The Cisco Identity Services Engine (ISE) offers a network-based approach for adaptable, trusted access everywhere, based on context. It gives the user intelligent, integrated protection through intent-based policy and compliance solutions.
N/A
FireMon
Score 7.5 out of 10
Enterprise companies (1,001+ employees)
FireMon is a real-time security policy management solution built for today’s complex multi-vendor, enterprise environments. Supporting the latest firewall and policy enforcement technologies spanning on-premises networks to the cloud, FireMon delivers visibility and control across the entire IT landscape to automate policy changes, meet compliance standards, to minimize policy-related risk. Since creating their policy management solution in 2004, FireMon states they've helped…
Overall, management is not terrible if you have a stable network that is not overly complex. If you don't, this product will take considerable time to plan for an effective solution. I will say support is not very helpful, so if you need assistance after the initial sales rep assisted setup, good luck and be prepared to spend hours on the phone.
FireMon is best used in a large environment (for example, I have >100 firewalls in my environment). It's best used when trying to improve security posture and showing changes in firewall security over time. It might not be the best choice for smaller environments or those that aren't concerned about security management.
Manage high-privilege access to communications equipment. It allows to be granular in the permissions, to have it integrated with the LDAP users and, most importantly, to audit what tasks each user performed.
Profile users and devices and assign privileges and access levels based on that combination. It greatly improves the user experience, since it does not depend on the network it is in, but on the access levels it has depending on the device. It also allows self-managed guest access with approval flow, which is essential for our business.
It has also allowed us to automate actions based on findings from StealWatch, Umbrella, AMP, etc.
I guess the user experience itself, it's sometimes a little bit slow, but this is also dependent on the platform and the scale of the deployment of course. But actually functionality-wise it's really, really good. But yeah, it could sometimes be a little quicker to react on the good front.
The shell is locked out and we can't run any general centos commands. The implementation and maintainence of the arch is very complex. Even with the right identifiers on log messages the log collection keeps failing. The warning messages on the device are ambiguous. The log messages on firemon are a bit confusing and don't show the exact issue.
For us the solution is very easily useable on its own. Perhaps that has to do because we started using ISE in the 1.2 days and have seen it grow during the years. Policy creation, etc. is all very visible and thus easy to use. Deployment of multiple nodes is also incredibly easy and flexible. You can easily add or remove nodes as you wish.
We do have to occasionally reboot the servers when they get low on memory, but we're also a few versions behind. Availability has generally been pretty good though with no major outages in the time that we've had it implemented.
FireMon has been relatively stable overall. However, there have been a handful of times where we had issues with the console. For example, we couldn't update which devices to include in a security assessment. The initial suggestion from support was to just reboot it. It seems like there weren't many other options available such as to restart services before going to the extreme of a complete reboot.
I'm not sure we have the largest implementation of FireMon out there but we do have a few 1000 devices being probed by FireMon. Overall, the system's performance has been rock solid. The console refreshes quickly and reports are generated within an expected timeframe.
Cisco support is second to none, both in terms of how you access support but also the knowledge of the individual support teams. If you focus on one technology and provide "manufacturer support" then you can rest assured that you are accessing Cisco's top individuals. I feel like this is a USP for Cisco support.
FireMon technical support is awesome! They respond quickly to our requests and they are well trained and very knowledgeable about the tool. Some issues have to be referred to the development team, but technical support largely provides solutions for any issues that we may have.
I did participate in the implementation of Cisco ISE and while there were times when it was confusing and we had a lot of trial and error, overall the experience was fine.
So the security team selected Forescout because of its inventory functionality. We have had to utilize Cisco ISE though to actually push the SGT Policies as well as the SGACL mappings and the SXP Propagation across the switch infrastructure. There is a lot more configuration that has to happen in Forescout in order for it to manage the switches.
I has worked with AlgoSec and while they are very similar product, I find the FireMon is easier to understand and get rolling with. While both require some learning, FireMon is by far the easier one. Once you have an understanding of how things are arranged and labeled you can easily import firewalls and begin to work on them to improve them
Firemon Is easily scalable and maintainable with any size team. Although it requires some tech debt, it is well worth the time to invest to ensure compliance is visible and reports are accurate. Although our environment is very large we do not fully utilize the scalability of the Firemon product.
Cisco ISE is fairly expensive, but I feel that the time it saves our team is well worth it.
We have been able to roll this our to all of our teams, and they can each manage their own device and it is really convenient to have each team mange their own devices
Once it is deployed and configured, it seems like there isn't much upkeep, so we don't have to hire someone to manage it we do it by committee.
