I am asked about Cisco Next Generation Security aka FireSIGHT licensing at least once a week. This post will explain the license options for Cisco FirePOWER and what is needed to request demo licenses to enable your demo system. NOTE: This is the current license model as of March 8th 2015.
For those not familiar with the new Cisco FirePOWER offering, it is a blend of content filtering, reputation security, application visibility and control, vulnerability scanning, IPS/IDS, and network and endpoint zero-day protection. These features are offered as a dedicated physical or virtual appliance, as a software module run inside an X generation ASA, or as a cloud service. For the dedicated appliance, virtual appliance and ASA versions, there are three license options.
1) URL – This gives you a subscription feed updating website categories and reputation. This means you can block specific types of websites such as “adult” or “gambling” websites. Applications are included with the default system and do not require the URL license. For example, blocking Facebook games, Bittorrent or AOL Chat all can be done without the URL license.
The URL license also includes monitoring the reputation of a website, meaning its “credit score” type rating. So if a website says it is a bank but has been online for one hour, is hosted from godaddy.com and so on, it is probably not a bank and will have a low reputation score. The same goes for a real bank that is breached and starts passing malware to users. This isn’t foolproof, since somebody could breach a trusted website and launch attacks from it; however, as those attacks are seen, the credit score will eventually go down. It is a great first line of defense to scrape off the common web attacks. You can learn more about reputation security HERE.
URL Tab shows the URL License. Other Tabs Are Default Options
2) Intrusion Detection / Prevention – This provides the ability to identify and prevent attacks. What’s unique about the FirePOWER offering is that the IPS not only provides the general signatures, but also leverages the built-in vulnerability scanner and content visibility to self-tune, or adapt, to your environment. This means if you have assets that are not protected, FireSIGHT will recognize them and either automatically protect them or recommend enabling protection before the vulnerability is exploited. The same goes for recommending that signatures be turned off for assets that don’t exist on the network.
3) Advanced Malware Protection (AMP) – When AMP is enabled, every file on the network is given a SHA256 hash. That hash can be sent to Cisco’s Talos team (once ThreatGRID) to see if anybody has seen it as being malicious. If the file is interesting, the actual file can be sent to the cloud to be fully analyzed for malicious intent. Files are also monitored on the network for behavior such as polymorphism, fuzzing, what ports are used and so on, basically looking for indications of a system being compromised. (NOTE: This can be files crossing the appliance as well as internal files seen going between hosts.) If the cloud lookup, cloud file dissection or network monitoring identifies the file as malicious, a page is created showcasing what the infection is, who first brought it onto the network, everybody who has seen or been infected by the file, other possible versions seen in the wild and so on. This does not require any agents, meaning it is just a license that enables all of this.
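To make the network AMP workflow described above concrete, here is an added example (not Cisco code, and not part of the original post) that models it in Python: each observed file is reduced to its SHA256 hash, the hash is looked up against a disposition feed, unknown hashes are queued for deeper analysis, and the per-hash file trajectory records who introduced the file and every host that saw it, so a later disposition change retroactively identifies all affected hosts. The events, the "cloud" feed and the file contents are all constructed sample data.

```python
import hashlib

# Constructed file-transfer events as a network sensor might log them.
# The byte strings are placeholders, not real file contents or malware.
EVENTS = [
    # (timestamp, source_host, destination_host, filename, file_bytes)
    (1, "internet", "laptop-1", "Mitglieder.exe", b"constructed-sample-A"),
    (2, "laptop-1", "fileserver", "Mitglieder.exe", b"constructed-sample-A"),
    (3, "fileserver", "laptop-2", "Mitglieder.exe", b"constructed-sample-A"),
    (4, "internet", "laptop-3", "report.pdf", b"constructed-sample-B"),
]

def sha256_hex(data: bytes) -> str:
    """Only this digest leaves the network for the reputation lookup."""
    return hashlib.sha256(data).hexdigest()

def build_trajectories(events):
    """Group events by hash: first sighting, entry point and every host that touched it."""
    traj = {}
    for ts, src, dst, name, data in sorted(events):
        h = sha256_hex(data)
        t = traj.setdefault(h, {"first_seen": ts, "introduced_to": dst,
                                "source": src, "names": set(), "hosts": set()})
        t["names"].add(name)
        t["hosts"].update({src, dst} - {"internet"})   # internal hosts only
    return traj

def lookup_disposition(sha: str, cloud: dict) -> str:
    """Hash-only lookup against a (constructed) disposition feed."""
    return cloud.get(sha, "unknown")

def evaluate(events, cloud):
    """Return (malicious hash -> affected hosts, hashes to submit for full analysis)."""
    affected, submit = {}, []
    for sha, t in build_trajectories(events).items():
        disposition = lookup_disposition(sha, cloud)
        if disposition == "malicious":
            affected[sha] = sorted(t["hosts"])   # every host that saw or received it
        elif disposition == "unknown":
            submit.append(sha)                   # candidate for cloud file dissection
    return affected, submit

if __name__ == "__main__":
    sample_a = sha256_hex(b"constructed-sample-A")
    print(evaluate(EVENTS, {}))                          # nothing known yet: both queued
    print(evaluate(EVENTS, {sample_a: "malicious"}))     # retrospective: 3 hosts affected
```

Running `evaluate` a second time with an updated feed is the retrospective step: the same trajectory that was harmless at first sighting now lists every host the file reached.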
Shows .exe malware SHA introduced and passed to other systems
The Mitglieder.exe malware was introduced through Firefox by this person
NOTE: There is an optional agent you can install on endpoints to provide deeper visibility. The agent can tell you where the infection is installed, what it modified, provide more visibility into the endpoint’s behavior and automatically remove the file. It is not required, as with network AMP alone you will know everyone infected, how it happened and what to look for; however, you won’t be able to know where it is on each host or have the ability to auto remove it. I personally use AMP as a cloud service, meaning just the agents on my family’s computers, as a means to catch malware that bypasses my family’s anti-virus. The AMP agent has an additional cost, sold as bundles, and is available for Windows, Mac and mobile devices.
Shows Infection Stopped By AMP
Application Visibility and Control comes with the default system. You also need a controller license if you are using the ASA version of FirePOWER; it is bundled in at no cost. If you want centralized management for the ASA models, there are three license options for the virtualized version of FireSIGHT (the most common request for demos). They are a 2-ASA license, a 10-ASA license, and an unlimited license that maxes out at 25 ASAs. The hardware managers can go beyond 25 ASAs if that is required.
If you want to test out the FirePOWER solution on your ASA or as a dedicated appliance, you will need to request one or more of the licenses listed above, a license for the management system (if you are using FireSIGHT for centralized management) and the controller license if you are using an ASA to host FirePOWER. Your Cisco rep will ask you for two things required to provide you a demo license. Those are:
1) The model of hardware you want to enable FirePOWER on
2) The Management License Key – This is found in FireSIGHT for versions 5.1 and later. Go to System -> Licenses and click “Add new License”. The Add Feature License page will appear and show you the license key. Here is an example of what you will see.
Hopefully this post helps answer Cisco FirePOWER questions about licensing.