Cisco ASA5540 with SSM-20 IPS module

Score: 3.68

Editor’s note: This is a summary of our testing of this product, for a full rundown of how it fared in our testing across 10 UTM categories, please see our full coverage.

The ASA 5540 is one of a range of firewalls that together replace Cisco’s PIX and 3000-series VPN concentrator lines. With one faster model (that cannot do either IPS or antivirus filtering) and several slower ones, Cisco has continued its serious run at both the SMB and enterprise markets with this series of appliances.

While the ASA has strong built-in firewall, protocol inspection, and NAT features, the antivirus and IPS UTM features each require an add-in security services module. Because current models of the ASA have only a single slot, you can choose to implement either IPS or antivirus, but not both at the same time.

The ASA series can all be configured entirely from the command line, can be driven through a local GUI (called ASDM), or controlled through Cisco’s optional global-management tool, Cisco Security Manager (CSM), at an extra cost. We worked with CSM in this test and found that while Cisco has done a great job at bringing CSM where it needed to be for enterprise management, it is still not a full management solution for controlling all of the features a UTM has to offer. 

To manage your ASA firewall with an IPS installed you also need to use ASDM, the local GUI, because CSM doesn’t have tools for monitoring the status of the ASA. You also need a separate MARS appliance, Cisco’s security information-management system, because MARS is the only Cisco tool to receive and analyze IPS/IDS events. Without CSM, IPS and firewall management are not integrated, requiring not just another IP address but another Ethernet port.

With its heritage as a NAT device, the ASA carries a fair amount of configuration baggage. Cisco has not done a good job of bringing the NAT policy and firewall policy together. Indeed, the complexity of this issue is such that the Cisco engineers who helped install our system didn’t get the NAT policy right the first time around.

As a firewall, the ASA is hard to love unless you’ve had a longstanding affair with PIX. Cisco has been extraordinarily careful to maintain a consistent feel and model in a product that, fundamentally, is more than a decade old, which means the company has neglected to clean up rough edges. If you’ve learned the PIX, its idiosyncrasies and its convoluted security and NAT model, Cisco definitely won’t abandon you.

Don’t mistake this criticism for a claim that Cisco is not a leader making continual progress in firewalls — our testing showed that it is making progress. The ASA is definitely a sound product with a feature set that matches well with the enterprise market. The ASDM management system is a huge step forward for those who have only a single ASA. In addition, Cisco has made enormous strides with CSM, especially in the areas of policy control and VPN configuration.

Where the ASA is truly lovable is in its remote-access VPN capabilities. By merging the feature set of the 3000-series VPN concentrators into the ASA, Cisco has made an elegant and easy-to-configure remote-access VPN device. In Version 8 of the ASA, which we did not test but which has just become available, Cisco reportedly goes further by focusing on SSL VPN features, strengthening a key area.

The ASA will not inspire awe, but it will inspire loyalty as a solid and dependable product backed by incredible support.
