Via the FireSIGHT web GUI I can see an analysis on threats that are happening. In this view I can see the indications of compromise by hosts as well as over time, and I can also see the malware threats and intrusion events. Now if I drill into these threats, I can see the specific malware that's occurring in a given time frame. From this view I can see the threat name, file name, as well as the SHA for the file, and once you dig into an identified threat you can see the entire history of that file. This is known as retrospective security, meaning having the ability to track all interaction points with the infected file. Each circle here is a traveling point. Now let's look at the Palo Alto anti-malware capabilities. Palo Alto security comes from the WildFire subscription, and according to Palo Alto, WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing, signature-based detection and blocking of malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware. Palo Alto claims that WildFire quickly identifies and stops advanced attacks without requiring manual human intervention. In this view I can see the items submitted to WildFire; this includes the file name submitted, the attacker and the victim. Because WildFire is a cloud-based service, I can see the details for my traffic in their website interface. Here I can see an overview of the malware, and this will show me the actual malware caught compared to the benign submissions, and I'm also given details about the source of the submission, the device sending those details. So both of these solutions offer pretty robust details regarding gateway security.

Now the sixth reason that I'll discuss is content filtering. Some firewall manufacturers offer web filtering subscriptions, and the benefit is that all of the network services associated with a business, from the gateway security services to content filtering, can be consolidated on a single device. Of course, the drawback is that you have to pay for the privilege. But when you're reviewing potential hardware-based firewall solutions, consider your organization's needs and budget and determine whether content filtering should be administered from the firewall. If the answer is yes, select a firewall that supports reliable, proven content filtering. The ability to see application-specific details is quite robust in the FirePOWER interface. Viewing a number of categories from a side checklist, I can select them and then add them to a filter, and this will show me the applications that are under a given category. From this view I can see the type of application it is as well as the port information if it's available, and this is good to know because now I can create policy rules to allow or deny such traffic. In this case I'm looking at remote file storage. Content filtering on the Palo Alto is powered by their advanced application detection algorithm, and the content filtering is handled by looking at the application behavior via rules. So rather than blocking Dropbox, for example, you could block file sharing, which would block any application that fits that rule, like Box, SugarSync, etc. Let's take a look at what this looks like by viewing the Applications section in the Objects tab. You can search for applications which Palo Alto has deemed a part of a given category. If I click in the search bar, in this example I search for web browsing, I can see the categories that my search falls under. I can also see the subcategories and technology that the filter is associated with. Then in the bottom section I can see the individual items that are associated with my search. This is very beneficial because I can see a much more focused list of applications than I can if I'm only looking at port and protocol details alone. Also, since it is based on patterns and not port and protocol, I don't have to worry about applications misusing them to bypass traditional firewall rules.

So now that you have these details and you know the features, we'd like to take you into the final, and by no means least, reason, which is advanced monitoring and reporting. Repeatedly throughout just one business day, a single device can block thousands of intrusion attempts, detect consolidated attacks, and log failing or failed network connections, but this information is helpful to network administrators only if it's available in a readily available format. So you want to look for firewalls that not only monitor important events but that also log this data in compatible formats, and a good firewall ideally can support next-generation NetFlow and IPFIX exports. Given that, Mike is going to now show you how you can take advantage of the advanced flow exports from the Cisco ASA with FirePOWER Services and the Palo Alto Next-Generation Firewall. Take it away, Mike.

Thank you, Justin. Hello everyone. My portion of the presentation will focus on the flow exporting architectures, the insight you can gain by gathering flows, the shortcomings in each vendor's exports (I'm going to cover what other vendors are exporting and how Cisco and Palo Alto can learn from them), and how to gain insight into encrypted traffic without the use of man-in-the-middle certificate hijacking. Both firewalls we're talking about today, in the screen captures, will be sending NetFlow off to our flow collector, called Scrutinizer, and Scrutinizer accepts all NetFlow versions and variations, including IPFIX and sFlow. I'll be demonstrating the differences between the flow exports from these two vendors, and of course I'll show you how to increase the contextual information they provide as well.

