Cisco revealed Feb. 24 that it is adding critical new security capabilities to its portfolio, thanks to technology gained via the $2.7 billion acquisition of SourceFire in 2013.
The advanced malware protection (AMP) feature has been available on SourceFire’s FirePower appliances and will now be available as a service for Cisco’s customer base. Cisco has long had a myriad of different security capabilities, though company executives says that AMP brings features Cisco never had before.
AMP is a file reputation, behavior and sandbox technology, Raja Patel, senior director, for cloud security product management at Cisco, explained to eWEEK. With the normal intrusion prevention system (IPS) and firewall technologies that Cisco has long had, they all typically have signature- and rules-based approaches to threat detection.
“We haven’t had in our portfolio the ability to go deep into each file,” Patel said.
For example, if a user running on a PC gets an executable (exe) file, the first layer of AMP, which is a file reputation piece, will determine whether Cisco has actually seen the file before or not. If the file is known to be bad, based on reputation, then it is blocked.
But AMP doesn’t stop there; the file could then be sent to Cisco’s file behavior service capability, which will then take a look at the file inside the sandbox. The basic idea behind a sandbox is to isolate a given file or application and see how it behaves without putting the rest of the system at risk.
Inside the sandbox, Cisco’s file behavior service will try and make a further determination to see if the file is good or bad. The Cisco service will let the file sit for a period of time in the sandbox, since many forms of advanced malware are known to stay dormant for a period of time before becoming active, Patel said.
If the exe file is, in fact, determined to be malicious, for Cisco customers with AMP, there is an auto-remediation feature to remove the file, Patel said. Going a step further, AMP isn’t just about protecting one user on one PC. All other Cisco AMP users that may have also come in contact with the malicious exe can also be alerted and benefit from AMP’s remediation.
The AMP capability will now benefit Cisco’s existing Integrated Service Router (ISR) and Adaptive Security Appliance (ASA) security hardware customers. Cisco’s wireless customers, however, will not immediately be able to directly integrate with AMP. Patel said that he had no additional comment on direct integration points for AMP beyond the wired portfolio.
That doesn’t necessarily mean that wireless clients can’t benefit, Patel said. “In most deployments, the wireless LAN will eventually hit a wired gateway before it goes out to the WAN,” he said.
While Cisco is now pulling in software features from the SourceFire FirePOWER product line to benefit existing customers, Cisco is also expanding the hardware options for FirePOWER appliances.
The new FirePOWER 8390 boasts a capacity of 60G bps of inspected traffic throughput in a single chassis. Two 8390 chassis can be clustered together providing a top-end of 120G bps, making it one of the highest-bandwidth next-generation firewall appliances in the market.
Palo Alto Networks recently announced a 120G-bps firewall platform.
SourceFire’s heritage comes from its open-source roots and it’s a heritage that is being respected and expanded upon in the Cisco era. At the core of SourceFire’s technology is the open-source Snort IPS, which is now set to benefit from OpenAppID, an open-source application identification engine, Patel explained.
Being able to properly identify applications is the key to being able to control and manage them. There are multiple commercial technologies that do application identification; the OpenAppID effort is an attempt to open up intelligence and make it more broadly available.
“We have a Snort engine with an OpenAppID processor that allows for the detection of applications on the network and it allows for reporting and application policy settings,” Patel said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.