Filter/Security appliance recommendations?

MIPS64 (n00b, joined Sep 1, 2012, 41 messages)
I am looking for recommendations on a device to put at the forefront of our network, mainly for web content filtering. Our network is currently setup as this:

[attached image: network1.jpg]

We have two Internet providers, one for each network. The networks are physically separate except for a Cisco 3560 which is used for failover. In the event one ISP goes down, one network can use the other's ISP; however, it has no access to the other network beyond that switch.

Currently, each network has a web content filter (SmartFilter) server which is going end of life in a year. We would like to replace each server with a single box at the front of the network for filtering. Other bonuses would be things such as bandwidth control, virus protection, etc.

Perhaps the most important thing is to make sure our ISP bandwidth download speed does not get hampered by the device we choose to put at the front. We have 50mb download on one and 30mb on the other. If the device throttles the download at 10mb then it's useless to us.

So any suggestions on some products to try? The first that comes to mind is Barracuda, but I'm just looking for anything else you may have tried.
 
Depends on how big a wallet you have and other demands like bandwidth and number of concurrent sessions.

I would recommend you take a look at the gear provided by Palo Alto Networks (which includes AV, IPS, SSL termination, URL categorization, application identification, etc.).

Looking at your bandwidth demands you should be fine with a PA-200 but I guess PA-500 would be a better option so you have something to grow with (PA-200 is more of a fanless desktop solution).

http://www.paloaltonetworks.com/products/overview/

By that you could also replace your ASA boxes at the same time.

So the design could end up with (for example):

ISP1 <-> C2960_1 <-> PA1

ISP2 <-> C2960_2 <-> PA2

and then set up 2 or 4 cables as a static trunk between C2960_1 and C2960_2.

Or you can skip the switches in between and connect each ISP straight to each box, which is run either as an Active/Active cluster or each box is just VWIRE.

Oh and put each ISP on their own VLAN so ISP1 is VLAN101 and ISP2 is VLAN102 (or so).

The PA boxes can be run in various types of modes, from the common L2/L3 modes to the (today still) less common VWIRE (it won't have any IP addresses; it will inspect the traffic anyway).
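Added example, not from the poster: a Cisco IOS fragment for the C2960_1 side of the two-switch design above, with ISP1 in VLAN 101, ISP2 in VLAN 102, a tagged port toward PA1, and a static (non-negotiated) 2-link EtherChannel to C2960_2. Interface numbers are assumed; adjust them to the ports actually in use.

```cisco
! Constructed example for C2960_1 (the mirror config goes on C2960_2).
! Port names below are assumptions, not the original poster's.
vlan 101
 name ISP1
vlan 102
 name ISP2
!
! ISP1 hand-off arrives untagged and is placed in VLAN 101
interface GigabitEthernet0/1
 description ISP1 uplink
 switchport mode access
 switchport access vlan 101
!
! Port facing PA1: tagged with both ISP VLANs so PA1 can
! reach ISP2 over the inter-switch trunk during a failover
interface GigabitEthernet0/2
 description PA1
 switchport trunk allowed vlan 101,102
 switchport mode trunk
!
! Two cables to C2960_2 bundled as a static EtherChannel
! ("mode on": no PAgP/LACP negotiation, as the post suggests)
interface range GigabitEthernet0/23 - 24
 description Static trunk to C2960_2
 channel-group 1 mode on
!
interface Port-channel1
 description Static trunk to C2960_2
 switchport trunk allowed vlan 101,102
 switchport mode trunk
```

Restricting the trunks to VLANs 101 and 102 keeps the ISP hand-offs isolated from everything else on the switch; any VLAN added later has to be allowed explicitly.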
 
Just place a Cisco SSC module in those ASAs; more than enough IPS, Web, URL, the list goes on. Use and leverage what you have. Simplify and standardize on one specific brand if you can do so. It will be far less expensive from a management standpoint than being all over the place with different hardware and contracts etc.

You would need Cisco AIP-SSC modules and Security Plus licenses which I am sure that you have. Plus you can have Active/Failover services.

http://www.cisco.com/en/US/prod/col...etin_c25-528621_ps6120_Products_Bulletin.html
 

Thanks for that info. When I look at the link you gave me, it specifically states "network attacks, including worms, Trojans, viruses, and attacks against operating system and application vulnerabilities" but nothing about content filtering.

I see this CSC-SSM does that, but it's not for the 5505, just the 5510 and 5520.

http://www.cisco.com/en/US/prod/col...2/ps6094/ps6120/prod_qas0900aecd8040397e.html
 
IIRC the 5505 does not have the capability to support modules, e.g. no module bay. After all, it has about the same width as one of those SSM modules....
 

We have PA-200s, PA-500s and 5020s(way overkill for your needs). Great boxes all around.
 
That's way too complicated for an outbound only setup with such little bandwidth. Replace everything in the picture with a Fortinet 100D. You will be able to use the entire feature set and have plenty of head room.
 
I would also suggest FortiGate. You can easily cluster them and also have them do auto failover for multiple WAN links. I manage quite a few FortiGates and they do well.
 