When we tested next-generation firewalls last May, at least one important security vendor wasn't there: Cisco, because they weren't ready to be tested. Now that the ASA CX next-generation firewall has had a year to mature, we put the product through its paces, using the same methodology as our last NGFW test.
We found that Cisco has an outstanding product, with good coverage and strong application identification and control features. Enterprise security managers who have upgraded to the "-X" versions of the ASA firewalls (announced at the RSA Conference in March 2012) can add next-generation features to the hardware in their data centers and branch offices and gain immediate benefits.
Network managers who haven't upgraded their hardware or who are considering a switch from a different vendor should make a competitive scan before deciding on the Cisco ASA. We found the ASA CX to be a solid "version 1" effort, but Cisco still has significant work to do in improving the management, integration, threat mitigation and application controls, leaving the ASA CX a work in progress.
Introducing the ASA CX
When Cisco decided to add next-generation features to its ASA firewall, it must have faced a daunting task: how to take a mature firewall architecture and add the next-generation features that security managers were asking for, by which we mean application identification and control. Cisco took a stab at this in 2009, when it added the Modular Policy Framework (MPF), which brought many application-layer controls to the ASA. Rather than touch the delicately constructed NAT and policy rules of existing ASA firewalls, the MPF layered on top of existing security policies.
The ASA 5515-X is a standard ASA firewall with an additional processing module, called "CX" (for "context"), that handles application identification and control. In the ASA 5512-X through 5555-X, the CX next-generation firewall runs as a software module. In the high-end ASA 5585-X, Cisco has two hardware accelerators available today (the SSP10 and SSP20), with two additional models (the SSP40 and SSP60) targeted for end-of-year release and designed to take ASA throughput to 10Gbps and beyond.
Running CX does come with a performance penalty. For example, the ASA 5515-X we tested is rated for 1.2Gbps of raw firewall throughput, but only 350Mbps of next-generation throughput. With a list price of $5,600, the 5515-X delivers very competitive price/performance compared to other next-gen firewalls.
For Cisco engineers, adding the CX set of next-generation features meant either going back to the drawing board on the ASA or wedging the next-generation feature set in without tipping the boat too much. Cisco took a little of each option: the next-generation features are glued on the side of the ASA in a way that leaves the core firewall completely undisturbed. This is the approach Cisco has taken when adding other security features to the ASA, such as IPS and anti-malware scanning, and will continue to take, as add-ons like web security make their way into the ASA.