Your opinion about ASA/ASDM

Unanswered Question
Aug 13th, 2007

Hello,

In the near future we will have to look for a firewall/IDS combination. But it is difficult to compare the vendors, because all you get are marketing brochures but no real neutral reviews. What are your experiences with the ASA + Adaptive Security Device Manager? Would you buy it again? Do you have experience with multiple vendors so you can compare them?

p.k.

P.S.: The networks which the devices have to protect are a medium one (administration network with about 1000 clients) and a large one (university).

P.P.S.: I read that the ASAs have one SSC/SSM expansion slot and that there are several modules, with AIP-SSM for IPS and CSC-SSM for Anti-Virus'n'stuff.

But what do I do when I want an ASA for IPS AND Anti-Virus?

jfgobin01 Thu, 08/16/2007 - 21:52

Hello there,

I'm relatively new to ASA, but not to Cisco's equipment, having used switches, routers, PIX, FWSM and IDS/IPS.

For a new project, we're planning to deploy ASAs with AIM for the IPS/IDS role as well as a VPN concentrator function, as we found the ASA to be superior in the overall integration of all the desired functions. The point that made the difference was that the IPS/IDS is a hardware extension and not a part of the firewalling software (as it was in the PIX appliance through the IP AUDIT command).

Currently, we're going to try CSM. If you have a really large network of firewall and security devices, it may help you.

PS-1 : that information, as well as the projected bandwidth, is really useful to determine which ASA appliance to choose and which AIM:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

PS-2 : for the antivirus role on the www line, I would suggest using transparent proxying and antivirus using ICAP : large files can be a mess to handle and the FW has lots of other things to do!

PS-2bis : if you really want it, it is still possible to think in terms of a dual layer of firewalls with proxies and exposed servers in between.

PS-3 : in the past, Cisco lent us several pieces of equipment to review/test/analyze/prove it. Maybe you can ask your dealer to do the same?

PS-4 : we're reporting to CS-MARS. A definite solution to ease the "log tasks".

Kind regards from Rainy Belgium,

Jean-François
