Friday, April 27, 2018

Cisco ASA with FirePower Services vs. FTD

More questions about the Cisco ASA with firepower services and FTD:

“What’s the difference between traditional Cisco ASA with firepower and new Cisco Firepower threat defense?”
“Why would a customer go for Firepower Threat Defense if they already have Cisco ASA with FirePOWER Services?”
“What are the benefits of FTD and additional features in FTD?”
“What are the key benefits of Cisco Firepower appliances (4100, 9300) and what are the limitations of Firepower Appliances?”

All the questions above come down to one point: what is the difference between FTD and the Firepower appliances?

In which scenarios is each used, and what are the other use cases?

FTD combines both the ASA and FirePOWER code into a single image. At the moment FTD has not reached feature parity with the ASA (no remote-access VPN, no multiple-context mode, no clustering, etc.), but it will be the way forward.

One of the benefits is that you no longer need to configure two separate instances (ASA and FirePOWER); instead you have a unified security policy that is managed either with Firepower Device Manager for small to mid-range deployments (ASA 5506-X through 5525-X) or centrally with Firepower Management Center.

The Firepower appliances (4100, 9300) are the new NGFW hardware platform that can run either ASA software (without FirePOWER Services) or FTD software. They are essentially the evolution of the ASA hardware platform, supporting higher throughput.

You may want to go down the FTD road if you do not require the ASA features not yet implemented in FTD, as listed above. In about two years it should be the de facto standard.

Feature Comparison (Q4, 2016):
FTD is an integrated image that combines all of the FirePOWER Services features with many (but not all) of the ASA firewall services.

If a customer is already running ASA with FirePOWER Services, they may want to migrate in the long term to simplify management and operations. In the short term, there are few compelling reasons.
Right now there are very few FTD features that are not available with a combination of ASA and FirePOWER Services. Longer term, more development resources on the FTD side may change that equation.

The 4100 and 9300 series are a whole new hardware platform for security appliances, based on the UCS hardware. They offer much higher performance at a very attractive price when compared to the ASA platforms.

FTD runs on either the new 4100 and 9300 series or the ASA appliances (except the 5585-X). The FirePOWER appliances run only the legacy FirePOWER image and will not run the FTD image.

What is Cisco Firepower Threat Defense (FTD)?

Cisco Firepower Threat Defense (FTD) is a unified software image that includes the Cisco ASA features and FirePOWER Services. This unified software offers the functions of ASA and FirePOWER on one platform, in terms of both hardware and software features. This seems to be a good approach by Cisco, especially when most Next-Generation Firewall vendors are offering their solutions on a single platform with a unified image. Currently the Cisco Firepower Threat Defense (FTD) unified software image is available in the following releases:
  • 6.0
  • 6.2
Cisco Firepower Threat Defense (FTD) is capable of offering the following Next-Generation Firewall services:
  • Stateful firewall Capabilities
  • Static and dynamic routing
    • Supports RIP, OSPF, BGP, Static Routing
  • Next-Generation Intrusion Prevention Systems (NGIPS)
  • URL Filtering
  • Application visibility and control (AVC)
  • Advanced Malware Protection
  • ISE Integration
  • SSL Decryption
  • Captive Portal
  • Multi-Domain Management
Currently the Cisco Firepower Threat Defense (FTD) unified software can be deployed on the Cisco Firepower 4100 Series and Firepower 9300 appliances. FTD can also be deployed on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. However, the Cisco Firepower Threat Defense (FTD) unified software cannot be deployed on the Cisco ASA 5505 and 5585-X Series appliances.

Some of the key features that Cisco Firepower Threat Defense (FTD) currently lacks are as follows:
  • VPN Function
  • Multi Context mode
  • EIGRP and Multicast
  • Does not support Cisco ASA 5505 & 5585-X Appliances
The lack of VPN function is a major drawback that Cisco needs to overcome in an upcoming release of the Cisco Firepower Threat Defense image. This certainly discourages enterprise customers from adopting the Cisco Firepower Threat Defense unified image on their supported ASA 5500 Series platforms.
