Sonicwall vs Cisco ASA, comparing capabilities

I have a client that has been using Sonicwall for years now.  They love the integration of things such as virus and spam download filtering, as well as the protocol and content filtering that is all built into that device.

If I want to replace their current Sonicwall with a Cisco 5505 of EQUAL capability, I have a few questions.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)



Thank you,
Jeff
btan (Exec Consultant) commented:
It may be better to go for the 5510 or 5512. Below are my inputs inline.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

>Taking the below example for comparison for quick start to address the web/content threat.

http://techluminati.com/networking-and-security/firewall-networking-and-security/sonicwall-vs-cisco-sonicwall-tz-105-vs-cisco-asa-5505-firewall-comparison/

Basically as you already stated. In short, it is
- AV/URL filter/Content Filter is in CSC SSM
(runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. Include scanning of FTP, HTTP, POP3, and SMTP traffic)
- IPS/IDS is in AIP SSM
(runs advanced IPS software that provides further security inspection)

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ssm.html

Note that with a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. While with a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.


2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

>SSC-5 is for the 5505. SSM-10 is for the 5510 or 5520. But note that the SSC-5 does have limitations, as stated in the linked spec. Likewise for 50-AIP5-K9, the info is in the link too: it is for 50 users, and for unlimited users it is U-AIP5P-K9 with the Security Plus License.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

For info on the Security Plus License vs. base, please see below, but basically it has more VLANs, more VPN sessions, more concurrent firewall connections, failover enabled, trunking enabled, etc. Also, the base license does not allow traffic to be forwarded from one VLAN to another; this restriction is removed in the Security Plus license. However, the base license does allow that particular VLAN to respond to requests.

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html

A more detailed comparison of the 5505 and 5510:
http://packetpushers.net/cisco-asa-licensing-explained/

But note the EoS and ELA for the AIP SSC for the 5505 already. There is no replacement available for the AIP SSC for the Cisco ASA 5505 at this time. They encouraged customers to evaluate the Cisco ASA 5512 IPS, a 1-rack-unit multiservice firewall that includes enhanced, context-aware IPS capabilities.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_c51-711120.html


3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)

The AIP SSM license has nothing to do with manual or auto updating.
E.g. Automatic signature updates direct from Cisco were introduced in IPS release 6.1.

You have to purchase something called 'Cisco Services for IPS', which is basically Smartnet + Signature Updates bundled into a single support offering.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml
http://tools.cisco.com/security/center/ipshome.x

This is solely as per the security/business requirement of the end-user. The Cisco IPS does, however, provide both options (manual or auto); one may choose whichever method is more suitable. Irrespective of the method you choose, you would need to have a valid license installed to download and install sig. updates.

For the CSC SSM, the base licence would have included automatic updating: automatic updates of all CSC-SSM components, including scanning engines and pattern files. See table 2 in the link below on the support services available; the additional one is the Smartnet service. Both base and Smartnet services are required to ensure that your Cisco ASA 5500 Series CSC-SSM is up to date and operating at optimal performance. The first year of the software update services is included in the purchase price of the product.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html

Good to check with your potential vendor.

jgrammer42 (Author) commented:
breadtan,
Superior response!  Thank you very, very much.
Question has a verified solution.