Next Generation Firewalling
Crossconnect sells and supports the industry’s two leading next-generation firewalls, Cisco (Firepower & ASA) and Palo Alto. Of note, these are the only manufacturers that overlap in our product line—we’re fluent in both in order to fit the diverse needs of our clients. We’ll help you determine which option is the right fit for your organization.
Cisco sets the bar when it comes to complete end-to-end threat solutions. All Cisco security solutions have integrations to share data—and when integrating with Stealthwatch, ISE, AMP For Endpoints, and other major Cisco security products, the results are unparalleled.
Palo Alto offers one of the most powerful, yet easiest to manage, firewalls on the market. Crossconnect has multiple PCNSEs, Palo Alto’s top certification, and provides 24×7 support in its Palo Alto practice. Crossconnect’s mature practice includes multiple successful installs implementing Palo Alto Firewalls with Cisco Application Centric Infrastructure (ACI).
Palo Alto TRAPS is a cloud-based endpoint protection client that provides best-of-breed security down to the desktop, blocking malware, exploits and ransomware.
Best Practice Assessments
Palo Alto Best Practice Assessments (BPA) assess your current PA firewalls against hundreds of best practice configurations that Palo Alto has found to ensure the highest security in your PA firewalls. BPAs allow a company to continuously improve its PA firewall configuration and threat surface over time, ensuring that every day it is more secure than the last. BPAs give you insight into your security control adoption over time, as well as a list of PA best practices that you are not conforming to and instructions on how to remediate.
Advanced Malware Protection
As part of Cisco’s next-generation firewall feature set, Crossconnect also recommends running Advanced Malware Protection (AMP). In short, AMP is best thought of as an advanced virus scanner. AMP is available as both AMP for Networks (AMP4N) and AMP for Endpoints (AMP4E). When deployed as AMP4N, the firewall itself detects and blocks malicious content. When deployed as AMP4E, the endpoint communicates with the AMP cloud and protects against malicious content. When deployed together, a full network and endpoint trajectory can be calculated, allowing the AMP4N console to orchestrate post-attack remediation via AMP4E—all keeping your business humming along smoothly.
Identity Services Engine
Identity Services Engine (ISE) is a foundational Cisco security technology. At its core, ISE changes the dynamic of networking from trusting based on IP or VLAN to trusting based on who a user is and what type of device they have, offering next-generation secure network access. Consider the following everyday issues:
- Instead of trusting by which wired port a user plugged into, can we instead trust by someone’s identity?
- Can that trust travel with them throughout their network interactions, similar to a security badging system in a building?
- We need to validate that a device is a company asset and not a user’s personal device, which may carry malware or be more susceptible to attack.
- If a device is a company asset, how do we ensure it’s running up-to-date security software?
- On a wireless network, how can we decrease our SSID count (which increases wireless performance) and eliminate PSKs?
- On a wireless network, how can we manage guest access by time of day, or allow a receptionist to grant access?
- On a VPN, how can we ensure the same level of control we might see on a wired or wireless network?
ISE is the answer to these questions and more, and is foundational to Cisco Digital Network Architecture (DNA), Cisco’s new network management infrastructure. We generally find ISE to be a core component for virtually all Cisco users.
Cisco Stealthwatch is a “network as a sensor” tool that uses NetFlow data to pick up potential malware patterns and allows the entire network to act as a large Intrusion Detection System (IDS). Stealthwatch users are equipped to outsmart emerging threats with industry-leading machine learning and behavioral modeling, all with a solution that grows with their business.
A more recent development in Stealthwatch is Encrypted Threat Analytics (ETA). Prior to ETA, the intelligence provided by Stealthwatch was limited if traffic was encrypted. ETA is available only on the Catalyst 9000 series switches. Using the higher processor speeds in the Catalyst 9000, it assembles pattern data on encrypted traffic and exports that to Stealthwatch. This creates a digital fingerprint that can be used to identify malicious traffic without decrypting it.
Aruba Clearpass provides robust and highly configurable Identity and Access Management for the modern network. Clearpass is a key aspect of a zero-trust network where all users and devices on the network are authenticated, identified, and assigned policy based on their context in the network. Clearpass supports wired and wireless 802.1X, endpoint profiling and device type-based access, posture checks, guest and BYOD portals, and much more. Most importantly, Aruba Clearpass is a truly multi-vendor solution and can be integrated with any vendor’s network equipment.