Cisco ASA 5505 or 5510

By ohm.paul
What are the main advantages of the 5510 over the 5505? Does it justify the extra $1000+?

We are about to host our own site, and currently, the plan is to just have the web server on our internal network behind a ASA 5510. However, for the same price, we could set up a 5505 and a 2811 or something, and then have the web server on a DMZ between the two devices. Is this a better idea or should we stick with the 5510 plan?


All Answers

by ohm.paul In reply to Follow the link

Thanks for the reference, but I've seen the comparison, I was looking for more of an opinion than anything. Our site will need to be available for 50 or so simultaneous connections. As for a VPN, we don't really have a need for one right now, but it's a possibility for the future I suppose.

What I am really looking for is anyone that has experience with one or the other or both and can attest to how secure or effective each one is with a light amount of configuration.

Requirements first... opinions don't really count

by SYNner In reply to opinions

First and foremost you need to meet your requirements and then forecast out to see if you'll outgrow the capabilities of the devices. Opinions do not meet requirements.

A 5505 will meet your requirement, but you have no room for future expansion. If you decide down the road that you need threat mitigation or content security, the 5505 doesn't support it. If you don't need the other fancy add-ons (content security, IDS/IPS, HA), a 5505 will do, but then again, a router with some ACLs will do the same thing.

As to the other posts regarding a DMZ, the 5505 will support 3 VLANs (inside, outside, dmz), so you've got that covered.

My opinion..

by Fregeus In reply to Cisco ASA 5505 or 5510

Simple. DO NOT GIVE ACCESS TO ANY SERVER ON YOUR INTERNAL NETWORK.

A 5505 is a good option if you are not hosting any web services. The second you need to host something, you need a DMZ. That's a must. Go with the 5510 and set up the DMZ.

Why? Because if someone hacks into your web service server, they don't have immediate access to your internal systems.

by ohm.paul In reply to My opinion..

Well, if we are going to set up a DMZ, then we'll need more than just one 5510. Also, since the database that drives the web application has sensitive information on it, we would probably have to set up an internal database server for the web server to access constantly. This would mean either getting two 5510s, or one 5510 and a 5505, or two 5505s... just having one wouldn't really provide any protection between the DMZ and the internal network, correct?

Yes it would

by Fregeus In reply to DMZ

The idea is that if someone compromises your server, he/she does not have access to your internal network without going through your firewall once more.

If someone compromises your firewall, it doesn't matter how many you have in a row, he/she will compromise the other just as easily.

Compromising a firewall is a lot harder than compromising a server. Human nature is that the hacker will attempt to use the easiest route possible, which means he/she will attack your server first.

Sure two firewalls are better than one, but it depends on how sensitive your information is. In my experience, only highly sensitive situations (banks, financial institutions, military installations) call for a two firewall infrastructure. You should be fine with just one.

Better yet

by ohm.paul In reply to Cisco ASA 5505 or 5510

I see what you mean; it would certainly make the most sense to set up the web server on a DMZ. Then, if someone were to hack it, they would still get the sensitive info on the web server, but at least they wouldn't get to the internal network.

What would be a good way to keep the sensitive information separate from the web server so that in such a situation, the database would not be compromised?

That's the best solution by far

by Dumphrey In reply to Better yet

but it's also a matter of risk management: how much are you willing to risk vs. how much is the company willing to spend? That's the question.
A basic ASA as the LAN edge and another ASA on the WAN edge would create a very nice DMZ, but it could be total overkill.
Using a router at the WAN edge, you can create ACLs that only allow access to the web server from specific IP ranges (if it's only for internal use). Also, if it's only for internal use, use the ASA to set up a permanent VPN between locations and it will just be accessible using its IP.
But, if it's to be publicly accessed, a DMZ is the normal security practice. Then again, it's all a matter of risk. If you have sensitive data, a DMZ should be considered. It may be that from a financial perspective you will have to do this in "steps" and not all at once.

For Now

by ohm.paul In reply to Thats the best solution b ...

I think for now we will just use a single 5510 to set up the internal and DMZ networks. This seems like it will be a pretty easy configuration that could even be done strictly through Cisco's ASDM. Then, whenever we can, we will move the database to an internal server so that it is inaccessible to someone who could break out of the web server on the DMZ.
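The single-ASA design settled on above (internal, DMZ and outside on one 5510, web server in the DMZ, database moved inside) together with Dumphrey's point about restricting access with ACLs, as an added configuration example. This is not config posted by anyone in the thread; it uses pre-8.3 ASA NAT syntax, documentation addresses (203.0.113.0/29 outside, 10.1.1.0/24 inside, 10.1.2.0/24 DMZ), a web server at 10.1.2.10, a database server at 10.1.1.20 and TCP 1433 as the database port; every one of those values is an assumption chosen for illustration.

```cisco
! Added example, not from this thread. ASA 5510, pre-8.3 NAT syntax.
! Addresses, hosts and the database port (1433) are assumed values.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Inside hosts reach the Internet through the outside address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Identity NAT so inside and DMZ see each other's real addresses;
! reachability is then decided purely by the ACLs below.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Publish the DMZ web server on one public address.
static (dmz,outside) 203.0.113.3 10.1.2.10 netmask 255.255.255.255
!
! Internet -> DMZ: only HTTP and HTTPS to the published web server.
access-list OUTSIDE_IN remark public web server only
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> inside: the web server may reach the database server on its
! database port and nothing else on the inside network. The logged deny
! records any other attempt, which is what a compromised web server
! would produce.
access-list DMZ_IN remark web server to internal database only
access-list DMZ_IN extended permit tcp host 10.1.2.10 host 10.1.1.20 eq 1433
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0 log
access-list DMZ_IN remark web server may fetch updates from the Internet
access-list DMZ_IN extended permit tcp host 10.1.2.10 any eq www
access-list DMZ_IN extended permit tcp host 10.1.2.10 any eq https
access-group DMZ_IN in interface dmz
!
! Inside -> DMZ needs no ACL: a higher security level may initiate to a
! lower one, so administrators on the inside can manage the web server
! while nothing in the DMZ can open a connection back on its own.
```

The same three-zone layout works on a 5505, with `interface Vlan1`, `Vlan2` and `Vlan3` carrying the `nameif` and `security-level` lines and the physical ports assigned with `switchport access vlan`; note that the 5505 Base license allows the third VLAN only as a restricted interface that cannot initiate traffic to one of the other two, so the DMZ-to-database rule above requires the Security Plus license on that platform.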

MY PIX and ASA is way below

by Dumphrey In reply to For Now

my router skills; I completely forgot about using one of the other interfaces as a DMZ. Sheesh... SYNner is da man here.
