Migrating to Cisco’s Next-Generation Firewall for Core Security

Published: September 2018

As Cisco migrates more applications to the cloud, we have seen a need to deploy the next generation of cybersecurity systems in our network. Some of our applications were experiencing performance issues due to capacity constraints in our existing security systems, which impacted user experience and productivity. Users have reported things like slow performance and disconnection of business-critical applications due to packet loss and congestion.

Additionally, some types of cloud connectivity require enhanced security visibility and controls to protect the Cisco network from cloud vulnerabilities and to meet updated requirements from our security team.

To address these challenges, Cisco IT chose the Cisco Firepower® 9300 security appliance as our new core defense solution. This carrier-grade, next-generation firewall will enable us to:

  • Improve scalability - Obtain a high-performance, scalable defense platform that can serve continuing growth in traffic
    Our peak cloud traffic grew more than 200 percent from 2017 to 2018. This created congestion and packet loss, impacting client productivity. By replacing the end-of-sale Cisco Adaptive Security Appliance (ASA) firewalls with Firepower 9300 hardware, we were able to quickly resolve these scalability issues and leave room for future growth.
  • Introduce brand new security controls - Simplified and cost-effective introduction of security in new places in the network
    As the enterprise network expands beyond traditional boundaries into the cloud, it becomes important to introduce security in new places in the network. In the past, this would have involved deploying a large number of dedicated appliances across the network, at a high cost to host and manage. Using a next-generation firewall instead allows us to deploy a single pair of devices that delivers the scale and security capabilities we need in places where we did not have appropriate controls in the past.
  • Reduce footprint and complexity - Consolidate existing security services onto a single platform
    Our traditional defense solution requires excessive rack space, power, and cooling; introduces a lot of complexity into the network; and creates challenges in correlating security and network events. Using the Firepower 9300 with Firepower Threat Defense (FTD) software will provide the scale and functionality to consolidate multiple security tools into a single platform. This will reduce our environmental footprint and operational overhead, simplify global policy deployment, and improve end-to-end security visibility. (See diagram)

We know our customers are experiencing similar challenges. As “Customer Zero” we have had the opportunity to influence the product design by providing real-time feedback to our engineering teams early in the development process. In this way, we are helping build Cisco security solutions that our customers can purchase with confidence.

As of mid-2018, we have deployed Cisco Firepower 9300 as enterprise firewalls at more than 75 percent of Cisco IT CloudPort locations. CloudPorts are how Cisco IT provides optimized and secure connectivity to cloud resources from our enterprise network. We have also deployed the appliances in four additional locations as part of a new model to secure our lab environments. We plan to implement the appliances in all of our major corporate hubs by mid-2019.

Corporate Firewall: Replacing the Hardware, Transitioning the Software

The Cisco IT enterprise firewall provides Internet and cloud connectivity for more than 133,000 users and protects the Cisco enterprise network from external cyber threats. With an ever-expanding demand on network resources, however, we needed a new firewall that could grow with us: “Our most critical objective was to address our performance issues. We were able to quickly resolve those concerns by deploying the Firepower 9300 hardware while temporarily keeping the ASA software, eliminating the 5-10 high-impact network incidents we experience each year,” says Michael Ellison, senior network engineer, Cisco IT. “We previously had to engineer our traffic across three different firewalls for scalability reasons, and this is allowing us to reduce that complexity by consolidating down to one.”

By replacing the hardware, we have experienced 5 times higher traffic throughput and better performance. With our upcoming transition to FTD software, we will also be able to address our critical concerns with operational overhead, detecting potentially malicious activity faster than before and eliminating it before damage can be done. We plan to move to FTD as quickly as possible to see these benefits.

Direct-to-FTD Design for Labs

Cisco has more than 2.1 million IP addresses in internal labs that connect into the corporate network at 600 different places across the globe. Our lab networks critically needed brand new security capabilities, which required us to move to FTD straight away. This approach also allowed us to see the benefits of deploying FTD firsthand and to set expectations for our FTD deployment on our enterprise firewalls.

“Labs are more dynamic in nature and need high levels of flexibility, so we tool network and security around them differently,” says Roel Bernaerts, network architect, Cisco IT. “By moving all labs into a separate virtual overlay network, we reduced the number of interconnects from 600 to 13. By deploying Firepower 9300 with FTD at these interconnects, we now have better visibility and more defense tools at our disposal, which has allowed us to detect and prevent 18,000 new security threats in a single day.” (See diagram)

Security threats from labs have historically been detected further into the network, and mitigation typically involved disconnecting an entire lab or blackholing all traffic from specific hosts. Not only did this impact the critical delivery of new Cisco products and software, it would also typically take several hours to validate the incident and implement the mitigation, allowing threats to spread within the lab and potentially to production systems. With the new solution, specific threats are blocked automatically without impacting legitimate traffic, and should a more sophisticated policy be required, it can be pushed within minutes of detection.

Centrally Managing the Infrastructure

We also deployed a high-availability pair of Firepower Management Center (FMC) appliances to control our FTD deployment. FMC allows us to manage our defense policy from a centralized location and instantly push it to all FTD appliances around the world. Additionally, enabling new features previously required a specialized skillset to perform code upgrades, taking up valuable resource time and occasionally resulting in critical outages caused by human error. With FMC we can now deploy new versions of code with the push of a button.

FMC also provides insights into what traffic is passing through our security appliances. Analyzing this data allows us to make more informed, insightful decisions to fine-tune network and security policies.

In our previous deployment, network engineers did not have access to security appliances, making it very hard to troubleshoot performance issues. With FMC, these engineers can now gain visibility into these systems while our security teams can continue to restrict access to sensitive security information.

Future Benefits of a Consolidated Security Solution

Although our next-generation firewall implementation is still in progress, we are already realizing many of the benefits. We expect to see even more value in the near future once we migrate our enterprise firewalls to FTD, including:

  • Reduction of operational overhead - The Firepower 9300 provides us the scale and capabilities to significantly consolidate the number of security devices we support and manage—from 116 to 26. This will significantly lower complexity, remove multiple points of failure, and eliminate common causes of critical incidents. All of this will result in a reduction of operational overhead by approximately 20 man hours per week.
  • Reduction of data center footprint - The above reduction in devices will allow us to eliminate 40 rack units from each of our data centers. This will lead to savings related to power, cooling, and rack space in our data center and co-location facilities. Overall, we expect this to result in cost avoidance of over half a million USD per year.
  • Increase in speed - Today, pushing out an access list change to all of our enterprise firewalls globally would take an engineer over 6.5 hours. With all of our devices managed by FMC, this would be reduced to under 30 minutes. Other security policy changes or network optimizations could be pushed out with similar speed and time savings.
  • Simplification of automation and orchestration - By having the APIs exposed for the Firepower 9300 and FMC, we expect to support end-to-end deployment and orchestration of new network and security services. In addition, the APIs will allow us to improve the automation of our day-to-day security activities and more easily automate one-off changes, which were difficult to do previously due to high overhead.
