I'm looking for suggestions to replace an ASA 5520 that is currently acting as our main DC Firewall. My concern is that we currently do not have any sort of malware protection, no IPS features, and realistically our ASA is mainly a device we use to NAT public IPs into different servers. I am a CCIE Voice with little experience in Security so I will defer to you for solid advice.
Migration sheets indicate a 5525-X could be an obvious option, does anybody have any other suggestions?
As far as requirements, here are some details that may help.
- We have a 50 Mb internet circuit.
- We have about 100 public IPs that NAT into our DC.
- I'd like something that provides deep packet inspection and advanced malware protection. Basically layer 7.
- Hopefully the device has some sort of management platform (web interface at least) where we can have some visibility into what's going on.
The 5525-X with FirePOWER services would fit the requirements you're talking about.
The services run in a software module which does the NGIPS, AMP, etc. features. There is a performance hit when you turn on all of those, but a 5525-X with all available features active can easily handle 50 Mbps of throughput. One downside is we can't (currently) do SSL decryption on the ASA-based FirePOWER modules. That's coming later this year (of course with a further performance hit depending on how much of your traffic requires decryption).
You also deploy a separate FireSIGHT Management Center on a VM (requires VMware ESXi). The FMC server is where you configure the policies and can drill down into the various operational views, extract reports etc.