Cisco ASA 5500 has value

Jan 31, 2006

* Reader explains where Cisco’s ASA 5500 makes sense

A reader responded to a recent article about the Cisco ASA 5500 unified security appliance with a different perspective from that of the original author, Norman Bari. With permission of the reader, who prefers to remain anonymous, here are his comments:

* * *

I too am a very strong believer in security in depth. A layered approach is always the most secure approach. Unfortunately, the realities of business rarely allow for a complete implementation of this model.

Consider if you will my situation where I carry responsibilities for all networking and network security in an organization that: has zero technical security staff; a network that more than doubles in size every year; a severely shorthanded network staff that has not grown in four years; a budget that also has not grown even $1 in four years; computer rooms (I hesitate to call converted conference rooms “datacenters”) that are underpowered, under-cooled and out of space; an exponentially growing demand for VPN sessions; and firewalls so old (PIX 520) that many of your Cisco readers have probably never even heard of them.

We are by no means a small or even midsize company, having been listed on the Fortune Private 500 in all of my seven years here, and are one of the fastest growing companies in our industry. But when you consider that, for the cost of moving from 100 to 200 VPN sessions on my existing concentrator (Cisco 3015), I could instead purchase two ASA 5500 appliances giving me 600 simultaneous VPN sessions *and* two brand-new, and desperately needed, firewalls, then the choice is simple.

Do I like that choice? No. In fact some years ago I was quoted in a professional networking magazine espousing exactly the same philosophy as Mr. Bari. Unfortunately, the realities of supporting a growing business have made me realize that the best security choice isn’t always about best security practices. Many times it is a compromise between business needs and optimal security.

In this respect, the ASA 5500, coupled with vigilance, is that best compromise.

* * *

In my classes on security management, I emphasize that all of security involves tradeoffs. It is impossible to come down absolutely for or against a tool without knowing the context it will be used in. Is a Swiss Army knife better than a box of tools? Depends what you want to do, how often, how well and at what cost.

I thank our anonymous reader for taking the time to provide a different perspective on an interesting question.