Get to know Cisco's new security appliance: ASA 5500

In May, Cisco unveiled the Adaptive Security Appliance (ASA) 5500, an integrated security device and the latest in a long line of unified threat management (UTM) appliances. David Davis introduces you to UTM appliances, examines their pros and cons, and explains why he thinks the ASA 5500 has an advantage.

In early May, Cisco unveiled its new "multifunction appliance family for adaptive threat defense" at the Interop conference and exhibition in Las Vegas. Dubbed the Adaptive Security Appliance (ASA) 5500, the new offering combines numerous security functions, previously available only as separate products, into one box.

The fact that Cisco's latest device performs multiple functions is not new; Cisco routers have featured intrusion detection and prevention, firewall capabilities, and VPN services for a while. However, a router can't do all of these things well. Instead, this new dedicated appliance, which purportedly includes about 18 different security and network management functions, can bring you peace of mind about security concerns and leave your router free to do its own job.

What's a unified threat management device?

But the ASA 5500 isn't exactly a revolutionary idea. Rather, it's the latest in a long line of unified threat management (UTM) appliances, which have been around for quite a while. A number of vendors offer similar appliances to Cisco's ASA 5500, including Fortinet, Symantec, Secure Computing, SonicWALL, ServGate, Check Point Software, and Juniper Networks.

These other providers offer products that rival Cisco's ASA 5500 in some ways. For example, Fortinet's FortiGate UTM devices have been around for some time, and the company claims to have the largest market share in the UTM space.

What makes FortiGate unique is its "ASIC-based" design. That means it has dedicated hardware processors to perform various functions (e.g., firewall, IPS, VPN, AV), and it can do them faster than other vendors' products.

Industry analysts expect the demand for UTM devices to boom over the next few years. According to an IDC study, sales of these devices could reach $3.5 billion by 2008.

Let's look at some of the pros and cons of integrated UTM devices and examine what the ASA 5500 brings to the UTM table.

Advantages of UTM devices

Cost savings
By purchasing a single device, organizations can gain significant cost savings in comparison to buying multiple devices.

If your company uses firewall, VPN, and IPS products from multiple vendors, interoperability can quickly and easily become an issue. Using a single vendor can offer much greater interoperability.

Improved management
An integrated device typically features a single management console as well as streamlined administration. This means you'll save more administration time, not to mention money.

Drawbacks of UTM devices

Single point of failure
Like many IT managers, I'm still a little leery about anything that's "integrated," which immediately makes me think "single point of failure." In other words, if one component goes down, everything goes down.

Lack of "best of breed"
When using separate devices from various vendors, you can select the best product for the job and your organization's needs. However, when using a single vendor, you must accept the quality of the integrated products in the single device.

Another possible downside of an integrated appliance is performance: whether a single box can handle the traffic load while carrying out all of its integrated tasks at once.

For more information, check out Cisco's "Deployment Considerations: Comparing Converged and Dedicated Security Appliances" white paper.

Why choose ASA 5500?

Cisco offers three versions of the ASA 5500 series device: 5510, 5520, and 5540. Each increases in performance and price as the model number increases.

In my opinion, the ASA 5500's biggest advantage is that it's a Cisco product. When I think of using a Cisco product, the following advantages come to mind.

  • It's interoperable with an existing Cisco network.
  • It involves less of a learning curve if you're already familiar with the Cisco IOS.
  • More training materials and third-party vendor support are available. For example, Cisco Press has already announced three books, which will be available this year, that cover the ASA 5500 family.

Over time, the ASA 5500 will likely take market share from Cisco's other security offerings, such as the IPS 4200 Series, the PIX 500 Series, and the VPN 3000 Series. However, I believe that the new consolidation of features into a single appliance will be a win-win situation for consumers.

For example, think about today's cell phones: They function as PDAs, phones, pagers, cameras, video players, and even play video games. For consumers, the "all-in-one" device offers more features for less money. Is it possible that Cisco will one day sell one piece of hardware that "does it all"?

What do you think?

What's your take on Cisco's ASA 5500? Do you agree that a single appliance offers a win-win situation for consumers? Post your thoughts in this article's discussion.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.