Many people think that with the adoption of a next-generation firewall (NGFW), that they no longer need a stand-alone intrusion prevention system (IPS).
That’s simply not true. A “true” NGIPS can provide visibility, threat detection, threat response, and malware discovery. And it can do all that in areas of your network that remain off-limits to firewall inspection and controls.
Safeguarding your network assets and data from today’s threats requires detailed visibility into all your network layers and resources.
- It requires comprehensive, and up-to-date security intelligence.
- It requires a dynamic approach that uses awareness and automation to adapt to new threats, new vulnerabilities, and everyday network changes.
- It requires Cisco Firepower NGIPS (Next-Generation Intrusion Prevention System) threat appliances.
The Cisco Firepower NGIPS threat appliance provides industry-leading visibility and threat efficacy against both known and unknown threats.
Cisco Firepower NGIPS stops threats by using:
- More than 30,000 IPS rules that identify and block traffic trying to exploit a vulnerability in your network
- Reputation-based IP, URL, and DNS security intelligence that can shrink the attack surface by identifying malicious sites
- A tightly integrated defense against network-based advanced malware attacks
- An integrated sandboxing technology that uses hundreds of behavioral indicators to spot zero-day attacks
- An Indications of Compromise (IoC) feature that correlates events from multiple sources to identify what may be compromised hosts
Upgrade your customers to Cisco Firepower NGIPS today to help them protect their network, users, applications, and information assets.
It’s as easy as 1…2…3
- Confirm your current IPS model and refresh needs.
- Review the recommended migration path.
- Contact your trusted Cisco Security account manager or partner to get started.
Migration Recommendations for Cisco IPS and FirePOWER
Migration Recommendations for Cisco IPS and FirePOWER (former Sourcefire) Customers
Cisco IDS/IPS 4000 Appliances |
Recommendation |
Throughput Performance Improvement |
| Cisco IPS 4270-20 | Firepower 4110 | 2X |
| Cisco IPS 4360 | Firepower 4110 | 3.2X |
| Cisco IPS 4510 | Firepower 4110 | 1.33X |
| Cisco IPS 4520 | Firepower 4120 | 1.6X |
| Cisco IPS 4520-XL | Firepower 4140 | 1X |
| FirePOWER 81xxAppliances |
Recommendation |
Throughput Performance Improvement |
| FirePOWER 8120 | Firepower 4110 | 2X |
| FirePOWER 8130 | Firepower 4110 | 1X |
| FirePOWER 8140 | Firepower 4120 | 1.33X |
| Firepower 8xxxx AMP Appliances |
Recommendation |
Throughput Performance Improvement |
| FirePOWER AMP 8050 | Firepower 4110 AMP | 1.5X |
| FirePOWER AMP 8150 | Firepower 4120 AMP | 1.2X |
| FirePOWER AMP 8150 | Firepower 4140 AMP | 2X |
Why NGFW and NGIPS are needed in network security infrastructure?
Do you really need both a next-generation firewall (NGFW) and next-generation intrusion prevention system (NGIPS) for my network security infrastructure? The answer is YES!
What does a next-generation firewall do? The NGFW has its core competencies and it includes:
- Network address translation
- Acting as a stateful firewall
- VPN concentrator
- Application visibility and control
- And don’t forget, IPS inspection
A next-generation IPS has its core competencies and they include:
- Inspect asymmetric traffic flows
- Perform as a transparent bump-in-the wire inspection device
- Provide visibility and protection by inspecting network traffic that moves lateral to a perimeter firewall
Since the NGFW is a network device, it can operate lower in the OSI stack and can act as a network boundary or create a network pinch-point perfect for stateful firewalling, application identification, and deep packet inspection.
Using a NGIPS to perform deep packet inspection makes for a more effective strategy against the would-be-adversary. Because an NGIPS does not maintain a state table, it is less vulnerable to attacks that exploit state table exhaustion and result in denial of service. This also gives it the ability to inspect asymmetric data flows. The NGIPS is also a transparent device, just a bump in the wire, allowing traffic to flow as if it is not even there, even if it is deployed in the core, doing deep packet inspection or on the network edge.
Did you know that traffic looks differently in the core vs. the edge of the network? Advanced persistent threats are more easily detected by the NGIPS. Because the NGIPS can be deployed where it will have of the lateral visibility of the traffic, it gives you that advantage over a firewall. A traditional stateful firewall cannot provide this. The lateral visibility it is perfect to identifying machines on a network that have already been compromised and are being used by a bad guy to collect and infiltrate sensitive or important data.
Visibility and the ability to secure a network at the perimeter and at the network core should be essential for every organization that wants to strengthen their overall security posture.
Learn More: Find the Right Cisco Firewall for your Needs
To learn more about Cisco Firepower NGIPS threat appliances, please visit https://www.cisco.com/go/ngips.
To learn more about the Cisco Advanced Malware Protection capability, please visit https://www.cisco.com/go/amp.
To learn more about Cisco’s Talos Security Intelligence and Research team, please visit https://www.talosintelligence.com/.
Info from https://www.cisco.com/c/dam/m/en_us/products/security/ngips/NGIPS_transition_guide.pdf
More Related
Guide to the New Cisco Firepower 2100 Series
How to Deploy the Cisco ASA FirePOWER Services in the Internet Edge, VPN Scenarios and Data Center?
The Most Common NGFW Deployment Scenarios
Cisco’s High-end Next Generation Firewalls-Firepower 4100 and 9300 Series
