Cisco ASA models features

S891
Level 2

Hi,

I am a little confused with the different models of Cisco ASA Firewalls. I am trying to understand the real benefit of the ASA Next-Gen Firewalls. I understand the next-gen has visibility up to layer 7, but:

- With CX, did the previous gen of ASA Firewall have the same or similar capability?

- Is CX removed from the Next-Gen FW?

- Is AVC something apart from CX and a new feature in the Next-Gen FW?

- What is the real advantage of upgrading to a next-gen FW from older gen ASA Firewalls?

Thanks


3 Replies

Marvin Rhoads
Hall of Fame

Next Generation Firewall (NGFW) is partly a marketing term. Wikipedia has a definition (as does Gartner and a host of others). Typically it's understood to mean something more than a simple stateful firewall that only looks at packets up to the TCP session level.

Cisco ASA has had add-on features for years like IPS modules and the ability to use Identities in access-lists that could arguably be called NGFW. More recently they had the CX module (now approaching End of Sale). It had several NGFW features including AVC, Web Security Essentials (WSE) and IPS.

The current product lineup includes the FirePOWER modules, with technology acquired from Sourcefire being developed and integrated into the Cisco security portfolio, including ASAs. Those also have AVC (basically the ability to look deep into a flow and determine application-specific (or even "microapplication") information). You leverage that with the addition of IPS, Web filtering and/or Advanced Malware Protection (AMP) licenses on the FirePOWER modules.

The advantage is that you are able to protect your enterprise from modern-day threats. With the vast majority of malware being exploits from web pages (or at least carried over http/https), the traditional firewall with a rule allowing, say, only http from inside clients does nothing to protect against those threats. Client-side anti-malware software can help, but it may be too late once the malware has been identified.
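
The point Marvin makes about a port-based rule is easy to see in code. The following is an added illustration, not part of the thread and not Cisco's software: a toy policy engine that puts a stateful L4 rule ("permit tcp inside any eq www", which only consults protocol and port) beside an application-aware check that parses the HTTP request, classifies the application from the Host header, and searches for a content signature. Every host name, address, application label and the "signature" string is constructed for the example; the host table and signature list stand in for an AVC classifier and an IPS rule set, which in a real module are far richer.

```python
# Added example (not from the thread, not Cisco's software): a toy policy engine
# contrasting a stateful L4 rule with application-aware (L7) inspection.
# All hosts, addresses, flows, application names and the "signature" are constructed.
from dataclasses import dataclass


@dataclass
class Flow:
    src: str          # inside client
    dst: str          # destination server
    proto: str        # "tcp" / "udp"
    dport: int        # destination port
    payload: bytes    # first bytes of application data seen on the flow (constructed)


def l4_rule_permits(flow: Flow) -> bool:
    """Traditional stateful rule, e.g. 'permit tcp inside any eq www':
    only protocol and destination port are consulted; the content is never read."""
    return flow.proto == "tcp" and flow.dport == 80


def parse_http_request(payload: bytes):
    """Parse a minimal HTTP/1.x request. Returns (method, path, headers), or None
    when the bytes are not HTTP at all (e.g. some other protocol tunnelled on 80)."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


# Constructed host-to-application table standing in for an AVC-style classifier.
APP_BY_HOST = {
    b"www.example.test": "web-browsing",
    b"video.example.test": "streaming-video",
    b"files.example.test": "file-sharing",
}

# Constructed IPS-style content signature; a real sensor uses far richer rules.
SIGNATURES = [b"CONSTRUCTED-MALICIOUS-MARKER"]


def l7_verdict(flow: Flow, blocked_apps, signatures=SIGNATURES):
    """Application-aware decision. Returns (action, reason) so the reason can be
    logged, which is what a defender needs when reviewing what was blocked and why."""
    if not l4_rule_permits(flow):
        return "deny", "l4-acl"
    req = parse_http_request(flow.payload)
    if req is None:
        return "deny", "not-http-on-port-80"
    _method, _path, headers = req
    app = APP_BY_HOST.get(headers.get(b"host", b""), "unknown-http")
    if app in blocked_apps:
        return "deny", "app:" + app
    for sig in signatures:
        if sig in flow.payload:
            return "deny", "ips-signature"
    return "permit", "app:" + app


def http_get(host: bytes, path: bytes = b"/", extra: bytes = b"") -> bytes:
    """Build a constructed HTTP/1.1 GET request, optionally followed by more data."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n" + extra


# Constructed sample flows from an inside client (RFC 1918 / documentation addresses).
SAMPLE_FLOWS = {
    "browsing": Flow("10.0.0.5", "192.0.2.10", "tcp", 80, http_get(b"www.example.test")),
    "video":    Flow("10.0.0.5", "192.0.2.11", "tcp", 80, http_get(b"video.example.test", b"/stream")),
    "tunnel":   Flow("10.0.0.5", "192.0.2.12", "tcp", 80, b"\x16\x03\x01\x00\x05not-http"),
    "download": Flow("10.0.0.5", "192.0.2.13", "tcp", 80,
                     http_get(b"www.example.test", b"/dl", b"CONSTRUCTED-MALICIOUS-MARKER")),
    "ssh":      Flow("10.0.0.5", "192.0.2.14", "tcp", 22, b"SSH-2.0-client\r\n"),
}


def compare(flows=SAMPLE_FLOWS, blocked_apps=("streaming-video",)):
    """Return {name: (l4_action, l7_action, l7_reason)} for every sample flow."""
    out = {}
    for name, flow in flows.items():
        l4 = "permit" if l4_rule_permits(flow) else "deny"
        l7_action, reason = l7_verdict(flow, blocked_apps)
        out[name] = (l4, l7_action, reason)
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:9s} L4={row[0]:6s} L7={row[1]:6s} ({row[2]})")
```

Running it shows the gap the reply describes: the L4 rule permits four of the five flows because they are all TCP to port 80, while the L7 path blocks the streaming application by policy, refuses non-HTTP bytes riding on port 80, and stops the flow carrying the constructed marker. Only the SSH flow is denied by both, which is the one case a port-based rule handles on its own.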

Thanks for the reply, Marvin. So it can be roughly assumed:

- Older gen FW + CX (with AVC) ~ Next-Gen FW

- Next-Gen FWs provide better protection against current threats

- Next-gen FWs have built-in AVC and CX capability

You're welcome.

On your last statement, I wouldn't say it quite that way. CX is a product name - some of its features (mainly context awareness) are included in NGFW without a CX module (i.e. in the ASA with FirePOWER module - a completely different set of software than the CX module). The CX's IPS was (even admittedly by Cisco) very basic and nowhere near as sophisticated and comprehensive as the IPS feature set in the FirePOWER modules.

If this has answered your question, please mark it as such. Thanks. 