First let's take a look at the Cisco ASA, and then we'll come back to the Palo Alto appliance. The Cisco ASA, by the way, exports something called NSEL, which stands for NetFlow Security Event Logs, and as Justin pointed out, the ASA actually has two separate appliances running on the same box. The first one shown here is the traditional ASA, which exports NSEL, and the second appliance is FirePOWER, which gets its own IP address. Notice in orange the IP address of the ASA on the right, 10.1.1.251, and FirePOWER in yellow on the left is 10.1.1.241. Here's how we collect data from FirePOWER in Scrutinizer. We collect flows from the Cisco ASA, as already stated, using NSEL, and this is how we've always collected the data from the ASA. But now we have FirePOWER and FireSIGHT being introduced, so what's different now is that we collect data from FireSIGHT, and this is done by sending the FirePOWER metrics from the ASA to your FireSIGHT server. Scrutinizer then collects these details from FireSIGHT using the eStreamer API. Again, pay attention to all of the different IP addresses involved. So imagine having four Cisco ASA firewalls, all with FirePOWER. All of them would be sending NSEL off to Scrutinizer from their own unique IP addresses, and Scrutinizer would display flows from all four, and they'd show up as four different exporters. At the same time you have the same four firewalls sending traffic details up to the FireSIGHT server, and then Scrutinizer using the eStreamer API to collect that information. So what does it look like? Well, if we go into Scrutinizer's interface and look at the data, we're going to see four different firewalls, all with unique IP addresses or host names in Scrutinizer, and I can click in for details. We also see a single IP address for FireSIGHT, which represents the data collected using eStreamer for all four of the same firewalls. What's unique about the Scrutinizer interface is that you can report on the FirePOWER data across all four firewalls or select a specific firewall by clicking on the IP address, and notice again that the IP addresses representing the FirePOWER logs are different from the IP addresses used by the same firewall to send the NSEL data. So why does Scrutinizer send log information from both appliances? I can't answer that, but what I can tell you is that the details available in the FireSIGHT logs are really pretty good. Let's take a look.

Here is a partial list of the details you can export from FireSIGHT, and notice that many of the values have been crossed out. I did that because this was actually a document that I used with engineering to say, okay look, the customer can choose all of these, but realistically the flows would be so big that a single flow wouldn't fit inside an Ethernet datagram. So what you do is you select what portions of the flows or the logs that you want to export out as IPFIX, and you can enable whatever you want in a configuration file. So this image is really just showing what we enabled by default. Okay, here we are in the Scrutinizer interface reporting on the eStreamer data. Now beyond the dozens of traditional flow reports that also work, you have about a dozen or so reports to choose from. FireSIGHT allows Scrutinizer to report on the application on the desktop that triggered the flow, as well as the HTTP host targeted in the flow. Scrutinizer can also report on the user name, the application, as well as the URL targeted, which helps track down the malware or the potential source of an application performance issue.

All right, now let's change gears and focus on the flow information exported by the Palo Alto firewall. In Scrutinizer it's a lot more straightforward. Beyond the dozens of traditional NetFlow reports, which again work with the Palo Alto NetFlow v9 exports, we also built in two unique reports that are specific to their export, and you can get details on the applications running on the end systems as well as the user names. But what about getting the URLs, or the fully qualified domain name, or FQDN, like we saw with the Cisco ASA? Well, Palo Alto doesn't export that, but there is a way to add it. Introducing FlowPro Defender. It sits on a SPAN port and monitors all of the traffic to and from the DNS servers, and then it sends details about the requests off to the Scrutinizer server as IPFIX, and then we use that data and correlate it with flows in our reporting. So simply put, FlowPro Defender creates a log of all the traffic to and from the DNS. The log includes the FQDN requested as well as several of the details about the DNS transaction, and like I said, IPFIX is used as the transport. So here's the value add of FlowPro Defender to any flow export from any vendor: notice that over on the left are the obfuscated source machines, and you see the destinations on the right with the sites like Akamai and Amazon AWS. Let me just hide that for a second and notice the words underlined in red, right, so that's all your Akamai and Amazon AWS. What we do is, using the data we collected from FlowPro Defender, Scrutinizer inserts the FQDN into the reports, and we do this for Palo Alto and every other vendor that exports flow data. The strategy even works if the data is encrypted, which really makes it very useful. As you can see, you see YouTube, Facebook, Microsoft, so it's a great way to see inside that encrypted traffic.

All right, now let's do a direct comparison between Palo Alto on the left and Cisco ASA on the right. The NAT details, for example, are pretty much the same; Cisco has a couple more, but we can create them in the Palo Alto export with the report designer that ships with Scrutinizer. Notice the Cisco firewall option in the menu: Cisco allows us to report on the ACLs being violated the most frequently. This is useful information when trying to decide which ACLs are important, and I can't do that with the Palo Alto. So let me show you an example of this report, and here you see a list of the ACLs (the ingress ACLs in this case, but you could do egress as well) being matched the most frequently on the ASA, and so this is something we think would be nice if Palo Alto added it. Cisco and Palo Alto both export the firewall event, and Cisco exports the extended event, which sounds great, but after numerous requests submitted to Cisco we pretty much didn't get anywhere, so we've determined that the extended event value must not hold any substantial relevance because we could not find any documentation on it. So if anyone can find it, please let us know and we'll add it to our reporting.

