Published: September 2018
As Cisco migrates more applications to the cloud, we have seen a need to deploy the next generation of cybersecurity systems in our network. Some of our applications were experiencing performance issues due to capacity constraints in our existing security systems, which impacted user experience and productivity. Users reported slow performance and dropped connections to business-critical applications, caused by packet loss and congestion at those capacity-constrained security systems.
Additionally, some types of cloud connectivity require enhanced security visibility and controls to protect the Cisco network from cloud vulnerabilities and to meet updated requirements from our security team.
To address these challenges, Cisco IT chose the Cisco Firepower® 9300 security appliance as our new core defense solution. This carrier-grade, next-generation firewall will enable us to:
We know our customers are experiencing similar challenges. As “Customer Zero” we have had the opportunity to influence the product design by providing real-time feedback to our engineering teams early in the development process. In this way, we are helping build Cisco security solutions that our customers can purchase with confidence.
As of mid-2018, we have deployed Cisco Firepower 9300 as enterprise firewalls at more than 75 percent of Cisco IT CloudPort locations. CloudPorts are how Cisco IT provides optimized and secure connectivity to cloud resources from our enterprise network. We have also deployed the appliances in four additional locations as part of a new model to secure our lab environments. We plan to implement the appliances in all of our major corporate hubs by mid-2019.
The Cisco IT enterprise firewall provides Internet and cloud connectivity for more than 133,000 users and protects the Cisco enterprise network from external cyber threats. With an ever-expanding demand on network resources, we needed a new firewall that could grow with us. “Our most critical objective was to address our performance issues. We were able to quickly resolve those concerns by deploying the Firepower 9300 hardware while temporarily keeping the ASA software, eliminating the 5-10 high-impact network incidents we experienced each year,” says Michael Ellison, senior network engineer, Cisco IT. “We previously had to engineer our traffic across three different firewalls for scalability reasons, and this is allowing us to reduce that complexity by consolidating down to one.”
By replacing the hardware alone, we have seen five times higher traffic throughput and better performance. With our upcoming transition to Firepower Threat Defense (FTD) software, we will also be able to address our critical concerns with operational overhead, detecting potentially malicious activity faster than before and eliminating it before damage can be done. We plan to move to FTD as quickly as possible to realize these benefits.
Cisco has more than 2.1 million IP addresses in internal labs worldwide, connecting into the corporate network at 600 different points. Our lab networks critically needed new security capabilities, which required us to move to FTD straight away. This approach also allowed us to see the benefits of deploying FTD firsthand and to set expectations for our FTD deployment on our enterprise firewalls.
“Labs are more dynamic in nature and need high levels of flexibility, so we tool network and security around them differently,” says Roel Bernaerts, network architect, Cisco IT. “By moving all labs into a separate virtual overlay network, we reduced the number of interconnects from 600 to 13. By deploying Firepower 9300 with FTD at these interconnects, we now have better visibility and more defense tools at our disposal, which has allowed us to detect and prevent 18,000 new security threats in a single day.” (See diagram)
Historically, security threats originating in labs were detected deeper in the network, and mitigation typically meant disconnecting an entire lab or blackholing all traffic from specific hosts. Not only did this impact the critical delivery of new Cisco products and software, it also typically took several hours to validate the incident and implement the mitigation, allowing threats to spread within the lab and potentially to production systems. With the new solution, specific threats are blocked automatically at the lab interconnect without impacting legitimate traffic, and should a more sophisticated policy be required, it can be pushed within minutes of detection.
We also deployed a high-availability pair of Firepower Management Center (FMC) appliances to control our FTD deployment. FMC allows us to manage our defense policy from a centralized location and push it to all FTD appliances around the world at once. Additionally, enabling new features previously required a specialized skillset to perform code upgrades, taking up valuable resource time and occasionally resulting in critical outages caused by human error. With FMC we can now deploy new versions of code with the push of a button.
FMC also provides insights into what traffic is passing through our security appliances. Analyzing this data allows us to make more informed, insightful decisions to fine-tune network and security policies.
In our previous deployment, network engineers did not have access to security appliances, making it very hard to troubleshoot performance issues. With FMC, these engineers can now gain visibility into these systems while our security teams can continue to restrict access to sensitive security information.
Although our next-generation firewall implementation is still in progress, we are already realizing many of the benefits. We expect to see even more value in the near future once we migrate our enterprise firewalls to FTD, including: