Core Security Adoption Bundle: Cisco Firepower Core Security Adoption
Crossconnect Engineering’s process will take your firewall posture from port-based to adopting the advanced feature-sets that make firewalls “next generation.”
What Makes a Firewall “Next Generation”?
Traditional firewalls are port-based: a user is identified only by IP address, and a service only by its port number. But users change IP addresses and use multiple devices, and most malicious traffic now hides inside encrypted sessions on trusted ports (for example TCP 443), where a port-based rule sees nothing but “allowed HTTPS.”
How Next Generation Firewalls Address These Issues
The problem the Core Security Adoption Bundle addresses is that most next-generation firewalls are installed as a straight conversion from a port-based firewall: the existing port-based rules are migrated, the next-generation features are never turned on, and the resulting security posture is little better than the original firewall's. Enabling the full next-generation feature set without breaking production traffic is a significant amount of work, and most organizations do not have the resources to complete it internally.
Moreover, traffic decryption is required for the majority of next-generation features to work, because nearly all traffic, including threats, is now encrypted. The ability to decrypt TLS/SSL traffic is a foundational security function. Without decryption these features are severely limited: Antivirus, Intrusion Prevention, cloud sandboxing, File Blocking, and AVC (Application Visibility & Control) can only inspect what they can see. A next-generation firewall must decrypt traffic to be effective today.
Key Features
- Intrusion Prevention (IPS)
- Malware Scanning & Antivirus
- AVC (Application Visibility & Control)
- Feedlist Blocking
- File Blocking
- DNS Security
- User Identity
- TLS/SSL Decryption (“traffic decryption”), which is critical to enabling the features above
WHAT WE DO
Features Our Services Will Adopt for Your Business
User Identity – Identify users and user groups via Active Directory regardless of IP address.
Traffic Decryption – Enable traffic decryption for pilot groups first; after remedying the websites and applications found to be incompatible, expand decryption to increasing numbers of users in a safe fashion.
- Exclude traffic that must not be decrypted for compliance or business reasons (ex: Health, Finance, Government, Military).
- Exclude incompatible applications and those that depend on certificate pinning, which will fail when the firewall re-signs the server certificate.
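The decision order that the rollout above depends on (compliance and pinning exclusions first, then the pilot-group check) is easy to get wrong when it is spread across several decryption rules. The following is an added example, not Crossconnect's or Cisco's code, that models that order for a single TLS flow; the category names, host names, Active Directory group names and the `Flow` fields are all constructed for the example and are not taken from the page.

```python
"""Decrypt-or-bypass decision for one TLS flow (added example, not the page's code).

Assumptions (not from the page): each flow carries the TLS SNI, a URL category,
the Active Directory groups of the user, and we keep a constructed list of hosts
known to pin certificates. Pilot groups are enabled in order, one at a time.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Compliance / business exclusions: never decrypted, regardless of user.
EXCLUDED_CATEGORIES = {"health", "finance", "government", "military"}

# Constructed list of destinations whose clients pin certificates; a re-signed
# certificate from the firewall would break these, so they are bypassed.
PINNED_HOSTS = {"updates.example-vendor.com", "mdm.example-corp.com"}

# Pilot groups in rollout order (constructed AD group names).
PILOT_GROUPS = ["FW-Decrypt-Pilot-1", "FW-Decrypt-Pilot-2", "FW-Decrypt-Pilot-3"]


@dataclass
class Flow:
    user: str
    groups: Set[str]      # AD groups the user belongs to
    sni: str              # server name from the TLS ClientHello
    category: str         # URL category assigned to the destination


def decide(flow: Flow, enabled_pilots: int) -> Tuple[str, str]:
    """Return (action, reason) for the flow.

    Exclusions are evaluated before the pilot-group check so that a
    compliance or pinning bypass wins even for a user in an active pilot.
    enabled_pilots is how many entries of PILOT_GROUPS are live so far.
    """
    if flow.category in EXCLUDED_CATEGORIES:
        return "bypass", f"compliance category {flow.category}"
    if flow.sni.lower() in PINNED_HOSTS:
        return "bypass", "certificate-pinned application"
    active = set(PILOT_GROUPS[:enabled_pilots])
    if flow.groups & active:
        return "decrypt", "user in active pilot group"
    return "bypass", "user not yet in pilot"


def rollout_summary(flows, enabled_pilots: int) -> dict:
    """Count actions for a batch of flows; useful for checking what expanding
    to the next pilot group would change before actually enabling it."""
    counts = {"decrypt": 0, "bypass": 0}
    for f in flows:
        counts[decide(f, enabled_pilots)[0]] += 1
    return counts


if __name__ == "__main__":
    sample = [
        Flow("alice", {"FW-Decrypt-Pilot-1"}, "www.example.com", "news"),
        Flow("alice", {"FW-Decrypt-Pilot-1"}, "portal.bank.example", "finance"),
        Flow("bob", {"FW-Decrypt-Pilot-2"}, "www.example.com", "news"),
    ]
    for n in (1, 2):
        print(n, "pilot group(s):", rollout_summary(sample, n))
```

Running `rollout_summary` with `enabled_pilots` set to the next group before changing the firewall gives a count of how many additional sessions will start being decrypted, which is the number that the pilot approach is meant to keep small.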
Malware Scanning – Block malicious files passing through the firewall by signature match; files with no signature match are sent to cloud sandboxing for a verdict.
Feedlist Blocking – Block & alert on connections going to known command & control servers and other malicious sites via DNS and URL based feed lists from Cisco’s Talos Intelligence Group.
IPS (Intrusion Prevention) – Inspects network traffic to identify and block attacks that target known vulnerabilities.
AVC – Traditional port-based firewalls identify an “application” by its port number. AVC identifies an application regardless of port and works with applications that use multiple or non-standard ports.
- Create AVC rules to replace the port-based rules for non-TLS/SSL traffic.
- Create “Starter” rules for Allowed, Blocked, and Tolerated TLS/SSL applications.
- Provide “over-the-shoulder” training to the Customer for further adoption.
URL Filtering – Block access to websites known to host malware, or content filter based on users or groups.
File Blocking – Protects against both data exfiltration and malicious software entering the network. File blocking identifies files by type (MIME type) and blocks unauthorized files as they traverse the firewall, in either direction.
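One check a practitioner will want here: file blocking must act on what the file actually is, not on the type the sender declares, since a renamed executable arrives as "image/png" just as easily. The following is an added example, not the page's or Cisco's code, that classifies a transfer by its leading bytes and applies a direction-dependent block list; the signature table, the block lists and the sample payloads are constructed for the example.

```python
"""Direction-aware file blocking by content signature (added example, not the page's code).

Assumptions (not from the page): a transfer carries its direction ("ingress" or
"egress"), the Content-Type the peer declared, and the first bytes of the payload.
The signature table and block lists below are a constructed subset for the example.
"""
from typing import Optional, Tuple

# (magic bytes, type) for a few common formats. Constructed subset.
MAGIC = [
    (b"MZ", "application/x-msdownload"),          # Windows PE executable
    (b"\x7fELF", "application/x-elf"),            # Linux ELF binary
    (b"PK\x03\x04", "application/zip"),           # ZIP (also docx/xlsx/jar)
    (b"%PDF-", "application/pdf"),
    (b"\xd0\xcf\x11\xe0", "application/msword"),  # OLE2 legacy Office container
]

# Ingress: block common malware carriers. Egress: block common exfil containers.
BLOCK_INGRESS = {"application/x-msdownload", "application/x-elf", "application/msword"}
BLOCK_EGRESS = {"application/zip", "application/msword"}


def sniff_type(payload: bytes) -> Optional[str]:
    """Identify the file type from its leading bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if payload.startswith(magic):
            return mime
    return None


def decide(direction: str, declared_mime: str, payload: bytes) -> Tuple[str, str]:
    """Return (action, detail). The sniffed type wins over the declared one;
    the declared type is only used when no signature matches."""
    sniffed = sniff_type(payload)
    actual = sniffed or declared_mime
    blocked = BLOCK_INGRESS if direction == "ingress" else BLOCK_EGRESS
    if actual in blocked:
        how = "content signature" if sniffed else "declared type, no signature match"
        return "block", f"{actual} ({how})"
    return "allow", actual


if __name__ == "__main__":
    # Constructed transfers: a PE claiming to be a PNG, a real PDF, an outbound ZIP.
    for d, m, p in [
        ("ingress", "image/png", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("ingress", "application/pdf", b"%PDF-1.7\n"),
        ("egress", "application/zip", b"PK\x03\x04\x14\x00"),
    ]:
        print(d, m, "->", decide(d, m, p))
```

Note that a ZIP signature also covers Office Open XML documents and JAR files; a real policy will want to look inside the container before deciding, which is exactly why the page's rollout uses pilot groups rather than enabling blocking for everyone at once.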
DNS Security – Block malicious connections before they begin. Malicious connections use DNS just like legitimate ones, so every DNS request passing through the firewall is inspected, and requests for known-malicious names are blocked or sinkholed.
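To make the block-versus-sinkhole distinction concrete, the following is an added example, not the page's or Cisco's code, that runs a constructed feed of malicious domains over a few constructed query log lines. A sinkhole answers the query with an address the firewall controls so the infected host's follow-on connection is logged and reveals which internal machine is compromised; a plain block simply refuses the answer. The feed entries, log format and sinkhole address are all assumptions made for the example.

```python
"""DNS feedlist matching with block or sinkhole (added example, not the page's code).

Assumptions (not from the page): a feed of malicious domains (constructed), query
log lines in a made-up "client qname qtype" format, and a sinkhole address that
the firewall hands back for A queries so the host's next connection is visible.
"""
from typing import Dict, List, Optional

SINKHOLE_IP = "10.255.255.1"                      # assumed sinkhole address
FEED = {"c2.example", "badsite.test"}             # constructed feed entries

# Constructed query log: one query per line.
SAMPLE_LOG = """\
10.1.2.3 www.example.com A
10.1.2.4 beacon.c2.example A
10.1.2.5 badsite.test AAAA
10.1.2.6 mail.example.org MX
"""


def feed_match(qname: str) -> Optional[str]:
    """Return the feed entry that covers qname, matching on label boundaries so
    beacon.c2.example hits c2.example but notc2.example does not."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FEED:
            return candidate
    return None


def handle_query(client: str, qname: str, qtype: str) -> Dict[str, str]:
    """Decide the action for one query. Only A queries are sinkholed, because the
    sinkhole address is IPv4; everything else for a listed name is blocked."""
    hit = feed_match(qname)
    if hit is None:
        return {"action": "allow", "client": client, "qname": qname}
    if qtype == "A":
        return {"action": "sinkhole", "client": client, "qname": qname,
                "feed": hit, "answer": SINKHOLE_IP}
    return {"action": "block", "client": client, "qname": qname,
            "feed": hit, "answer": "NXDOMAIN"}


def process_log(text: str) -> List[Dict[str, str]]:
    """Apply handle_query to each non-empty line of the constructed log."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        results.append(handle_query(client, qname, qtype))
    return results


if __name__ == "__main__":
    for r in process_log(SAMPLE_LOG):
        print(r)
```

The sinkholed result carries the client address, which is the detail the SOC actually needs: the DNS query tells you a host is infected, and the subsequent connection to the sinkhole address confirms it without letting the host reach the real command and control server.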
Deployment, Pricing, and Terms
The Firewall Core Security Adoption Bundle is deployed in a manner that minimizes impact to the business. Proper time is allowed to find any side-effects each new security feature has on production traffic, so the project takes multiple months to complete. Safety is favored over speed.
Because of the extended timeline, the service includes technical project management with regular status meetings to ensure the project continues moving forward.
Pricing is provided at a flat rate. All services are implemented by a CCNP, overseen by a CCIE. Pricing is for a single logical firewall (one firewall, or one HA pair) and is priced by quantity of users:
Pricing

Users             Duration     Price
1-250 users       2.5 months   $20,000
251-500 users     3.5 months   $30,000
501-750 users     4 months     $35,000
751-1000 users    4.5 months   $42,000
Overage Users
If near the edge of a user tier, additional users may be added to the lower tier instead of moving up a tier: $120/user for the 1-250 tier, $100/user for the 251-500 tier, $80/user for the 501-750 tier, and $60/user for > 1000 users.
Example: 252 users may be purchased at $20,240.
What changes between user/pricing tiers?
The service is fundamentally the same whether it is deployed for 1 user or 1,000 users. However, larger user bases take longer to deploy each feature, because there are naturally more applications, file types, and web traffic involved. The single largest change in hours is that more pilot groups are used during the traffic decryption phase for safety, which extends the deployment time.
Limitations Apply
Please consult with our sales team for the granular specifics of what is and is not included.