03-09-2012 10:31 AM - edited 03-11-2019 03:40 PM
Hello all! We are currently looking to replace our PIX 515Es with something newer. The hang-up is we want to look at something else besides Websense for our URL / web content filtering, specifically because of price on renewals. We do not currently have IDS / IPS in place unless you count the Websense as doing that (maybe just a little bit?) and it would be nice to add that capability. I've had experience with the Palo Alto box as a UTM in the past; however, we want to stick with Cisco where I'm at presently. So what we're looking at is the new ASA 5515-X or 5525-X (HA pair) with IPS plus something else for the web filtering side (besides Websense). We're getting quotes on the IronPort S160; however, my guess is it's going to be just as pricey as Websense, probably the same for ScanSafe. Right now we're at about 300 users but are looking to double that in the next year. What are some other good solutions out there? Easy to manage would be nice, less expensive would be nice, effective would be nice. Can we get that all together?
03-09-2012 01:13 PM
Consider this: it's late, so I'm not at the top of my game:
- CSC module (instead of IPS)
- ASA + WCCP + Squid + dansguardian (although ASA's WCCP implementation is limited)
I think you can only pick two of the three: good, fast, easy to manage :-)
M.
03-09-2012 01:24 PM
No problem, thanks for the reply. I thought about the CSC-20 module; however, that's been dropped on the new ASA line (no module slot at all), so if I wanted to do that I'd have to stay with the current generation of ASAs (like the 5510 or 5520). That's a possibility; however, it would stink to refresh on something that's being phased out. Well, I guess it's not being phased out, but the newer generation seems to be the direction Cisco is going. It does have IPS built in without the need for a module, which is good; however, for the URL / web filtering with Cisco the choices are IronPort or ScanSafe.
There are several open source type solutions that interest me; however, we don't currently have any dedicated security / firewall staff, and for me to implement something like that would take a lot of time. I know enough Linux to get to the command line...
03-09-2012 02:38 PM
Looking at your posts on other threads, it seems like you did your research before opening this thread.
Yes, the long run looks great in regards to features coming in, but as you said price is a factor, and most likely (I don't know for sure because nothing has been shared with me) the new functionalities will be licensed in one way or another.
Every ASA has some sort of "IPS" functionality built in, it's nothing advanced - called IP audit.
I'm sorry I'm out of ideas at 11:30 PM :-)
M.
03-09-2012 08:42 PM
No prob, I appreciate your thoughts.
I've looked at the Untangle stuff before but from what I've read it poops all over tagged VLAN traffic (http://forums.untangle.com/networking/2832-trunking-problem-untangle.html) and that wouldn't work for us. What about smoothwall i.e. the actual pay for appliance, anybody have any experience with that? Seems pretty popular in Europe.
03-14-2012 05:41 AM
Why not just a transparent squid implementation between users and the ASA? There is plenty of documentation, and if you're not fully comfortable with Linux, there is always Webmin to put a web management GUI on the box. You can configure squid with Webmin and handle any kind of maintenance, updates, scheduled tasks, file transfers, etc.
I am doing similar running squid here, just not transparently.
03-14-2012 06:30 AM
Thanks, I'll start reading up on it. Do you know if it handles traffic from multiple networks OK? The first couple of Google results don't look promising...
03-14-2012 06:55 AM
Don't know about traffic from multiple networks. Offhand, I can't think of why this would be a problem for squid itself, other than it may complicate the config a little bit -- but it may not. I did a quick Google and didn't see anything that indicated it may be a problem, but I probably didn't click as many links as you did.
Squid is just one option. The disadvantage of squid compared to a paid-for service, in my opinion, is that you either have to get lists from somewhere or manually create your own block and allow lists. Because of that, I use a combination of OpenDNS to block the obvious like porn, and then I use squid for more granular control, like: management can view job searching sites, but other users cannot.
With squid, you have so many options though. For example, you could set up a scheduled task to download current lists from your source of choice and apply them to squid ACLs.
I am a much smaller shop though, so this works for me. 300-600 users changes things up a little depending on what you want to accomplish.
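The scheduled list refresh and the management-only ACL described above, as an added example that is not code from the thread or from the Squid project. The list URL, file path, management subnet and ACL names are assumptions; the sample list is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: refresh a squid dstdomain block list from a
# downloaded source and apply it safely. LIST_URL, LIST_FILE and ACL names are assumptions.
LIST_URL="${LIST_URL:-https://example.invalid/blocklist.txt}"   # placeholder list source
LIST_FILE="${LIST_FILE:-/etc/squid/blocked_domains.txt}"
# Pairs with squid.conf lines like these (assumed names); management may reach the listed
# sites, everyone else is denied them:
#   acl mgmt src 192.0.2.0/24
#   acl jobsites dstdomain "/etc/squid/blocked_domains.txt"
#   http_access deny jobsites !mgmt

# Raw list on stdin -> squid dstdomain form: drop comments/blank lines, strip scheme and
# path, lowercase, keep plausible hostnames, prefix "." so subdomains match, dedupe.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's#^[A-Za-z]*://##' -e 's#/.*##' -e 's/^\.//' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -E '^([a-z0-9-]+\.)+[a-z]{2,}$' \
    | sed 's/^/./' \
    | sort -u
}

# Download, normalize and hot-reload. A failed or empty download never replaces the live
# list, and squid parses the config before the reload so a bad list cannot take the proxy down.
refresh_blocklist() {
    raw=$(mktemp) && new=$(mktemp) || return 1
    if ! curl -fsS "$LIST_URL" -o "$raw" \
       || ! normalize_blocklist < "$raw" > "$new" || [ ! -s "$new" ]; then
        echo "blocklist download failed or produced no entries; keeping current list" >&2
        rm -f "$raw" "$new"; return 1
    fi
    rm -f "$raw"
    mv "$new" "$LIST_FILE" && chmod 0644 "$LIST_FILE" || return 1
    squid -k parse && squid -k reconfigure
}

# Constructed sample input (not a real list) with the messy lines the normalizer handles.
RAW_SAMPLE='# constructed sample list
Jobs.Example.com
http://careers.example.org/listings
   recruit.example.net   
not a domain
jobs.example.com'

# Run "sh blocklist.sh refresh" from cron; with no argument, just show the normalized sample.
if [ "${1:-}" = refresh ]; then refresh_blocklist; else printf '%s\n' "$RAW_SAMPLE" | normalize_blocklist; fi
```

The OpenDNS layer from the post still sits in front of this; squid only ever sees the granular list, and `squid -k parse` refuses the reload if the generated file or anything else in squid.conf fails to parse.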
05-09-2012 02:07 PM
Thanks for your help with all of this, Mark. We wound up renewing with Websense since we ran out of time. They did get aggressive on the pricing, however. Essentially we've postponed our decision for one more year; my guess is that next year we'll do something different altogether. Maybe Cisco will have an "IronPort" module for their new line of ASAs.