08-14-2013 05:36 AM - edited 03-11-2019 07:25 PM
Hi,
Currently, I have Cisco ASA 5510, with CSC-SSM module.
With CSC-SSM, I can do the following:
- block certain URL
- filter certain type of URL
- filter certain categories of URL
- web reputation filtering
- block certain type of HTTP file type
- detect malware
I need to do a tech refresh for my ASA 5510.
I understand that the new Cisco 5525-X series firewall will no longer support the CSC-SSM module.
Is there any feature in the new-generation Cisco 5525-X series firewall which can provide similar or complete CSC-SSM functionality?
I am aware that there is WSE for the 5525-X series; can WSE cover the full set of features from CSC-SSM?
Does anybody have a link that demonstrates the full feature set of WSE?
08-14-2013 05:48 AM
Hi,
I have not played around much with the ASA modules.
To my understanding the ASA has the ASA-CX which does Web and Application filtering.
There is also IPS which to my understanding will be incorporated to the ASA-CX at some point.
Neither of the above are actual physical modules on the ASA but require an additional SSD120 model of the ASA (or getting the SSD separately) and the software. I have just gotten ASA-CX but haven't had much time to try it out yet.
Here are some links to ASA-CX related information
Q&A
Datasheet
Application listing
Hope these help
- Jouni
08-14-2013 06:20 AM
Hi Jouni,
Thanks for your reply.
Just want to confirm: for the Cisco Content Aware Security feature, I just need to buy the SSD and enable the CX license.
I can skip AVC and WSE, am I right?
08-14-2013 06:45 AM
Hi,
Well, for example, we bought an ASA5515-X SSD120 model for testing ASA-CX.
So that ASA model comes with the SSD already. If you have a model without the SSD120, I think you need to buy it separately.
Our model, for example, had the ASA-CX ready in it, and it has an evaluation license for both WSE and AVC.
You will have to get a license for WSE and AVC.
The options are
We got the 3-year WSE and AVC license for our unit.
I still have to set up the ASA-CX properly in the network for testing purposes, so I haven't done much with it yet.
- Jouni
08-14-2013 11:52 PM
Let me try to summarize my understanding of the Cisco Next-Generation Firewall X series.
You are welcome to point out my errors, if there are any.
The latest ASA firewalls from Cisco are the ASA 5500-X Series Next-Generation Firewalls.
There are models such as 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X.
IPS:
All these models come with built-in IPS, but a separate license is required to use the IPS feature in the device.
CX - Context Aware Security Feature:
Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
It is hardware based, with purchase of an additional module, for the 5585-X. The modules are "ASA 5585-X CX SSP-10" and "ASA 5585-X CX SSP-20".
Application Visibility Control (AVC):
This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.
Web Security Essentials (WSE):
This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
When buying an X-Series ASA firewall, users have the following options:
1) Base Firewall without any additional feature enabled - the firewall will act as a Layer-3 stateful firewall.
2) Base Firewall + IPS
3) Base Firewall + SSD (to enable CX Context Aware Security Feature)
3.1) Base Firewall + SSD + AVC
3.2) Base Firewall + SSD + WSE
3.3) Base Firewall + SSD + AVC + WSE
As of now, "Base Firewall + IPS + SSD" is not supported.
08-15-2013 03:55 PM
limlayhin,
That's pretty much correct.
You can run IPS on a 5500-X that has an SSD - but you have to choose either loading the CX software module or the IPS module. If you load the IPS module, the SSD will essentially remain unused.
If you run a CX without AVC or WSE licenses, it will be very limited in usefulness. Same thing if you start with the license(s) but let it expire.
08-15-2013 07:26 PM
Hi Marvin,
Thank you for your great feedback. It helps...
09-08-2013 12:08 AM
Amazing information from all of you
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura