
What is the difference between CX, WSE, and CWS for ASA?

sossie
Level 1

Hi all,

Can anyone give me a concise explanation as to the differences between the following services running on/with a Cisco ASA 5500-X:

CX (running on an ASA)

Web Security Essentials (WSE)

Cisco Cloud Web Security (CWS)

What my clients and I are familiar with is a standard proxy (either running in-house, or in the cloud) where all internet browsing is inspected for malware, viruses, etc., and rules can be created to permit or deny users or groups to certain websites. Which one of the above services provides this sort of functionality?

Thanks, Simon.

3 Replies

Aaron Lamey
Level 1

The difference lies in the traffic flows:

ASA CX: Traffic enters the ASA and is redirected based on a Service Policy to the ASA's sw-module (5512-X through 5555-X) or SSP (5588-X). There, a permit/deny decision is made based on context.

IronPort WSA: (Web Security Essentials is a license for a type of traffic inspection. It can be bought for any of the mentioned products. I believe you meant to ask about the Web Security Appliance.) The IronPort Web Security Appliance either sits in-line (transparent) or off to the side of a router or ASA, using WCCP to tunnel traffic to it, make a decision, and then tunnel the traffic back to the ASA for normal flow.

CWS: I've never used it, but the premise is that a firm would not need to buy hardware to gain web security, but would instead send traffic metadata to Cisco's datacenters to have the decisions made.

The major difference between CX and IP WSA is a matter of generations. The WSA has differed little since it was bought by Cisco (mostly because it was a rock-solid product to begin with). The ASA CX represents Cisco bringing that intellectual property they bought directly into the product line, dropping the IronPort name along the way.

Hope I was concise enough!

Aaron

Aaron Lamey
Level 1

I just realized that I assumed you meant WSA, when you clearly said you were asking about WSE. It is too early!

WSE and AVC are licenses you buy for the ASA CX (as well as IP WSA). From the ASA CX User Guide:

  • Application Visibility and Control license—This subscription-based license allows the use of application-based access control. Specifically, you need this license if you want to create access policies based on applications or application types, including application or application services policy objects.
  • Web Security Essentials license—This subscription-based license allows the use of URL filtering and the use of web-reputation-based policies. Specifically, you need this license if you want to use URL objects or web reputation profiles in policies.

I apologize if all I'm doing is confusing the matter!

Aaron

A couple of other notes, since Aaron hit the high points:

Cloud Web Security is/was ScanSafe. Over the past couple of years Cisco has been aligning the URL filters so that categories across the products match. I think it's all lined up now. You can use CWS on a firewall that ISN'T a CX box.

The AnyConnect Secure Mobile client can also be pointed at the Cloud Web Security so your laptops are covered, even when not in the office.