Cisco hits on firewall/VPN, misses on ease of use

With its first iteration of the Adaptive Security Appliance a year ago this week, Cisco shipped its first new stand-alone enterprise firewall/VPN combination in nearly five years. Since then, Cisco has followed through on its integrated-appliance road map, providing an updated SSL VPN module and adding optional anti-virus and intrusion-prevention services to the ASA line. See the results of our Clear Choice Test.

Advanced SSL VPN technology in ASA

ASA forum – Have you deployed it? Discuss.

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter

In our exclusive test of Cisco’s ASA 7.1 software running on a high-availability pair of ASA 5540 systems, we ran these boxes on a live network for more than a month. These models are focused strictly on the enterprise with 650Mbps of firewall and 325Mbps of VPN throughput. We mainly tested the ASA’s firewall and VPN capabilities as well as the management wares supplied to drive these features (see “How we tested Cisco ASA 5540”). Cisco did not supply the anti-virus module to test, and because Network World has an intensive test of intrustion-prevention system (IPS) products in progress, we didn’t look in detail at the Cisco IPS.

All ASA 5500 units have a single slot for a security service module (SSM). Cisco has released three SSMs: a four-port Gigabit Ethernet card, a content-filtering SSM (anti-virus/anti-spyware) and an IPS SSM. Additionally, all models come with either four Gigabit Ethernet and one 10/100Mbps Ethernet port (in the case of the higher-end 5520 and 5540 models) or five 10/100 Ethernet interfaces (as is the case with the entry-level ASA 5510).

Overall, we found that as a replacement for the venerable PIX and 3000-series IPSec VPN concentrators, the ASA boxes are lean, fast and bring a well-rounded approach to perimeter network security.

We also used Cisco’s Adaptive Security Device Manager (ASDM) Version 5.1, a Web-launched Java-based GUI, to configure and monitor the systems. ASDM greatly simplifies defining firewall, site-to-site and remote-access VPNs, bringing firewall-configuration tools for the ASA to a level commonly expected in this product space.

Unfortunately, Cisco badly bungled its opportunity to build a management system that truly integrates the PIX, IPSec and SSL VPN and IPS capabilities. Overall, Cisco’s GUI mixes pieces from all of the system in some places, segregates them in others and offers an unnecessarily complex and difficult-to-use interface.

Start with the firewall

If you buy an ASA, you should do so primarily for its firewall features, as these are the most mature parts of the product. Cisco includes a multizone, stateful packet inspection firewall with 23 application-layer gateways, ranging from the normal and expected (such as FTP, DNS and HTTP) to the unusual (such as GPRS Tunneling Protocol, obviously put in for the carrier-class telecom customer). As might be expected, the ASA includes application-layer gateways for newer VoIP protocols, such as Session Initiation Protocol (SIP), Media Gateway Control Protocol, H.323 and even Cisco’s own Skinny Call Control Protocol. While this is not a VoIP-specific firewall, our tests show that you can run SIP traffic through the firewall without problems.

The ASA software we tested isn’t fully compatible with Cisco’s new Network Admission Control (NAC) scheme (Cisco says full NAC integration will be available before July 1), but it does provide for identity-based access controls. For example, you can force outgoing users to authenticate with a Web page against an Active Directory server, and then use information in Active Directory to decide who can use the Internet, and where they can go. This kind of user-driven access control (as opposed to IP-driven access control, the only option in most other firewalls) is a good steppingstone to more comprehensive network access-control schemes, such as Cisco’s own NAC architecture. (For more about NAC architecture, see here and here).

Cisco’s historic strength in network address translation is in this version as well, making the ASA an especially appropriate system to protect perimeter networks.

The ASA can act as a traditional Layer 3 routing firewall (with support for Open Shortest Path First dynamic routing) and can be a bridging (Layer 2) transparent firewall, a new feature for Cisco with the ASA. Although the ASA firewall code has a few remaining rough edges – such as an SMTP mail proxy that reduces security by refusing to allow encrypted connections – most security managers will find its capabilities are more than enough for a typical perimeter deployment.

Where the ASDM and ASA combination really shines is in the new monitoring and reporting capabilities joined with longer-term event storage provided by the ASA software. These devices can be configured to save five days of statistics, including 11 interface-specific statistics (such as bandwidth and dropped packets), which it then can easily graph for a short-term peek at loads and behaviors. On the monitoring side, you can point to a “deny” log entry and with a single click, create a rule to allow that traffic instead. As these inexpensive firewalls get deployed deeper within the network, the ability to jump between analysis and policy creation will be a big time saver and can reduce errors.

In integrating its PIX firewall and VPN 3000 Series Concentrators, Cisco has two very different IPSec styles to merge. While the 3000-series concentrator had a great deal of flexibility, the complexity of the management interface has been known to keep some customers from using most of the product’s capabilities. By jettisoning the complexity and building well-designed wizards to support both site-to-site and remote access VPN tunnels into ASDM, the ASA finally makes it easy to deploy basic VPN functionality for two different functions all in the same piece of hardware, something the other hardware VPN vendors have been unable to do.

We were able to configure, enable and test basic remote-access VPN features on the ASA in less than five minutes. This proves Cisco has not only kept track of the ease-of-use features of the original 3000-series, but has extended them to its new hardware and management platform.

While the ASA we evaluated is targeted more at enterprise deployments, this combination of firewall, site-to-site and remote access VPN will be especially useful to the small-to-midsize business network where a single device is expected to do triple duty.

It’s been said, though, that on every fine cheese, some mold will grow. While the ASA has developed into an enterprise-class firewall and IPSec VPN device, it was profoundly disappointing to see that Cisco didn’t take the opportunity of a new platform and a new version of the operating system to also revise its management tools. While some components, such as monitoring and VPN setup, are well done, there is no sense of holistic management brought to the table with the ASDM. It seems clear that the ASA hardware and its configuration GUI are not considered as a single, coherent whole, because the careful engineering that went into building the ASA is not evident in the ASDM GUI.

The ASA still has a command-line interface, and for some of Cisco’s service provider and many site enterprise customers, this will be the best way to control and monitor their firewalls. However, for the rest of us, Cisco has given us ASDM, the most opaque and poorly designed configuration user interfaces of any enterprise firewall on the market today. While a weak management interface was understandable in the first years of Cisco’s entry into the security market, it’s inexcusable that a company this large, with this many customers and with this kind of resources, cannot develop a better user interface to configure its products.

It’s not all bad. If you use the ASA only as a firewall, you will likely be satisfied with the ASDM user interface. The straightforward model of rules and objects used in the firewall part of the configuration interface is simple enough to use. More-advanced features, such as configuration of advanced rules for application-layer gateways such as HTTP traffic inspection, are easy enough for any security manager to understand.

However, Cisco has gone out of its way to craft the configuration GUI to match the underlying command-line interface, which means that network managers will enter the same information twice – because you can’t, for example, allow traffic into a Web server and manage the HTTP inspection on that traffic on the same screen.

Where the ASDM configuration GUI really falls apart is in all of the peripheral services that Cisco has built into the ASA, such as the SSL VPN and the IPS (see full evaluation of SSL VPN). For example, in the SSL VPN, managing access controls is done with numbered, not named, access control lists (ACL), which cannot be combined. This means that the network manager has to remember that ACL 129 is used for network access for IT staff, while 128 is used for the extranet, and 103 is the list of URLs that employees have access to.

Cisco, while providing a strong firewall and VPN combination, missed its chance to be a leader in simplifying network and system management with the ASA series.

Snyder is a senior partner at Opus One, a consulting firm, in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.