I have a new project that we are likely going to put a 6509 in the core of a new network. I am in need of a firewall for this network, but I am not sure if I want to just get a Firewall Services Module for the 6509 or if I should just get an external Adaptive Security Appliance. I like the integration of the service module into the 6509 chassis, but it seems like the new ASAs have more features. What do you think?
Yes, the ASA devices do have more functionality, especially when you consider the modules you can use in them. They are multipurpose security devices which can do firewalling/VPNs/IPS/anti-virus.
The FWSM is pretty much just a firewall. It cannot do any of the additional things an ASA can do and it cannot terminate VPNs for users/remote sites. That is not to say it is not suitable in certain situations. Having the FWSM integrated into the switch gives it the ability to see any VLANs. Yes, you can do this with trunking on the ASAs; I just think it is more elegant on the FWSM. The other thing to be aware of is that it does not communicate directly, i.e. via the switch fabric, with any other modules, e.g. the IDS/IPS module. To communicate between the 2 you need something like the CS-MARS software.
It really depends on your requirements. If high throughput is the major concern the FWSM could be the way to go.
What we need now is for Cisco to release an ASA blade :-)