10-28-2015 12:26 AM - edited 03-11-2019 11:48 PM
Hello,
I am just curious to know why Cisco moved from the CX module to the SFR module.
As far as I know, Sourcefire has been known for its strong IPS features and SNORT technology. The CX module is capable of doing NGFW services. What makes SFR a better solution compared to the CX module? I am only concerned about the technical part, not the business part.
Hoping for valuable responses ASAP.
Thanks,
Rakesh Kumar
10-28-2015 08:29 AM
Hello,
ASA CX was developed by Cisco in order to have a product in the class of Next Generation Firewalls. The idea was great: they bought IronPort, and so Cisco got one of the best web-proxy servers. After that, Cisco introduced the CX software module for ASA appliances. This module was built on the basis of the IronPort Web Security Appliance. Later Cisco added NGIPS functions to the CX module.
I had a chance to install and work with the CX module in 2013. And I found out for myself that the CX module had a lot of bugs and didn't work stably in those days. After some years Cisco corrected plenty of bugs, and as far as I know, modern versions of the CX module work fine. But the moment was missed. They still needed an NGFW which was better than the competitors'. Moreover, classic Cisco IPS and NGIPS on the CX module were not among the leaders on the IT and security market.
From my point of view, this situation became the main trigger for buying the Sourcefire company. After creating the SFR module for ASA, Cisco took first place in the Gartner Magic Quadrant for NGFWs.
Also, all Cisco classic IPS went EoS after they had bought Sourcefire:
The ASA CX module became EoS too:
From the technical perspective, from my point of view, we should compare ASA CX with SFR within two classes: as NGFW and as NGIPS.
If comparing the functions within the NGFW class, both modules are good. Some functions work better on CX, some on SFR. For example, AVC is better (only from my point of view) on SFR. SFR can recognize web applications and other types of applications more correctly and deeply. But the question of authentication is better on the CX module. On the CX module you can configure Active, Active with SSO and Passive Authentication. On SFR at this moment you can use only Passive Authentication. Decryption policies exist on CX. Decryption for SFR on ASA is on the roadmap. Reporting works better on SFR. And so on...
If comparing the functions within the NGIPS class, SFR is much, much better and provides a great number of services which can help to make the network secure. For example, network discovery: on SFR with FireSIGHT management you can get host profiles for every host in the network. In a host profile you can find information about OSs, Indicators of Compromise, Vulnerabilities and so on. Moreover, SFR can be used with AMP licenses, which introduce antimalware services, so that you can search for malware in the files which are uploaded or downloaded through the SFR module.
12-27-2015 08:46 PM
Thanks for the reply Boris.
Do you have more information to share on technically differentiating between CX and SFR?
12-27-2015 11:08 PM
Hello,
I just want to add that with the new version of SFR (6.0.0.0 was released in November 2015), Active Authentication, integration with Cisco ISE and Decryption were introduced for Cisco ASA and its SFR module. For more information, see the Release Notes:
Unfortunately I don't have a document which shows the technical differences between CX and SFR, and I'm not sure if such a document exists.
You can find more information about SFR module here (Documentation Roadmap):
http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html
12-28-2015 08:17 AM
Thanks for the helpful information Boris.
I think all we need is the practical working experience to figure out how they behave when implemented in a real environment.
12-28-2015 11:12 PM
Yes, sure.
If you have an ASA appliance with an SSD disk, you can install the SFR module:
and the FireSIGHT System to control SFR:
If the links above are not available to you, you can ask your Authorized Cisco Reseller or Representative to provide the software to you for testing purposes.
You will also need to ask your Cisco Representative to provide trial licenses for testing purposes.
If you don't have an ASA with an SSD disk which you can use for testing, you can deploy a Virtual IPS Sensor for a VMware ESXi host:
It has almost the same functionality as the SFR module.
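As an added example (not part of any post in this thread), here is the ASA-side CLI that installs the SFR module onto the SSD and then puts it inline via the Modular Policy Framework, which is the same hook the CX module used (with the `cxsc` keyword instead of `sfr`). The boot-image filename, ACL name and class-map name are placeholders, not values from this thread; the `sw-module`, `sfr fail-open`/`sfr fail-close` and `monitor-only` keywords are the real ASA commands.

```cisco
! --- Added example: install the SFR module and redirect traffic to it (ASA CLI) ---
! If a CX module is still on the SSD it must be removed first; both modules share the disk.
sw-module module cxsc shutdown
sw-module module cxsc uninstall

! Boot the SFR module from its boot image (placeholder filename; use the asasfr-*-boot image
! that matches your ASA model and SFR version, copied to disk0: beforehand).
sw-module module sfr recover configure image disk0:asasfr-boot-image.img
sw-module module sfr recover boot
! Wait until "show module sfr details" reports the module as Up, then open the module console
! to run "setup" and install the system package from there.
session sfr console

! Redirect traffic to the module. Scope the ACL to what you actually want inspected;
! "permit ip any any" sends everything.
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect

policy-map global_policy
 class sfr_class
  ! fail-open: keep forwarding if the module is down or reloading (availability over inspection).
  ! Use "sfr fail-close" to drop traffic instead when inspection is mandatory.
  ! Append "monitor-only" to copy traffic to the module without letting it block anything,
  ! useful while evaluating the module before enforcing.
  sfr fail-open
service-policy global_policy global

! Verify that the module is up and that traffic is being redirected
show module sfr details
show service-policy sfr
```

The fail-open versus fail-close choice is the security-relevant decision here: fail-open means a module reload (for example during an upgrade) silently turns the ASA back into a plain stateful firewall until the module returns, while fail-close turns a module failure into an outage. Start with `monitor-only` to confirm redirection and policy behaviour, then remove it once the module is enforcing.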