cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
434
Views
5
Helpful
9
Replies

Cost-effective enterprise IDS/IPS solution?

The enterprise needs an

The enterprise needs an IDS/IPS solution that will decrypt SSL/TLS encryption to inspect layer 7 signatures.

Because the financial cost to buy an ASA for each of 15 branch locations is unappealing, it seems the best strategy is to purchase Firepower licensing for existing 4 hub ASAs, then route all www traffic incoming from the branches to an ASA location that will perform the layer 7 inspection.

Considering routing, and bandwidth utilization, is this a suggested solution?

What are your thoughts about the best solution here?

Thank you.

1 Accepted Solution

Accepted Solutions

@jmaxwellUSAF if you are running the ASA image on the ASA 5525 then there is a separate Firepower Services Module that runs the L7 functionality, traffic is redirected from the ASA to this module. Alternatively you can run the combined FTD image which merges the ASA image and Firepower Services Module functionality. https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/asa-fp-services/asafps-local-mgmt-config-guide-v66/get_started_using_asa_with_firepower_services.html

6.6 will support what you require, however it is old and much better in newer versions. I would personally recommend using the FTD image on newer hardware.

 

View solution in original post

9 Replies 9

@jmaxwellUSAF you will need to use the FTD software image to support the latest L7 threat/IPS features you require. The ASA hardware is legacy and will not support the latest FTD software images. I would suggest replacing the 4 hub ASA with newer Firepower hardware model (1000, 2100, 3100, 4200 series etc), this will future proof the implementation and provide the functionality you require.

Hi Rob.

Does the routing architecture solution I proposed seem sound? 

Thank you.

@jmaxwellUSAF yes you should be able to tunnel all remote traffic over the VPN to the headend. Bare in mind that enabling L7 functionality (SSL decryption, IPS etc) does add overhead and decrease performance. If you must purchase new hardware make sure you spec accordingly.

2. Our company is stuck with the old ASAs until 1/2026. Can I attain a somewhat satisfactory IPS/IDS FTD module for my existing 5525s? What functionality will the best 5525 FTD provide? What functionality will it lack?

3. We also have an ASA 1120 at one hub. Is this a newer model that supports newer FTD software images?

@jmaxwellUSAF the ASA 5525 only support 6.6 of the FPR services module that supports IPS functionality or FTD software image 6.6 (requires a reimage, not using ASA software image). https://software.cisco.com/download/home/286271172/type/286306337/release/6.6.7.1 that's a very old image that does not have all the latest features. The Firepower Service Module is legacy and replaced with the FTD image. And as mentioned before enabling the advanced L7 features does impact performance, on older hardware this may cause you issues.

Yes that FPR1120 hardware will support the latest FTD image (7.4 currently).

 

Does this 6.6 image install independently of the main ASA OS?

(There are a lot of release notes to read there.) Our goal is party to satisfy an audit in which we must have IPS/IDS. Can you simply tell me if the 6.6 image can decrypt & inspect SSL/TLS packets?

Thank you.

@jmaxwellUSAF if you are running the ASA image on the ASA 5525 then there is a separate Firepower Services Module that runs the L7 functionality, traffic is redirected from the ASA to this module. Alternatively you can run the combined FTD image which merges the ASA image and Firepower Services Module functionality. https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/asa-fp-services/asafps-local-mgmt-config-guide-v66/get_started_using_asa_with_firepower_services.html

6.6 will support what you require, however it is old and much better in newer versions. I would personally recommend using the FTD image on newer hardware.

 

Because our situation is cost prohibitive, we will use the old hardware, and add the image that exists separate from the installed OS. 

I am confused which image this is that installed separately on the ASA 5525s. May you again link this correct separate image?

Thank you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: