Saturday, September 18, 2010

The Modern Firewall

The firewall landscape is fairly cluttered these days. To make things more confusing, most devices in this class offer a very similar feature set. The most common features people look for in a firewall are dynamic NAT, static NAT, firewall rules, site-to-site VPNs and VPN server functionality. Almost every firewall vendor offers these features, leading most network admins to buy the cheapest device on the assumption that they are all the same.

For some people, this strategy works. But I would argue that these people are most likely running networks that are extremely small, with very few applications, minimal bandwidth, and a firewall that is used for little more than reaching the internet. I won't address those networks here. For the rest of us running modern networks under 250 users, the requirements for the internet edge device (the firewall) have changed to include the following…

  • Clientless VPNs: Sometimes referred to as SSL VPNs, these allow users to connect securely from anywhere outside the network to reach their applications, without a VPN client installed on the device.
  • Advanced authentication: As networks have grown, it is no longer effective, or secure, to keep local user accounts on devices. Users must be authenticated centrally, and the best way is to authenticate against Active Directory (assuming you are running an A.D. domain). I can't tell you how many times I've looked at network devices only to see user accounts that nobody knew who they were for.
  • Advanced application inspection: Applications have gotten more complex. SIP, which is a protocol used for voice and video, needs more than standard NAT translation to work. SIP puts network addresses inside the data portion of the packet, so when the packet passes through the firewall and NAT is applied to the IP header only, the application at the remote end of the connection still sees the private address, which breaks the connection. Firewalls need to be able to see past the packet headers and translate those embedded addresses as well.
  • Malware prevention: Everybody (anyone with any sense) runs anti-virus on their desktops, but we have seen that this doesn't stop everything. We tend to blame the anti-virus products, but it's not all their fault: malware has become very complex and can circumvent many detection mechanisms. Obviously we need an effective product that balances usability and protection, but I don't think that is the complete solution, and I don't think deploying additional software on workstations is effective either, as it makes management complex and depends on the workstation having all those applications running and updated for it to be secure. What happens if you need to shut the software down for some reason, or if you deploy a new PC that hasn't been updated yet? You are exposed! Today's firewalls need to be able to do some malware detection/prevention at the edge.
  • Guest user access: Everyone has clients that need internet access. Most people just give them the key to their network with the expectation that they will only use the internet; you have also just handed them the keys to the front door. Networks have to support secured logical partitions that let guests reach the internet without access to any corporate resources.
  • Mobility support…
    • Devices configured with DNS names to access applications often break when they connect from the LAN side, inside the firewall, because the public name resolves to an address the device cannot reach from there. Almost every mobile phone today has wifi capability, and I have read articles predicting that the mobile phone will be the primary device for accessing the internet in a very short time. Users will want to use their applications on their devices even when inside the network, and they are going to expect even better reliability and performance.
    • Remote phones: With the increase of VoIP deployments (they will become the standard in the very near future), users will expect to be able to take their phone anywhere, connect it up and have it work just as if they were in the office.
  • Availability: Internet access is more important for business, and bandwidth is cheaper, so redundant internet access is now affordable even for small businesses. I see a lot of bonded T1s out there backed up by cable/DSL internet access. Firewalls need to handle failover between these links automatically, with no IT intervention.
  • Management & monitoring: With increased emphasis placed on the internet, network admins need to be able to manage the firewall easily and see what's going on in it for troubleshooting, capacity planning, and security. Some networks will need to capture all logs/events at the internet edge for compliance reasons, depending on the industry.
  • Throughput! We have seen steady increases in internet bandwidth, both due to the need for B2B applications and the generally lower cost of bandwidth. This trend will continue, at least in the short term. Firewalls will need to keep running the same services (inspection, VPN, malware filtering) at these higher rates without becoming the bottleneck.
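To make the SIP inspection point above concrete, here is an added example of my own (a constructed model of what a firewall's SIP inspection does, not Cisco code): it takes an outbound INVITE from a phone on the private LAN, rewrites the private address that SIP carries in the Via and Contact headers and in the SDP body to the firewall's public address, recalculates Content-Length, and records the RTP/RTCP pinholes the firewall would open so the far end's media can come back in. The addresses, the NAT table, the INVITE itself and the function names are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed NAT table: inside phone address -> firewall public address.
# (Assumed values; not taken from any real network or Cisco configuration.)
INSIDE_TO_OUTSIDE: Dict[str, str] = {"10.0.0.25": "203.0.113.5"}

# Constructed outbound INVITE from a phone on the LAN. The Via/Contact headers
# and the SDP o=/c= lines all carry the private address, which is exactly what
# breaks the call when only the IP header is translated.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.25:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@10.0.0.25:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.25\r\n"
    "s=call\r\n"
    "c=IN IP4 10.0.0.25\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TRANSLATED_HEADERS = ("via", "contact")   # identity headers (From/To) are left alone here


def _translate(text: str, mapping: Dict[str, str]) -> str:
    """Replace only addresses present in the NAT table; leave everything else untouched."""
    return IPV4.sub(lambda m: mapping.get(m.group(1), m.group(1)), text)


def nat_sip_message(msg: str, mapping: Dict[str, str]) -> Tuple[str, List[Tuple[str, int]]]:
    """Simplified model of firewall SIP inspection for an outbound request.

    Returns the rewritten message and the (public address, port) pinholes the
    firewall would open so the far end's RTP/RTCP can come back in.
    Assumes a session-level c= line that precedes the m= lines.
    """
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("malformed SIP message: missing header/body separator")

    headers = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in TRANSLATED_HEADERS:
            line = f"{name}:{_translate(value, mapping)}"
        headers.append(line)

    body_lines, pinholes, media_addr = [], [], None
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = _translate(line, mapping)
        if line.startswith("c="):
            media_addr = line.split()[-1]
        elif line.startswith("m="):
            port = int(line.split()[1])
            # Only open pinholes toward addresses this firewall actually owns
            # (ones we just translated). An SDP naming some other host must not
            # be able to punch a hole toward a third party.
            if media_addr in mapping.values():
                pinholes.append((media_addr, port))       # RTP
                pinholes.append((media_addr, port + 1))   # RTCP
        body_lines.append(line)
    new_body = "\r\n".join(body_lines)

    # The body changed length, so Content-Length must be recalculated.
    length = len(new_body.encode("utf-8"))
    headers = [f"Content-Length: {length}" if h.lower().startswith("content-length:") else h
               for h in headers]
    return "\r\n".join(headers) + "\r\n\r\n" + new_body, pinholes


if __name__ == "__main__":
    translated, holes = nat_sip_message(SAMPLE_INVITE, INSIDE_TO_OUTSIDE)
    print(translated)
    print("pinholes:", holes)
```

The two details worth noticing are the Content-Length recalculation (a rewritten address is a different length, and a wrong Content-Length is itself a reason for the far end to reject the call) and the pinhole rule: the firewall opens media ports only for addresses it translated itself, never for whatever address an SDP happens to name.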

As I mentioned before, there are many vendors out there that offer products supporting all or most of these requirements. I have heard that Juniper has a very solid product and that Sonicwall has improved, but I will focus on Cisco here. The PIX firewall appliance, the predecessor of the ASA, was a solid firewall and offered tremendous reliability and consistent performance, but I was never really impressed with it as having much in the way of "bells and whistles". The ASA 5500 series has changed that. This is an impressive appliance that is very well thought out from a hardware and software design perspective. The software configuration and management is consistent across all the models and is much closer to IOS, making management that much easier for the Cisco admins out there. Combined with, in my opinion, one of the best support programs in the industry, providing true 24x7 support, this device is very compelling and can easily justify an upgrade.

On the hardware side, the 5505 comes with 8 switch ports, 2 of which are PoE capable. These would be used for access points or phones. The device supports VLANs, and the switch ports can be configured as access ports or trunks. Guest VLANs can be configured for wired ports, and when used with Cisco access points you can create a second wireless network for guest access on the same access point as your production network. The 5505 has an expansion slot that currently supports an Intrusion Prevention (IPS) module that can provide inline attack prevention. Cisco also offers a licensable feature (Botnet Filter) that inspects DNS traffic against a list of known malware sites and prevents access to those sites through the firewall. Between these two features, you can provide a fair amount of security at the network edge. One or multiple ports can be configured for redundant WAN connections.

The 5510 supports 4 physical interfaces. In contrast to the 5505, they are not switch ports but actual separate interfaces that can be assigned IP addresses. Great for datacenters, shared hosting environments, handling redundant WAN connections or providing transparent firewall services. Optionally, 2 of the ports can be converted to gigabit through a license upgrade. There is also a separate management port if required. The device also has an SSM slot that supports various modules providing Content Security (web & AV) or IPS services.

If you have a CallManager/CallManager Express voice platform, you can easily leverage the Phone Proxy license to let phones connect securely to the CallManager from the internet without requiring any special VPN setup. This is huge, both for users and for admins. The same applies to the SSL VPNs. Mobility is further enhanced by translating DNS lookups of public names to private IP addresses for clients on the inside, making the switch from 3G to wifi simple without breaking applications. SIP trunks will work from any application, PBX or video conference system.
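The DNS translation just described and the Botnet Filter's DNS inspection mentioned earlier both act on the same thing: the DNS reply passing through the firewall on its way to an inside client. The following added example is my own constructed model of that inspection, not Cisco's implementation. It parses a DNS response (including compressed names), drops replies for domains on a blocklist, and rewrites the published public A record of an internal server to its inside address, which is what lets a phone keep using the same DNS name on wifi as on 3G. The domains, addresses, the doctoring map, the blocklist and the function names are all constructed stand-ins.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

# Constructed policy, not a real feed or configuration:
#  - DOCTOR_MAP: a server's published public address -> its inside address.
#    Replies delivered to LAN clients get the inside address instead.
#  - BLOCKLIST: stands in for a known-malware domain list such as the one the
#    Botnet Filter consults.
DOCTOR_MAP: Dict[str, str] = {"203.0.113.10": "10.0.0.10"}
BLOCKLIST: Set[str] = {"malware.example"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(qname: str, addresses: List[str], txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed DNS response: one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C: compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + IPv4Address(addr).packed
    return header + question + answers


def read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (lower-cased name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                          # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels).lower(), end
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def _blocked(name: str, blocklist: Set[str]) -> bool:
    """Match the name itself or any subdomain of a blocklisted domain."""
    return name in blocklist or any(name.endswith("." + b) for b in blocklist)


def inspect_dns_reply(packet: bytes, doctor_map=DOCTOR_MAP, blocklist=BLOCKLIST):
    """Return (verdict, packet_or_None, details) for a DNS reply crossing the firewall.

    verdict is "drop" (blocklisted domain), "doctor" (A record rewritten) or "pass".
    """
    buf = bytearray(packet)
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):
        qname, off = read_name(buf, off)
        off += 4                                    # skip QTYPE + QCLASS
        if _blocked(qname, blocklist):
            return "drop", None, f"reply for blocklisted domain {qname}"
    rewrites: List[Tuple[str, str]] = []
    for _ in range(an):
        owner, off = read_name(buf, off)
        if _blocked(owner, blocklist):              # e.g. a CNAME chain ending on a bad name
            return "drop", None, f"answer owned by blocklisted domain {owner}"
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            public = str(IPv4Address(bytes(buf[off:off + 4])))
            private = doctor_map.get(public)
            if private:
                # Same length as the original rdata, so nothing else in the packet shifts.
                buf[off:off + 4] = IPv4Address(private).packed
                rewrites.append((public, private))
        off += rdlen
    return ("doctor" if rewrites else "pass"), bytes(buf), rewrites
```

Because an IPv4 address is always 4 bytes, the rewrite changes no offsets and the packet stays valid without re-encoding; the only thing a real firewall still has to fix up afterwards is the UDP checksum. Note that the check runs on every name in the reply, not just the question, since a query for a harmless name can be answered by a chain that ends on a listed one.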

In summary, the ASA 5500 series addresses several evolving issues at the internet edge that we all face today. It is a solid platform with a feature set that continues to grow, and the business case can be made for upgrading now.

For further technical information and comparisons, please visit the Cisco site at http://www.cisco.com/go/asa