Networking

Cisco administration 101: Learn the difference between PIX and ASA

While Cisco introduced the Adaptive Security Appliance (ASA) in 2005, its PIX firewall is still alive and kicking. Which one is best for your organization's needs? David Davis details each product's offerings and compares the two.

For many years, the Cisco PIX has been the established Cisco firewall. But in May 2005, Cisco introduced a new offering—the Adaptive Security Appliance (ASA). However, the PIX is still available. I've often heard people ask about the differences between these two product lines. Let's take a look.

What is a Cisco PIX?

A Cisco PIX is a dedicated hardware firewall appliance. All Cisco PIX versions have model numbers in the 500s. The most popular model for home offices and small networks is the PIX 501; many midsize companies use the PIX 515 as a corporate firewall.

PIX firewalls run the PIX operating system. While the PIX OS is quite similar to the Cisco IOS, there are enough differences to cause some frustration for users more familiar with IOS.

The firewall sports the PIX Device Manager (PDM) for a graphical interface. This GUI is a Java application downloaded through a Web browser.

Typically, a PIX firewall has an outside interface that connects to the inside of an Internet router and goes to the public Internet. It also has an inside interface that connects to a LAN switch, going to the private internal network.

What is a Cisco ASA?

A Cisco ASA is a new firewall and anti-malware security appliance from Cisco Systems. (Don't confuse this product with what a PIX uses for stateful packet filtering—the adaptive security algorithm, or ASA.)

ASA models are all in the 5500 series. The Enterprise Editions include four versions: Firewall, IPS, Anti-X, and VPN. There's also a Business Edition for small to midsize companies.

In total, there are five models of the Cisco ASA. All run the ASA version 7.2.2 software, and the interface is much like the Cisco PIX. Both the Cisco PIX and ASA models vary in performance, but the ASA's lowest model offers much more performance than the base PIX.

Like the PIX, the ASA can also serve as an intrusion prevention system (IPS) and VPN concentrator. In fact, the ASA could take the place of three separate devices—a Cisco PIX firewall, a Cisco VPN 3000 Series Concentrator, and a Cisco IPS 4000 Series Sensor.

Now that we've covered the basics of each security appliance, let's see how they compare.

PIX vs. ASA

While the PIX is an excellent firewall, the landscape of security has changed over the years. It's no longer sufficient to protect your network with a stateful packet filtering firewall. There are so many new threats to a network—including viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.

When a device does protect against this variety of threats, we say it offers "anti-X" capability or "multi-threat" protection. But the PIX just hasn't been able to offer this level of protection.

Most organizations don't want to have a PIX performing stateful firewall filtering and some other appliance protecting you from other threats. Instead, they want an "all-in-one" device—or a unified threat management (UTM) device.

The ASA does offer protection from these different types of attacks. It can even be more of a UTM device—however, it needs a Content Security and Control Security Service Module (CSC-SSM) to be a real UTM. This is the module in an ASA that performs the anti-X functions. Without the CSC-SSM, the ASA functions more like a PIX.

So which one is right for your organization? As always, the answer lies with your organization's unique needs. However, I would choose the ASA over the PIX any day. First of all, an ASA typically costs less than a similarly featured PIX. Besides the cost incentive, it just seems like a logical choice to choose the newer and faster technology.

For those who already use the Cisco PIX, Cisco has produced a Migration Guide (PDF) that addresses how to migrate from a Cisco PIX to an ASA. In my opinion, this offering foreshadows Cisco's impending discontinuation of the PIX. While the company has made no announcements to this effect, I think it's only a matter of time.

Remember, we can no longer rely solely on a firewall to protect our organizations from the varied threats of the Internet; a multifaceted approach is now necessary for complete protection. While the ASA is a good choice, it isn't your only option. Many vendors offer products to compare the ASA against before making that choice.

Do you use a PIX or ASA in your organization? Share your experiences in this article's discussion.

Miss a column?

Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Editor's Picks

Free Newsletters, In your Inbox