Network security basics: A Buyer's Guide
A collection of articles that takes you from defining technology needs to purchasing options
Editor's Note: This Cisco ASA firewall product overview is part of a series on buying network security products for the enterprise. The series explores the evolution of network security and lays out some major use cases. It also looks at the buying criteria for network security products and compares the leading network security vendors in the market.
Cisco is well-known for purchasing smaller network technology companies and using them to fill a void in its portfolio. Such is the case with Cisco's next-generation firewall (NGFW) technology. With its acquisition of security company Sourcefire in 2013, Cisco has integrated Sourcefire's threat protection software into its latest line of Adaptive Security Appliances (ASAs) with FirePower firewalls. This includes features such as:
- FirePower NGIPS: A real-time, next-generation intrusion prevention system (IPS) with contextual awareness.
- Advanced threat protection (AVP): A feature that uses global threat intelligence to protect against zero-day threats.
- Rapid threat containment: A tool that, in the event a threat is identified, automatically applies special security policies on other security and network devices to mitigate the threat.
NGFW platform options
The Cisco ASA firewall lineup spans 11 different models, based on performance and connectivity options. This overview will compare low-, medium- and high-end ASA with FirePower models on the market today.
The entry-level Cisco ASA firewall is engineered with eight 1 GbE interfaces for connecting different network zones. In terms of performance, the base 5506-X with IPS and Layer 7 application control enabled provides up to 125 Mbps of IPS throughput. It also supports a maximum of 5,000 connections per second. It's a good option for small to medium-sized branch offices.
The ASA 5545-X with FirePower is in the middle of the Cisco ASA firewall family. Designed for larger corporate offices and campus networks, the 5545-X includes eight 1 GbE interfaces. In addition, there is an expansion slot to add six additional copper ports or six small form-factor pluggable (SFP) interfaces for either copper or fiber connectivity. A full gigabit of throughput is achieved when IPS and Layer 7 application control are enabled. It's rated at 30,000 connections per second.
At the upper end of the Cisco ASA firewall lineup is the ASA 5585-X with FirePower. These firewalls are designed for large data centers and service provider networks. Although its form factor is small compared to competitor firewalls that use much larger chassis, the two-rack unit appliance performs well. One slot houses the ASA stateful inspection and firewall module, while the second slot is for the FirePower feature module. Up to 16 5585-X firewalls can be combined to act as a single, high-performance firewall. A single 5585-X with the FirePower module can provide a maximum throughput of 10 Gbps with IPS and Layer 7 application control enabled. Up to 160,000 new connections per second can be processed. The model is equipped with either 16 10/100/1000 Mbps copper Ethernet interfaces and two 10 Gbps SFP+ interfaces, or 12 10/100/1000 Mbps copper Ethernet interfaces and four 10 Gbps SFP+ interfaces.
Pricing and support
Cisco ASA firewall hardware and support are available through Cisco partners, which also set the purchase price for hardware and software. Cisco's list price for ASA with FirePower appliances ranges from $1,000 for the 5506-X to $225,000 for a fully loaded 5585-X firewall.
SmartNet support can include phone and email support, remote troubleshooting, firmware upgrades and defective hardware replacement. Prices are based on how quickly replacement hardware is shipped to a customer.