What is the difference? ISR vs ASA?

Answered Question
Feb 5th, 2012

Can anyone tell me the technical differences and features between the ASA and ISR Firewall? I am in a technical sales position and I find it difficult explaining the difference between the two, when pressed. Especially in an ASA5505/5510 vs 1941/2911 scenario.

If someone could explain the security features ASAs do that ISRs do not, that would be helpful also.

Here is what I know already, or so I think I know.

  1. The firewall/IPSec performance on an ASA is better than the ISR.
  2. They both run different IOSes.
  3. The ASA does not support routing protocols.
  4. ASDM is much better suited to analyze traffic, but with third party software the same could be achieved on an ISR.
  5. Routers have multiple interfaces and can perform many different tasks under the ISR umbrella: WLAN controller, Gateway, Gatekeeper, CUBE, etc.
  6. You can add IPS and CSC modules to an ASA and they will outperform the NME and IOS filtering options for an ISR.
  7. Routers perform equal cost load balancing and ASAs do not; they only have failover as an option.

Thanks!

Richard Burts Sun, 02/05/2012 - 12:53

The ASA is a purpose-built security device while the ISR is a router. The primary focus of the ASA is security implementation including stateful inspection of traffic and very sophisticated inspection of traffic passing through the ASA. It has some (limited) ability to do layer 3 routing of packets. The primary focus of the ISR is to do layer 3 routing with some very sophisticated routing algorithms supported and the ability to implement some security screening. It can do some stateful inspection of traffic but does not support the deep inspection of traffic that an ASA could do.

So for example if a customer wants to run BGP to a provider they would want to choose an ISR over an ASA. Or if a customer wants to do some URL filtering they would choose an ASA and not an ISR.

HTH

Rick

crowe Sun, 02/05/2012 - 20:55

Ok. So aside from SPI, DPI and routing, is there anything else to add that you can think of?

mayrojas Mon, 02/06/2012 - 08:36

Crowe,

It's hard to compare a Router with an ASA no matter what platform we talk about; those are totally different platforms. The fact that they run on the same layer does not mean that they can be compared.

One is a security solution, which has A LOT of features, and the other one is a Router used for Routing over an IP network. I mean, there are too many different features and only a few that they share (i.e. VPN, Multicast Routing, NAT).

Mike

crowe Mon, 02/06/2012 - 10:06

Sorry about that but I should have been more clear.   When it comes to security features, what makes an ASA far more superior than an ISR for security?  What security features does the ASA have, that the ISR does not? 

Thanks!

Correct Answer
mayrojas Mon, 02/06/2012 - 10:18

From the top of my head:

Botnet traffic Filter

Smart call home

Separate Trend Micro support (Does not rely on ASA performance)

Separate IPS support (Does not rely on ASA performance)

Cisco Secure Desktop

Embedded Security policies based on security levels

Availability of Bypass stateful packet inspection for certain traffic

Stateful Failover

Firewall virtualization

Those are the most common ones, but I'm sure there are plenty more.

Mike Rojas,

crowe Mon, 02/06/2012 - 12:11

Maykol Rojas wrote:

From the top of my head:

Botnet traffic Filter

Smart call home

Separate Trend Micro support (Does not rely on ASA performance)

Separate IPS support (Does not rely on ASA performance)

Cisco Secure Desktop

Embedded Security policies based on security levels

Availability of Bypass stateful packet inspection for certain traffic

Stateful Failover

Firewall virtualization

Those are the most common ones, but I'm sure there are plenty more.

Mike Rojas,

Thanks, I think security contexts are the line in the sand.

This Discussion

Posted February 5, 2012 at 12:32 PM