• United States

Is Cisco’s ASA a headache-in-waiting?

Dec 06, 20053 mins
Cisco SystemsNetworkingSecurity

* Reader weighs in on Cisco’s all-in-one security appliance

Reader Noman Bari wrote to me some time ago from Karachi, Pakistan, with a thoughtful comment on Cisco’s new multifunctional ASA security appliance.

Bari has a B.S. in Electronics and has the certifications CCNA, CCDA, CCNP, CCDP, CCSA,CIW Security Analyst, CompTIA Linux+ Certified and MCSE. With his kind permission and collaboration, here are his thoughts:

* * *

I am writing this e-mail to learn your views on a new security box from Cisco. Adaptive Security Appliance (ASA) is a multi-function security appliance which integrates firewall, IPSec and SSL VPN, intrusion prevention, virus filtering and network quarantine in a single device.

I have been thinking about this development from Cisco. Surely putting all the eggs in one basket is never a good idea.

If all the functionality of security is taken care of by one single box and if that box gets compromised then it will be a serious problem. It is widely known that there is no such thing as 100% security. At some time in the near or distant future we will hear that there are security holes found in the working of ASA and they can lead to a security breach.

There will be critics who will say that since ASA comes with all the bells and whistles it will be extremely hard if not impossible to compromise its security. But what if a person with malicious intent is able to do it? And this will happen – it’s just a matter of time.

The job of the marketing guys is to show everyone a rosy picture. I am not blaming them; it’s what they get paid for. But it’s our job as techies to filter out useful stuff from what they say.

My analysis is that ASA is an excellent device for small to midsize companies to save costs, for ease of management and so on, depending upon the nature of their mission-critical work. However, for enterprise-level security, I would rather go with a layered approach with multiple defenses to protect my network.

Although I am here in Karachi I believe that effective security requirements are valid for every organization in any part of the world. What you and Bruce Schneier write in your security newsletters is equally useful for me here in Pakistan. My vision gets broadened.

* * *

Need I [MK] say more? My only comment is “Wow! I got mentioned in the same sentence as Bruce Schneier! Cool!” Well, OK, that’s not very useful for readers, so here’s a link to the Cisco page describing their ASA 5500 product.

Now take two of those and a glass of water and I’m sure you’ll be fine in the morning.