topic You are best qualified to in Network Security

Cisco Firewall in AWS - Should i use ASAv or FTDv/FMCv?

Ramesh.Ramani — Tue, 26 Mar 2019 00:21:40 GMT

Hello All,

I'm trying to setup a DMZ for my client in AWS. I've never done this before and hence the question. I'm planning to use ASAv as the Internet Facing firewall and FTDv/FMCv (Firepower threat Detection virtual and Firepower Management Center virtual) for Threat Detection.

I've been told that i could instead just use the FTDv/FMCv instead of using an ASAv as it works as a Firewall as well (Next Generation Firewall - NGFW).

Could someone please advise if this is indeed the case? If that is the case, then is it a whole different than the ASA (as a firewall)? I'm quite familiar with the ASA, but not the Firepower and I have some tight timelines to meet for this project, so was wondering if the Firepower NGFW is similar in configuration as a firewall as for an ASA?

Also, when i take a look at the licensing/part numbers for the ASAv, i see this terminology which says : 16 pack and 8 pack licenses. What does this mean? Does this mean that i can use this one license for 16 or 8 ASAvs?

Thanks.

Ramesh

As of right now, which you

Marvin Rhoads — Fri, 08 Jul 2016 00:00:58 GMT

As of right now, which you choose depends on what features you need.

ASAv has almost all of the classic ASA appliance features. i.e. it's a stateful firewall in virtual appliance form factor.

FTDv/FMCv is more of an IPS solution (although 6.1 due out in the next month will up the game (still short of feature parity) vis a vis what an ASA offers).

The ASAv licenses are indeed offered only for multiples at this time. 16- and 8-pack are just that.

Hi Marvin,

smailmilak — Mon, 17 Jul 2017 08:42:38 GMT

Hi Marvin,

please tell me if we can get SourceFire features with ASAv or is a hardware appliance necessary?

Customer is also asking if these features are support:

- SSL inspection

- BW control

- Inline Malware protection

- Anti SPAM

- IPS (probably part of SFire)

ASAv is ASA only - no

Marvin Rhoads — Mon, 17 Jul 2017 12:16:08 GMT

ASAv is ASA only - no Firepower features at all.

FTD is available in virtual machine (VM) form. I have never seen anybody try to do SSL inspection on that although technically it is possible. The performance goes down considerably (75%+).

Basic bandwidh control is possible with FTD, as is inline Malware and IPS.

Antispam is more of an email security appliance (ESA) feature.

Thanks!

smailmilak — Mon, 17 Jul 2017 12:41:45 GMT

Thanks!

So we should go with FTDv?
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html

It seems that those requirements are more for Checkpoint?

You are best qualified to

Marvin Rhoads — Mon, 17 Jul 2017 15:44:49 GMT

You are best qualified to decide what works best in your environment.

Cisco's security products are backed by the best (by an order of magnitude) and most comprehensive security research orgainization in the world (Talos).

Most other vendors are just playing catch-up or selling to their installed base. Checkpoint Threatcloud doesn't even come close to Talos.

Thanks for the tip.

smailmilak — Tue, 18 Jul 2017 06:36:43 GMT

Thanks for the tip.

So SSL inspection and BW control is a feature on WSA?

Antispam is a feature on ESA like you have said. The other features are supported on vFTD.

Yes the WSA does both SSL

Marvin Rhoads — Tue, 18 Jul 2017 15:41:48 GMT

Yes the WSA does both SSL inspection and bandwidth control.

While it can be done technically for many sites, most organizations do not opt for SSL inspection of otbound traffic as it is very resource intensive, requires an enterprise PKI and potentially presents privacy concerns. Also some applications use certificate pinning and other technologies that thwart any scheme that uses man-in-the-middle decryption/re-encryption.