All right, Barracuda is new to the flow export market, and they export IPFIX, and you can see here that in the flow they export both the firewall rule and the firewall reason. I thought that was pretty nice. Barracuda is not alone: SonicWALL exports more details about the flow allowed and denied, and here we're seeing the intrusion detected. Now I'm really doing a lot of comparisons here to the Cisco ASA NSEL export as well; there you can get some more details from FirePOWER right from FireSIGHT. Another example from SonicWALL is the virus, so it tells me the end systems. SonicWALL exports IPFIX, but they're not without problems either; we need a way to whitelist certain behaviors because their appliance is triggering false positives for us, and they are of course not alone in the industry for triggering false positives. VPN reporting is a nice way to segue into my final section. This is very important. SonicWALL has done a good job of being really the first vendor that we saw that focused on VPN reporting, to give you some nice details. So how can we do some of this stuff with Cisco and Palo Alto? Well, introducing Cisco AnyConnect version 4.2, which exports IPFIX directly from the VPN clients, and the details are incredible. Let's go. AnyConnect IPFIX exports provide insight into the applications running on the desktop that triggered specific flows, so I can actually click on the process name and see the flows. I'm only showing you one report out of like 20 because I've got to give this back to Justin. The SHA-256 hash can be clicked on to verify the executable on the operating system, to verify that it's a valid hash, so we go out to VirusTotal or Cisco IronPort. If you like that concept of Cisco AnyConnect, which we fully support, there's another option if you have Palo Alto. It's called IPFIXify. It's an open-source, free product that allows you to export many of the same details as Cisco AnyConnect at no additional fee. It's completely open source, and you can see here that it gives you the parent process, again the SHA-256, click, go to VirusTotal, and I underlined it in red, you know, being identified as a portable executable file, whatever. So you get a lot of the same functionality. If you're looking for that out of Palo Alto, check out IPFIXify. You can export anything from any operating system, and it's open source. So with that, Justin, I'm going to hand the presentation back to you.

So now the question many of you are asking yourselves: how much does this cost? Well, let's start with Cisco. An entry-level 5506-X starts at $1,695 for the hardware unit. The subscription to the FirePOWER Services was something I couldn't obtain from Cisco, but I can assume, based on other vendors, that it's going to be an additional 20 percent at least per standard subscription model. The higher-end units cost quite a bit more; the 5585-X starts at around $225,000 and can run more depending on the throughput required. Regarding Palo Alto, a low-end PA-500 starts at $4,500 retail, and then you can add on their subscriptions, which are 20% per subscription, and there are four subscriptions, which include WildFire as well as GlobalProtect. Meanwhile, their PA-7080 starts at around $300,000 retail; you can add up to ten network processing cards, each costing a little more than a hundred thousand each.

So in summary, the Cisco ASA with FirePOWER Services and the Palo Alto Next-Generation Firewall offer a broad range of benefits for organizations of all sizes, and deciding which solution to go with is entirely dependent on the features you need and the type of environment you have. So while there are no clear winners today, or perhaps there are only winners, be sure that the features of either solution meet the requirements of your business.

Now with that, we can take some questions asked by our audience. The first question that we have is: is my ASA upgradeable after purchase? To answer that, that would all depend upon how long ago you purchased your ASA. ASAs that have been purchased more recently are much more easily upgradeable with regard to RAM and CPU performance than the older ones, so you'll need to check how long ago you purchased, and then I would check with Cisco for specific upgrade paths. The next question that we have is: does IPFIXify run on Linux? To answer that, yes, it runs on Linux and Windows. Also, since it's open source, you could theoretically compile it to work on Mac OS X, for example, or Android or iPhone. Being open source, you can see exactly what those requirements would be moving forward onto a different platform. The next question: what version of FlowPro Defender do I need to get these new features? The features that Mike showed require two things: they need FlowPro Defender 16.2 for those exports, specifically like the fully qualified domain name, but you also will need Scrutinizer 16.2 in order to see those reports in our own system. If you have another flow collector, you'll be able to see those templates in FlowPro Defender 16
- the next question is if I don't have fire site will flow Pro defender work with an AAS a yes it will and it will actually work with any flow exporter and actually non flow exporter as well because the flow Pro defender added heart is actually a an IP fix generating probe so it sits at a you know say a span board and then it sees your network traffic and it generates flow data from that traffic and then sends it to your net flow X collector and so what we have a we have time for probably one more maybe two more questions I'm an existing customer can I evaluate these reports um so yes yes you can we're actually changing the licensing to in in 16.3 coming in this month and what it's doing is it's offering unlimited devices in our free edition so you can actually try that out and then you'll be able to see all of those reports available so I'll do one more question and the this question is a can scrutinize ur be distributed I'm assuming you mean is it capable of being in you know in multiple environments so like multiple data centers and multiple say branch offices and stuff and such so there is a centralized interface and we do offer multiple collecting points that that sync with that centralized interface and then all flows are deduplicated and stitched and and basically that allows you you know you can scale out to over 8 million flows per second with that type of architecture so so with that we thank you very much for joining us in this webcast and if you have any questions feel free to give me you know send me an e-mail at justin jet at clicksor calm until next time make sure you have a incident response system that you can rely on
Info
Channel: Plixer
Views: 65,980
Rating: 4.5646257 out of 5
Keywords: firewall, cisco, firepower, palo alto, next-gen firewall, comparison, network security, asa
Id: GDfw2ayLZOA
Length: 43min 25sec (2605 seconds)
Published: Tue Nov 29 2016