Cisco sets the bar for mobile security

21.03.2011

The last major piece of Cisco's remote access solution is a new addition: the Cisco IronPort S-series Web Security Appliance. The IronPort S-series is a secure Web gateway, with the primary goals of protecting Web-browsing end-users from malware and enforcing access controls on where people can browse.

We didn't do a full evaluation of the product, focusing only on its integration with the ASA and VPN clients. But the IronPort S-series has the expected feature set for a Web security gateway: malware scanning using multiple engines, URL filtering to avoid bad neighborhoods and enforce acceptable use policies, bandwidth management, and the ability to look at content to enforce general security policies, such as blocking PowerPoint attachments.

The IronPort S-series includes "man-in-the-middle" SSL decryption, which lets it scan both encrypted and unencrypted connections, and it leverages the IronPort reputation service to do reputation-based lookups of URLs and Web servers. This feature set makes it a fairly complete Web security gateway, not all that different from the other market-leading products.

We focused on integrating the IronPort S-series with the ASA appliance, and applying Web security gateway policies to remote access VPN users. A cynic might say that Cisco requires network managers to buy a whole separate box — and an expensive one at that — because it doesn't have built-in Web security in the firewall. That's true, of course, but it's also true that the Web security in the IronPort S-series is more powerful than what you can get with the Web security feature built into unified threat management firewalls.