Solved

Sonicwall vs Cisco ASA, comparing capabilities

Posted on 2013-06-10
Last Modified: 2013-11-29
I have a client that has been using Sonicwall for years now.  They love the integration of things such as virus and spam download filtering, as well as the protocol and content filtering that is all built into that device.

If I want to replace their current Sonicwall with a Cisco 5505 of EQUAL capability, I have a few questions.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)



Thank you,
Jeff
Question by:jgrammer42
2 Comments
 

Accepted Solution

by:
btan earned 500 total points
ID: 39236817
It may be better to go for the 5510 or 5512. Below are inputs inline.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

>Taking the below example for comparison for quick start to address the web/content threat.

http://techluminati.com/networking-and-security/firewall-networking-and-security/sonicwall-vs-cisco-sonicwall-tz-105-vs-cisco-asa-5505-firewall-comparison/

Basically as you already stated. In short, it is
- AV/URL filter/Content Filter is in CSC SSM
(runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. Includes scanning of FTP, HTTP, POP3, and SMTP traffic)
- IPS/IDS is in AIP SSM
(runs advanced IPS software that provides further security inspection)

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ssm.html

Note that with a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. While with a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.


2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

>SSC-5 is for the 5505. SSM-10 is for the 5510 or 5520. But note that SSC-5 does have limitations as stated in the link spec. Likewise for 50-AIP5-K9, the info is in the link too: it is for 50 users, and for unlimited users it is U-AIP5P-K9 with Security Plus License.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

For info on Security Plus License vs. Base, please see below, but basically it has more VLANs, more VPN sessions, more FW concurrent connections, failover enabled, trunking enabled, etc. Also, the Base License does not allow traffic to be forwarded from one VLAN to another; this restriction is removed in the Security Plus License. However, the Base License does allow that particular VLAN to respond to requests.

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html

More detailed comparison of the 5505 and 5510:
http://packetpushers.net/cisco-asa-licensing-explained/

But note the EoS and ELA for AIP SSC for 5505 already. There is no replacement available for the AIP SSC for the Cisco ASA 5505 at this time. They encouraged customers to evaluate the Cisco ASA 5512 IPS, a 1-rack-unit multiservice firewall that includes enhanced, context-aware IPS capabilities.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_c51-711120.html


3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)

The AIP SSM license has nothing to do with manual or auto updating.
E.g. automatic signature updates direct from Cisco were introduced in IPS release 6.1.

You have to purchase something called 'Cisco Services for IPS', which is basically Smartnet + Signature Updates bundled into a single support offering.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml
http://tools.cisco.com/security/center/ipshome.x

This is solely as per the security/business requirement of the end-user. The Cisco IPS does however provide both options (manual or auto), one may choose whichever method is more suitable. Irrespective of the method you choose, you would need to have a valid license installed to download and install sig. updates.

For CSC SSM, the base license would have included automatic updating: automatic updates of all CSC-SSM components, including scanning engines and pattern files. See table 2 in the link below on the support service available - the additional is in Smartnet service. Both base and Smartnet services are required to ensure that your Cisco ASA 5500 Series CSC-SSM is up to date and operating at optimal performance. The first year of the software update services is included in the purchase price of the product.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html

Good to check with your potential vendor.

Author Closing Comment

by:jgrammer42
ID: 39237335
breadtan,
Superior response!  Thank you very, very much.