ASA selection

dstehle · ‎02-19-2013

My customer is designing an architecture with two networks - internal and external. In between these two networks will be a DMZ where a layer 7 gateway device will reside. This layer 7 device (which could from Layer 7 - SecureSpan SOA Gateway - see http://www.layer7tech.com/products/soa-gateway) will act as a mediation and policy enforcement point between the internal and external networks using XML. This device as required as there is a requirement for different applications to send and receive different data. The XML is used to accomplish this.

My customer would want to use ASA firewalls to bookend the DMZ. Their question, "Do the ASA 55XX firewalls communication via XML and are they a layer 7 device?".

Also, are two firewalls required? Which ASA would work?

Thanks,

David Stehle

stojanr · ‎03-12-2013

While ASA can provide inspection of certain protocols, it does not provide XML inspection. If you configure your traffic policies correctly, you can allow XML communication from outside to DMZ and from DMZ to inside, depending on your requirements.

For your deployemnt, one firewall would be sufficient, but you could use two identical appliances to provide high availability.

Choosing the right firewall depends on other parameters:

- what is the bandwidth required across this firewall

- do you wish to terminate VPNs on this firewall ? if so, how many ?

- how many and which physical interfaces do you require

...

You can find the current datasheets at the links below:

Small and SoHo appliances:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html

Internet Edge appliances:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html