URL / Web content filter

MooreIT01
Level 1

Hello all!  We are currently looking to replace our PIX 515e's with something newer.  The hang-up is we want to look at something else besides Websense for our URL / Web Content filtering, specifically because of price on renewals.  We do not currently have IDS / IPS in place unless you count the Websense as doing that (maybe just a little bit?) and it would be nice to add that capability.  I've had experience with the Palo Alto box as a UTM in the past; however, we want to stick with Cisco where I'm at presently.  So what we're looking at is the new ASA 5515-X or 5525-X (HA pair) with IPS plus something else for the web filtering side (besides Websense).  We're getting quotes on the IronPort S160; however, my guess is it's going to be just as pricey as Websense, probably the same for ScanSafe.  Right now we're at about 300 users but are looking to double that in the next year.  What are some other good solutions out there?  Easy to manage would be nice, less expensive would be nice, effective would be nice.  Can we get that all together?


8 Replies

Marcin Latosiewicz
Cisco Employee

Consider this: it's late, so I'm not at the top of my game:

- CSC module (instead of IPS)

- ASA + WCCP + Squid + DansGuardian (although the ASA's WCCP implementation is limited)

I think you can only pick two of the three: good, fast, easy to manage :-)

M.

No problem, thanks for the reply.  I thought about the CSC-20 module; however, that's been dropped on the new ASA line (no module slot at all), so if I wanted to do that I'd have to stay with the current generation of ASAs (like the 5510 or 5520).  That's a possibility; however, it would stink to refresh on something that's being phased out.  Well, I guess it's not being phased out, but the newer generation seems to be the direction Cisco is going.  It does have IPS built in without the need for a module, which is good; however, for the URL / web filtering with Cisco the choices are IronPort or ScanSafe.

There are several open source type solutions that interest me; however, we don't currently have any dedicated security / firewall staff, and for me to implement something like that would take a lot of time.  I know enough Linux to get to the command line...

Looking at your posts on other threads, it seems like you did your research before opening this thread.

Yes, the long run looks great in regards to features coming in - but as you said, price is a factor, and most likely (I don't know for sure because nothing has been shared with me) the new functionalities will be licensed in one way or another.

Every ASA has some sort of "IPS" functionality built in, it's nothing advanced - called IP audit.

I'm sorry I'm out of ideas at 11:30 PM :-)

M.

No prob, I appreciate your thoughts. 

I've looked at the Untangle stuff before, but from what I've read it poops all over tagged VLAN traffic (http://forums.untangle.com/networking/2832-trunking-problem-untangle.html) and that wouldn't work for us.  What about Smoothwall, i.e. the actual pay-for appliance; anybody have any experience with that?  Seems pretty popular in Europe.

Why not just a transparent Squid implementation between users and the ASA?  There is plenty of documentation, and if you're not fully comfortable with Linux, there is always Webmin to put a web management GUI on the box.  You can configure Squid with Webmin and handle any kind of maintenance, updates, scheduled tasks, file transfers, etc.

I am doing something similar running Squid here, just not transparently.

Mark

Thanks, I'll start reading up on it.  Do you know if it handles traffic from multiple networks OK?  The first couple of Google results don't look promising...

Don't know about traffic from multiple networks.  Offhand, I can't think of why this would be a problem for Squid itself, other than it may complicate the config a little bit -- but it may not.  I did a quick Google and didn't see anything that indicated it may be a problem, but I probably didn't click as many links as you did.

Squid is just one option.  The disadvantage of Squid compared to a paid-for service, in my opinion, is that you either have to get lists from somewhere or manually create your own block and allow lists.  Because of that, I use a combination of OpenDNS to block the obvious like porn, and then I use Squid for more granular control, like management can view job searching sites but other users cannot.

With Squid, you have so many options though.  For example, you could set up a scheduled task to download current lists from your source of choice and apply them to Squid ACLs.

I am a much smaller shop though, so this works for me.  300-600 users changes things up a little depending on what you want to accomplish.

Mark
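As an added example (not Mark's code or anything posted in the thread), here is what the scheduled list download he describes can look like on a Squid box: fetch a domain list, sanitise it so only well-formed hostnames reach the ACL file, and reload Squid only if the result is usable. The list URL, the file path and the `blocked` ACL name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: refresh a Squid dstdomain block list
# from a downloaded list on a schedule (cron), sanitising it before Squid loads it.
# LIST_URL, BLOCKLIST and the ACL name "blocked" are assumed placeholders.
# Matching squid.conf lines (assumed):
#   acl blocked dstdomain "/etc/squid/blocked_domains.txt"
#   http_access deny blocked
set -eu

LIST_URL="${LIST_URL:-https://blocklist.example/domains.txt}"   # placeholder source
BLOCKLIST="${BLOCKLIST:-/etc/squid/blocked_domains.txt}"

# Keep only well-formed hostnames from stdin: drops comments, blank lines,
# "0.0.0.0 host" / "127.0.0.1 host" hosts-file prefixes and anything that is not
# a domain, so a malformed or hostile list entry cannot smuggle odd syntax into
# the ACL file. Each result gets a leading "." so dstdomain also matches subdomains.
sanitize_domains() {
    awk '{
        sub(/#.*/, "")                                   # strip comments, re-split fields
        d = ($1 == "0.0.0.0" || $1 == "127.0.0.1") ? $2 : $1
        d = tolower(d); sub(/^\./, "", d)                # normalise case, drop any leading dot
        if (length(d) <= 253 &&
            d ~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z]+$/)
            print "." d
    }' | LC_ALL=C sort -u
}

# Download, sanitise, and only swap the file in and reload Squid when the result
# is non-empty: a failed or empty download must never wipe the existing block list.
update_blocklist() {
    tmp=$(mktemp)
    if curl -fsS --max-time 60 "$LIST_URL" | sanitize_domains > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$BLOCKLIST"
        chmod 0644 "$BLOCKLIST"
        squid -k reconfigure        # re-read ACL files without restarting the proxy
    else
        rm -f "$tmp"
        echo "block list update failed; keeping the previous list" >&2
        return 1
    fi
}

# Run the update only when invoked as "update_blocklist.sh --run" (e.g. from cron).
if [ "${1:-}" = "--run" ]; then
    update_blocklist
fi
```

A cron entry such as `0 3 * * * /usr/local/sbin/update_blocklist.sh --run` gives the nightly refresh; the management-versus-everyone-else split from the post is then a second `acl` on `src` ranges placed before the deny.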

Thanks for your help with all of this, Mark. We wound up renewing with Websense since we ran out of time.  They did get aggressive on the pricing, however.  Essentially we've postponed our decision for one more year; my guess is that next year we'll do something different altogether.  Maybe Cisco will have an "IronPort" module for their new line of ASAs.
