Sonicwall vs Cisco ASA, comparing capabilities

Posted on 2013-06-10
Last Modified: 2013-11-29
I have a client that has been using Sonicwall for years now.  They love the integration of things such as virus and spam download filtering, as well as the protocol and content filtering that is all built into that device.

If I want to replace their current Sonicwall with a Cisco 5505 of EQUAL capability, I have a few questions.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)



Thank you,
Jeff
Question by:jgrammer42
2 Comments
 

Accepted Solution

by:
btan earned 500 total points
ID: 39236817
It may be better to go for the 5510 or 5512. Below are my inputs inline.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

>Taking the below example for comparison for quick start to address the web/content threat.

http://techluminati.com/networking-and-security/firewall-networking-and-security/sonicwall-vs-cisco-sonicwall-tz-105-vs-cisco-asa-5505-firewall-comparison/

Basically as you already stated. In short, it is
- AV/URL filter/Content Filter is in CSC SSM
(runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. Includes scanning of FTP, HTTP, POP3, and SMTP traffic)
- IPS/IDS is in AIP SSM
(runs advanced IPS software that provides further security inspection)

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ssm.html

Note that with a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. While with a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.


2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

>SSC-5 is for 5505. SSM-10 is for 5510 or 5520. But note that SSC-5 does have limitations as stated in the link spec. Likewise for 50-AIP5-K9, the info is in the link too: it is for 50 users, and for unlimited users it is U-AIP5P-K9 with Security Plus License.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

For info on Security Plus License vs Base, please see below, but basically it has more VLANs, more VPN sessions, more FW concurrent connections, failover enabled, trunking enabled, etc. Also, the Base License does not allow traffic to be forwarded from one VLAN to another; this restriction is removed in the Security Plus License. However, the Base License does allow that particular VLAN to respond to requests.

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html

More detailed comparison 5505 and 5510
http://packetpushers.net/cisco-asa-licensing-explained/

But note the EoS and ELA for the AIP SSC for the 5505 already. There is no replacement available for the AIP SSC for the Cisco ASA 5505 at this time. They encouraged customers to evaluate the Cisco ASA 5512 IPS, a 1-rack-unit multiservice firewall that includes enhanced, context-aware IPS capabilities.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_c51-711120.html


3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)

The AIP SSM license has nothing to do with manual or auto updating.
E.g. automatic signature updates direct from Cisco were introduced in IPS release 6.1.

You have to purchase something called 'Cisco Services for IPS', which is basically Smartnet + Signature Updates bundled into a single support offering.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml
http://tools.cisco.com/security/center/ipshome.x

This is solely as per the security/business requirement of the end-user. The Cisco IPS does however provide both options (manual or auto); one may choose whichever method is more suitable. Irrespective of the method you choose, you would need to have a valid license installed to download and install sig. updates.

For CSC SSM, the base license would have included automatic updating: automatic updates of all CSC-SSM components, including scanning engines and pattern files. See table 2 in the link below on the support service available - the additional is in Smartnet service. Both base and Smartnet services are required to ensure that your Cisco ASA 5500 Series CSC-SSM is up to date and operating at optimal performance. The first year of the software update services is included in the purchase price of the product.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html

Good to check with your potential vendor.

Author Closing Comment

by:jgrammer42
ID: 39237335
breadtan,
Superior response!  Thank you very, very much.