• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2670
  • Last Modified:

Cisco ASA CX versus Websense

So not too long ago Cisco finally integrated a solution in to their ASA's which would allow for web security. At the moment, this post is only concerned with the URL filtering portion. It has been a long time running that when a customer compares firewalls (usually the smaller customers), they know they want the basic features of a firewall such as ACL's, NAT, VPN, but many wanted that one additional feature that Cisco couldn't seem to do within an SMB customer's budget: Web Filtering. Now the X series of ASA's can do this via minimal hardware and licensing (and not using a CSC which I've found to be very unreliable in my experience).

My problem is that I do not have one of these firewalls to play with, and I don't want to use any of my customers' networks as a playground unless they were to ask me specifically.

Has anyone used the ASA CX for url filtering? How was your experience on the configuration side, user experience side, and troubleshooting side of things? Do you know how it compares to products like Websense/Fortigate/Sonicwall/Palo Alto/etc.?

I do realize that each product has numerous feature differences that make the products unique, but I tend to have customers with a common goal: simple url filtering based on category/reputation that must be dynamically updated without administrator intervention. Policies based on user identity would be a bonus to some of my customers, but in many cases they only needed an ability to whitelist certain machines from having the filter apply.

Please don't respond if you don't have actual experience with the product as I can search Google for this as well, but would like to hear from anyone that might have recently had experience since most things I've found online so far date back much closer to the launch of the product and many features/bugs may have changed.
1 Solution
btanExec ConsultantCommented:
where i coming from is hopefully not another NGFW hype - All in one hype or even to be compared to UTM. Ppl will consider CX only if they already has Cisco in them and upgrade looks more feasible to to get budget for upgrade or refresh rather than try out another new technology - who is the incubment for URL filtering - I will ask instead for choice - why did you even consider one - Actually Bluecoat may be also considered with it recent acquisition of Solera (doing n/w forensic), they are into DPI ...

but instead of looking at capability, look at your business objectives.
-Can they handle SSL traffic not compromising performance and slowering the transaction
-Can they block specific facebook microsite but not the whole of facebook
-Can they allow scanning of traffic by offloading to my Enterprise AV (via ICAP or equ) and DLP solution
-Can it really prevent since it is not allowed to be inline (need to get approval) and if so, WCCP support or passive is effective ...doubt so
-Can it extend the feeds for cyber intelligences online or offline (that is cost and richness in the info, just look at which has the "big data" direction....)
-Can I scale up and attain high availability esp it is sitting inline breaking the SSL (inbound? and outbound?)

I do feel none may be the choice but if I really choose CX is new kid on the block and WS is a long runner ... just to keep it short... Probably Ironport is another candidate if Web security is really your concern...I see it far more than just appl aware which CX is trying to do...Oops... they are from the Cisco family :)

Probably the most important CX design consideration is today Cisco ASA 5500X can either leverage CX or IPS however not both simultaneously. Then again how comprehensive you will want .... if minimal both can do, but if comprehensive then should compared WebSense and IronPort WSA
We have been using the Cisco ASA 5555-x and ASA 5512-X with Prime security manager for 5 months.
It crashes constantly and code upgrades have been a nightmare, with every upgrade there is a new set of problems! Do not buy this product!It is a piece of garbage!

We have been working with CiSCo TAC through out the whole ordeal and the issues persist.

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now