Executive summary for replacing PIX with ASA

Unanswered Question
Oct 23rd, 2009
User Badges:

Does anyone have a link for a document that highlights the features of an ASA appliance over a PIX? We want to replace our PIXs but want to put together an executive summary with the advantages to go with the proposal. I have not seen a compare / contrast document on CCO so am working off the ASA feature guides and things.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
francisco_1 Fri, 10/23/2009 - 06:53
User Badges:
  • Gold, 750 points or more


While the PIX is an excellent firewall, the landscape of security has changed over the years. It's no longer sufficient to protect your network with a stateful packet filtering firewall. There are so many new threats to a network-including viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.

When a device does protect against this variety of threats, we say it offers "anti-X" capability or "multi-threat" protection. But the PIX just hasn't been able to offer this level of protection.

Most organizations don't want to have a PIX performing stateful firewall filtering and some other appliance protecting you from other threats. Instead, they want an "all-in-one" device-or a unified threat management (UTM) device.

The ASA does offer protection from these different types of attacks. It can even be more of a UTM device-however, it needs a Content Security and Control Security Service Module (CSC-SSM) to be a real UTM. This is the module in an ASA that performs the anti-X functions. Without the CSC-SSM, the ASA functions more like a PIX.

So which one is right for your organization? As always, the answer lies with your organization's unique needs. However, I would choose the ASA over the PIX any day. First of all, an ASA typically costs less than a similarly featured PIX. Besides the cost incentive, it just seems like a logical choice to choose the newer and faster technology.

ASA could take the place of three separate devices-a Cisco PIX firewall, a Cisco VPN 3000 Series Concentrator, and a Cisco IPS 4000 Series Sensor.

hope that provides you the infomation you need..


bberry Fri, 10/23/2009 - 06:56
User Badges:

Thanks .. I will see if I can incorporate these comments into what I am putting together. I am suprised that there is nothing as part of the EOS/EOL path for the PIX from Cisco.


bberry Fri, 10/23/2009 - 07:11
User Badges:

Thanks .. The more the better so that I can get it down to that non-techie level and not leave out the good stuff.



This Discussion