01-13-2018 01:18 AM - edited 02-21-2020 07:07 AM
Hello people,
I have been under the impression that an IPS was used in conjunction with an ASA because ASA can work only on L3/L4 and cant check the payload of a packet. But if ASA can do L7 inspection, URL filtering etc with the help of MPF, then why are the the devices like IPS, WSA being used to do the same?
01-13-2018 06:05 AM
The ASA can do L7 inspection but its capabilities are very limited. You have to know in advance the exact URLs you want to filter, you cannot filter on categories, there's almost no reporting of the filtering, etc. etc.
NGIPS like ASA with Firepower Services and URL Filtering license or ASA/Firepower appliance running FTD image can do much more with respect to URL filtering. All the things I mentioned above plus more. A WSA, as a purpose built appliance, has even more capabilities - very granular reporting, more categories etc.
AMP for Endpoints has very limited URL filtering functionality- it is primarily a malware protection tool (with Antivirus).
Cisco Umbrella is the other option. It is a very good URL filtering tool with the advantage that it can cover clients both on- and off-premises with the roaming client.
01-13-2018 06:28 AM
Hello,
ASA can do very basic stuff with L7 header, basically it can just make sure that l7 traffic is adhering to RFP for that particular protocol. We can do bare minimum with layer 7 policies even if we were to modify the default policy for the defined protocols. Also, ASA does not even handle all the well defined protocols at layer 7.
It can not deep analyze the traffic on l7 layer and is not aware of the attack patterns which ofcourse an additional module like IPS or Sourcefire can do.
HTH
-AJ
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide