
FW- Basic question

saquib.tandel
Level 1

Hi

I've got a basic question: what is the recommended placement for a firewall on the network if the firewall is a stateful firewall, and what if it's an application firewall? Which model of Cisco ASA supports application-layer firewalling?

Let's assume the network consists of inside / outside / dmz 1 / dmz 2 / dmz 3

thanks

Saquib

3 Replies

All ASAs support application-layer inspection. But it is quite CPU-intensive. So better plan for a bigger device if you want to use application inspections. And you need a very deep understanding of the protocols that should be inspected.

The firewall is in general placed between all the networks. So the ASA has five interfaces for the attached networks (inside, outside, dmz 1-3). With that this central ASA can control all access between these networks. For the "normal" security needs that should be fine.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

shillings
Level 4

If a device can inspect a single application, then you could call it an application firewall. The problem is there are tens of thousands of applications, so no single vendor can encompass them all. Obviously, some are more important than others, such as HTTP. Certainly, companies like Palo Alto seem to be comfortably ahead of Cisco, and cheaper, offering things like fully embedded IPS and the ability to proxy HTTPS so that it can be inspected.

If Microsoft applications are very important, then their TMG firewall has an obvious advantage too, because no one will better understand how their own applications should function. I think it can publish applications such as Sharepoint, so it can better secure connectivity.

Cisco does have the CX module, but it's quite expensive and, at least for the time being, only available on their top-of-range 5585-X series appliance. I could be wrong, but I don't think the CX will proxy HTTPS connections.

If I've misunderstood and you're actually thinking more along the lines of outbound web filtering, then the Cisco IronPort Web Security Appliance (WSA) is very good.

Well, I know Cisco is pumping a whole lot into their R&D for the next-gen firewalls/security appliances, to try and play catch-up with what some other vendors offer.

Regards

Daniel
