11-05-2014 01:39 AM - edited 03-12-2019 05:35 AM
Hi,
Currently we are using an ASA 5510 without the Firepower feature. Our aim is to publish web servers and Microsoft Lync with the reverse proxy method, control internet traffic, prevent particular file extensions from being downloaded, bandwidth management, etc.
Is it possible when we add Firepower on the ASA 5510? Please guide me. Thanks.
11-09-2014 08:14 AM
Firepower has to be installed on the new ASA X series: 5512-X, 5515-X, 5525-X, etc.
If you have a 5510, then you would probably want a 5512-X with an SSD drive. Cisco has Firepower bundles which include the ASA-X with SSD and the Firepower license.
Add to that you also need the FireSIGHT Management software, and there is a 2-device bundle license for under $500 that you can install on VMware.
Firepower doesn't do reverse proxy; it does transparent in-line packet inspection, analysis, and filtering by URL/application, and threat mitigation.
If you want a reverse proxy, you should look into Microsoft ISA server, or a dedicated Web Reverse Proxy Server. Cisco discontinued their Web Director product, which did this function.
You can host websites behind the ASA firewall without a reverse proxy. And the ASA does have an application inspection for HTTP traffic, which will monitor the HTTP requests. The Firepower system in the ASA also has specific signatures that monitor traffic to web servers and prevent specific vulnerabilities that are known on those servers, so if that is what you want the reverse proxy for, then the Firepower module would likely cover your needs.
Keep in mind that until next quarter the Firepower system does not have on-box decryption, and you may want to wait until that feature is released and established, so you know what size firewall you need to protect your network with SSL decryption. I believe the ASA 5512-X is currently testing at 75 Mbps of decrypted flows through the Firepower module, which is about half of what the CX was doing before, so you could use the CX sizing numbers and extrapolate until Cisco releases official decryption numbers.
11-10-2014 02:55 AM
Thanks for your detailed reply, brother. Actually we have deployed Lync Server 2013 with a reverse proxy, so it is a must. See the comparison. I should go with the Sophos UTM firewall; what do you advise me?

Feature | Cisco Firepower | Fortinet | Sophos UTM
--- | --- | --- | ---
Firewall | ✓ | ✓ | ✓
IPS | ✓ | ✓ | ✓
Antivirus Gateway | | ✓ | ✓
AntiMalware* | ✓ | * | ✓
Antispam | | ✓ | ✓
HTTP Proxy | | ✓ | ✓
Reverse Proxy | Partially | ✓ | ✓
Web Filtering | ✓ | ✓ | ✓
Email Protection | | ✓ | ✓
Wireless Controller | | | ✓
Bandwidth Control | Expected next year | Limited | ✓
Application Visibility and Control | ✓ | ✓ | ✓
Data Loss Prevention | | ✓ | ✓
Advanced Threat Prevention | ✓ | ✓ | ✓
On-box Reporting | | Limited | ✓
External Reporting | ✓ | ✓ | ✓
Web Reputation Defence | ✓ | ✓ | ✓
Failover | ✓ | ✓ | ✓
11-10-2014 04:56 PM
Okay, let me clarify.
If this is for internal users, you have two options on the ASA:
Option 1: AnyConnect VPN, which would be a VPN client that installs itself on their system and provides access to whatever internal server you want to give them access to.
Option 2: Clientless VPN: you can create a portal page, add bookmarks to internal servers, and even pass through authentication from an SSO server to a back-end system. Or if they are internal you can just use LDAP to authenticate them.
If these users of the web server are external to your company and you are trying to protect the server from non-authenticated users, or from web server vulnerabilities from botnet scanning engines and outside hackers, then you should go with something other than the ASA.
I would suggest you could put the Sophos UTM in the ASA's DMZ and reverse proxy the websites there. You don't want to get rid of the ASA or remove it from the picture, as it is very good at VPN and complex networking, where I'm sure the Sophos device will fall short. However, it is not as good at providing a reverse proxy function for unauthenticated users.
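Added example, not from this thread and not Sophos, Cisco or Microsoft code: a minimal publishing reverse proxy of the kind the last answer places in the ASA's DMZ. It shows what a reverse proxy does that in-line inspection on the firewall does not: it terminates the client's HTTP session, decides per Host header and URL path which backend (if any) the request may reach, and rebuilds the upstream request with its own headers. The host names, backend addresses and allowed paths in PUBLISHED are assumptions for illustration (the Lync paths are placeholders, not a statement of what Lync requires); only GET is proxied, and TLS termination in front of the listener is assumed rather than shown.

```python
"""Minimal publishing reverse proxy (illustrative, not vendor code).

The external host name selects the backend, and only the listed path
prefixes are reachable from the Internet. Everything else is refused here,
so the backend's other virtual hosts and admin paths are never exposed.
"""
import http.client
import posixpath
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed publishing rules: external host -> backend and permitted prefixes.
PUBLISHED = {
    "www.example.com": {"backend": ("10.0.10.20", 80), "paths": ("/",)},
    "lync.example.com": {"backend": ("10.0.10.30", 8080),
                         "paths": ("/meet/", "/dialin/", "/lyncdiscover/")},
}

# RFC 7230 hop-by-hop headers: these describe the client<->proxy connection
# and must not be copied to the backend or back to the client.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer",
              "transfer-encoding", "upgrade"}


def route(host, path, headers, client_ip):
    """Decide whether a request may be published.

    Returns (backend, upstream_headers) on success, or (None, http_status)
    when the request is refused before any backend is contacted.
    """
    host = (host or "").split(":")[0].lower()
    rule = PUBLISHED.get(host)
    if rule is None:
        return None, 421            # Misdirected Request: not a published host

    # Decode and normalise the path before matching, so "/meet/../admin" or
    # "/%2e%2e/admin" cannot slip past a naive prefix check.
    raw = urllib.parse.urlsplit(path).path
    norm = posixpath.normpath("/" + urllib.parse.unquote(raw))
    norm = "/" + norm.lstrip("/")
    if not any(norm == p.rstrip("/") or norm.startswith(p)
               for p in rule["paths"]):
        return None, 404            # published host, but not a published path

    # Rebuild the header set: drop hop-by-hop and Proxy-* headers, and never
    # trust client-supplied X-Forwarded-* values; the proxy sets its own.
    fwd = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP
           and not k.lower().startswith(("proxy-", "x-forwarded-"))}
    fwd["Host"] = host
    fwd["X-Forwarded-For"] = client_ip
    fwd["X-Forwarded-Proto"] = "https"   # assumed: TLS is terminated in front
    return rule["backend"], fwd


class PublishingProxy(BaseHTTPRequestHandler):
    """Forwards permitted GET requests and relays the backend's reply."""

    def do_GET(self):
        backend, result = route(self.headers.get("Host"), self.path,
                                dict(self.headers.items()),
                                self.client_address[0])
        if backend is None:
            self.send_error(result)
            return
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            conn.request("GET", self.path, headers=result)
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        self.send_response(resp.status)
        # Hide the backend's Server banner and let this side set the length.
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP | {"server", "content-length"}:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # In a DMZ deployment a TLS terminator (or ssl.wrap of this socket) sits
    # in front; port 8080 plain HTTP is used here only to keep the demo short.
    ThreadingHTTPServer(("0.0.0.0", 8080), PublishingProxy).serve_forever()
```

The point to take from route() is that publishing decisions are made on the Host header and a normalised path, not on IP and port, which is the granularity a stateful firewall or in-line IPS works at; a request for an unknown host or an unlisted path is answered by the proxy itself and never reaches the backend.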