02-05-2007 10:31 AM - edited 03-11-2019 02:29 AM
I have a new project in which we are likely going to put a 6509 in the core of a new network. I am in need of a firewall for this network, but I am not sure if I want to just get a Firewall Services Module for the 6509 or if I should just get an external Adaptive Security Appliance. I like the integration of the service module into the 6509 chassis, but it seems like the new ASAs have more features. What do you think?
02-05-2007 10:54 AM
Hi
Yes, the ASA devices do have more functionality, especially when you consider the modules you can use in them. They are multipurpose security devices which can do firewalling/VPNs/IPS/anti-virus.
The FWSM is pretty much just a firewall. It cannot do any of the additional things an ASA can do and it cannot terminate VPNs for users/remote sites. That is not to say it is not suitable in certain situations. Having the FWSM integrated into the switch gives it the ability to see any VLANs. Yes, you can do this with trunking on the ASAs, I just think it is more elegant on the FWSM. The other thing to be aware of is that it does not communicate directly, i.e. via the switch fabric, with any other modules, e.g. the IDS/IPS module. To communicate between the two you need something like the CS-MARS software.
It really depends on your requirements. If high throughput is the major concern the FWSM could be the way to go.
What we need now is for Cisco to release an ASA blade :-)
Jon
02-05-2007 10:47 AM
It all boils down to your needs. FWSM has better throughput compared to any of the ASA models and integrates seamlessly with CATC6K. But you would be missing out on the VPN and QoS capabilities of ASA.
02-05-2007 11:19 AM
"What we need now is for Cisco to release an ASA blade :-)"
Amen to that, thanks for the good information.