You’ve been asked to do more with less and to keep the network running securely, 24×7, while helping your organization to adapt and persevere during extraordinary times. Adding to the challenge, network and security teams are discovering that TLS 1.3 is breaking long-standing application control and URL security policies, forcing full decryption of flows where that has not been desired.
We’ve been listening to your concerns and enhancing our firewalls with unique capabilities so you can adapt faster, work more efficiently, and optimize your network security posture.
Today, we’re announcing the availability of Firepower Threat Defense (FTD) 6.7 for Cisco Secure Firewall (Firepower NGFW). This release includes features and updates that make your job easier:
- Maintain performance and security where other firewalls are hobbled by TLS 1.3
- Lower operational and deployment costs
- Enable firewalling everywhere you need it, including virtual and public cloud environments
Maintain your security policies and network performance in a TLS 1.3 world
Today, over 90% of Internet traffic is encrypted with Transport Layer Security (TLS). The new standard, TLS 1.3, offers many improvements, but presents compliance and performance challenges for firewall and IPS administrators. That's because it breaks Layer 7 application control and URL filtering policies unless the flow is decrypted. In most environments, however, administrators are not presently decrypting flows because of policy, performance, and administrative burdens.
In FTD 6.7, control and visibility are maintained for TLS 1.3 connections through our unique TLS Server Identity Discovery feature, which rapidly probes the server for unencrypted packet header information, ensuring existing security visibility and rules are maintained. And, should the administrator want to do full decryption, they can take advantage of our class-leading hardware-based cryptographic acceleration, which maintains performance even when application control and threat inspection are enabled.
In situations where enabling full decryption isn’t feasible or permitted, TLS Server Identity Discovery is a tremendous option. It enables security policy enforcement without the performance penalty or compliance risks associated with full decryption. Learn more about how this innovative feature works here.
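To make the visibility gap concrete, here is an added example (written for this article; it is not Cisco code and does not reproduce how TLS Server Identity Discovery itself is implemented). It builds two constructed handshakes, one negotiating TLS 1.2 and one TLS 1.3, and shows what a passive Layer 7 inspector can still read: the server_name (SNI) in the ClientHello is cleartext in both versions, but the server Certificate, which a TLS 1.2 inspector reads directly from the handshake, travels inside encrypted records in TLS 1.3. The hostname "example.com", the placeholder DER bytes and the placeholder ciphertext are constructed sample values.

```python
import struct

# TLS record / handshake constants (RFC 5246, RFC 8446)
CONTENT_HANDSHAKE, CONTENT_APPLICATION_DATA = 0x16, 0x17
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43
TLS12, TLS13 = 0x0303, 0x0304

def _u16(n): return struct.pack("!H", n)
def _u24(n): return n.to_bytes(3, "big")
def _record(ctype, payload): return bytes([ctype]) + _u16(TLS12) + _u16(len(payload)) + payload
def _handshake(htype, body): return bytes([htype]) + _u24(len(body)) + body

def build_client_hello(sni, versions):
    """Constructed ClientHello carrying server_name and supported_versions (sample, not a capture)."""
    name = sni.encode()
    entry = b"\x00" + _u16(len(name)) + name              # name_type host_name(0)
    sni_ext = _u16(EXT_SERVER_NAME) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    vers = b"".join(_u16(v) for v in versions)
    sv_ext = _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + sv_ext
    body = (_u16(TLS12) + b"\x00" * 32 + b"\x00"          # legacy_version, random, empty session_id
            + _u16(2) + _u16(0x1301)                       # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                  # compression_methods: null only
            + _u16(len(exts)) + exts)
    return _record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_HELLO, body))

def build_server_flight(version):
    """Constructed first server flight: TLS 1.2 sends the Certificate in cleartext,
    TLS 1.3 sends it inside encrypted records that look like application_data on the wire."""
    sh_body = _u16(TLS12) + b"\x00" * 32 + b"\x00" + _u16(0x1301) + b"\x00"
    if version == TLS13:
        sv_ext = _u16(EXT_SUPPORTED_VERSIONS) + _u16(2) + _u16(TLS13)
        sh_body += _u16(len(sv_ext)) + sv_ext
    flight = _record(CONTENT_HANDSHAKE, _handshake(HS_SERVER_HELLO, sh_body))
    if version == TLS13:
        # EncryptedExtensions, Certificate, CertificateVerify, Finished: opaque to a passive observer
        flight += _record(CONTENT_APPLICATION_DATA, b"\xaa" * 48)   # placeholder ciphertext
    else:
        der = b"\x30\x03\x02\x01\x01"                      # placeholder DER blob, not a real certificate
        cert_body = _u24(len(der) + 3) + _u24(len(der)) + der
        flight += _record(CONTENT_HANDSHAKE, _handshake(HS_CERTIFICATE, cert_body))
    return flight

def parse_client_hello(record):
    """Return (sni, highest offered version) from a cleartext ClientHello record."""
    if record[0] != CONTENT_HANDSHAKE or record[5] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    hs = record[5:]
    legacy_version = struct.unpack("!H", hs[4:6])[0]
    p = 4 + 2 + 32                                          # handshake header, legacy_version, random
    p += 1 + hs[p]                                          # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # cipher_suites
    p += 1 + hs[p]                                          # compression_methods
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    sni, versions = None, [legacy_version]                  # no extension: version is legacy_version
    while p < ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SERVER_NAME and data[2] == 0:       # first entry, name_type host_name(0)
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            versions = [struct.unpack("!H", data[1 + 2 * i:3 + 2 * i])[0] for i in range(data[0] // 2)]
    return sni, max(versions)

def certificate_visible(server_flight):
    """True if a cleartext Certificate message appears before the first encrypted record."""
    p = 0
    while p + 5 <= len(server_flight):
        ctype = server_flight[p]
        rlen = struct.unpack("!H", server_flight[p + 3:p + 5])[0]
        payload = server_flight[p + 5:p + 5 + rlen]
        p += 5 + rlen
        if ctype == CONTENT_APPLICATION_DATA:
            return False                                    # handshake went opaque (TLS 1.3)
        elif ctype == CONTENT_HANDSHAKE:
            q = 0
            while q + 4 <= len(payload):                    # a record may carry several messages
                if payload[q] == HS_CERTIFICATE:
                    return True
                q += 4 + int.from_bytes(payload[q + 1:q + 4], "big")
    return False

def classify_flow(client_record, server_flight):
    """What a passive L7 inspector learns from the handshake without decrypting it."""
    sni, version = parse_client_hello(client_record)
    return {"sni": sni, "version": version, "certificate_visible": certificate_visible(server_flight)}

if __name__ == "__main__":
    for ver in (TLS12, TLS13):
        print(hex(ver), classify_flow(build_client_hello("example.com", [ver, TLS12]), build_server_flight(ver)))
```

Run as a script it prints one line per version: the SNI and negotiated version are recovered in both cases, but certificate_visible flips from True under TLS 1.2 to False under TLS 1.3. That flip is exactly what removes the server identity that certificate-based application control and URL categorization relied on, and it is why a feature that obtains the server's identity out of band (as the article describes) or full decryption becomes necessary to keep those policies working.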
Simplify provisioning with remote branch deployment
Cisco Secure Firewall is commonly deployed to remote branches as edge security devices. Now, with FTD 6.7 we’re introducing low touch provisioning — to the point where you can send a unit to a branch, have a generalist plug it in, and provision the device simply and remotely using Cisco Defense Orchestrator (CDO).
Similarly, customers with Firepower Management Center (FMC) can now configure management of Cisco Secure Firewall from a data interface instead of the dedicated management interface. This is useful for remote deployments with management from headquarters.
Maximizing security capabilities across virtual environments
As organizations expand cloud adoption, maintaining consistent security policies and operations across environments is critical. Along with FTD 6.7, we’re announcing expanded hybrid cloud capabilities including:
- Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) support for ASAv and FTDv
- Automated horizontal scale for ASAv in Azure and AWS
- Accelerated networking for FTDv and ASAv in Azure
- FMCv HA on VMware
We are also adding route-based S2S VPN capabilities with static Virtual Tunnel Interface (VTI) support, which is a key requirement for secure public cloud connectivity.
Improved change management, device health monitoring and more
Logging improvements to FMC offer customers more visibility and control for their change management processes. And a new device health dashboard helps users pinpoint potential device issues and network problems.