01-08-2013 02:08 AM - edited 03-11-2019 05:44 PM
Hi
I've got a basic question: what is the recommended placement for a firewall on the network if the firewall is a stateful firewall, and what if it's an application firewall? Which model of Cisco ASA supports application-layer firewalling?
Let's assume the network consists of inside / outside / dmz 1 / dmz 2 / dmz 3
thanks
Saquib
01-08-2013 03:43 AM
All ASAs support Application-layer-inspection. But it is quite CPU-intensive. So better plan for a bigger device if you want to use Application-inspections. And you need a very deep understanding of the protocols that should be inspected.
The firewall is in general placed between all the networks. So the ASA has five interfaces for the attached networks (inside, outside, dmz 1-3). With that, this central ASA can control all access between these networks. For the "normal" security needs that should be fine.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-08-2013 04:35 AM
If a device can inspect a single application, then you could call it an application firewall. Problem is there are tens of thousands of applications, so no single vendor can encompass them all. Obviously, some are more important than others, such as HTTP. Certainly, companies like Palo Alto seem to be comfortably ahead of Cisco, and cheaper, offering things like fully embedded IPS and the ability to proxy HTTPS so that it can be inspected.
If Microsoft applications are very important, then their TMG firewall has an obvious advantage too, because no one will better understand how their own applications should function. I think it can publish applications such as Sharepoint, so it can better secure connectivity.
Cisco does have the CX module, but it's quite expensive and, at least for the time being, only available on their top of range 5585-X series appliance. I could be wrong, but don't think the CX will proxy HTTPS connections.
If I've misunderstood and you're actually thinking more along the lines of outbound web filtering, then the Cisco IronPort Web Security Appliance (WSA) is very good.
01-08-2013 05:22 AM
Well, I know Cisco is pumping a whole lot into their R&D for the next-gen firewalls/security appliances, to try and play catch-up with what some other vendors offer.
Regards
Daniel