topic Re: NGIPS Vs in Network Security

NGIPS Vs

adamgibs7 — Tue, 03 Sep 2019 04:56:51 GMT

Dears

I want to know more on the NGIPS of Cisco, hence what i know the NGIPS are signature less and they detected on the pattern based , actually can anybody share with me an example how threat will be detected by a pattern algorithm, If it is pattern algorithm then what are the rule update in the Cisco Firepower.

As if now the fortinet firewalls are capable of doing DLP, Antivirus, NGIPS, Web Filtering, APP Filtering, WAF, EMAIL Security all in one box,, is it Cisco Firepower supports DLP, Antivirus, WAF,Email Security i don't think so becz i don't see any option to configure them.

Also i would like to know about Cisco AMP, Cisco has 2 types of AMP , AMP for endpoint and Network AMP ( AMP 7150, 8050 etc etc ),what difference these AMP do then a Threat grid ( Sandboxing),

If a customer has an AMP does he require a Cisco Threat Grid subscription or on premises ??? and if a customer has a Threat Grid does he needs a Cisco AMP. ( network or endpoint)

Thanks

Re: NGIPS Vs

Marvin Rhoads — Fri, 06 Sep 2019 14:41:08 GMT

It's easiest to just have a look at a typical IPS rule (see screenshot below) than to explain it in general. Rule updates in Firepower are new Snort rules created by Cisco Talos = IPS rules.

Firepower is not a Unified threat Management (UTM) device so its coverage of the other areas you mentioned is little to none. You can do very crude DLP with sensitive data protection feature.

AMP is available on Firepower as well as as an endpoint product. They are complimentary. If we can see and block the file as it transits the perimeter then that's a good thing. The endpoint product is more comprehensive but only for the endpoints where it is installed.

AMP (all kinds) uses the Threatgrid backend to a certain extent. Without a Threatgrid subscription your account is limited to a small number of file submissions (200 if I recall correctly) for Threatgrid analysis per 24 hour period. You also get the detailed insight when you have full threatgrid and the ability to play the sandbox recordings, submit files on an ad hoc basis directly etc. It's more useful for a full Security Operations Center and/or forensic investigative purpose. If you only have Threatgrid (and no AMP) then you are only doing manual file submission - not very useful for most enterprises.

Re: NGIPS Vs

adamgibs7 — Mon, 16 Sep 2019 20:33:25 GMT

Dear marvin

thanks for the reply,

Can AMP4E replaces corporate antivirus solution which is been used for years and years.

As you have mentioned that without a AMP we can manual submission to threat grid , what if i dont have a AMP ( All kinds) ans i have a ASA with firepoewer services or FTD, they can send file to threatgrid for sanboxing and accordingly they can block, Please correct me if i m wrong.

thanks

Re: NGIPS Vs

Marvin Rhoads — Tue, 17 Sep 2019 03:14:54 GMT

You're welcome.

Yes AMP4E can replace traditional antivirus products.

If you do not have AMP for Networks licensing on your ASA Firepower service module or FTD device then they cannot avail themselves of Threatgrid by themselves. The automated file upload requires an AMP for Network license.

Re: NGIPS Vs

adamgibs7 — Tue, 17 Sep 2019 06:49:44 GMT

Dear Marvin

Thanks for the reply,

Please find the attached , I have once question here , is it FPR4110-NGIPS-K9 and FPR4110-AMP-K9 all are using the same OS ???, so i am confused here AMP for Network has different appliance but are these appliance use the same OS 6.X???

Also want to know for NGIPS OS even, what i understand is FPR 2100,4100,9100 can act as a standalone NGIPS with the same image of FPR 6.X only configuring the IPS part from the FTD OS.

Please confirm.

Re: NGIPS Vs

Marvin Rhoads — Tue, 17 Sep 2019 08:51:09 GMT

They are all the same hardware and software. The difference is in how you configure and use them.

Other minor differences are things like if you specify the appliance with ASA image, the ordering tool doesn't allow you to choose Fail-to-wire (FTW) netmods as they are incompatible with ASA software.

Re: NGIPS Vs

adamgibs7 — Tue, 17 Sep 2019 19:38:43 GMT

Dear marvin

Thanks for the reply, You are the one from whom i can expect the replies, Please reply for below queries to have more clarity on the products

AMP appliance such as ( 7150, 8050 etc etc ) are also based on FTD image
In AMP4E who is the server for endpoints Talos cloud or AMP appliance ( 7150,8050 etc etc ) can become a server.
Is it Cisco AMP4E EDR capable??
If incase i need to have a dedicated NGIPS then i can add a FTD device 2100,4100 or 9300 models with FTD image using only the IPS Tab in the FTD OS acting as an transparent FW scanning traffic becz i will be having a another box such as 21XX for NGFW. I am assuming the same concept as we use to do in older IPS

Re: NGIPS Vs

Marvin Rhoads — Wed, 18 Sep 2019 14:58:37 GMT

You're welcome.

1. 3D Series (71xx and 8xxx) are NOT based on FTD. They are all NGIPS and use classic Firepower OS (from Sourcefire).

