Dear Zubair,
I prepared my answer on the basis of the question. It is not necessary to use only
CSC-SSM; AIP-SSM can do that job.
If we consider throughput for enterprise and ISP, Cisco ASA is not the
right choice as a UTM box. :) Juniper and Check Point
I agree IPS has lower throughput, but the positioning of an external IPS depends
upon the customer's requirements (VPN/multiple internal segments) and, if blade IPS,
which traffic needs to be inspected with the lower-throughput IPS module. However blade
IPS has lower throughput, first firewalling happens for incoming internet
traffic, so unnecessary traffic should be dropped and some trusted traffic
inspected at the next level.
Can you highlight a figure for the throughput of CSC-SSM? The documents say it is
significantly less than ASA and I am unable to find it :(. Cisco ASA AIP SSM
throughput is from 75 to 650Mb (depending upon the card), and for a small-to-mid-range
organization, how much maximum ISP bandwidth is used by the customer? I think it is less
than 650Mb. :)
Again, the choice is yours, and the customer has to pay and agree on it.
Thanks
Shahid Ansari
Solution Architect
CCIE#20017
Kuwait
On Wed, Jan 12, 2011 at 8:52 AM, Zubair Ansari <Zubair_at_mhdinfotech.com> wrote:
> I agree with you Shahid, but through modular policy you have to work on
> each P2P and make a policy for each. Some P2P are very dynamic in nature. They
> change port if the port is blocked.
>
>
>
> In addition, IPS is for deep packet inspection. Normally the throughput on
> IPS is limited and we send limited traffic to IPS. If you want all outgoing
> traffic to go through IPS and be inspected, then it's your choice.
>
>
>
> Finally the right way to do this work is through CSC module.
>
>
>
>
>
> --
>
> Best Regards,
>
> Muhammad Zubair Ansari.
>
> Sr. Network Consultant
>
> CCIE # 23556
>
> GSM : +968 96043105
>
>
>
> *From:* Shahid Ansari [mailto:shahid1357_at_gmail.com]
> *Sent:* Monday, January 10, 2011 10:29 AM
> *To:* Zubair Ansari
> *Cc:* Khurram Noor; Cisco certification
> *Subject:* Re: P2P block using ASA
>
>
>
> Not necessary, Zubair.
>
> You can control P2P traffic by using the modular policy framework, and if you
> have an IPS module, even better. There are several signatures in IPS that
> address BitTorrent: 11031, 11030, 11020
>
> Thanks
>
> Shahid Ansari
>
>
>
> On Sun, Jan 9, 2011 at 7:40 AM, Zubair Ansari <Zubair_at_mhdinfotech.com>
> wrote:
>
> You need CSC-SSM to block P2P traffic.
>
>
> --
> Best Regards,
> Muhammad Zubair Ansari.
> Sr. Network Consultant
> CCIE # 23556
> GSM : +968 96043105
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Khurram Noor
> Sent: Sunday, January 09, 2011 8:35 AM
> To: Cisco certification
> Subject: OT: P2P block using ASA
>
> Hello everyone,
>
> I would like to know, what is the possibility of blocking P2P traffic using
> ASA firewall. The firewall does not have any AIP-SSM.
>
> --
> Khurram Noor
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jan 13 2011 - 10:56:57 ART
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART