This is the beginning of a series of case studies that present our day-to-day operations, coming straight from our engineering team. These posts present some of the projects our team has completed and the outcome of the changes that were made.
With this first post we are focusing on a migration from an old Cisco product line (Cisco ASA) to a newer and more secure one - Cisco Firepower. We chose this specific migration because of the end-of-life announcement by Cisco for their ASA products. This announcement leads us to believe that it is finally time for the first official wave of Next-Gen Firewalls.
What is a NGFW?
NGFW stands for Next Generation Firewall.
And why do I need to migrate from my ASA firewall?
The short answer is that the ASA firewalls and their analogs are becoming more and more obsolete with each passing year, and an end-of-life platform no longer receives fixes. This means malicious actors may find exploits that endanger your infrastructure, your clients and, most importantly, your business. To protect yourself from such a scenario it is best to stay on top of your security and make sure you are dropping the right packets before they even enter your network.
But how are NGFW different from the current firewalls?
A traditional firewall allows or blocks traffic to and from your network based on where that traffic is coming from and going to. This means you do not know what exactly enters your network, only where it has come from.
NextGen Firewalls inspect the content of the traffic, not just its addresses, so they can also prevent attacks that arrive from ‘trusted’ sources.
DISCLAIMER: For security reasons our customers are anonymized and are not mentioned in the case studies.
Our client, a database solutions provider with an impressive track record, asked for a migration from Cisco ASA to Firepower. Being a well-known and trusted industry leader, they need to set an example of what a network infrastructure should look like.
The company owned 2 ASA firewalls that, since the end-of-life announcement, had to be migrated to the newer and more secure device by the same vendor - Cisco Firepower. So the task looked like the following:
- Analyze the current running configuration of the 2 ASA devices. This includes, but is not limited to:
  - VPN configuration;
  - NAT policies;
  - Access-list rules;
- Introduce the config on the newly acquired Firepower devices;
- Deploy and integrate the new solution with the existing infrastructure.
Design and Solution
- We analyzed the current configurations of the devices.
- We contacted the clients to discuss potential improvements of the rules and use cases.
- After reaching a conclusive design for the solution we used our tools to automate the migration.
- After a few health checks and testing we were ready for deployment.
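The first two steps above (analyzing the running ASA configuration and discussing rule improvements with the client) are where most of the value of a migration is found, because rules accumulated over years on the old box should not be carried over blindly. The script below is an added example written for this post, not the team's own migration tooling: it parses Cisco ASA extended access-list lines into structured rules and attaches review findings (any-to-any permits, management ports open to any source, denies without logging, and rules shadowed by an earlier catch-all in the same ACL). It covers the common subset of ASA syntax (any/host/object/object-group/network-mask operands and eq/neq/lt/gt/range ports) and does not try to resolve service object-groups used in the port position; the ACL lines, names and addresses in it are constructed.

```python
"""Structured review of Cisco ASA access-list rules ahead of a migration.
Added example, not the team's own tooling; sample lines are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample in "show running-config access-list" format.
SAMPLE_ASA_ACL = """\
access-list OUTSIDE_IN remark Public web front end
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB eq www
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_OUT extended permit ip 10.1.0.0 255.255.0.0 any
access-list INSIDE_OUT extended permit udp object INSIDE_DNS any range 1024 65535
access-list OUTSIDE_IN extended permit tcp any any eq 3389
"""

ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> operand count
MGMT_PORTS = {"eq 22", "eq ssh", "eq 23", "eq telnet", "eq 3389"}
LINE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class AclRule:
    acl: str
    action: str
    protocol: str
    src: str
    dst: str
    dst_port: str = "any"
    log: bool = False
    findings: list = field(default_factory=list)


def _take_address(tokens, i):
    """Consume one address operand at tokens[i]; return (text, next index)."""
    t = tokens[i]
    if t in ANY:
        return t, i + 1
    if t in ("host", "object", "object-group", "interface"):
        return f"{t} {tokens[i + 1]}", i + 2
    return f"{t}/{tokens[i + 1]}", i + 2  # network mask pair


def _take_port(tokens, i):
    """Consume an optional port operator (eq 443, range 1024 65535, ...)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return "any", i


def parse_acl(text):
    """Turn ASA extended access-list lines into AclRule objects, in ACL order."""
    rules = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # remarks, standard ACLs, blank lines
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_address(tokens, 0)
        _src_port, i = _take_port(tokens, i)  # source ports rarely matter for review
        dst, i = _take_address(tokens, i)
        dst_port, i = _take_port(tokens, i)
        log = "log" in tokens[i:]
        rules.append(AclRule(acl, action, proto, src, dst, dst_port, log))
    return rules


def audit(rules):
    """Attach review findings: over-broad permits, exposed management ports,
    silent denies, and rules shadowed by an earlier catch-all in the same ACL."""
    catch_all_seen = set()  # ACL names that already contain an "ip any any" rule
    for r in rules:
        wide_open = r.src in ANY and r.dst in ANY and r.dst_port == "any"
        if r.acl in catch_all_seen:
            r.findings.append("shadowed by an earlier ip any/any rule; never matches")
        if r.action == "permit" and wide_open:
            r.findings.append("permit any-to-any: no filtering at all in this direction")
        if r.action == "permit" and r.src in ANY and r.dst_port in MGMT_PORTS:
            r.findings.append("management protocol reachable from any source")
        if r.action == "deny" and not r.log:
            r.findings.append("deny without log: dropped traffic is invisible to the SOC")
        if wide_open and r.protocol == "ip":
            catch_all_seen.add(r.acl)
    return rules


def summarize(rules):
    """Per-ACL rule and finding counts for the pre-migration review meeting."""
    out = {}
    for r in rules:
        s = out.setdefault(r.acl, {"rules": 0, "findings": 0})
        s["rules"] += 1
        s["findings"] += len(r.findings)
    return out


if __name__ == "__main__":
    reviewed = audit(parse_acl(SAMPLE_ASA_ACL))
    for rule in reviewed:
        flag = " ; ".join(rule.findings) or "ok"
        print(f"{rule.acl:<11} {rule.action:<6} {rule.protocol:<4} {rule.src} -> {rule.dst} {rule.dst_port} [{flag}]")
    print(summarize(reviewed))
```

Running it on the constructed sample flags the `permit ip any any` line, shows that the logged deny and the RDP rule after it can never match, and gives a per-ACL count to bring to the client meeting. The same structured rules are also the natural input for whatever tooling generates the Firepower policy, since each rule already carries its action, protocol, operands and findings in one record.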
Cutover and Feedback
We scheduled a window with the clients for the final migration to the new solution. Everything ran smoothly and the cutover was short and efficient. After completing the tasks we saw an increase in the visibility of the network traffic. The throughput of the edge devices was also increased, allowing for faster connections.