ASA vs PIX

mgaysek
Level 1

We are in the process of building out our infrastructure to support 3rd parties. In the design we will be adding either 525s or ASAs. I am interested in hearing people's experiences with the ASA, being they are a new product. Specifically the kinds of problems you may have run into.

Thanks,

marcus

5 Replies

sachinraja
Level 9

Marcus,

I don't think you will have any problems using ASA. ASAs are replicas of PIX V7.0 products. The biggest advantage of ASA will be a converged/scalable solution for your network, with the same box doing multiple functionalities. You can definitely save cost if you have an ASA box with SSM, instead of having a PIX and an IPS appliance...

I would advise you to go to ASA. The only drawback I could see in ASA is the cost of the secondary box. You need to invest the same money as the primary box, which isn't the case in PIX. The positive side of this is, in case of emergencies, you can plug off the secondary ASA and use it as a fully functional box in any other network, unlike PIX failover unit (which cannot be used as a primary box).

Hope this helps.. all the best..

Raj

One more question on ASA. We are planning to set up one small dedicated network in datacenter.

Can we use ASA appliance without need of border router device? Our datacenter provides fast ethernet feed to our cage and no intelligent routing needed.

Thanks

regards

Rakesh

======

Rakesh,

Yes, you can use it as a border device since you're just accepting an ethernet connection and are basically a stub network.

Patrick

Actually, if you compare the price of a primary PIX 525 to an ASA 5540, the PIX is quite a bit more, but the secondary unit is much less. Whereas the ASA is less expensive but there is no 'Primary/Secondary' pricing. It ends up about the same for a redundant PIX or ASA (without the SSM).

nomanbari
Level 1

Hi Marcus,

Maybe my response is a bit late but I think you might find it useful in your context. Some time back I wrote some comments on nww and they are given below:

NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY

12/06/05

Today's focus: Is Cisco's ASA a headache-in-waiting?

_______________________________________________________________

By M. E. Kabay

Reader Noman Bari wrote to me some time ago from Karachi, Pakistan, with a thoughtful comment on Cisco's new multifunctional ASA security appliance.

Bari has a B.S. in Electronics and has the certifications CCNA, CCDA, CCNP, CCDP, CCSA, CIW Security Analyst, CompTIA Linux+ Certified and MCSE. With his kind permission and collaboration, here are his thoughts:

* * *

I am writing this e-mail to learn your views on a new security box from Cisco. Adaptive Security Appliance (ASA) is a multi-function security appliance which integrates firewall, IPSec and SSL VPN, intrusion prevention, virus filtering and network quarantine in a single device.

I have been thinking about this development from Cisco. Surely putting all the eggs in one basket is never a good idea.

If all the functionality of security is taken care of by one single box and if that box gets compromised then it will be a serious problem. It is widely known that there is no such thing as 100% security. At some time in the near or distant future we will hear that there are security holes found in the working of ASA and they can lead to a security breach.

There will be critics who will say that since ASA comes with all the bells and whistles it will be extremely hard if not impossible to compromise its security. But what if a person with malicious intent is able to do it? And this will happen - it's just a matter of time.

The job of the marketing guys is to show everyone a rosy picture. I am not blaming them; it's what they get paid for. But it's our job as techies to filter out useful stuff from what they say.

My analysis is that ASA is an excellent device for small to midsize companies to save costs, for ease of management and so on, depending upon the nature of their mission-critical work.

However, for enterprise-level security, I would rather go with a layered approach with multiple defenses to protect my network.

Although I am here in Karachi I believe that effective security requirements are valid for every organization in any part of the world. What you and Bruce Schneier write in your security newsletters is equally useful for me here in Pakistan. My vision gets broadened.

* * *

Need I [MK] say more? My only comment is "Wow! I got mentioned in the same sentence as Bruce Schneier! Cool!" Well, OK, that's not very useful for readers, so here's a link <http://www.cisco.com/en/US/products/ps6120/index.html> to the Cisco page describing their ASA 5500 product.

Now take two of those and a glass of water and I'm sure you'll be fine in the morning.

_______________________________________________________________

To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor in the Division of Business and Management at Norwich University in Northfield, Vt. Mich. and his Web site is <http://www2.norwich.edu/mkabay/index.htm>.

New information assurance journal - Norwich University Journal of Information Assurance (NUJIA). See <http://nujia.norwich.edu/>

___________________________________________

Hope this helps.

Regards,

Noman Bari
