10-31-2005 05:49 AM - edited 02-21-2020 12:29 AM
We are in the process of building out our infrastructure to support 3rd parties. In the design we will be adding either 525s or ASAs. I am interested in hearing people's experiences with the ASA, being they are a new product. Specifically the kinds of problems you may have run into.
Thanks,
marcus
11-02-2005 09:51 PM
Marcus,
I don't think you will have any problems using ASA. ASAs are replicas of PIX V7.0 products. The biggest advantage of ASA will be a converged/scalable solution for your network, with the same box doing multiple functionalities. You can definitely save cost if you have an ASA box with SSM, instead of having a PIX and an IPS appliance...
I would advise you to go to ASA. The only drawback I could see in ASA is the cost of the secondary box. You need to invest the same money as the primary box, which isn't the case in PIX. The positive side of this is, in case of emergencies, you can plug off the secondary ASA and use it as a fully functional box in any other network, unlike PIX failover unit (which cannot be used as a primary box).
Hope this helps.. all the best..
Raj
11-04-2005 03:49 PM
One more question on ASA. We are planning to set up one small dedicated network in datacenter.
Can we use ASA appliance without need of border router device? Our datacenter provides fast ethernet feed to our cage and no intelligent routing needed.
Thanks
regards
Rakesh
======
11-10-2005 05:14 PM
Rakesh,
Yes, you can use it as a border device since you're just accepting an ethernet connection and are basically a stub network.
Patrick
11-14-2005 09:53 AM
Actually, if you compare the price of a primary PIX 525 to an ASA 5540, the PIX is quite a bit more, but the secondary unit is much less. Whereas the ASA is less expensive but there is no 'Primary/Secondary' pricing. It ends up about the same for a redundant PIX or ASA (without the SSM).
12-08-2005 09:37 PM
Hi Marcus,
Maybe my response is a bit late but I think you might find it useful in your context. Some time back I wrote some comments on nww and they are given below:
NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
12/06/05
Today's focus: Is Cisco's ASA a headache-in-waiting?
_______________________________________________________________
By M. E. Kabay
Reader Noman Bari wrote to me some time ago from Karachi,
Pakistan, with a thoughtful comment on Cisco's new
multifunctional ASA security appliance.
Bari has a B.S. in Electronics and has the certifications CCNA,
CCDA, CCNP, CCDP, CCSA, CIW Security Analyst, CompTIA Linux+
Certified and MCSE. With his kind permission and collaboration,
here are his thoughts:
* * *
I am writing this e-mail to learn your views on a new security
box from Cisco. Adaptive Security Appliance (ASA) is a
multi-function security appliance which integrates firewall,
IPSec and SSL VPN, intrusion prevention, virus filtering and
network quarantine in a single device.
I have been thinking about this development from Cisco. Surely
putting all the eggs in one basket is never a good idea.
If all the functionality of security is taken care of by one
single box and if that box gets compromised then it will be a
serious problem. It is widely known that there is no such thing
as 100% security. At some time in the near or distant future we
will hear that there are security holes found in the working of
ASA and they can lead to a security breach.
There will be critics who will say that since ASA comes with all
the bells and whistles it will be extremely hard if not
impossible to compromise its security. But what if a person with
malicious intent is able to do it? And this will happen - it's
just a matter of time.
The job of the marketing guys is to show everyone a rosy
picture. I am not blaming them; it's what they get paid for. But
it's our job as techies to filter out useful stuff from what
they say.
My analysis is that ASA is an excellent device for small to
midsize companies to save costs, for ease of management and so
on, depending upon the nature of their mission-critical work.
However, for enterprise-level security, I would rather go with a
layered approach with multiple defenses to protect my network.
Although I am here in Karachi I believe that effective security
requirements are valid for every organization in any part of the
world. What you and Bruce Schneier write in your security
newsletters is equally useful for me here in Pakistan. My vision
gets broadened.
* * *
Need I [MK] say more? My only comment is "Wow! I got mentioned
in the same sentence as Bruce Schneier! Cool!" Well, OK, that's
not very useful for readers, so here's a link
<http://www.cisco.com/en/US/products/ps6120/index.html> to the
Cisco page describing their ASA 5500 product.
Now take two of those and a glass of water and I'm sure you'll
be fine in the morning.
_______________________________________________________________
To contact: M. E. Kabay
M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor in the
Division of Business and Management at Norwich University in
Northfield, Vt. Mich. and his Web site is
<http://www2.norwich.edu/mkabay/index.htm>.
New information assurance journal - Norwich University Journal
of Information Assurance (NUJIA). See
___________________________________________
Hope this helps.
Regards,
Noman Bari