Solved

Sonicwall vs Cisco ASA, comparing capabilities

Posted on 2013-06-10
Last Modified: 2013-11-29
I have a client that has been using Sonicwall for years now.  They love the integration of things such as virus and spam download filtering, as well as the protocol and content filtering that is all built into that device.

If I want to replace their current Sonicwall with a Cisco 5505 of EQUAL capability, I have a few questions.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)



Thank you,
Jeff
Question by:jgrammer42

Accepted Solution

by:
btan earned 500 total points
ID: 39236817
Maybe better to go for a 5510 or 5512. Below are inputs inline.

1) Does the Cisco ASA SSM and ASA SSC have ALL of the same features that the Sonicwall does?  (including the ability to protect against downloading files with a virus through the web or ftp)

>Taking the below example for comparison for quick start to address the web/content threat.

http://techluminati.com/networking-and-security/firewall-networking-and-security/sonicwall-vs-cisco-sonicwall-tz-105-vs-cisco-asa-5505-firewall-comparison/

Basically as you already stated. In short, it is
- AV/URL filter/Content Filter is in CSC SSM
(runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. Includes scanning of FTP, HTTP, POP3, and SMTP traffic)
- IPS/IDS is in AIP SSM
(runs advanced IPS software that provides further security inspection)

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ssm.html

Note that with a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. While with a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.


2) Is the Cisco ASA AIP SSC-5 module with part number ASA5505-50-AIP5-K9 the one that I need to order?

>SSC-5 is for the 5505. SSM-10 is for the 5510 or 5520. But note that SSC-5 does have limitations as stated in the link spec. Likewise for 50-AIP5-K9, the info is in the link too: it is for 50 users, and for unlimited users it is U-AIP5P-K9 with Security Plus License.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

For info on Security Plus License vs. base, please see below, but basically it has more VLANs, more VPN sessions, more firewall concurrent connections, failover enabled, trunking enabled, etc. Also, the base license does not allow traffic to be forwarded from one VLAN to another; this restriction is removed in the Security Plus license. However, the base license does allow that particular VLAN to respond to requests.

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/license_management/license.html

More detailed comparison 5505 and 5510
http://packetpushers.net/cisco-asa-licensing-explained/

But note the EoS and ELA for AIP SSC for 5505 already. There is no replacement available for the AIP SSC for the Cisco ASA 5505 at this time. They encouraged customers to evaluate the Cisco ASA 5512 IPS, a 1-rack-unit multiservice firewall that includes enhanced, context-aware IPS capabilities.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_c51-711120.html


3) What do I need to do to make sure that the Cisco SSM is able to get updates and stay license current?  (subscription service?)

The AIP SSM license has nothing to do with manual or auto updating.
E.g., automatic signature updates direct from Cisco were introduced in IPS release 6.1.

You have to purchase something called 'Cisco Services for IPS', which is basically Smartnet + Signature Updates bundled into a single support offering.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml
http://tools.cisco.com/security/center/ipshome.x

This is solely as per the security/business requirement of the end-user. The Cisco IPS does however provide both options (manual or auto), one may choose whichever method is more suitable. Irrespective of the method you choose, you would need to have a valid license installed to download and install sig. updates.

For CSC SSM, the base licence would have included automatic updating: automatic updates of all CSC-SSM components, including scanning engines and pattern files. See Table 2 in the link below on the support service available - the additional is in the Smartnet service. Both base and Smartnet services are required to ensure that your Cisco ASA 5500 Series CSC-SSM is up to date and operating at optimal performance. The first year of the software update services is included in the purchase price of the product.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html

Good to check with your potential vendor.

Author Closing Comment

by:jgrammer42
ID: 39237335
breadtan,
Superior response!  Thank you very, very much.