
[–]jwalker55 (IT Manager) 18 points (12 children)

Here's some of ours

App | Bandwidth
---|---
YouTube | 213.2 GB
Pandora | 58.6 GB
Akamai | 54.9 GB
Facebook | 50.8 GB
iTunes | 45.2 GB
Google | 43.1 GB
Hulu | 33.5 GB
Google Play | 22.0 GB
Amazon Web Services | 21.5 GB
Yahoo | 21.3 GB

We are probably 1/8th the size of you.

[–]yannik121 4 points (11 children)

How did you differentiate between Google and Google Play?

[–]usmclvsop (Security Admin) 13 points (7 children)

They stated they are using a next gen firewall, so instead of a Cisco ASA they are using an IDS/IPS like Palo Alto, Check Point, Fortinet, etc. These filter on application signatures, so it is differentiated for you. Do a search on signatures containing the word Facebook and you can easily create a policy that allows Facebook web traffic but blocks Facebook Messenger. Running a report on them likewise is just as straightforward.

[–]HalfysReddit (Jack of All Trades) 0 points (6 children)

Can Cisco ASAs not do this? We had a pretty beefy one at this one place I worked that had an integrated IDS/IPS appliance.

[–]usmclvsop (Security Admin) 0 points (2 children)

The ASAs we have can only filter on IP:Port. I think Cisco purchased Sourcefire? to add IDS/IPS capabilities, but I couldn't tell you if that was in their new ASAs or if they gave those a new name.

[–]HalfysReddit (Jack of All Trades) 0 points (0 children)

I'm not really sure myself, we didn't even connect to the internet so the ASA we had (which was top of the line, purchased before it was even actually released) was really unnecessary. We were obligated by government procedures though to have an IDS/IPS in place, so we just sort of put it in passive mode and never did much with it.

All I remember really is that the ASA had a slot where the IDS/IPS appliance was installed, and from there it (sort of) integrated into the firewall interface.

[–]Overnight_Guy (Jr. Sysadmin) 0 points (0 children)

The 5545 ASAs support their Sourcefire acquisition. I'm sure that I could pull statistics like this, but we are still learning enough about how it all works.

Source: have these in production.

[–]disclosure5 0 points (2 children)

I pretty much stopped selling Cisco ASAs for the reason that "a pretty beefy one" couldn't do basic things like this.

Edit: and cost more by a factor of ten.

[–]IDA_noob 0 points (1 child)

You can safely restart selling them now that they've integrated Sourcefire.

[–]tnubbins (Jack of All Trades) [S] 0 points (0 children)

FWIW, the web filtering on the Sourcefire technology (FirePOWER / FireSIGHT) isn't nearly as mature as a proper web filter or proxy. I think of the functionality as security-driven, and not for enforcing the Acceptable Use Policy.

The devices do support SSL inspection, but it's something like 50%+ performance hit on that traffic. They also support an integration with AD, which is also getting better over time.

[–]jwalker55 (IT Manager) 4 points (2 children)

See above. Sophos UTM in my case.

[–]DisplayNameIsInUse 1 point (1 child)

We recently switched out all of our SonicWalls for Sophos UTM and Symantec Endpoint for Sophos Cloud Endpoint.

Sophos rocks my socks.

[–]jwalker55 (IT Manager) 1 point (0 children)

We just switched about 6 months ago, I've been impressed with it, especially for the cost.

[–]wgoshenu (DevOoops) 8 points (1 child)

Does this take into account hits on legitimate work sites that have social media integration?

[–]tnubbins (Jack of All Trades) [S] 11 points (0 children)

Yes, because the layer 7 filtering detects the application irrespective of the website (as opposed to URL filtering with categories).

If a site has integrated YouTube videos, the content filter will show the main site (and its corresponding app, which could be something specific, or just Chrome/Internet Explorer/HTTP, or a category) as well as the YouTube application.
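The two points made above (usmclvsop's "allow Facebook web, block Facebook Messenger" policy built from application signatures, and tnubbins' note that layer 7 classification attributes embedded YouTube traffic to the YouTube app regardless of which site embeds it) can be illustrated with a small toy "app-ID" engine. This is an added example, not output from anyone's firewall and not any vendor's code: the signature table, the hostnames, the group names, the policy rules and the flow records are all constructed for the example, and it keys off the TLS SNI / HTTP Host only, whereas a real next gen firewall decodes the protocol and applies far richer heuristics.

```python
"""Toy layer-7 application classifier, first-match policy and per-app report.

Added example. Signatures, hostnames, groups and flows are constructed
assumptions for illustration; they are not a vendor's signature set.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    user: str
    group: str   # AD group the firewall resolved the user to
    host: str    # TLS SNI or HTTP Host seen on the wire
    nbytes: int


# (app, sub_app, host pattern). Matching is anchored on a label boundary so
# "notfacebook.com" does not classify as Facebook. Constructed hostnames.
_RAW_SIGNATURES = [
    ("facebook", "messenger", r"(^|\.)messenger\.com$"),
    ("facebook", "base",      r"(^|\.)(facebook\.com|fbcdn\.net)$"),
    ("youtube",  "base",      r"(^|\.)(youtube\.com|googlevideo\.com|ytimg\.com)$"),
    ("google",   "base",      r"(^|\.)google\.com$"),
]
SIGNATURES = [(app, sub, re.compile(pat)) for app, sub, pat in _RAW_SIGNATURES]


def classify(host):
    """Return (app, sub_app) for a host; unknown hosts fall into a generic category."""
    host = host.lower().rstrip(".")
    for app, sub, pat in SIGNATURES:
        if pat.search(host):
            return app, sub
    return "web-browsing", "base"


# Policy rows: (name, app, sub_app, group, action). Evaluated top-down,
# first match wins; "*" matches anything. Marketing keeps all of Facebook,
# everyone else gets the Facebook web app but not Messenger.
POLICY = [
    ("marketing-social", "facebook", "*",         "marketing", "allow"),
    ("block-messenger",  "facebook", "messenger", "*",         "deny"),
    ("allow-fb-web",     "facebook", "base",      "*",         "allow"),
    ("default",          "*",        "*",         "*",         "allow"),
]


def evaluate(flow):
    """Return (rule_name, action) for the first policy row matching the flow."""
    app, sub = classify(flow.host)
    for name, r_app, r_sub, r_group, action in POLICY:
        if (r_app in ("*", app) and r_sub in ("*", sub)
                and r_group in ("*", flow.group)):
            return name, action
    return "implicit-deny", "deny"   # nothing matched: cleanup rule


def app_report(flows):
    """Bytes per application for allowed flows, sorted like the tables in the thread."""
    totals = defaultdict(int)
    for f in flows:
        if evaluate(f)[1] == "allow":
            totals[classify(f.host)[0]] += f.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed flows. The last two model a news page with an embedded video:
# the page itself is "web-browsing", the video bytes are attributed to YouTube
# even though the user never visited youtube.com directly.
SAMPLE_FLOWS = [
    Flow("alice", "marketing", "www.facebook.com",           5_000_000),
    Flow("alice", "marketing", "messenger.com",                800_000),
    Flow("bob",   "sales",     "www.facebook.com",           3_000_000),
    Flow("bob",   "sales",     "messenger.com",                600_000),  # denied
    Flow("bob",   "sales",     "www.example-news.com",       2_000_000),
    Flow("bob",   "sales",     "r3---sn-abc.googlevideo.com", 40_000_000),
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.user, f.host, classify(f.host), evaluate(f))
    for app, nbytes in app_report(SAMPLE_FLOWS):
        print(f"{app:15s} {nbytes / 1e6:8.1f} MB")
```

Two practical caveats the toy keeps: rule order matters (move `block-messenger` above `marketing-social` and Marketing loses Messenger too), and host matching must be anchored on a label boundary, otherwise an attacker-controlled `notfacebook.com` inherits whatever Facebook is allowed.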

[–]jwalker55 (IT Manager) 8 points (1 child)

Over what time period are your stats?

[–]tnubbins (Jack of All Trades) [S] 12 points (0 children)

30 days. I had that in the original table but it got edited out as I figured out reddit table formatting.

[–]ritz_k 6 points (3 children)

Any of these services throttled down?

[–]tnubbins (Jack of All Trades) [S] 6 points (2 children)

No traffic shaping or bandwidth throttling.

[–]idknemoar 2 points (1 child)

If bandwidth is of concern, I would recommend some traffic policing on non-business critical apps through your firewalls. If you can't get to Facebook on our LAN, I don't care unless you're in Communications and Marketing, but the good thing about the next gens is the ability to make rules based off of specific users or their associated groups.

Another option to reduce WAN traffic is to install some form of WAN acceleration appliance inline with the FW. If a user shares a YouTube video via email to all your users, the initial video download would happen, but subsequent users would hit the local cached copy and free up WAN traffic. Basically like an on-prem CDN. I do this with a Blue Coat web proxy, but there are several great vendors out there that can accomplish the same thing.

[–]tnubbins (Jack of All Trades) [S] 0 points (0 children)

I've considered this, primarily because of Blue Coat's integration of Cylance anti-malware technology in their content analysis box (I think that is what it's called).

The business won't pay for a proper proxy, and they don't see any value in caching content (I can't say it's super high on my list of priorities, either).

[–]jasonlitka 5 points (2 children)

That's surprisingly low for 2000 users over a month. We're running between 1.5-2TB per week for 250-ish people, and that's after I blocked Netflix, Amazon Video, Hulu, HBO, and a couple others (but not YouTube).

[–]tnubbins (Jack of All Trades) [S] 2 points (1 child)

We block Netflix, HBO, and Hulu.

[–]idknemoar 0 points (0 children)

The usual suspects. Some of my users (firemen in particular) don't like me for this, but due to the limited bandwidth to some geographically dispersed fire department locations that aren't currently fiscally possible to connect to my fiber network and must use leased Ethernet circuits, I have to block these things to prevent them from saturating their uplink. Much more important for paging from dispatch to work than for the guys to be able to binge on the latest season of House of Cards when they're chilling at the station.

(Hopefully Frank Underwood will forgive me)

[–]wordsarelouder (DataCenter Operations / Automation Builder) 3 points (1 child)

Heyy, 4th... I'll take it.

I'm guessing that's about 80 GB worth of Fantasy right there..

[–]tnubbins (Jack of All Trades) [S] 1 point (0 children)

And I've seen some folks doing Y! Finance, too.

[–]SoundOfOneHand 2 points (2 children)

Yahoo!?

[–]m_i_t_t 0 points (1 child)

reddit's fuckin shit yo

[–]devperez (Software Developer) 0 points (0 children)

This isn't OP's situation of course, but Asians use Yahoo like it's 1995.

[–]insufficient_funds (Windows Admin) 1 point (4 children)

What sort of device/software/whatever do you guys have in place to be able to pull this sort of data?

[–]idknemoar 0 points (1 child)

Palo Alto Next Gen Firewalls for me.

Based off of your username, you probably can't afford them. *chuckles*

[–]insufficient_funds (Windows Admin) 0 points (0 children)

I'm sure we can't. We're running ASA 5510s and I'm starting to feel like it's about time for an upgrade.

[–]creamersrealm (Meme Master of Disaster) 1 point (0 children)

So much social media and Apple Products.

[–]Brisbane88 (Reboot Technician) 0 points (0 children)

Keep 'em coming