ASA Appliance or FW Service module for 6509?

Answered Question
Feb 5th, 2007

I have a new project in which we are likely going to put a 6509 in the core of a new network. I am in need of a firewall for this network, but I am not sure if I want to just get a Firewall Services Module for the 6509 or if I should just get an external Adaptive Security Appliance. I like the integration of the service module into the 6509 chassis, but it seems like the new ASAs have more features. What do you think?

varakantam Mon, 02/05/2007 - 10:47

It all boils down to your needs. FWSM has better throughput compared to any of the ASA models and integrates seamlessly with CATC6K. But you would be missing out on the VPN and QoS capabilities of the ASA.

Correct Answer
Jon Marshall Mon, 02/05/2007 - 10:54

Hi

Yes, the ASA devices do have more functionality, especially when you consider the modules you can use in them. They are multipurpose security devices which can do firewalling/VPNs/IPS/anti-virus.

The FWSM is pretty much just a firewall. It cannot do any of the additional things an ASA can do and it cannot terminate VPNs for users/remote sites. That is not to say it is not suitable in certain situations. Having the FWSM integrated into the switch gives it the ability to see any VLANs. Yes, you can do this with trunking on the ASAs, I just think it is more elegant on the FWSM. The other thing to be aware of is that it does not communicate directly, i.e. via the switch fabric, with any other modules, e.g. the IDS/IPS module. To communicate between the two you need something like the CS-MARS software.

It really depends on your requirements. If high throughput is the major concern the FWSM could be the way to go.

What we need now is for Cisco to release an ASA blade :-)

Jon

NPT_2 Mon, 02/05/2007 - 11:19

"What we need now is for Cisco to release an ASA blade :-)"

Amen to that, thanks for the good information.
