09-20-2021 11:44 PM
Hey guys,
Good day.
So guys, I have been going through WSA and I was not sure why we need it if we have got a Cisco FTD/FMC. I mean, FTD offers features like web filtering and deep packet inspection, so why do we need Cisco WSA?
Can you guys please mention the features that differentiate WSA from FTD?
TIA
09-21-2021 12:14 AM
Hi @Asfandyar70754,
There is a big difference in how these devices work. FTD does inline inspection, meaning that it acts as a man-in-the-middle for your connections (in your IP header you have the PC IP as the source and some IP as the destination, usually a public one, e.g. that of cisco.com). This can often be very tricky, as the PC is unaware that someone/something is messing with its connections and can report some issues. On the other hand, WSA works as a proxy (explicit or transparent), meaning that connections come to the WSA as destined to the WSA (in your IP header you have the PC IP as the source and the WSA as the destination, and inside the packet you are asking your WSA to proxy you to some URL, like cisco.com). This also means that you are talking only to your WSA, while your WSA is talking to the Internet, protecting you directly from certain exploits that could otherwise target your PC directly (in this case, they would be destined to the WSA, which is a security device and much harder to target).
Again, due to its nature, some things are much easier to achieve if you have an explicit proxy (e.g. file analysis for malware). Let's not forget SSL/TLS decryption also, which is normally quite demanding for devices such as FTD and degrades performance significantly, which is not something you would want from an edge device that is susceptible to DoS attacks.
I'm of the opinion that URL filtering on FTD is convenient for some smaller customers that are not very demanding and are looking for some basic functionality. For customers who are interested in doing full-blown URL filtering, I always advise WSA as a separate system meant for this functionality (and, more recently, Umbrella SIG, as it can do cloud-based proxy).
BR,
Milos
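The difference described in the answer above is visible in the HTTP request itself. This is an added example, not part of the original post: it classifies a captured client request by its request-target form and the destination IP. The proxy address, sample flows and function names are constructed for illustration.

```python
PROXY_IP = "10.0.0.50"  # assumed address of the explicit proxy (constructed)

def parse_request(raw: bytes):
    """Return (method, request-target, Host header) of an HTTP/1.x request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x request line")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return parts[0], parts[1], host

def classify(dst_ip: str, raw: bytes, proxy_ip: str = PROXY_IP):
    """Return (mode, site) for one client request seen on the wire."""
    method, target, host = parse_request(raw)
    if method == "CONNECT":
        # authority-form: the client asks a proxy to open a tunnel (HTTPS)
        proxied, site = True, target.rsplit(":", 1)[0]
    elif target.startswith("/") or target == "*":
        # origin-form: the client believes the destination IP is the site,
        # so only an inline device or a transparent redirect can inspect it
        proxied, site = False, host.rsplit(":", 1)[0]
    else:
        # absolute-form: the full URL is handed to a proxy
        proxied, site = True, target.split("://", 1)[-1].split("/", 1)[0]
        site = site.rsplit("@", 1)[-1].rsplit(":", 1)[0].lower()
    if not proxied:
        return "direct", site
    mode = "explicit-proxy" if dst_ip == proxy_ip else "unsanctioned-proxy"
    return mode, site

# Constructed sample flows: (destination IP in the IP header, request bytes).
FLOWS = [
    ("10.0.0.50", b"GET http://cisco.com/ HTTP/1.1\r\nHost: cisco.com\r\n\r\n"),
    ("10.0.0.50", b"CONNECT www.cisco.com:443 HTTP/1.1\r\n"
                  b"Host: www.cisco.com:443\r\n\r\n"),
    ("203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: cisco.com\r\n\r\n"),
    ("198.51.100.7", b"GET http://cisco.com/ HTTP/1.1\r\nHost: cisco.com\r\n\r\n"),
]

if __name__ == "__main__":
    for dst, raw in FLOWS:
        print(dst, classify(dst, raw))
```

A proxy-form request sent to an address other than the sanctioned proxy is worth alerting on, since that traffic bypasses the policy enforced at the proxy.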
09-21-2021 01:09 AM
Thanks a lot Milos.
I have been studying this for a financial organization; your points will help me a lot in convincing them.
09-25-2022 09:32 PM
The Cisco "Web Security Appliance" combines advanced malware protection, application visibility and control, acceptable use policies, insightful reporting, and secure mobility on a single platform, helping to address the growing challenges of securing and controlling web traffic.
09-26-2022 11:39 PM
On the other hand, if you need to have some policies related to username/user groups, you need to use WSA.
Application visibility and control: as mentioned earlier.
Powerful reporting.
Also, we have 3 scanning engines besides AMP: Webroot, Sophos and McAfee.
Meanwhile, you can have time-based or quota-based policies.
The AsyncOS in WSA has been designed to handle large amounts of HTTP/HTTPS traffic with decryption/re-encryption capability, which is really resource-intensive, so in large-scale networks (a high number of requests per second) that might be an issue if you choose something other than WSA.
Regards,
Amirhossein Mojarrad