ASA MPF vs IPS vs WSA vs AMP

abhijith891 · ‎01-13-2018

Hello people,

I have been under the impression that an IPS was used in conjunction with an ASA because ASA can work only on L3/L4 and cant check the payload of a packet. But if ASA can do L7 inspection, URL filtering etc with the help of MPF, then why are the the devices like IPS, WSA being used to do the same?

Marvin Rhoads · ‎01-13-2018

The ASA can do L7 inspection but its capabilities are very limited. You have to know in advance the exact URLs you want to filter, you cannot filter on categories, there's almost no reporting of the filtering, etc. etc.

NGIPS like ASA with Firepower Services and URL Filtering license or ASA/Firepower appliance running FTD image can do much more with respect to URL filtering. All the things I mentioned above plus more. A WSA, as a purpose built appliance, has even more capabilities - very granular reporting, more categories etc.

AMP for Endpoints has very limited URL filtering functionality- it is primarily a malware protection tool (with Antivirus).

Cisco Umbrella is the other option. It is a very good URL filtering tool with the advantage that it can cover clients both on- and off-premises with the roaming client.

Ajay Saini · ‎01-13-2018

Hello,

ASA can do very basic stuff with L7 header, basically it can just make sure that l7 traffic is adhering to RFP for that particular protocol. We can do bare minimum with layer 7 policies even if we were to modify the default policy for the defined protocols. Also, ASA does not even handle all the well defined protocols at layer 7.

It can not deep analyze the traffic on l7 layer and is not aware of the attack patterns which ofcourse an additional module like IPS or Sourcefire can do.

HTH

-AJ