×
< BLOG
Cyber Security

How to Choose a Cisco ASA 5500-X Series

February 12, 2016

Ashley Neu

Photo Credit: Aaron Paxson via Flickr CC

The Cisco ASA (Adaptive Security Appliance) is a family of enterprise-level firewalls for a network security infrastructure. When it comes to the ASA appliances, there are tons of models to sort through, all with different features. This post will compare several models in the ASA 5500-X series and offers insight to choose the best option for you.

Cisco’s ASA firewalls are generally best suited for enterprise setups. If you own a smaller business, there are options within this family that may suit your needs, but keep in mind their features are limited compared to higher end models. The following information does not include every model in the 5500-X series. I’ve included the ones that I felt were the most appropriate step up from the lower models while taking into account price and features.

Hardware Specs for Cisco ASA 5500-X Series

ASA 5505 ASA 5506-X ASA 5512-X ASA 5525-X ASA 5555-X
Approxomate Cost $350 + $400 + $2,000 + $2,800 + $8,500 +
Maximum Simultaneous
Sessions
10,000/25,000 20,000/50,000 100,000 500,000 1,000,000
Maximum VPN user
sessions, Cisco AnyConnect
IKEv2
25 2/50 2/250 750 5,000
Stateful Throughput
Inspection
Max. 150Mbps 750 Mbps 1 Gbps 2Gbps 4 Gbps
Multi-protocol Stateful
Throughput Inspection
N/A 250 Mbps 500 Mbps 1 Gbps 1.5 Gbps
VLANs 3/20 5/30 50/100 200 500
Built in Ports 8 ports fast ethernet
with 2 of those providing
power over ethernet
8 ports
Gb Ethernet
6 ports
10/100/1000
3 port
10/100/1000
8 ports 10/100/1000
Memory 4 GB 4 GB 8GB 16 GB
Hard Drive 50 GB SSD 1 slot, 120 GB self encrypting 1 slot
120 GB self
encrypting
2 slots (RAID 1)
120 GB self encypting

Features

Cisco’s ASA 5500-X series offers a lot of features. However many of them require further licensing. Take note that this chart is only listing the key features. If you want to do some heavy reading, check out Cisco’s licensing details for a comprehensive list of what each device offers. Otherwise, this chart should contain all the information you need.

ASA 5505 ASA 5506-X ASA 5512-X ASA 5525-X ASA 5555-X
Users/Nodes 10 (Base license)
50/Unlimited with
additional license
Unlimited Unlimited Unlimited Unlimited
Failover Security+ License Security + License Security + License Included Included
AnyConnect Optional License Optional License Optional License Optional License Optional License
BotNet Filtering No support Timed License Timed License Timed License
IPS No Support No Support Optional License Optional License Optional License
Clustering No support No support Security + License Included Included
GTP/GPRS No Support No Support No Support Optional License Optional License
VPN AnyConnect or
Apex License
AnyConnect or
Apex License
AnyConnect or
Apex License
AnyConnect or
Apex License
AnyConnect or
Apex License

Note: Optional licenses listed above are separate for each feature. For example, AnyConnect and IPS both require a separate optional license to enable these features.

If you’re going to pay for an ASA, you really should be making use of those additional features. I won’t go into all of them here.

BotNet Filtering

To put it in non-technical terms, BotNets are like an army of zombie computers directed by a malicious user. These are often used in DDoS (Distributed Denial of Service) attacks and can wreack havoc on your network. These work by overloading your network with traffic to the point that genuine traffic is being consistently dropped. These are targeted towards high profile web servers, but don’t assume you won’t become a victim of a DDoS attack just because you’re company is fairly low key.

Failover

Failover support is pretty simple. You have one of two scenarios. In an Active/Standby scenario, one ASA is sitting idle in case the active one goes down, in which case it automatically takes over the job of the failed firewall. You could also set up an Active/Active scenario, where each firewall has it’s own task, but if one fails the other takes over both jobs. This sort of redundancy is important in a network requiring high availability and let’s you carry on business as usual until your techs replace the faulty device.

IPS

IPS (Intrusion Prevention System) is software that is constantly monitoring network traffic for malicious activity. Not only does it monitor for this activity, but it can stop it as well. IPS can drop the traffic, block the offending IP, send out a warning to system admins, and reset connections. Threats are detected through signatures, anomalies, or through stateful protocol analysis. This is another safety mechanism to reduce the chance of dealing with security breach aftermath.

As you can see, these additional features are quite valuable. Don’t skimp on them if they are within budget. Cleaning up a network security breach is an involved process that takes a lot of time and resources away from your company.

Choosing A Firewall

To begin, look at your current setup. You don’t want to compare all these models, choose one, and then find out that it’s not compatible with your hyper-visor or existing switches. Since this information is so extensive  I’ll have to refer you to Cisco’s ASA compatability documentation. If you find something incompatible, you can either remove the incompatible device(s) or consider a different firewall option.

Next you should come up with a budget. These firewalls aren’t cheap, and certain features you may want could be out of your price range. In this case you’ll want to look into Cisco alternatives or try to rework the budget to make it affordable.

You should also look at scalability. Low end models that don’t support clustering could turn into a headache for your admins later on since they’ll need to configure each ASA individually. Keep in mind that the ASA’s listed here that can support clustering can only group two devices. If you require more, you’ll have to look to the 5580 and 5585-X models.

Another thing you need to consider is licensing costs. These devices have a lot of features, but you’ll have to pay to use them! Be sure to get input from your IT team on what they think will work best before making a purchasing decision. If you have any questions or comments you’d like to add, feel free to leave a comment below. 

subscribe by email

Stay Ahead