Your opinion about ASA/ASDM

Unanswered Question
Aug 13th, 2007

Hello,

in the near future we will have to look for a firewall/IDS combination. But it is difficult to compare the vendors, because all you get are marketing brochures but no real neutral reviews. What are your experiences with the ASA + Adaptive Security Device Manager? Would you buy it again? Do you have experience with multiple vendors so you can compare them?


p.k.


P.S.: The networks which the devices have to protect are a medium one (administration network with about 1000 clients) and a large one (university).


P.P.S.: I read that the ASAs have one SSC/SSM expansion slot and that there are several modules, with AIP-SSM for IPS and CSC-SSM for Anti-Virus'n'stuff.


But what do I do when I want an ASA for IPS AND Anti-Virus?


jfgobin01 Thu, 08/16/2007 - 21:52

Hello there,


I'm relatively new to ASA, but not to Cisco's equipment, having used switches, routers, PIX, FWSM and IDS/IPS.


For a new project, we're planning to deploy ASAs with AIM for the IPS/IDS role as well as a VPN concentrator function, as we found the ASA to be superior in the overall integration of all the desired functions. The point that made the difference was that the IPS/IDS is a hardware extension and not a part of the firewalling software (as it was in the PIX appliance through the IP AUDIT command).


Currently, we're going to try CSM. If you have a really large network of firewalls and security devices, it may help you.


PS-1: that information, as well as the projected bandwidth, is really useful for determining which ASA appliance and which AIM to choose:


http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html


PS-2: for the antivirus role on the www line, I would suggest using transparent proxying and antivirus using ICAP: large files can be a mess to handle and the FW has lots of other things to do!


PS-2bis: if you really want it, it is still possible to think in terms of a dual layer of firewalls with proxies and exposed servers in between.


PS-3: in the past, Cisco lent us several pieces of equipment to review/test/analyze/prove it. Maybe you can ask your dealer to do the same?


PS-4: we're reporting to CS-MARS. A definite solution to ease the "log tasks".


Kind regards from Rainy Belgium,

Jean-François
