12170 Views | 10 Helpful | 2 Replies

IOS Firewall vs. ASA

sonepar (Level 4)

Is there a document that compares the security functionality and features of the ASA and the IOS firewall? I need to document why I would want to deploy ASAs at branch locations versus the firewall feature set on the WAN routers.

2 Replies

julomban (Level 3)

Hello Sonepar,

It really depends on the engineer’s viewpoint. Some prefer to have a single device do their routing and their security, while others prefer to have dedicated security devices. This reasoning, however, does not really determine what the “best” solution for your network is.

One difference is that the IOS router starts out by allowing all traffic [on your untrusted interfaces], whereas the ASA starts by denying all traffic. Consequently you have to configure the actual hardening of your IOS router. I will say the ASA typically offers faster performance, but that’s partially because the ASA is sort of a one-trick pony and not doing any dynamic routing.

I think one of the main things to consider is the complexity of VPN features desired. The ASA’s feature set is relatively limited in this respect. If you want to leverage more advanced features like DMVPN or GET VPN, an IOS router is your only option, as the firewall does not support those. Of course, by default the ASA performs a little faster on VPN tunnels.

If you’re looking for an appliance to just do traffic inspection, predominantly for a web DMZ or publicly accessible network, probably the ASA is your best bet. If however you have a highly decentralized -internal- network where branch offices frequently talk to each other, then you would benefit from something like DMVPN, thus your deployment would be greatly simplified using something like a 2800.

Policy-Based Routing is not supported on the ASA; since it is a security device, it only routes traffic through one active default gateway and cannot classify packets based on source/service like a router does.

In my personal preference, I find myself moving away from the philosophy of this specialized device for routing and this specialized device for security. I prefer to simplify my deployments, and believe me w/ NAT, VPNs, Firewall, IPS, having an ASA sitting behind your border router…it can add a significant amount of complexity to your design…and ultimately, your troubleshooting.

Again, in the end it all depends on your company's requirements and what you are looking for.

Regards,

Juan Lombana

Please rate helpful posts.


Remember that the development efforts of new IOS Firewall features are directed to the Zone-based Policy Firewall or Zone Policy Firewall (ZFW or ZPF).

The ZFW modifies IOS by introducing the concept of security zones, which enables easier definition of the degree of trustworthiness of a given interface.

Router interfaces are placed in security zones, and inspection is applied to packets crossing the firewall between two given zones. One interface residing on a certain security zone is forbidden from passing packets to interfaces that are members of different zones, unless an inter-zone policy is explicitly defined.

Also, no traffic is enabled to flow between zone and non-zone interfaces.

This results in a default blocking between zones, suggesting a simpler way to close the router than that provided by CBAC.
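As an added illustration of the zone model described in this reply (example configuration written for this page, not taken from the thread or from Cisco documentation), here is a minimal ZFW setup on a branch router; the interface names and the 192.0.2.0/24 inside prefix are assumptions:

```cisco
! Added example: minimal Zone-Based Policy Firewall on an IOS branch router.
! Interface names and addresses below are assumed for illustration only.

! 1. Define the security zones.
zone security INSIDE
 description Branch LAN (trusted)
zone security OUTSIDE
 description WAN uplink (untrusted)

! 2. Classify the inside-originated traffic that is allowed out.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp

! 3. Stateful inspection for the matched traffic; anything else in this
!    zone-pair falls into class-default and is dropped and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

! 4. A zone-pair binds the policy to one direction only (INSIDE -> OUTSIDE).
!    No OUTSIDE -> INSIDE zone-pair is defined, so unsolicited inbound
!    traffic is denied by default; return traffic for inspected sessions is
!    permitted by the state table, not by any explicit rule.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE

! 5. Place interfaces in zones. Traffic between interfaces in the same zone
!    is permitted; traffic between a zone member and an interface that is in
!    no zone is dropped, which is the "default blocking" the reply refers to.
interface GigabitEthernet0/0
 description Branch LAN
 ip address 192.0.2.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN uplink
 zone-member security OUTSIDE

! Verify active inspected sessions per zone-pair:
!   show policy-map type inspect zone-pair ZP-IN-OUT sessions
```

Traffic to and from the router itself belongs to the built-in self zone and is still permitted unless a zone-pair involving self is configured, so management-plane hardening is a separate step.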
