Seeking Enterprise URL/Content Filter Solution

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
We're looking for possible new content/URL filter solution to replace our aging, crappy SmartFilter.

It's a long story, but quick, high-level requirements are:
-Inline (no IFP, or WCCP redirection)

-Citrix Integration
All connections are sourced from XenApp servers.
Any solution can tell which sessions are from which users?

-QoS Marking
We'd like to mark different URL categories w/ different DSCP markings, so that downstream WAN routers can do WRED based on them.

-AD Integration
Every vendor's solution can do it, but question is how well?
BYOD users don't login to the domain to gain access.
Is there any way to identify their uname/group, w/o explicit captive portal?

Can any vendor's solution do federated SSO w/ our RADIUS server (Cisco ACS 5.4), so that users don't have to login multiple times? (once for network wired/wifi, and second time for content filter)
========================

We're looking at Cisco's CX, and Palo Alto Networks PA-5000.
CX is preferred, since we can just stick an extra module into our ASA's, but it's relatively new, and not as mature as PAN.

If anyone could provide some recommendations I'd really appreciate it.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
I like what I've seen from Palo Alto.

They have an agent that runs on your AD or Exchange server that correlates users to IP addresses so you don't have to worry about authenticating users against the PA. However, it does also support authentication via form against a RADIUS database.

They have a Terminal Services agent that identifies users based on their session as well, but I don't know about their compatibility with Citrix in a similar manner (multi-session server.)

It is completely transparent to the users if their login is captured by one of the agents. If not, they're prompted to authenticate. You can create multiple policies and tie them to AD users/groups. It supports custom whitelists and blacklists.

It can be deployed either in NAT mode, routed mode, or L2 transparent mode and content filtering works in all three.

I don't have any experience with Cisco's CX. But, I do strongly recommend PA's solution...they're very easy to configure, the web interface is very powerful for reporting (management types love that) and the CLI is somewhat Junos-like, so if you're familiar with Junos, you can fit right in.
 

m1ldslide1

Platinum Member
Feb 20, 2006
2,321
0
0
I haven't directly configured either PA or Cisco CX, but the marketing materials for both are very similar. The AD integration that Drebo mentioned is also supported on Cisco ASA (and Juniper as well).

Cisco does some interesting integration with Scansafe and Ironport WSA as well. Scansafe is the cloud-based content security solution, which is useful if you have a mobile workforce (especially if using Anyconnect VPN). Ironport WSA does content filtering and reputation-based filtering (which is kind of a big deal IMO), plus AV and DLP-redirection if desired.

Out of curiosity - why inline-only? No love for WCCP?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
I looked at Cisco's solution based on Scansafe before we settled on PA, but it was much more expensive and from what I understand it's also now end-of-life.

CX is supposed to be very very similar to what PA is doing, so it's probably a safe-ish bet. For me, because our experience with the PA equipment has been so great, it's what we'd recommend moving forward.

Juniper's EWF is pretty decent as well, but not as robust in my experience as PA is.
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
thanks for the replies.

Cisco's changing the ScanSafe name, but that doesn't mean it's EoL, does it?
Has anyone used any cloud-based solution by the way? How did you like it?
We're worried about the performance & throughput, so didn't really give it much serious thought.

We're not against WCCP.
In fact we used to do WCCP to run Cisco content engines running ACNS several years ago.
We're now running Riverbed WAN opt w/ WCCP as well.

It just so happens that it'll be harder to do WCCP for our Internet edge, due to its topology & equipment.
ASA's only do L3 GRE WCCP, so we'd have to worry about MTU along each hop.
Also I'm not too comfortable w/ non-firewall features on ASA's.
Once I tried to tweak our OSPF routes through ASA, and found out it wasn't possible.
Can't remember the details now, but there was something I needed to do in route-map, which wasn't an option on the ASA platform.
 

m1ldslide1

Platinum Member
Feb 20, 2006
2,321
0
0
Scansafe is not end of life or anything similar; in fact they are working furiously to add new data centers around the globe and upgrade the existing ones. Someone told me recently that it is squarely in the leaders quadrant for Gartner cloud proxy services, but I haven't verified that myself. Performance is good, but how many concurrent web connections are we talking about from a single site? If it is thousands, you will want to talk with your Cisco sales team and make sure that the solution will scale with you.

Honestly I wouldn't have even considered doing WCCP on the ASA. Not because it's bad or whatever, but to me I think of that as a router feature. As for the GRE header, it is only 4B and you are only encapsulating between the web-security appliance and the redirecting router. So I don't know your topology, but perhaps there aren't that many hops to worry about just between the redirecting router and the appliance? Also someone who is a real expert in TCP might school me here, but I don't think that an extra 4B of header will be a problem. I would be surprised if any of your web traffic is able to send 1500B packets. Think of the end-to-end transport between a client and a remote web server - even the MPLS networks in between add more o/h than GRE, so you shouldn't see TCP trying to build packets that large for web traffic.

Last thing I'll cheerlead for WCCP - if it were me and my network, I would demo an appliance and use an ACL such that I'm only redirecting my traffic and maybe that of 30 of my co-workers. Not a bad way to demo a couple of technologies at once...

Keep in mind I'm biased - I'm just leery of inline devices for services that aren't routers or switches. My $.02.
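The limited-scope WCCP pilot and the GRE overhead question raised in the post above, shown as an added example configuration for a Cisco IOS router. This is not configuration from anyone in the thread or from any vendor; the addresses, interface names, ACL names and the WCCP password are made-up placeholders, and the appliance is assumed to register with the standard `web-cache` service group (HTTP on TCP/80). One correction worth carrying into the design: WCCP L3 redirection wraps each packet in an outer IPv4 header plus the GRE header, so the encapsulation costs 24 bytes, not 4, which is why the example clamps TCP MSS on the client-facing interface.

```cisco
! Added example (not from the thread): pilot WCCP redirection on a Cisco IOS
! router for a handful of users, with MSS clamping to absorb GRE overhead.
! All names and addresses below are placeholders.

! Redirect-list: only the pilot users' HTTP traffic is handed to the appliance.
! Anything that does not match is routed normally and never sees the filter.
ip access-list extended WCCP-PILOT
 remark pilot users only - my workstation and a small test subnet
 permit tcp host 10.10.20.15 any eq www
 permit tcp 10.10.21.0 0.0.0.255 any eq www
 deny   tcp any any eq www

! Group-list: only this appliance address is allowed to join the service group,
! so a rogue host cannot register itself and receive redirected traffic.
ip access-list standard WCCP-ENGINES
 permit 10.10.99.5

! Service group 0 ("web-cache") = HTTP on TCP/80, scoped by both lists and
! protected with the (MD5-based) WCCP password. Password is max 8 characters.
ip wccp web-cache redirect-list WCCP-PILOT group-list WCCP-ENGINES password p1l0tWcc

interface GigabitEthernet0/1
 description inside / toward the XenApp servers
 ip wccp web-cache redirect in
 ! GRE-over-IPv4 adds 24 bytes (20 outer IP + 4 GRE). With 1500-byte links
 ! between router and appliance: 1500 - 24 - 20 (IP) - 20 (TCP) = 1436.
 ip tcp adjust-mss 1436

interface GigabitEthernet0/2
 description link to the web-security appliance
 ! Never re-redirect traffic that the appliance itself is sending out.
 ip wccp redirect exclude in
```

Verify the appliance has actually registered with `show ip wccp` and that redirect counters climb only for the pilot hosts; when the pilot is widened, grow the redirect-list rather than removing it. HTTPS is not covered by service group 0; it needs the dynamic service group number that the chosen appliance advertises, configured with the same redirect-list and group-list protections.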
 

re_young

Junior Member
Oct 3, 2013
3
0
0
Hi Cooky,

www.iboss.com. Let me know if you're interested. 5 solutions included w/ purchase: URL filter, Application management, Bandwidth shaping, Threat protection, and multiple realtime report dashboards. We're on the Magic quadrant and have thousands of networks we work with. If anything, take a look at a webinar.

-Ross

Ross.Young@iboss.com