Cisco's Firepower Next Generation Firewalls (NGFWs) provide a major performance boost over Cisco's popular ASA 5500-X firewalls and offer unified management and automation of modern security features and services such as application visibility and control (AVC), next-generation intrusion protection system (NGIPS) with intelligent prioritization of risks, advanced malware protection (AMP), URL filtering, distributed denial of service (DDoS) mitigation, and sandboxing. Progent's Cisco-certified CCIE firewall experts can help you plan and carry out an efficient migration to Firepower Series firewalls from ASA 5500-X, ASA 5500, or PIX appliances and show you how to integrate Firepower firewalls with Cisco's subscription-based security services to build and centrally manage environments that span branch offices, data centers, private clouds and public clouds. Progent can also help you manage and troubleshoot legacy Cisco firewalls so they deliver maximum business value. Progent's certified cybersecurity experts can help you with policy creation and tuning based on industry best practices in order to establish a consistent and effective security profile across all devices anywhere that access your IT ecosystem.
Cisco's Firepower NGFW Firewall Appliances
Cisco's family of Firepower NGFW firewalls include the 1000 Series, 2100 Series, 4100 Series, and 9300 Series of security appliances. This portfolio offers advanced protection and unified management at price points, performance levels, and scale suitable for environments ranging from home offices and small businesses to major enterprises and service providers. All Firepower NGFW firewalls have a single-pass architecture and support continuous analysis and retrospective detection, which makes it possible to provide outbreak controls and to pinpoint patient zero. Firepower NGFW firewalls also offer URL Filtering and subscription-free sandboxing for detecting evasive and sandbox-aware malware, actionable event correlations, behavioral indicators of compromise (IoCs), and malware artifacts. NGIPS rule tuning and network firewall policy are automated, requiring no manual intervention. All Firepower NGFW firewalls give you the option of running either Cisco Firepower Threat Defense (FTD) or Cisco Adaptive Security Appliance (ASA) software. Centralized configuration, logging, monitoring, and reporting functions can be controlled either by Cisco's Management Center or in the cloud with Cisco Defense Orchestrator.
Cisco Firepower 1000 Series Firewalls
Firepower 1000 Series Firewalls are intended for small businesses, home offices, or branch offices. Firewalls in this series offer better price/performance than comparable Cisco ASA 5506-X to ASA 5525-X firewalls, delivering 4-6X higher firewall throughput. Local management can be performed with Cisco Firepower Device Manager. These appliances include an integrated 10M/100M/1GBASE-T RJ-45 Ethernet port for network management, an RJ-45 console port, a USB 3.0 Type-A port, and 200 GB of storage. Active/active and Active/standby high availability is supported along with VPN load balancing.
Cisco's Firepower 1010 firewall is a desktop, fanless device that offers 890 Mbps throughput for Firewall (FW), Application Visibility/Control (AVC), and Next Generation Intrusion Prevention System (NGIPS). The appliance comes with 8 RJ45 integrated I/O ports, two of them POE+ capable. IPsec VPN throughput is 500 Mbps and the appliance supports 100K simultaneous sessions, 6,000 new connections per second, and a maximum of 75 VPN peers. The Firepower 1120 firewall is a 1RU rack device that delivers firewall throughput of 2.3 Gbps. The appliance comes with 8 integrated RJ45 I/O ports and four SFP interface ports. IPsec VPN throughput is 1.2 Gbps and the firewall supports 200K concurrent sessions, 15,000 new connections per second with AVC, and a maximum of 150 VPN peers.
The Firepower 1140 firewall is a 1RU rack appliance with firewall throughput of 3.3 Gbps. The firewall comes with 8 RJ45 I/O ports and four SFP interface ports. IPsec VPN throughput is 1.4 Gbps and the firewall supports 400K concurrent sessions, 22,000 new connections per second with AVC, and a maximum of 400 VPN peers. The Firepower 1150 firewall is a 1RU rack device that delivers firewall throughput of 5.3 Gbps. The appliance includes with 8 integrated RJ45 I/O ports, two SFP ports, and two 10G SFP+ ports. IPsec VPN throughput is 2.4 Gbps and the unit can handle 600K concurrent sessions, 28,000 new connections per second, and up to 800 VPN peers.
Cisco Firepower 2100 Series Firewalls
Cisco's Firepower 2100 Series Firewalls are 1RU rack units intended for deployment at the Internet edge or the data center. These firewalls have a dual multicore CPU architecture that allows them to deliver 3-6X faster performance than the Cisco ASA 5545-X to ASA 5555-X firewalls they are designed to replace. Local management can be performed with Cisco Firepower Device Manager. All Firepower 2100 Series Firewalls include 12 RJ45 and four SFP interfaces. These firewalls include one integrated 10M/100M/1GBASE-T RJ-45 Ethernet port for network management, an RJ-45 console port, and one USB 2.0 Type-A interface. Active/standby high availability is supported along with VPN load balancing.
