Validating Cisco's Threat-Centric Security Solutions
Test case 2a: Firepower 9300 with FTD, NGIPS, AMP.
SUMMARY: We reviewed the Cisco Firepower 9300 platform architecture in combination with Firepower Threat Defense (FTD), Next-Generation Intrusion Prevention System (NGIPS) and Advanced Malware Protection (AMP), focusing on functionality, configuration and manageability aspects.
1. Overview of Firepower 9300
Cisco's security architecture allows the implementation of the same security applications (e.g. ASA, NGIPS) on top of a range of physical or virtualized platforms. At positions in the network where high performance is required, Firepower 9300 provides a suitable hardware platform, equipped with accelerator cards for encryption and potentially other functions. Meanwhile, at the edge, or at a customer's premises, where low cost is more important than high performance, common server/virtualization platforms can be used to host the same security functions at lower scale.
Firepower 9300 is based on the Cisco UCS chassis, and augmented with mezzanine acceleration cards for encryption, packet classifiers, and so on. Cisco claims its architecture provides up to 960Gbit/s internal fabric capacity, with 2x40Gbit/s backplane connection to each module. Currently Cisco offers SM-36 and SM-24 blades with respective 36 and 24 physical CPU cores, providing, respectively, an estimated 80 Gbit/s or 60 Gbit/s of firewall throughput performance. We tested Firepower 9300 performance aspects in test case 5 (documented later).
From the software perspective, the Firepower 9300 platform differs from generic server or NFVi platforms. The operating system basis is FXOS, with a central Supervisor and modules that run on each of the three blades. On top of FXOS, the orchestration can deploy a single software package, the "main application" such as ASAv, and optionally a "decorator application," such as DDoS protection. Third-party software not specifically designed for use with the Firepower platform can be instantiated within a generic KVM hypervisor running on top of FXOS.
The software is staged through the management module. Cisco explained that all packages would be digitally signed (Cisco Secure Package -- CSP), while the software integrity would be verified via secure boot and would be tamper-proof. EANTC did not test supply chain security aspects.
Cisco explained that the platform is designed for clustering the individual security modules (three within a single chassis, up to 16 total), to achieve a higher throughput capacity if necessary. The clustering is possible within a chassis, but also between multiple chassis.
By defining a cluster, one can automatically deploy the same software stack across all security modules. The clusters can be defined within a single chassis (intra-chassis), or between multiple chassis (inter-chassis), up to a five-chassis setup. Cisco mentioned that active-standby and active-active cluster configurations would be supported; EANTC did not evaluate resiliency aspects.
The interconnection between chassis can be provided by setting up Virtual PortChannel (vPC) from the redundant Cisco Nexus switches.
The Firepower 9300 platform supports flow offloading. Cisco explained that the flows are processed by the flow classifier acceleration module, and the newly detected flows are first redirected to the software module for full inspection. Once the software achieves a sufficient classification of the flow, it can offload further processing by supplying offloading instructions to the flow classifier. Cisco explained that Firepower 9300 can redirect trusted flows to the lightweight data path, freeing the module's performance for other processing. Vendors use a range of mechanisms to optimize performance of virtualized network functions; this Cisco feature looks exciting and EANTC looks forward to testing it in a future project.
2. Demo of the Firepower management
We reviewed the FireSIGHT Manager, the management and monitoring application for Firepower, and reviewed the process of security services provisioning.
In the initial configuration of the test bed, a single Firepower 9300 chassis was available, equipped with two security modules. In the first step, only one security module was provisioned with Cisco's Virtual Firepower Threat Defense (FTDv) function. In the main UI view, we were able to view the status of the modules and the network ports.
As the next step, we added a new logical device, a Cisco FTD, assigned it to the as yet unused second security module on the chassis, and assigned physical network interfaces to it. The chassis management then proceeded with the installation of the FTD software package on the second module.
3. Statistics reporting
Next, we reviewed example statistics provided by the Firepower 9300 platform and the functions instantiated on it. The main dashboard provides an overview of the traffic volume by detected applications, network areas and behavior.
Table 11: Hardware & Software Versions
| Role | Hardware | Software Version |
|---|---|---|
| Security Platform | Firepower 9300 | Not disclosed |