As with any product that has been around for close to 30 years, Cisco Secure Firewall Threat Defense (FTD) has a history. The PIX firewall started in 1994, when a small company called Network Translation Inc. built it to hide private networks behind public addresses; this is where the Cisco firewall really got started. PIX OS was a layer 4 firewall with stateful inspection that allowed return traffic back in, and it used conduits (later replaced by ACLs) to permit inbound connections; it was industry leading at the time. It had ACLs, NAT/PAT, and was the first to introduce protocol-specific filtering. Cisco acquired Network Translation Inc. in 1995 to improve its LocalDirector product with the PIX code base, and LocalDirector ended up being the industry's first load balancer (thanks to PIX OS). PIX OS was quite the hot commodity back then and has been a solid foundation for added functionality ever since.

Fast forward a few years to 2005. PIX OS had been improved but was still true to its roots as a layer 4 firewall. Around this time the Cisco Adaptive Security Appliance (ASA) came about. The ASA inherited PIX OS but moved it onto a Linux-based operating system, and the resulting code picked up the nickname Lina. Lina also folded in the Cisco IPS 4200 and VPN 3000 concentrator feature sets, which added remote access improvements and rudimentary IPS. PIX lived on for a few more years after the ASA launched, but it was eventually retired in 2008, three years after the ASA's initial release. Lina remained at the heart of the ASA, so the PIX OS lineage lived on as well. Meanwhile, another company was building momentum on the IPS front: Sourcefire.

In 1998 Martin Roesch released a packet sniffer called Snort (it was sniffing packets, after all). The open-source tool grew into one of the best intrusion detection and prevention systems available to security teams, and in 2001 Martin founded a small company called Sourcefire around it. Snort made Sourcefire a huge hit, and the company kept growing in the security market. Following its IPO, Sourcefire acquired additional companies to help protect against malware. In 2007 it acquired Clam AntiVirus (ClamAV), bringing that team into the Sourcefire Vulnerability Research Team (VRT) and adding malware scanning to Sourcefire appliances. The VRT was strengthened again in 2011 when Sourcefire acquired Immunet, whose cloud-based lookups of virus definitions removed the need for local signature downloads. The VRT was foundational in a big way, and we still know that team today as Cisco Talos.

The success of Sourcefire didn't go unnoticed. After failed acquisition attempts by Check Point and Barracuda, Cisco acquired Sourcefire in 2013 for a hefty 2.7 billion dollars. After the acquisition the Sourcefire product line carried the FirePOWER name, which is why we had ASAs with FirePOWER Services for years afterward.[1] The Sourcefire code endured, and its detection engine was known simply as Snort inside the ASA with FirePOWER Services. The IPS functionality from Snort replaced the ASA's outdated IPS 4200-derived module, and the two operating systems (Lina and Snort) ran side by side in the same box for a while: Lina (the PIX OS descendant) handled routing, NAT, ACLs and VPN, while Snort (Sourcefire) handled IPS and malware inspection. It worked, but it wasn't optimal. Packets had to pass back and forth between the two operating systems, and throughput through the box suffered. That is why Cisco forked a new code base from the Sourcefire code and called it Firepower Threat Defense (FTD).

Firepower Threat Defense (FTD) started with version 6.0 in 2016, and the work was to port ASA functionality into the Sourcefire code (now called Snort). Early FTD versions got parts of this porting wrong, causing bugs and reliability issues for the first couple of major releases. After the dust settled FTD stabilized, and between versions 6.4 and 6.7 more ASA functionality made its way into FTD. By the end of 6.7 we finally had feature parity: all the features had been translated to the new FTD code base, with a few minor exceptions.[2]

After 6.7 new features arrived again in rapid succession: version 7.0 in 2021 added Snort 3, 7.1 introduced the Encrypted Visibility Engine (EVE), and 7.2 (in 2022) added support for additional public clouds. This brings us to the present day, where at Cisco Live 2023 Cisco announced that 7.2.4 is now the recommended image for FTD. The focus of 7.2.4 is fixes across the code base. It is meant to last, and that is why Cisco has made it the recommended release.

At this point those software version numbers are probably a blur and a bit confusing. Trust me, you're not alone. The big thing to remember about software versions is which release cycle they belong to. For FTD the release cycles are:

  • The Short-Term (ST) Release - these versions have a shorter lifecycle but include the latest feature set.
  • The Long-Term (LT) Release - these versions provide a longer lifecycle. If you are looking for a release that has the latest features and a longer support duration, this should be your choice.
  • The Extra Long-Term (X-LT) Release - these versions offer the longest lifecycle and are often chosen for government certifications (e.g. FIPS, FedRAMP).

Each release type trades features against stability, and you have to weigh that against your organization's risk tolerance. So choose the one that is best for your organization: if you want the longest-lived version, target the LT or X-LT releases; if you are after features, look to the ST releases.

That's the history of Firepower Threat Defense (FTD) in a nutshell. The firewall continues today under the name Cisco Secure Firewall Threat Defense (still FTD), but it is the same Sourcefire-derived operating system with all the ASA features inherited from PIX OS and the VPN 3000. The Cisco firewall has come a long way in 30 years, and who knows what form it will take in the next 30. One thing you can bet on is that FTD will still be at the heart of the Cisco firewall even then.


[1] The capitalization of 'POWER' in FirePOWER came from Sourcefire's own pre-acquisition appliance branding; Cisco kept that spelling for ASA with FirePOWER Services and later moved to the plain 'Firepower' spelling for Firepower Management Center and Firepower Threat Defense.

[2] Feature parity details: https://salesconnect.cisco.com/sc/s/simple-media?vtui__mediaId=a1m8c00000nilvRAAQ
