Item: Cisco Adaptive Security Appliance (ASA) Software
Rating: 8
Author: Verified User

Overall Satisfaction with Cisco ASA

Use Cases and Deployment Scope

We have about a dozen Cisco ASA models deployed from 5505-5545. We use them to separate traffic between internal organizations, for DMZ, and for VPN (both IPSEC and SSL). The problems these units address are two-fold: to protect our internal network from foreign networks that we have no control over, and to protect the foreign networks from the chance of getting infected by something on our internal network.

Pros and Cons

Pros

When sized appropriately, it can handle demanding traffic well.
Cisco is pretty good about putting out security-related updates so we can rest assured that the networks can be as safe as possible.
The hardware is very reliable and I don't recall any hardware related issues in the 5+ years of using them.
Software upgrades are smooth and I would recommend getting Cisco support assistance for them to review your current configuration and have them advise which stable and secure version you should move to. They may provide additional commands to enter prior to upgrading if you are moving from a very old version of the software.

Cons

Reporting, especially for VPN functionality, could use some improvements to be able to pinpoint when particular users log in/out.
The JAVA-based GUI could use some modernization. I currently have to use an older version of JAVA JRE to run the ASDM.
Some of the licensing structure could use some simplifying. You really have to size the appliance for growth before purchasing the initial license. The bare-bones license doesn't provide much flexibility.

Return on Investment

The ASAs have helped us meet compliance regulations in terms of security so that saved us from getting fined/decertified.
The flexibility of ASAs have allowed us to standardize on a common platform for the various use cases we have. This allowed us to not have to get other brands which the administrators would have to become familiar with.
The long support cycle with timely software updates to address security threats has also been positive on ROI.

Alternatives Considered

As Cisco is one of the top players in the network business, we can get answers to our questions from online communities along with 24/7 tech support from Cisco using our support contracts. We have considered other companies in the past, but the pricing for Cisco products has been competitive and would ultimately provide savings since we wouldn't have to retrain our staff on other brands.

Other Software Used

Proofpoint Email Security and Protection, Microsoft Exchange, CentOS

Likelihood to Recommend

DMZ firewall, general internet browsing, VPN (SSL and IPSEC). ASA can handle many firewall rules without slowing down. Some of them also offer PoE on the switchports of the firewall, which is convenient for small home office installations. One of the features is a high availability configuration in an active/standby mode. You can upgrade the software without any downtime.

Comments

Please log in to join the conversation