
Difference between ASA-X AVC + WSE vs Cisco Cloud Web Security (CWS)

Ken Yoon
Level 1

Hi,

It's not clear to me what the functional difference is between implementing ASA-X with Application Visibility and Control (AVC) + Web Security Essentials (WSE) vs Cisco Cloud Web Security (CWS).

I am aware that CWS is a SaaS web security solution, which can centralize web security without backhauling web traffic from branch offices.

On the other hand, ASA-X is an in-house solution and AVC + WSE is a subscription-based add-on to the ASA-X series.

I'd like to know the functional difference between the two setups. For instance, things that one can do while the other can't.

Thank you so much in advance.


6 Replies

The engines running in the SaaS app vs the engine running locally are definitely different, but they are becoming more or less interchangeable. The categories are synced so reporting can be compared. I think at some point the goal is to be able to roll the reporting all together in one place (maybe already done?)

The big differences are in where the work is done, how you get the traffic there, and the rest of the things that differentiate between a cloud app and an on-premise app.

Hi Ken,

Thanks for your answer. However, it still doesn't give me a firm answer / guidance to choose between the two solutions.

We have 10 branch offices (w ISR2) going out to the internet locally, and use MPLS to access internal server in the data center. I think we can implement both solutions.

1. CWS using each router in the branch offices for direct internet connection.

2. ASA-X AVC+WSE by re-routing all internet traffic to the datacenter through MPLS and using a central ASA at the datacenter.

While CWS offers no backhauling of traffic to the datacenter, the ASA-X AVC + WSE subscription offers a better price advantage over the Cloud Web Security (CWS) solution, as CWS is per-user licensing.

What would be the best approach for us?

Ken,

You can implement both solutions, but I can't make that decision for you...

Do you care more about the cost or more about the backhaul WAN load? Does your CIO love cloud or hate it? Does the rest of the IT group agree with him? Do you have a stack of sales guys that are working remotely all the time? Does their web traffic need to be filtered? Is your company more centralized or distributed in your thought process? Would you rather just manage this in 1 place, on one piece of hardware?

Lots of other questions to dig into that are really more about how your company works than about the tech....

Ken

Hi Ken,

Thanks for taking the time to answer my question. My question was answered by the link below. Although it's a comparison between CX and Ironport, it says that CX is limited in anti-virus and malware scanning. On the other hand, Ironport (or ScanSafe) is merely a proxy which inspects HTTP and HTTPS traffic.

http://www.thesecurityblogger.com/?p=1337

Ken,

This is a pretty good write-up. The one other thing I'd add to his write-up is that if you already have ASAs or another firewall solution that you're happy with in place, it may not make sense to buy ASA-CX boxes...

Ken

I agree. Thanks again for your contribution.