Cisco ASA 5500-X still commanding Respect
Updated July 09, 2022

Shephered Moyo | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Cisco ASA 5500-X with FirePOWER Services

Cisco ASA 5500-X, we have deployed this firewall to most of our customers. We also run a pair of these in our data center and so far we have not experienced any issues with the setup. The firewalls are configured in an active/standby mode allowing connectivity back to the ISP via diverse routes and utilizing BGP. Direct peering with the ISP means we don't require managed layer 3 routers from the ISP, reducing the cost and removing another unneeded layer of hardware, and improving latency.
  • High Availability in Active/Active mode and the use of virtual context.
  • Straightforward software upgrades.
  • Provides robust AnyConnect remote access VPN for users.
  • The use of a VMware appliance to manage FirePOWER is not really great, as this introduces another on-prem box to manage; this could all be done via the cloud.
  • Licensing is never straightforward; this could be improved.

Do you think Cisco ASA 5500-X with FirePOWER Services delivers good value for the price?

Yes

Are you happy with Cisco ASA 5500-X with FirePOWER Services's feature set?

Yes

Did Cisco ASA 5500-X with FirePOWER Services live up to sales and marketing promises?

Yes

Did implementation of Cisco ASA 5500-X with FirePOWER Services go as expected?

Yes

Would you buy Cisco ASA 5500-X with FirePOWER Services again?

Yes

  • Once deployed and running, the firewall is very robust which means less downtime and more production with great ROI.
  • This firewall has a long life span, and even if it's reaching the end of life Cisco continues to support the product, which means you can continue to rely on the firewall and also keep getting software updates and security updates.
  • When managed centrally, management is improved, and policies can be changed once and applied to all firewalls in one go.
  • Cisco Nexus switches as Core routers connecting a customer site to the datacenter via a private WAN.
  • Trunking between the 5508-X and a Cisco 3750 switch to allow different VLANs access to the internet via the same firewall.
  • Cisco Meraki Access Points behind the 5508-X.
One of our customers required access to the internet when working from home via the office internet. As a result, we implemented AnyConnect for each and every user and forced their home traffic to go to the office and break out to the internet via the office connection. This helps with possible traffic interception when using non-secure home Wi-Fi or internet cafes.
We have been using these firewalls for a long time now, and every day we can see hackers trying to break into them, trying to exploit different vulnerabilities, and so far they have not been able to gain access. We also configured reporting, which means that we get alerted when there is a brute force attack or a single IP address that keeps trying to break in. Once we get these notifications, we add those offending IP addresses to the blacklist and they won't be able to continue malicious activities against our environment.
The firewall is great but there is always room for improvement. The use of VMware to manage the firewall is not great; it's yet another expense that can be avoided. However, once the firewall is installed and running it just works with no issues. Also, it's very straightforward to install updates or upgrade the firewall software. The fact that there are different models means there is always a firewall for every budget.
Palos are great but they are a bit more expensive. Cisco ASA 5500-Xs are very competitive budget-wise. Small to medium offices can easily afford Cisco ASA 5500-X with FirePOWER services compared to Palo Altos. At the end of the day, with Cisco, even though more affordable, you still get the protection you need from a firewall.
With a limited budget, this firewall can be deployed to do basic firewalling and routing as a starting point. Once in place, with an improved budget, FirePOWER services can be activated with an additional license. Depending on the scenario, an appropriate model can be bought to meet the needs of the business. These firewalls range from the small 5506-X to the massive 5585-X suitable for data center deployments.

Cisco ASA 5500-X with FirePOWER Services Feature Ratings

  • Identification Technologies: 10
  • Visualization Tools: 8
  • Content Inspection: 9
  • Active Directory and LDAP: 10
  • Firewall Management Console: 9
  • Reporting and Logging: 8
  • VPN: 10
  • High Availability: 10

Resilience and Reliability

Instead of investing in a lot of products like IPS, IDS, and Email Proxies, Cisco ASA 5500-X with FirePOWER Services comes fully packed with all these features which only require licenses to activate and use. This also means collecting logs is made very easy since the logs will be coming from a single device. In all our deployments we are able to see and get notified when an IP address is running a scan or attempting to execute malicious code against our networks.
Deploying firewalls in High Availability (HA) and also making sure that the same Cisco ASA 5500-X with FirePOWER Services are deployed at the Disaster Recovery (DR) sites, so that when an attack happens the business can switch to the DR site and continue operating while the main site is dealing with a disaster.
Ever since we installed Cisco ASA 5500-X with FirePOWER Services we have never had to deal with an attack. We can see in the logs almost every day hackers attempting to break into our networks and failing. We also have the ability to blacklist every IP address that attempts to break into our firewalls.
We implemented a centralized management of all our Cisco ASA 5500-X with FirePOWER Services so that we can have a holistic view of all our sites in London and other European countries. This also helps when making changes: instead of logging on to each firewall, we can use Firepower Management Center (FMC) to centrally deploy changes across all devices.
We have never had an outage caused by firewall failure. We have had a few outages caused by the internet failing or cloud applications going offline but never a firewall breaking down. When making changes we have a very strong change control; major software updates are always carried out outside of working hours. At places where we have two firewalls in HA, we are able to do upgrades in working hours and the users will never know that an upgrade is taking place; that's how great these firewalls are.
Like any other firewall the Cisco ASA 5500-X with FirePOWER Services requires knowledge to deploy and manage, but the Cisco ASA is very straightforward to work with. It integrates well with most switch vendors and we deploy FMC in VMware. Site-to-site VPN with the Azure cloud and AWS is very straightforward. It also works well with other vendors like Palo Alto and Juniper.
  • Integrated Cisco AnyConnect VPNs with SAML to allow single sign-on with Office 365 accounts.
  • Integrated access to management with Duo to provide MFA for administrators.
  • We are working on starting Ansible automation