What is our primary use case?
The first time I deployed Cisco ASA was for one of our clients. This client had a Palo Alto firewall and he wanted to migrate. He bought an ASA 2505, and he wanted us to come in and deploy it and, after that, to put in high-availability. We deployed it and the high-availability means that in case one fails, there is a second one to take over.
I have deployed Cisco ISE and, in the same environment, we had a Cisco FTD. In that environment, we were using the ASA for VPN, and we were using the FTD like an edge device. The ASA was deployed as VPN facilitator and for the wireless part too, so that the wireless network was under the ASA firewall.
What is most valuable?
If we look at the Cisco ASA without Firepower, then one of the most valuable features is the URL filtering.
Also, it's easy to integrate ASA with other Cisco security products. When you understand the technology, it's not a big deal. It's very simple.
When it comes to threat visibility, the ASA is good. The ASA denies threats by using common ACLs. It can detect some DoS attacks and we can monitor suspicious ICMP packets using the ASA. It helps you know when an attack is detected.
Cisco Talos is good. It provides threat intelligence. It updates all the devices to be aware of the new threats and the new attacks out there, so that is a good thing. It's like having God update all the devices. For example, even if you have FTD in your company, malware can be very difficult to detect. There is a new type of malware called polymorphic malware. When it replicates, it changes its signature which makes it very difficult for a firewall to detect. So if your company encounters one type of malware, once, it is automatically updated in your environment. And when it is updated, Talos then updates every firewall in the world, so even if those other firewalls have not yet encountered those particular types of malware, because Talos automatically updates everything, they're able to block those types of malware as well. Talos is very beneficial.
When it comes to managing, with FMD (Firepower Management Device) you can only manage one device, but when you work with FMC (Firepower Management Center) you can manage a lot of sensors, meaning FTDs. You can have a lot of FTDs but you only have one management center and it can manage all those sensors in your company. It is very good.
What needs improvement?
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't think that the ASA is enough. I think this is why they created FTD.
Also, Cisco is not so easy to configure.
For how long have I used the solution?
I have been using and deploying Cisco ASA for two to three years.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
It's scalable. You can integrate AD, you can integrate Cisco NAC. You can integrate quite a lot of things so that makes it scalable.
How was the initial setup?
When you configure the ASA, there is already a basic setup there. Based on your environment, you need to customize it. If you understand security and firewalls very well, you can create your own setup.
For me, the initial setup is easy, but is it good? Because from a security perspective, you always need to customize the initial setup and come up with the setup that fits with your environment. So it's always easy to do the initial setup, but the initial setup is for kids in IT.
The time it takes to set up the ASA depends on your environment. For a smaller deployment, you just have the one interface to configure and to put some policies in place and that's all. If you are deploying the ASA for something like a bank, there are a lot of policies and there is a lot of testing to do, so that can take you all night. So the setup time really depends on your environment and on the size of the company as well.
What's my experience with pricing, setup cost, and licensing?
When it comes to Cisco, the price of everything is higher.
Cisco firewalls are expensive, but we get support from Cisco, and that support is very active. When I hit an issue when I was configuring an FTD, as soon as I raised a ticket the guy called me and supported me. Cisco is very proactive.
I had the same kind of issue when I was configuring a FortiGate, but those guys took two or three days to call me. I fixed the issue before they even called me.
Which other solutions did I evaluate?
I have used firewalls from Fortinet, Palo Alto, and Check Point. To configure an ASA for VPN, there are a lot of steps. When it comes to the FortiGate, it's just a few clicks. FortiGate also has built-in templates for configuring VPN. When you want to create a VPN between FortiGate and FortiGate, the template is already there. All you need to do is enter an IP address. When you want to configure a VPN with a third-party using the FortiGate, and say the third-party is Cisco, there is a VPN template for Cisco built into the FortiGate. So FortiGate is very easy to configure, compared to Cisco. But the Cisco firewall is powerful.
Check Point is something like Cisco but if I have to choose between Cisco and Check Point firewalls, I will choose Cisco because of all the features that Cisco has. With Cisco you can do a lot of things, when it comes to advanced malware protection and IPS. Check Point is very complicated to manage. They have recently come out with Infinity where there is a central point of management.
Palo Alto has a lot of functionality but I haven't worked on the newer models.
What other advice do I have?
Cisco firewalls are not for kids. They are for people who understand security. Now I know why people with Cisco training are very good, because they train you to be competent. They train you to have ability. And when you have ability, their firewall becomes very easy to configure.
When Cisco is teaching you, Cisco teaches you the concept. Cisco gives you a concept. They don't focus on how to configure the device. With Fortinet, for instance, Fortinet teaches you how to configure their device, without giving you the concepts. Cisco gives you the concepts about how the technology is working. And then they tell you how you are going to configure things on their box. When you are an engineer and you understand the technology from Cisco, it means that you can drive everything, because if you understand Cisco very well, you can work with FortiGate. If you understand security from Cisco, it means that you can configure everything, you can configure every firewall. This is why I like Cisco.
When it comes to other vendors, it's easy to understand and it's easy to configure, but you can configure without understanding. And when you configure without understanding, you can't troubleshoot. To troubleshoot, you need understanding.
I'm a security analyst, so I deal with everything about firewalls. I'm talking about ASA firewalls, and I'm talking about ASA with Firepower, FTD, and Cisco Meraki MX. When it comes to security tools I am comfortable with Cisco and everything Cisco.
One of our clients was using Cisco ASA. They got attacked, but I don't think that this attack came from outside their company. They were managing their firewall and configuring everything well, but they were still getting attacks. One of their employees had been compromised and his laptop was infected. This laptop infected everything in the organization. So the weakest link can be your employees.
Which deployment model are you using for this solution?