ASA Content filtering
flares2
Member Posts: 79 ■■□□□□□□□□
I may be over my head with this ASA, but I'm looking for some advice.
Backstory: Third quarter last year the network admin at my place of business decided he wanted more security for a certain department and wanted to place them on a separate network. Rather than doing the fast and free plan of creating a separate VLAN and then implementing some ACLs, he built another physical network. Sadly, he left to a new job before anything was implemented. So we have this physical network just sitting there doing nothing.
Currently we route all of our traffic through an MPLS to our parent company where internet traffic is filtered and monitored through a proxy. The plan is to change the route of internet traffic, so rather than going to our parent company through the proxy, it will go through the separate network. I.e., have phone and MAN traffic go through our parent company and have internet traffic go directly out.
On the separate network that internet traffic would be going through we need security of course. We have an ASA5510 between the other network's core switch and router. Not being a network security guru I'm looking for some ideas as how to keep this connection secure. We'd like it to be content filtered and monitored. The ASA has an SSM module but the license is expired. Should we renew the license and content filter through CSC SSM, or create an external AAA server, or use a third party software like Websense?
I got the routing and switching, that's easy. I'm new to the ASA though, so any advice is very much appreciated.
Techexams.net - Job security for one more day.
Comments
dtlokee Member Posts: 2,378 ■■■■□□□□□□
The CSC module has content filtering built in via Trend Micro and you should be able to use that; there is a lot of documentation on the module on Cisco's website. Basically it requires you to create a policy on the ASA that redirects the traffic you want to inspect to the CSC; only http, ftp, smtp and pop3 are supported.
The only easy day was yesterday!
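An added example, not dtlokee's or Cisco's own configuration, of the ASA Modular Policy Framework policy the reply describes: match the four protocols the CSC SSM can scan and divert them to the module. The 10.20.0.0/24 inside subnet and the CSC_TRAFFIC/CSC_CLASS names are assumptions.

```cisco
! ACL selecting the only protocols the CSC SSM can scan: HTTP, FTP, SMTP, POP3.
! 10.20.0.0/24 is an assumed inside subnet for the separated department;
! restricting the source keeps other traffic off the module.
access-list CSC_TRAFFIC extended permit tcp 10.20.0.0 255.255.255.0 any eq www
access-list CSC_TRAFFIC extended permit tcp 10.20.0.0 255.255.255.0 any eq ftp
access-list CSC_TRAFFIC extended permit tcp 10.20.0.0 255.255.255.0 any eq smtp
access-list CSC_TRAFFIC extended permit tcp 10.20.0.0 255.255.255.0 any eq pop3
!
! Class map that matches the ACL above.
class-map CSC_CLASS
 match access-list CSC_TRAFFIC
!
! Divert matching flows to the CSC SSM.
! fail-close drops matched traffic if the module is down or unresponsive;
! fail-open would pass it through unscanned instead.
policy-map global_policy
 class CSC_CLASS
  csc fail-close
!
! global_policy is normally already applied globally; shown for completeness.
service-policy global_policy global
```

Because the class matches on destination port, web traffic on non-standard ports and HTTPS never reach the module, so the rest of the design should not assume those flows were filtered.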
flares2 Member Posts: 79 ■■□□□□□□□□
Thanks dt. From researching it seems that the CSC requires a license with Trend Micro. We have a base license which gives us Antivirus and Spyware blocking, but content filtering requires a Plus license. A two year renewal costs about $1600. So if we're spending that much cash, is there a better way to go?
Techexams.net - Job security for one more day.
shednik Member Posts: 2,005
dtlokee wrote:
> The CSC module has content filtering built in via Trend Micro and you should be able to use that; there is a lot of documentation on the module on Cisco's website. Basically it requires you to create a policy on the ASA that redirects the traffic you want to inspect to the CSC; only http, ftp, smtp and pop3 are supported.
DT, you're still out there?? How's the CCIE Voice studying going for you?
To the OP: as always I'd have to agree with DT on this one. I have very limited experience with an ASA but have heard good things about this setup tho.
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Yeah, we use the CSC module for a couple of customers because it does AV and content filtering on box (with the Plus license), but if you're just looking for content filtering you may want to look at a Bluecoat SG210 or maybe a 510 depending on the connection speed and users. They offer a web content rating service that is very good and costs like $0.50 per user when you figure it over 3 years. They don't yet have an on box AV solution; you need to buy an additional device or integrate it with your own AV server, which I have yet to do.
The only easy day was yesterday!