Solved

Sonicwall vs Cisco ASA, comparing capabilities

Posted on 2013-06-10
2
3,525 Views
Last Modified: 2013-11-29
I have a client that has been using Sonicwall for years now.  They love the integration of things such as virus and spam download filtering, as well as the protocol and content filtering that is all built into that device.

If I want to replace their current Sonicwall with a Cisco 5505 of EQUAL capability, I have a few questions.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)



Thank you,
Jeff
0
Comment
Question by:jgrammer42
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
May be better to go for 5510 or 5512. below are inputs inline

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

>Taking the below example for comparison for quick start to address the web/content threat.

http://techluminati.com/networking-and-security/firewall-networking-and-security/sonicwall-vs-cisco-sonicwall-tz-105-vs-cisco-asa-5505-firewall-comparison/

Basically as you already stated. In short, it is
- AV/URL filter/Content Filter is in CSC SSM
(runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. Include scanning of FTP, HTTP, POP3, and SMTP traffic)
- IPS/IDS is in AIP SSM
(runs advanced IPS software that provides further security inspection)

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ssm.html

Note that with a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. While with a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.


2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

>SSC-5 is for 5505. SSM-10 is for 5510 or 5520. But note that SSC-5 does have limitation as stated in the link spec. Likewise for 50-AIP5-K9, the info is as in the link too for 50 users and for unlimited user is U-AIP5P-K9 with Security Plus License.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

For info on Security Plus License vs base, pls see below but basically is more VLAN, has more VPN session, has more FW concurrent connection, has enabled failover, has enabled Trunk etc. Also base license does not allow traffic to be forwarded from one VLAN to another; this restriction is removed in the security plus license. However, the base license does allow that particular VLAN to respond to requests.

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html

More detailed comparison 5505 and 5510
http://packetpushers.net/cisco-asa-licensing-explained/

But note the EoS and ELA for AIP SSC for 5505 already. There is no replacement available for the AIP SSC for the Cisco ASA 5505 at this time. They encouraged customer to evaluate the Cisco ASA 5512 IPS, a 1-rack-unit multiservice firewall that includes enhanced, context-aware IPS capabilities.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_c51-711120.html


3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)

The AIP SSM license has nothing to do with manual or auto updating.
 E.g. Automatic signature updates direct from Cisco were introduced in IPS release 6.1.

You have to purchase something called 'Cisco Services for IPS which is basically Smartnet + Signature Updates bundled into a single support offering.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml
http://tools.cisco.com/security/center/ipshome.x

This is solely as per the security/business requirement of the end-user. The Cisco IPS does however provide both options (manual or auto), one may choose whichever method is more suitable. Irrespective of the method you choose, you would need to have a valid license installed to download and install sig. updates.

For CSC SSM, the base licence would have included automatic updating. Automatic updates of all CSC-SSM components, including scanning engines and pattern files. See table 2 in the link below on the support service available - the additional is in SMartnet service. Both base and SMartnet services are required to ensure that your Cisco ASA 5500 Series CSC-SSM is up to date and operating at optimal performance. The first year of the software update services is included in the purchase price of the product.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html

Good to check with your potential vendor.
0
 

Author Closing Comment

by:jgrammer42
Comment Utility
breadtan,
Superior response!  Thank you very, very much.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now