
Cost-effective enterprise IDS/IPS solution?

The enterprise needs an IDS/IPS solution that will decrypt SSL/TLS encryption to inspect layer 7 signatures.

Because the financial cost to buy an ASA for each of 15 branch locations is unappealing, it seems the best strategy is to purchase Firepower licensing for existing 4 hub ASAs, then route all www traffic incoming from the branches to an ASA location that will perform the layer 7 inspection.

Considering routing, and bandwidth utilization, is this a suggested solution?

What are your thoughts about the best solution here?

Thank you.


9 Replies

@jmaxwellUSAF you will need to use the FTD software image to support the latest L7 threat/IPS features you require. The ASA hardware is legacy and will not support the latest FTD software images. I would suggest replacing the 4 hub ASAs with a newer Firepower hardware model (1000, 2100, 3100, 4200 series, etc.); this will future-proof the implementation and provide the functionality you require.

Hi Rob.

Does the routing architecture solution I proposed seem sound? 

Thank you.

@jmaxwellUSAF yes, you should be able to tunnel all remote traffic over the VPN to the headend. Bear in mind that enabling L7 functionality (SSL decryption, IPS, etc.) does add overhead and decrease performance. If you must purchase new hardware, make sure you spec accordingly.

2. Our company is stuck with the old ASAs until 1/2026. Can I attain a somewhat satisfactory IPS/IDS FTD module for my existing 5525s? What functionality will the best 5525 FTD provide? What functionality will it lack?

3. We also have an ASA 1120 at one hub. Is this a newer model that supports newer FTD software images?

@jmaxwellUSAF the ASA 5525 only supports 6.6 of the FPR Services Module that supports IPS functionality, or FTD software image 6.6 (requires a reimage, not using the ASA software image). https://software.cisco.com/download/home/286271172/type/286306337/release/6.6.7.1 That's a very old image that does not have all the latest features. The Firepower Services Module is legacy and replaced with the FTD image. And as mentioned before, enabling the advanced L7 features does impact performance; on older hardware this may cause you issues.

Yes that FPR1120 hardware will support the latest FTD image (7.4 currently).

 

Does this 6.6 image install independently of the main ASA OS?

(There are a lot of release notes to read there.) Our goal is partly to satisfy an audit in which we must have IPS/IDS. Can you simply tell me if the 6.6 image can decrypt & inspect SSL/TLS packets?

Thank you.

@jmaxwellUSAF if you are running the ASA image on the ASA 5525 then there is a separate Firepower Services Module that runs the L7 functionality, traffic is redirected from the ASA to this module. Alternatively you can run the combined FTD image which merges the ASA image and Firepower Services Module functionality. https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/asa-fp-services/asafps-local-mgmt-config-guide-v66/get_started_using_asa_with_firepower_services.html

6.6 will support what you require; however, it is old, and newer versions are much better. I would personally recommend using the FTD image on newer hardware.
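To make the "traffic is redirected from the ASA to this module" part concrete, here is an added example of the ASA-side redirect configuration for the Firepower Services (SFR) module. It is not from the thread or from Cisco's linked guides; the ACL and class-map names (SFR_REDIRECT, SFR_CLASS) are placeholders, and it assumes the module is already installed and the hub ASA is running the ASA image (not FTD). Only the redirect lives on the ASA; the actual SSL/TLS decryption policy, IPS rules, and the CA certificate used for decryption are configured on the Firepower module itself.

```text
! Added example (hypothetical names), not the original poster's configuration.
! Select the web traffic arriving from the branch VPNs that should be inspected.
access-list SFR_REDIRECT extended permit tcp any any eq 80
access-list SFR_REDIRECT extended permit tcp any any eq 443
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Attach the redirect to the global policy. "fail-open" lets traffic through
! uninspected if the module is down or not yet responding; "fail-close" blocks
! it instead. Add "monitor-only" to run the module as a passive IDS (copy of
! the traffic, no blocking) while you measure the performance impact.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

After applying this, `show module sfr` confirms the module is Up and `show service-policy sfr` shows the redirected packet counters climbing, which is the quickest way to verify that branch traffic is in fact being hairpinned into the module rather than bypassing it. Whether to use `fail-open` or `fail-close` is the security decision here: `fail-close` preserves the audit guarantee that nothing leaves uninspected, at the cost of an outage for all 15 branches if a hub module fails.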

 

Because our situation is cost prohibitive, we will use the old hardware and add the image that exists separately from the installed OS.

I am confused about which image this is that installs separately on the ASA 5525s. Could you link the correct separate image again?

Thank you.