Cisco's Firepower 2110 firewall includes four integrated 1 Gigabit SFP Ethernet interfaces and 100 GB of storage. The 2110 delivers 2.6 Gbps firewall throughput and 800 Mbps IPsec VPN throughput and allows 1 million concurrent sessions, 18,000 new connections per second, and up to 1,500 VPN peers. Cisco's Firepower 2120 firewall has 12 integrated 10M/100M/1GBASE-T Ethernet RJ-45 interfaces, four integrated 1G SFP Ethernet interfaces, and 100 GB of storage. The 2120 delivers 3.4 Gbps firewall throughput and 1 Gbps IPsec VPN throughput and allows 1.5 million concurrent sessions, 28,000 new connections per second and up to 3,500 VPN peers.
Cisco's Firepower 2130 firewall includes four integrated 10 Gigabit SFP+ interfaces and 200 GB of storage. The unit also accepts a network module with 8 additional interfaces. The 2130 offers 5.4 Gbps firewall throughput and 1.9 Gbps IPsec VPN throughput and allows 2 million concurrent sessions, 30,000 new connections per second, and up to 7,500 VPN peers. Cisco's high-end Firepower 2140 firewall includes four integrated 10 Gigabit SFP+ interfaces and 200 GB of storage. The unit also accepts a network module with 8 additional interfaces for a maximum of 24 Ethernet ports. The 2140 delivers 10.4 Gbps firewall throughput and 3.6 1Gbps IPsec VPN throughput and allows 3 million concurrent sessions, 57,000 new connections per second, and up to 10,000 VPN peers. Both the 2130 and 2140 model firewalls have the option of dual AC or DC power supplies.
Cisco Secure Firewall 3100 Series
Cisco's Secure Firewall 3100 Series are 1RU modular appliances intended for enterprises who need performance, high port density, and zero-trust security at the Internet edge, the data center, or a private cloud. For high availability, all Secure Firewall 3100 Series models support 8-chassis clustering and operate in Active/active or Active/standby mode. The appliances can run Cisco's ASA or Firewall Threat Defense (FTD) software. Integrated I/O for each model includes eight 10M/100M/1GBASE-T Ethernet ports (RJ-45) and eight 1/10 Gigabit (SFP) Ethernet interfaces. Available network modules support 1/10/25/40G options and all models come with 900 GB of storage plus a spare storage expansion slot.
Cisco's Secure Firewall 3110 device delivers 18 Gbps firewall throughput and 8 Gbps IPsec VPN throughput. The 3110 allows 2 million concurrent sessions, 64K new connections per second, and up to 3,000 VPN peers. Cisco's Secure Firewall 3120 model provides 22 Gbps firewall throughput and up to 10 Gbps IPsec VPN performance. The 3120 allows 4 million concurrent sessions, 98K new connections per second, and as many as 7,000 VPN peers. Cisco's Secure Firewall 3130 unit supports 42 Gbps firewall performance and 14 Gbps IPsec VPN throughput. The 3130 allows 6 million concurrent sessions, 200K new connections per second, and 15,000 VPN peers. Cisco's Secure Firewall 3140 firewall supports 49 Gbps firewall traffic and 17 Gbps IPsec VPN throughput. The 3140 firewall can handle 10 million concurrent sessions, 200K new connections per second, and 20,000 VPN peers.
Cisco Firepower 4100 Series Firewalls
Cisco's Firepower 4100 Series Firewalls are 1RU rack appliances intended for deployment at the Internet edge or high-performance data centers. These firewalls deliver 5-10X faster throughput than the Cisco ASA 5585-X firewall they are designed to replace. Local management can be performed with Cisco Firepower Device Manager. All Firepower 4100 Series Firewalls include 8 integrated SFP+ interfaces and all accept a selection of add-in network modules for a maximum of 24 interfaces. All Firepower 4100 Series Firewalls support VPN load balancing, Active/standby high availability, and clustering of up to 6 chassis. These firewalls include an integrated 1 Gigabit Ethernet port for network management, an RJ-45 console port, and one USB 2.0 interface.
Cisco's Firepower 4110 firewall includes 200 GB of storage and delivers 13 Gbps firewall throughput and 6 Gbps IPsec VPN throughput. The 4110 allows 10 million concurrent sessions, 64K new connections per second, and up to 10,000 VPN peers. Cisco's Firepower 4112 firewall includes 400 GB of storage and delivers 19 Gbps firewall throughput and 8.5 Gbps IPsec VPN throughput. The 4112 allows 10 million concurrent sessions, 98K new connections per second, and up to 10,000 VPN peers. Cisco's newer Firepower 4115 firewall has 400 GB of storage and delivers 27 Gbps firewall throughput and 8 Gbps IPsec VPN throughput. The 4115 allows 15 million concurrent sessions, 200K new connections per second, and up to 15,000 VPN peers. Cisco's Firepower 4120 firewall includes 200 GB of storage and delivers 22 Gbps firewall throughput and 19 Gbps IPsec VPN throughput. The 4120 allows 15 million concurrent sessions, 118K new connections per second, and up to 15,000 VPN peers. Cisco's newer Firepower 4125 firewall has 800 GB of storage and delivers 40 Gbps firewall throughput and 14 Gbps IPsec VPN throughput. The 4125 allows 25 million concurrent sessions, 265K new connections per second, and up to 20,000 VPN peers.