2. In AMP4E the "server" is usually Cisco's AMP cloud. It can be an on-premises AMP Private appliance. It is never a 3D series appliance.

3. Cisco contends the AMP for Endpoints product can be characterized as both Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP).

https://blogs.cisco.com/security/epp-edr-cisco-amp-for-endpoints-is-next-generation-endpoint-security

https://www.cisco.com/c/en/us/products/security/endpoint-security/what-is-endpoint-detection-response-edr.html

Neither term is exact though so people may differ in their opinion.

4. I'm not sure I understand your question.

Re: NGIPS Vs

adamgibs7 — Wed, 18 Sep 2019 20:15:06 GMT

Dear Marvin

As per the datasheet classic series ( 71XX, 81XX) are acting as an AMP for Networks for private cloud i assume, and in previous post you confirm to me as per the screenshot attached FTD 21XX,41XX,93XX can act also as a NGIPS in FTD OS,
If i want to order AMP for Network so which part number I have to order becz as u r mentioning 71xx, 81xx are for NGIPS
in previous post last question which u didnt understood, I mean to say if 41XX is used as an NGIPS with FTD OS then only the IPS Tab needs to be configured, Please find the attacehd.
The 3rd Point above is also applicable for AMP instead of NGIPS
Gartner doesn't mentioned AMP4E in a antivirus solution list

Re: NGIPS Vs

Marvin Rhoads — Thu, 19 Sep 2019 03:28:23 GMT

1. 7XXX and 8XXX are NOT AMP private cloud appliances. AMP Private cloud is orderable as a virtual or physical appliance:

https://www.cisco.com/c/en/us/products/collateral/security/fireamp-private-cloud-virtual-appliance/datasheet-c78-742267.html#OrderingInformation

It acts as the "server" in an AMP for Networks or AMP for Endpoints deployment.

2. AMP for Networks is not a separate product but rather refers to AMP (Malware) licensing on network devices - those include classic Firepower (7XXX, 8XXX 3D series appliances and NSIPSv), Firepower Threat Defense devices or ASAs with Firepower service modules.

3. Yes if you want to use your 41XX as only NGIPS then you create inline interfaces and only configure the IPS-specific features (Intrusion policy).

4. Similarly if you only wanted to use your appliance only for file protection then you would only configure file policy. this would be a very unusual setup though as the cost of an appliance would not normally be justified to use it in such a limited sense.

5. I cannot comment on why Gartner does or doesn't include certain products in certain categories.

Re: NGIPS Vs

adamgibs7 — Fri, 20 Sep 2019 07:27:04 GMT

Dear Marvin

Thanks for the reply we are near to the closure of the post. You have cleared 90% of my doubts hence Cisco has made things complicated in datasheets.

In which situation i will come across to use the Classic series, becz whatever classic series is providing is been provided by FTD and ASA/w firepower services.
But Cisco has made things complicated in comparison with Fortinet , now in Cisco we have ASA, FTD, source fire (Classic series)
As you mentioned that one will not position an appliance for AMP but the same is also not a good practice for position as IPS instead i can positioned a classic series..

Re: NGIPS Vs

Marvin Rhoads — Fri, 20 Sep 2019 11:24:24 GMT

Very few new installations will use the classic series.

Most of the larger vendors have differences in their product lines for various reasons - compatibility with older products, some features customers rely on have not been ported to new architecture, operational models that are slow to adopt new products etc.

For a dedicated IPS with absolutely no need for other FTD features some (but fewer than before) might still select a new classic series. They might cost a bit less, all other things being equal. On the other hand, they are limited should the organization decide later they want the non-IPS features.

Re: NGIPS Vs

adamgibs7 — Sat, 21 Sep 2019 07:12:52 GMT

Dear marvin

Thanks for the reply,

For a dedicated IPS with absolutely no need for other FTD features some (but fewer than before) might still select a new classic series. They might cost a bit less, all other things being equal. On the other hand, they are limited should the organization decide later they want the non-IPS features.

U mean to say that anybody if planing to deploy a dedicated IPS in their network then they should go with Classics series by configuring IPS features only in the classic boxes, apart from IPS feature if they want to configure any other feature it is their choice to do that. Please correct me if my understandings are not correct according to your reply in above post.

I have found some post mentioning about IPS.

https://community.cisco.com/t5/security-documents/upgrade-to-a-ngips/ta-p/3635567

The one mentioning in the below link is not been covered by Firepower.

https://community.cisco.com/t5/security-documents/5-reasons-for-choosing-a-dedicated-ngips/ta-p/3635560

Re: NGIPS Vs

Marvin Rhoads — Sat, 21 Sep 2019 10:10:36 GMT

I was saying that sometimes the customer insists in IPS only. At the end of the day they may make decisions different from my recommendations. There are few reasons for needing a dedicated IPS such as the classic series. If that's their choice then so be it. I usually advise otherwise though.

Those links you mentioned are marketing documents from 2+ years ago. I try to focus on technical and functional requirements and not debate marketing presentations.