
Choosing between ASA and FWSM

branfarm1
Level 4

Hi there,

I've been searching these forums trying to research which security device I want to implement at a new datacenter, either the ASA or the FWSM.

It seems that I've read quite a few opinions where people say that the ASA is better suited as an external/gateway firewall, where the FWSM is better suited to internal security issues. Can someone please help me understand why this is the case? It seems like having a FWSM inside a 6500 chassis would give you many options over the ASA, as long as you didn't need a specific ASA feature I guess.

My new datacenter will be handling real-time data, both unicast and multicast. I don't have any need for many advanced IPS/IDS features -- I just need basic firewalling with routing. I expect to handle connections from various extranet providers as well as the internet.

What do you guys think?

Thanks in advance

1 Reply

Jon Marshall
Hall of Fame

As always with these things the answer is it depends :-)

"It seems like having a FWSM inside a 6500 chassis would give you many options over the ASA, as long as you didn't need a specific ASA feature I guess."

Not necessarily. Basically the FWSM gives you 5Gbps throughput and saves on space as it is integrated into the 6500 chassis. Most other things you can do on an ASA as easily as you could on an FWSM - contexts, multiple VLANs etc.

And it is also worth bearing in mind that the FWSM is just a firewall and that's it. If you want to do IDS/IPS then there is a separate module for that. IPsec VPNs - separate card. The ASA has all these things available within the same platform.

Having said that, I personally think the FWSM is a good solution if you have 6500 switches in your distribution/core layer. In addition, if you are looking to use other service modules in your 6500s then they are a nice fit, e.g.

ACE modules for load-balancing using contexts in the 6500 aligned with FWSM contexts - very good solution if you support, for example, multiple customers on the same physical infrastructure.

I have used both solutions. Personally I like the FWSMs but they are expensive, especially if you factor in the context licenses. Of course depending on your DC costs some of this can be written off against space savings.

If your architecture is based around 6500 switches and you really are sure you don't need anything other than firewalling then the FWSMs are worth consideration.

Jon
