How to Choose a Cisco ASA 5500-X Series

Photo Credit: Aaron Paxson via Flickr CC

The Cisco ASA (Adaptive Security Appliance) is a family of enterprise-level firewalls for a network security infrastructure. When it comes to the ASA appliances, there are tons of models to sort through, all with different features. This post compares several models in the ASA 5500-X series and offers insight into choosing the best option for you.

Cisco’s ASA firewalls are generally best suited for enterprise setups. If you own a smaller business, there are options within this family that may suit your needs, but keep in mind their features are limited compared to higher end models. The following information does not include every model in the 5500-X series. I’ve included the ones that I felt were the most appropriate step up from the lower models while taking into account price and features.

Hardware Specs for Cisco ASA 5500-X Series

| | ASA 5505 | ASA 5506-X | ASA 5512-X | ASA 5525-X | ASA 5555-X |
|---|---|---|---|---|---|
| Approximate Cost | $350+ | $400+ | $2,000+ | $2,800+ | $8,500+ |
| Maximum Simultaneous Sessions | 10,000/25,000 | 20,000/50,000 | 100,000 | 500,000 | 1,000,000 |
| Maximum VPN user sessions (Cisco AnyConnect, IKEv2) | 25 | 2/50 | 2/250 | 750 | 5,000 |
| Stateful Inspection Throughput | Max. 150 Mbps | 750 Mbps | 1 Gbps | 2 Gbps | 4 Gbps |
| Multi-protocol Stateful Inspection Throughput | N/A | 250 Mbps | 500 Mbps | 1 Gbps | 1.5 Gbps |
| VLANs | 3/20 | 5/30 | 50/100 | 200 | 500 |
| Built-in Ports | 8 ports Fast Ethernet, 2 of them with Power over Ethernet | 8 ports Gb Ethernet | 6 ports 10/100/1000 | 3 ports 10/100/1000 | 8 ports 10/100/1000 |
| Memory | | 4 GB | 4 GB | 8 GB | 16 GB |
| Hard Drive | | 50 GB SSD | 1 slot, 120 GB self-encrypting | 1 slot, 120 GB self-encrypting | 2 slots (RAID 1), 120 GB self-encrypting |

Features

Cisco’s ASA 5500-X series offers a lot of features. However, many of them require further licensing. Take note that this chart only lists the key features. If you want to do some heavy reading, check out Cisco’s licensing details for a comprehensive list of what each device offers. Otherwise, this chart should contain all the information you need.

| | ASA 5505 | ASA 5506-X | ASA 5512-X | ASA 5525-X | ASA 5555-X |
|---|---|---|---|---|---|
| Users/Nodes | 10 (Base license); 50/Unlimited with additional license | Unlimited | Unlimited | Unlimited | Unlimited |
| Failover | Security+ License | Security+ License | Security+ License | Included | Included |
| AnyConnect | Optional License | Optional License | Optional License | Optional License | Optional License |
| BotNet Filtering | No support | Timed License | Timed License | Timed License | |
| IPS | No Support | No Support | Optional License | Optional License | Optional License |
| Clustering | No support | No support | Security+ License | Included | Included |
| GTP/GPRS | No Support | No Support | No Support | Optional License | Optional License |
| VPN | AnyConnect or Apex License | AnyConnect or Apex License | AnyConnect or Apex License | AnyConnect or Apex License | AnyConnect or Apex License |

Note: Optional licenses listed above are separate for each feature. For example, AnyConnect and IPS both require a separate optional license to enable these features.

If you’re going to pay for an ASA, you really should be making use of those additional features. I won’t go into all of them here.

BotNet Filtering

To put it in non-technical terms, BotNets are like an army of zombie computers directed by a malicious user. These are often used in DDoS (Distributed Denial of Service) attacks and can wreak havoc on your network. These work by overloading your network with traffic to the point that genuine traffic is consistently dropped. These are targeted towards high-profile web servers, but don’t assume you won’t become a victim of a DDoS attack just because your company is fairly low key.

Failover

Failover support is pretty simple. You have one of two scenarios. In an Active/Standby scenario, one ASA sits idle in case the active one goes down, in which case it automatically takes over the job of the failed firewall. You could also set up an Active/Active scenario, where each firewall has its own task, but if one fails the other takes over both jobs. This sort of redundancy is important in a network requiring high availability and lets you carry on business as usual until your techs replace the faulty device.
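As an added illustration that is not part of the original post, here is roughly what an Active/Standby pair looks like on the ASA CLI using the standard failover commands. The interface names assume a 5512-X-class appliance (GigabitEthernet0/x), and the IP addresses and shared key are constructed placeholders.

```text
! Primary unit (constructed example, not from the post)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <shared-secret-placeholder>
failover polltime unit 1 holdtime 3
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface GigabitEthernet0/2
 description LAN failover + stateful link
 no shutdown
!
failover

! Secondary unit: only the failover lines differ; it pulls the rest
! of the configuration from the primary once the link comes up.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <shared-secret-placeholder>
interface GigabitEthernet0/2
 no shutdown
failover

! Check: "show failover" on the primary should report it as Active and
! the secondary as Standby Ready; interfaces that are monitored must
! share the same subnet on both units or they will show as failed.
```

On the 5505 and the smaller X models the table above shows this requires the Security Plus license, so verify it is installed (show version) on both units before enabling failover.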

IPS

IPS (Intrusion Prevention System) is software that is constantly monitoring network traffic for malicious activity. Not only does it monitor for this activity, but it can stop it as well. IPS can drop the traffic, block the offending IP, send out a warning to system admins, and reset connections. Threats are detected through signatures, anomalies, or through stateful protocol analysis. This is another safety mechanism to reduce the chance of dealing with security breach aftermath.

As you can see, these additional features are quite valuable. Don’t skimp on them if they are within budget. Cleaning up a network security breach is an involved process that takes a lot of time and resources away from your company.

Choosing A Firewall

To begin, look at your current setup. You don’t want to compare all these models, choose one, and then find out that it’s not compatible with your hypervisor or existing switches. Since this information is so extensive, I’ll have to refer you to Cisco’s ASA compatibility documentation. If you find something incompatible, you can either remove the incompatible device(s) or consider a different firewall option.

Next you should come up with a budget. These firewalls aren’t cheap, and certain features you may want could be out of your price range. In this case you’ll want to look into Cisco alternatives or try to rework the budget to make it affordable.

You should also look at scalability. Low-end models that don’t support clustering could turn into a headache for your admins later on, since they’ll need to configure each ASA individually. Keep in mind that the ASAs listed here that do support clustering can only group two devices. If you require more, you’ll have to look to the 5580 and 5585-X models.

Another thing you need to consider is licensing costs. These devices have a lot of features, but you’ll have to pay to use them! Be sure to get input from your IT team on what they think will work best before making a purchasing decision. If you have any questions or comments you’d like to add, feel free to leave a comment below.