I have ASA 5525 x2, and I have Firepower & ISE servers available. Disclaimer - I'm one of those jack-of-all-trades, master-of-none systems administrators, and nowhere else do I feel that more than when dealing with Cisco :(
What I'm looking at getting going is being able to create access control rules in Firepower that take advantage of LDAP (AD) groups to restrict internet access & manage whitelists. In reality, this will be one group to start.
- Everyone will have filtered internet + global blacklists (already done in firepower for the internal network)
- Restricted_Internet (group) will have essentially no internet except for whitelisted sites.
My question here is more regarding what method to use for this, and why.
Should I use ISE and Passive ID?
Or should I just use Firepower and LDAP with the user agent installed on a server/DC?
As with anything Cisco, it becomes overwhelming quickly... This is a healthcare environment with a lot of task workers who simply do not need internet beyond specific, approved external applications, and we are trying to tighten up around here.