2238 Views, 0 Helpful, 4 Replies
Ironport replacement, Firepower?

tahscolony
Level 1

I have been researching Firepower/Firesight and came across DLP, but what I have found so far is not very informative. Currently our S370 will be coming up on EoL in 2019, and our current contract expires next year, so we are looking at alternatives. One other thing is that our IPS/IDS is due for replacement. I am liking the Firepower NGIPS, and see it can also do URL Filtering, AMP, as well as the IPS/IDS.

But can it also do ICAP and WCCP for the URL filtering like Ironport, or does it have to be inline for the URL filtering? What limitations does it have vs. Ironport? Can it also be a direct replacement for MS Threat Management Gateway for Citrix?

The end goal is to have hardware capable of expanding on down the road. We would like to replace our existing IPS/IDS this year, then when the Ironport contract expires, add the licensing to Firepower to enable the filtering to replace WSA, but it has to be able to do HTTPS Decryption and ICAP redirect for DLP like Ironport does.

The configuration I have in mind: two 1Gb ports in an outside IPS inline context, then 1Gb interfaces internally on a span port for IDS in a few zones, such as DMZ, Internal, untrusted, etc., since there are 12 physical interfaces. One interface would be used for WCCP redirects/ICAP traffic for the Web Security.

Does this all sound feasible? I am referring to the 7125 appliance, not the ASA module, if that matters.

4 Replies

nspasov
Cisco Employee

Hello-

1) There is nothing in the current FirePOWER suite that will do DLP

2) I could be wrong here, but I don't believe the legacy Sourcefire appliances can support WCCP or ICAP.

3) The ASAs do support WCCP (in case you decide to go that route). However, if you plan on using the ASAs with WCCP and FirePOWER URL filtering, then I would recommend doing the WCCP on another device (like a router or switch).

4) The FirePOWER URL filtering solution sits inline. It cannot act as an explicit proxy.

5) While there is some overlap in features between the WSA (Ironport) and URL Filtering with FirePOWER, the WSA is still the solution that I recommend when it comes to URL and content filtering. It has better reporting and a lot more features (Rate Limiting, Caching, Explicit Proxy, better HTTPS/SSL Decryption capabilities).

I hope this helps!

Thank you for rating helpful posts!

Well, there goes that idea. The CWS doesn't support DLP/ICAP either.

Marvin Rhoads
Hall of Fame

One thing to consider for URL filtering is OpenDNS Umbrella. It does a very nice job of allowing you to set and enforce policies for both on-premises and off-premises users. When combined with AMP for Endpoints for anti-malware, the two are a really nice and low-overhead set of tools.

Neither helps with the DLP issue though. 

Well, I checked OpenDNS, and tossed that out. They don't support two key critical components in our environment, Android and Citrix. Citrix is the main component that I am looking at replacements for. We did some testing with WSA and found it will not work for Citrix without impacting all other users, and doesn't provide the type of separation required. Still researching TMG replacements.
