

Cisco ASA CX versus Websense

Posted on 2013-06-20
Medium Priority
Last Modified: 2016-03-23
So not too long ago Cisco finally integrated a solution into their ASAs which would allow for web security. At the moment, this post is only concerned with the URL filtering portion. It has been a long time running that when a customer compares firewalls (usually the smaller customers), they know they want the basic features of a firewall such as ACLs, NAT, VPN, but many wanted that one additional feature that Cisco couldn't seem to do within an SMB customer's budget: Web Filtering. Now the X series of ASAs can do this via minimal hardware and licensing (and not using a CSC, which I've found to be very unreliable in my experience).

My problem is that I do not have one of these firewalls to play with, and I don't want to use any of my customers' networks as a playground unless they were to ask me specifically.

Has anyone used the ASA CX for URL filtering? How was your experience on the configuration side, user experience side, and troubleshooting side of things? Do you know how it compares to products like Websense/Fortigate/Sonicwall/Palo Alto/etc.?

I do realize that each product has numerous feature differences that make the products unique, but I tend to have customers with a common goal: simple URL filtering based on category/reputation that must be dynamically updated without administrator intervention. Policies based on user identity would be a bonus to some of my customers, but in many cases they only needed an ability to whitelist certain machines from having the filter apply.

Please don't respond if you don't have actual experience with the product as I can search Google for this as well, but would like to hear from anyone that might have recently had experience since most things I've found online so far date back much closer to the launch of the product and many features/bugs may have changed.
Question by:rauenpc
LVL 66

Accepted Solution

btan earned 2000 total points
ID: 39265774
Where I am coming from is hopefully not another NGFW hype - all-in-one hype, or even to be compared to UTM. People will consider CX only if they already have Cisco in place and an upgrade looks more feasible, to get budget for an upgrade or refresh rather than try out another new technology. Who is the incumbent for URL filtering? I will ask instead for choice: why did you even consider one? Actually Bluecoat may also be considered, with its recent acquisition of Solera (doing network forensics); they are into DPI ...

But instead of looking at capability, look at your business objectives.
- Can they handle SSL traffic without compromising performance and slowing the transaction?
- Can they block a specific Facebook microsite but not the whole of Facebook?
- Can they allow scanning of traffic by offloading to my enterprise AV (via ICAP or equivalent) and DLP solution?
- Can it really prevent, since it is not allowed to be inline (need to get approval), and if so, is WCCP support or passive effective? ... doubt so
- Can it extend the feeds for cyber intelligence, online or offline (that is cost and richness in the info; just look at which has the "big data" direction ...)?
- Can I scale up and attain high availability, especially as it is sitting inline breaking the SSL (inbound? and outbound?)

I do feel none may be the choice, but if I really had to choose: CX is the new kid on the block and WS is a long runner ... just to keep it short ... Probably Ironport is another candidate if web security is really your concern ... I see it as far more than just the application awareness which CX is trying to do ... Oops ... they are from the Cisco family :)

Probably the most important CX design consideration is that today the Cisco ASA 5500X can leverage either CX or IPS, however not both simultaneously. Then again, how comprehensive do you want it ... if minimal, both can do, but if comprehensive then you should compare WebSense and IronPort WSA.

Expert Comment

ID: 40325188
We have been using the Cisco ASA 5555-x and ASA 5512-X with Prime security manager for 5 months.
It crashes constantly and code upgrades have been a nightmare; with every upgrade there is a new set of problems! Do not buy this product! It is a piece of garbage!

We have been working with Cisco TAC throughout the whole ordeal and the issues persist.
