The Self-Defending Network
Outgrowing your current firewall is much like graduating from school: exciting, frightening, a beginning and an ending, all rolled into one. Cisco Systems has done some graduating of its own and now offers the Cisco Adaptive Security Appliance series, which is suited for creating a self-defending network.
For years, the top tier in firewalls has been the Cisco Private Internet Exchange (PIX) series of security devices. Administrators familiar with Cisco's Internetwork Operating System (IOS) felt at home with the power of the PIX's IOS-style command-line configuration.
The PIX was limited, however, by being only a firewall. It had to rely on a multitude of additional devices (intrusion prevention, VPN concentrators, content filtering) to round out a good security plan. Meanwhile, business needs, especially those of smaller companies, were growing faster than Cisco could affordably keep up with. Not to mention that administrators were tiring of the command-line interface and increasingly demanding a graphical interface to simplify things. Enter the new Adaptive Security Appliance.
ASA is the next evolutionary step from Cisco, combining many functions in one device. It has the proven firewall technology of the PIX, the intrusion and attack prevention features of the Cisco Intrusion Prevention System, the multilayered virtual private network capabilities of the Cisco VPN 3000 and the graphical administration of Cisco's Adaptive Security Device Manager (ASDM). Add these together and you have a comprehensive security solution of real value to your business, one that is geared toward reducing operating costs.
ASA for Small Business
For some time, Cisco has been directed at midsize to large businesses, leaving small businesses to competitors, such as SonicWall. With the recent purchase of Linksys, Cisco has announced its intention to enter the small business market as well. The recent creation of a base model 5510 (“base” here in no way should be interpreted as “stripped bare”) puts the power of Cisco in reach of the little guy. The base 5510 is comparable to the PIX 515E and features maximum firewall throughput of 300 megabits per second, maximum VPN throughput of 170Mbps, and 32,000 maximum connections with 50 IP security VPN peer licenses.
Why It Works for IT
Several firewalls are on the market, so why choose the ASA? None can match it feature-for-feature at such a low price point. You get several full-powered network devices in one box. Once this fat little pumpkin is in place, keeping it current with Cisco's software and signature updates as they are released is most of the ongoing work. The Cisco training you'll want to get will look great come review time. And SMARTnet puts the full expertise of Cisco at your fingertips should you somehow get in over your head.
The IOS-style command line is still an option for administrators, although the command set has naturally been expanded. The initial configuration is done by connecting a computer to the ASA through a console cable plugged into the console port on the rear of the unit. Once some basic configuration is completed (at the very least a host name, an IP address on an interface, and HTTPS management access permitted from your administration network), much of the rest of the configuration can be accomplished through the ASDM software, which comes with the ASA. ASDM provides a GUI for the many features and log charts of the ASA. To install and use ASDM, point a Web browser at the ASA's IP address (make sure to use https:// or it won't work) and follow the links to install the software.
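The console bootstrap described above, written out as an added example (this is not configuration from the original article or from Cisco's documentation). It assumes an ASA 5510 with its Management0/0 port wired to a dedicated administration subnet; the host name, domain name, addresses, username and passwords are placeholders chosen for illustration. The point a practitioner should take from it is that HTTPS and SSH access are permitted only from the management subnet, not from everywhere, before the box is ever put on the network.

```cisco
! Added example: minimal bootstrap of an ASA 5510 from the console, enough to
! switch to ASDM over HTTPS. All names, addresses and credentials are assumed.
hostname asa5510-edge
domain-name example.com
!
! Dedicated management interface, kept off the data path with management-only.
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
 no shutdown
!
! Inside data interface (addresses assumed).
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Local administrator account; password and privilege level are placeholders.
username admin password ChangeMeNow privilege 15
enable password ChangeMeNowToo
!
! ASDM runs over HTTPS only. Enable the server, then permit just the management
! subnet, never "http 0.0.0.0 0.0.0.0 outside", so the admin interface is not
! reachable from every network the appliance touches.
http server enable
http 10.10.10.0 255.255.255.0 management
!
! CLI access: SSH version 2 only, from the management subnet, with local AAA.
! No "telnet" line is configured, so cleartext CLI logins stay disabled.
! (crypto key generate rsa is run from privileged EXEC mode, after hostname and
! domain-name are set.)
crypto key generate rsa modulus 2048
ssh 10.10.10.0 255.255.255.0 management
ssh version 2
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! Save the running configuration to flash so it survives a reboot (EXEC mode).
write memory
```

With this in place, a browser on the management subnet can open https://10.10.10.1/admin to launch ASDM; the ASDM image on flash must match the ASA software release and is selected with the `asdm image` command (file name omitted here, since it depends on the version shipped with the unit).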
ASDM is a bit overwhelming at first, because the ASA itself has an overwhelming array of features, even though Cisco tried to arrange the interface as logically as possible. Upon login, you are greeted with a home page offering an at-a-glance overview of what an administrator needs to see.
Use ASDM to drill down and monitor more specific features or to configure the ASA to suit your needs.
Don’t expect administration to be simple. No books on administering the ASA could be found at the local bookstores, so your best bet for education remains taking a class through an approved Cisco training facility. Follow the Training & Events link from Cisco’s Web site for more information, www.cisco.com/web/learning/index.html.
The 5510 goes a long way toward creating a self-defending network. But some features were left out to lower the total cost. Intrusion detection and prevention and antivirus features must be purchased separately as add-on modules for the built-in expansion bay. Secure Sockets Layer VPN licenses, sold in packs of 10 for around $835, must also be purchased separately but are highly recommended.
The GUI is also busy, cluttered and can be frustrating when you’re looking for a feature with which you are unfamiliar.
Cisco’s SMARTnet can be a bit pricey, enough to put some people off. There is little room for negotiation here. Technically you don’t need to renew your subscription, but heaven help you if you don’t have it when you need it. When you outgrow it, trade it in for a discount toward a 5520, or maybe you’ll need a 5540 by then.
Features Available in the ASA 5500 Series
- graphical management through the ASDM console, alongside the command line;
- user, network and URL access control;
- application and protocol inspection;
- site-to-site virtual private network with support for Open Shortest Path First (OSPF) and Quality of Service (QoS);
- IP security client-based VPN;
- Secure Sockets Layer, clientless Web-based VPN;
- attack and intrusion prevention via application inspection and control services;
- virus, spyware and malware inspection and prevention;
- IPv4 and IPv6 support;
- IEEE 802.1Q virtual LAN tagging for easy network trunking;
- USB ports for future expansion with additional Cisco devices;
- expansion bays for adding physical modules to enhance the device’s current feature set;
- multiple 10/100/1000 Ethernet ports (typically configured as WAN, LAN, DMZ and optional).
Before you buy, keep the following in mind:
- The ASA could replace existing devices in your network, thus saving you money. Review the features and see what it can do for you. Talk to experts. Consultants are generally happy to inspect your current setup if you hire them to upgrade it.
- Cisco products have a steep learning curve. Cisco expects you to have training. Ensure that your IT team has at least one trained expert.
- Know what you want from the device before you buy it. The ASA is a feature-rich device. Package deals can save money or waste it: features you've paid for waste money if they aren't being used; features not purchased waste money if they're badly needed.
CDW Price: The 5500 Series includes the base model 5510, starting at $2,298; the enterprise-class 5520, starting at $5,220; and the large-enterprise 5540, starting at $11,527.
Jeremy Dotson is a local-area network administrator for Tronair (www.tronair.com), a manufacturer of aircraft ground-support equipment in Holland, Ohio.