Network World


Cisco hits on firewall/VPN, misses on ease of use

Exclusive test of ASA 7.1 software running on a high-availability pair of ASA 5540 systems.
By Joel Snyder, Network World, 05/01/2006

With its first iteration of the Adaptive Security Appliance a year ago this week, Cisco shipped its first new stand-alone enterprise firewall/VPN combination in nearly five years. Since then, Cisco has followed through on its integrated-appliance road map, providing an updated SSL VPN module and adding optional anti-virus and intrusion-prevention services to the ASA line.



In our exclusive test of Cisco's ASA 7.1 software running on a high-availability pair of ASA 5540 systems, we ran these boxes on a live network for more than a month. These models are focused strictly on the enterprise with 650Mbps of firewall and 325Mbps of VPN throughput. We mainly tested the ASA's firewall and VPN capabilities as well as the management wares supplied to drive these features (see "How we tested Cisco ASA 5540"). Cisco did not supply the anti-virus module to test, and because Network World has an intensive test of intrusion-prevention system (IPS) products in progress, we didn't look in detail at the Cisco IPS.

All ASA 5500 units have a single slot for a security service module (SSM). Cisco has released three SSMs: a four-port Gigabit Ethernet card, a content-filtering SSM (anti-virus/anti-spyware) and an IPS SSM. Additionally, all models come with either four Gigabit Ethernet and one 10/100Mbps Ethernet port (in the case of the higher-end 5520 and 5540 models) or five 10/100 Ethernet interfaces (as is the case with the entry-level ASA 5510).

Overall, we found that as a replacement for the venerable PIX and 3000-series IPSec VPN concentrators, the ASA boxes are lean, fast and bring a well-rounded approach to perimeter network security.

We also used Cisco's Adaptive Security Device Manager (ASDM) Version 5.1, a Web-launched Java-based GUI, to configure and monitor the systems. ASDM greatly simplifies defining firewall, site-to-site and remote-access VPNs, bringing firewall-configuration tools for the ASA to a level commonly expected in this product space.

Unfortunately, Cisco badly bungled its opportunity to build a management system that truly integrates the PIX, IPSec and SSL VPN and IPS capabilities. Overall, Cisco's GUI mixes pieces from all of the system in some places, segregates them in others and offers an unnecessarily complex and difficult-to-use interface.

Cisco Adaptive Security Appliance 5540
Overall rating: 4.08

Company: Cisco
Cost: Base price with 1GB RAM and five fixed 10/100/1000 interfaces: $17,000 (extra four Gigabit Ethernet ports, $5,000; IDS Module, $6,000; Anti-X module, $4,500).
Pros: Strong firewall capabilities; dual site-to-site and remote-access IPSec VPN; enterprise-focused unified threat management (UTM) feature set.
Cons: Integrated management poorly done; SSL VPN lacks maturity.

The breakdown

Category | Weight | Score
Firewall function | 35% | 4.5
Hardware performance and flexibility | 25% | 4.0
Additional UTM and VPN features | 15% | 4.0
Scalability and suitability for enterprise deployment | 15% | 4.0
Management integration and manageability | 10% | 3.0
TOTAL SCORE | | 4.08

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar