Blocking torrents- ASA

RadiclDreamer

Diamond Member
Looking to be able to block torrents, hopefully with my asa5520. Would a Cisco ASA AIP SSM-10 module do this pretty well? If so what are your experiences with them?
 
You have to be careful with the SSMs. They absolutely destroy your throughput.

I'd see if you could have Cisco send you one to demo and see how it'll affect your environment. What I've seen is that the published specs are at least twice as fast as what's observed in production.

Maybe some of the newer image versions fix that stuff, though. 8.2 was the last time I really looked at it.

I use Juniper and Palo Alto for this stuff mostly, now.
 
Cisco's ASA architecture requires sending traffic to the service module, after the core firewall code completes the ACL, NAT, etc, and some say that's where the performance hit comes from.
Palo Alto claims their PAN firewalls handle everything through a single thread/process, thus cutting down the processing time, but I have no way of verifying that.

I've never used the ASA SSM to block torrents, but have tried w/ the NBAR feature set on their IOS code.
It blocked BitTorrent, but a few users found ways to go around it...probably encryption or other means.
 
NBAR is also fairly slow, but if you over-spec the router...like the new 3900 series or something...it should be sufficient for lots of places.

L7 firewalling is a tough nut to crack, that's for sure!
 
I'm running a 100/100 internet connection to this guy and I only use it as an internet firewall and VPN endpoint for my remote sites and home users to use the AnyConnect software. I was thinking an AIP-SSM-20 should be sufficient for that since the advertised traffic throughput is actually higher than my connection speed. Does anyone think it would be worth the price to go to an SSM-40? I haven't been able to contact my vendor, but a few Google searches show it as a 5k option for the 20 and 12-15k for the 40. I assume I will also need 2 of these since I run in failover mode with an active/standby unit?
 
A few things:
1. ASA5520 has reached EoX status.
Even though it'll be supported for another five years, my recommendation is to cut your loss, and invest in its replacement now.

2. If you choose to stick w/ Cisco, I'd go w/ their ASA 5585-X series, which are capable w/ L7 firewall capability. (they call it CX/context aware, but it's the same as Palo Alto, or other vendors' next-gen firewall)
Yes, you'll need to get the same service module for the standby unit.

3. Vendors use a different math calculation for their marketing materials.
If Cisco claims their SSM can do 200M, it means 100M egress, and 100M ingress, thus the combined 200M, not 200M egress & ingress, unless they've changed the formula.

If most of your traffic pattern is only ingress for end users' download traffic, it's not as much of an issue. But if the same circuit & firewall need to also support your eCommerce & VPN traffic, you'll want to pay close attention to the actual traffic trend, and leave room for future growth.

4. I'm not sure what the order of operation is on the ASAs, but you may want to put VPN termination on a set of dedicated firewalls, behind the Internet edge firewalls for better protection, if your budget allows it.
 
I am well aware that the ASA's days are numbered; however, this is a need that arose recently and we don't really have the budget for a full-on replacement yet, though it has been planned within the next two years.

As far as the ingress and egress, I figured as much and really that seems logical and would be fine for my environment.

I don't have e-commerce, just internet and VPN running on this unit.
 
P2P can use a lot of ports, so the best bet is just to block everything, then open what is needed. That's fairly standard on corporate networks. Basically, you can connect to port 80, 443, maybe 22 and 21, and that's about it. It would not stop a torrent client from connecting to a torrent "server" that is on port 80, but it would sure block a large portion of torrents.

I suppose there could be solutions that actually look at what the traffic is, but I imagine analyzing every single packet like that would cause some latency.
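As an added example that is not part of the thread, here is what that default-deny approach looks like as an ASA access list: only the ports named in the post leave the inside network, and everything else is dropped and logged so the denies are visible in syslog. The interface name, the object-group and ACL names, and the resolver address are assumptions.

```text
! Added example, not from the thread. Assumed: an interface named "inside",
! an internal DNS resolver at 198.51.100.53 (constructed address).
! Allowed outbound TCP services from the post: 80, 443, 22, 21.
object-group service ALLOWED-OUT-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq ftp
!
! Permit DNS only to the internal resolver, then the listed TCP ports.
access-list INSIDE-OUT extended permit udp any host 198.51.100.53 eq domain
access-list INSIDE-OUT extended permit tcp any any object-group ALLOWED-OUT-TCP
!
! Explicit default deny with logging: each blocked flow produces an
! ASA-4-106023 syslog message, which is how you see what the ACL catches.
access-list INSIDE-OUT extended deny ip any any log
!
! Apply to traffic entering the inside interface, i.e. leaving the LAN.
access-group INSIDE-OUT in interface inside
```

`show access-list INSIDE-OUT` gives per-line hit counts, so the deny line's counter tells you how much traffic this policy is actually stopping; a client that reaches a peer or tracker on 443 still passes it, which is the gap the post acknowledges.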
 
I use many free VPNs and they don't allow P2P so they must be running some kind of firewall or only allowing port 80, 443 and 53.
 
That's what something like the IPS is for. In a corporate environment it's hard to say "this should block some of it." My boss typically wants to hear this will block all or close to all of it.
 
A couple of thoughts:

The 5585-X is WAY overkill for what is being described here. A 5515-X will provide 350Mbps of CX (L7 firewall) throughput at like 1/20th the cost of a 5585-X with CX module. I won't read off all the specs, but they can be found here for all models:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html

Since you appear to have some limited budget for hardware, I would really look into this new option since it should be about the same price as those SSM modules you are looking into. I agree with Cooky - It is a far better investment than those old modules.

Keep in mind this same box will do VPN, IPS, and botnet traffic filtering as well - licensing will apply, but in my experience they aren't all that expensive.
 
I don't really have a limited budget, it just needs to be planned. As this was a spur-of-the-moment need, I'm trying to get by on the cheap.
 
Cisco firewalls aren't as expensive as some may think.
You just need the right discount or AM.
When we looked into Palo Alto, their firewalls were actually not cheap either.
 