Cisco is showing off the combination at Interop this week in Las Vegas.
The announcement comes just days after VMware announced that FireHost, a security-minded cloud hosting company, chose to design its next generation of cloud around NSX rather than Cisco ACI. A key factor was NSX’s innate security abilities compared with ACI’s reliance on partnerships and external security products, FireHost told SDxCentral.
Note that vendors often give customers a peek at the roadmap. So there’s a good chance FireHost — which made its decision months ago — did know that today’s announcement was coming.
Cisco’s move is part of an ongoing trend: Firewalls will likely continue to become more tightly integrated with networking gear, says David Stuart, director of product marketing for Cisco’s security business unit. It’s a way to “lessen those choke points” by providing better communication between firewalls and network elements.
Sourcefire’s Dose of ‘Next-Gen’
Acquired in 2013 for $2.7 billion, Sourcefire brought Cisco the ammunition to create something it could call a next-generation firewall — thereby catching up to competitors such as Palo Alto Networks that had co-opted the “next generation” term.
Sourcefire’s technology got integrated into Cisco’s firewall with the September launch of the ASA 5000 product line, bringing application-level control, threat detection, and Sourcefire’s celebrated intrusion prevention system (IPS) into the mix. (The pig in the photo above is the mascot for Snort, the open source IPS engine that Sourcefire created.)
Part of Sourcefire’s story was the ability to take action before, during, and after an attack — that is, to try to prevent an attack in the first place, and if one happens, put mitigation measures in place to limit the damage. As an example of the “during” or “after” phases, consider this: When bad traffic does get through the perimeter, FirePower can track a visitor’s lateral movement around the network. If it spots behavior that’s suspicious, it can quarantine the intruder or boot it out.
ACI’s ability to alter the network means Sourcefire’s work can be deployed dynamically and can be more easily automated, says Hari Krishnan, director of security-product marketing for the Insieme branch of Cisco.
Cisco is also using this release to highlight some of the security-friendly aspects of the Application Policy Infrastructure Controller (APIC), the element at the heart of ACI. For example, the APIC can provide isolation for traffic in a multitenant environment, much in the way NSX does. And the APIC operates by applying white-list policy to determine what traffic actions are permitted. White-listing adds some level of security by itself, because any unusual attempts to reach certain network regions will just be ignored; they’re not on the list.
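The default-deny (“white-list”) behavior described above, as an added illustration that is not code from the article or from Cisco: a toy policy evaluator in which a flow is permitted only when an explicit rule for its tenant, source group, destination group, protocol and port exists, and everything else is dropped and recorded. The tenant, group and port names are constructed, and the cross-tenant check models the multitenant isolation the article mentions.

```python
# Added example (not Cisco's or the article's code): a minimal white-list
# policy evaluator. Tenant, group and port names are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_tenant: str   # tenant owning the source endpoint
    src_group: str    # e.g. "web"
    dst_tenant: str
    dst_group: str
    proto: str
    dport: int


class WhitelistPolicy:
    def __init__(self):
        # Permitted tuples: (tenant, src_group, dst_group, proto, dport).
        self._allowed = set()
        self.denied = []  # unlisted attempts: a useful signal for the IPS/SOC

    def permit(self, tenant, src_group, dst_group, proto, dport):
        self._allowed.add((tenant, src_group, dst_group, proto, dport))

    def evaluate(self, flow):
        """Return 'permit' only on an explicit match; otherwise 'drop'."""
        # Tenant isolation: a rule never spans tenants, so a cross-tenant flow
        # hits the implicit deny even if the other tenant has a matching rule.
        if flow.src_tenant != flow.dst_tenant:
            self.denied.append(flow)
            return "drop"
        key = (flow.src_tenant, flow.src_group, flow.dst_group, flow.proto, flow.dport)
        if key in self._allowed:
            return "permit"
        self.denied.append(flow)   # not on the list: ignored, but worth logging
        return "drop"


def build_demo_policy():
    p = WhitelistPolicy()
    p.permit("tenant-a", "web", "app", "tcp", 8080)
    p.permit("tenant-a", "app", "db", "tcp", 5432)
    p.permit("tenant-b", "web", "app", "tcp", 8080)
    return p


def demo():
    p = build_demo_policy()
    flows = [
        Flow("tenant-a", "web", "tenant-a", "app", "tcp", 8080),  # listed
        Flow("tenant-a", "web", "tenant-a", "db", "tcp", 5432),   # web->db never listed
        Flow("tenant-a", "web", "tenant-b", "app", "tcp", 8080),  # crosses tenants
        Flow("tenant-a", "app", "tenant-a", "db", "udp", 5432),   # wrong protocol
    ]
    return [p.evaluate(f) for f in flows], len(p.denied)
```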
FirePower integration is due to be available for ACI in June. It will be a free software upgrade for current ACI customers.