Integration Cisco ASA and Websense DSS for DLP solution

aliverlex
Level 1

Good day!

We have two Cisco ASAs in active-passive mode as a firewall solution between the Internet and the LAN.

The ASA connects by two links to a Cisco 6506 (central LAN switch).

We want to deploy a DLP solution on Websense DSS, and we want to have the possibility to block untrusted traffic which goes to the Internet.

Can we integrate Websense DSS with the Cisco ASA using ICAP? Or with the 6506?

Or is there a way to put two Websense DSS servers on each link from the 6506 to the ASA only?

Or another solution?

Thanks!

4 Replies

Jennifer Halim
Cisco Employee

Unfortunately Cisco ASA does not support ICAP, and the only integration with Websense that is supported with ASA is Web Filtering (URL Filtering):

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_filter.html#wp1045692

BTW, is there a need to actually integrate the Websense DLP solution into the ASA, as Websense should be providing the block instead of the ASA firewall? Websense, being the DLP product, should detect and block the outbound traffic accordingly, wouldn't it?

Cisco also has its own DLP solution called Cisco IronPort S-Series Web Security appliance:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps10164/data_sheet_c78-586408.html

Cisco ASA should have firewall functions such as controlling inbound traffic; Websense DSS has only one function: controlling outbound confidential data. It doesn't have any firewall inside, as far as I know. So it can work as a monitor (not blocking data), or it can block data working "inline" or working through ICAP.

If there is only one ASA, it is possible to put Websense "inline" between the ASA and the first corporate switch (6506 in our case).

Question: what to do in the two-ASA case? Which place in the network is the best for a DLP appliance in this case? Two DLP appliances? Or is there a solution with only one DLP appliance? (Two appliances is too expensive for us.)

Jennifer, can you explain to me some details about the Cisco IronPort S-Series? Where in the network should I put it? Before the ASA, in parallel with the ASA, or somewhere else?

If we have 2 ASAs in a cluster, where do we put the IronPort?

Thanks a lot!

One more question about the IronPort S-Series.

Does it provide web filtering and a DLP solution for web protocols only? What about e-mail? Other protocols like IM? How do we protect these channels with DLP?

Thanks!

It should be placed behind the ASA (before the ASA). If your ASA is running in Active/Standby mode, then there is no reason why you can't just have 1 IronPort WSA as web traffic should be redirected towards the WSA first before even hitting the ASA.

WSA only protects web traffic, so to protect email, you will need IronPort ESA.

Here is more information on ESA for your reference:

http://www.ironport.com/resources/appliance_datasheets.html

http://www.cisco.com/en/US/products/ps10339/index.html

It would be best to speak to your local Cisco AM/partner/reseller for the best solution.