Cisco's Firepower 4140 firewall includes 400 GB of storage and delivers 32 Gbps firewall throughput and 13 Gbps IPsec VPN throughput. The 4140 allows 25 million concurrent sessions, 172K new connections per second, and up to 20,000 VPN peers. Cisco's newer Firepower 4145 firewall has 800 GB of storage and delivers 53 Gbps firewall throughput and 18 Gbps IPsec VPN throughput. The 4145 allows 30 million concurrent sessions, 350K new connections per second, and up to 20,000 VPN peers. Cisco's Firepower 4150 firewall includes 400 GB of storage and delivers 45 Gbps firewall throughput and 14 Gbps IPsec VPN throughput. The 4150 allows 30 million concurrent sessions, 263K new connections per second, and up to 20,000 VPN peers.
Cisco Secure Firewall 4200 Series
Cisco's Secure 4200 Series Firewalls are modular, single rack units designed for deployment at large enterprise campuses and data centers that require best-in-class performance, visibility, and scalability. Secure 4200 Series Firewalls deliver over twice the throughput of previous generation firewalls and offer high port density. Up to 8 chassis can be clustered for high availability and future expansion. Crypto accelerator allows traffic decryption in real time, and zero trust application access (ZTAA) permits complete threat inspection for applications. 4200 Series appliances can be managed by the Firewall Management Center or in the cloud with Cisco Defense Orchestrator. Each 4200 model comes with 8x 1/10/25 Gigabit Ethernet ports (SFP28) on-chassis interfaces and features two interface module bays for easy expansion. Up to 24 total Ethernet interfaces are supported. Each firewall unit includes 1.8 TB x 2 storage.
Cisco's Secure Firewall 4215 model is intended for large enterprise campuses with strong growth potential. The device delivers 90 Gbps firewall throughput and 50 Gbps IPsec VPN throughput. The 4215 allows 15 million concurrent firewall connections, 1.4 M new connections per second, and up to 20,000 VPN peers. Cisco's Secure Firewall 4225 model is designed for enterprise data centers. The appliance delivers 95 Gbps firewall throughput and 60 Gbps IPsec VPN throughput. The 4225 allows 30 million concurrent firewall connections, 1.7 M new connections per second, and up to 25,000 VPN peers. Cisco's Secure Firewall 4245 model is built for service providers who support a high volume of traffic. The 4245 delivers 180 Gbps firewall throughput and 70 Gbps IPsec VPN throughput. The 4245 allows 60 million concurrent firewall connections, 2.0 M new connections per second, and up to 30,000 VPN peers.
Cisco Firepower 9300 Series Firewalls
Cisco's Firepower 9300 Series Firewalls are highly scalable and ultra-high performing carrier-grade security appliances. The 3 Rack Units (3RU) form factor of Firepower 9300 Series firewalls accepts two add-in network modules and three security modules. Fully loaded, the Firepower 9300 can support 24 10-Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network interfaces or eight 100 Gigabit Ethernet interfaces. Intrachassis clustering of up to 5 chassis allows up to 1.2 Tbps of firewall throughput. The high-end Cisco Firepower 9300 SM-56 delivers 70 Gbps firewall throughput and 27 Gbps IPsec VPN throughput. The unit allows 35 million concurrent sessions, 490K new connections per second, and up to 20,000 VPN peers.
Legacy Firewalls from Cisco
Cisco's earlier-generation ASA 5500-X, ASA 5500, and PIX 500 firewalls provide integrated firewall, VPN, and intrusion prevention system (IPS) services in compact single-box packages, delivering a broad range of capabilities to meet the security needs of organizations ranging from small and mid-size businesses to enterprises and Internet service providers. Cisco's ASA and PIX firewalls allow IT groups to protect their network perimeter and provide secure remote access while utilizing powerful management tools based on Cisco's industry-leading firewall technology.
Cisco's PIX and ASA 5500 firewalls have reached end-of-life (EOL) status but remain widely used by small and mid-size businesses as well as by many enterprise data centers. The ASA 5500-X Series Next-Generation Firewalls deliver significantly more bang for the buck and have superseded the ASA 5500 and PIX firewalls for new deployments. The ASA 5500-X Series has in turn been replaced by Cisco's Next-Generation Firepower Firewalls. Still, Cisco's legacy firewalls, if properly managed, continue to deliver a high level of protection by supplying multiple security functions including firewall, VPN, and IPS.
Following Cisco's purchase of Sourcefire, the entire family of Cisco ASA 5500-X firewalls can be provisioned to support Firepower Services, built on Sourcefire's Snort technology, which is the world's most deployed network intrusion protection system. Firepower services bring enhanced features including advanced malware protection (AMP), URL filtering, dynamic threat analytics, and security automation.
Progent's Cisco certified network engineers can help you maintain and debug legacy PIX and ASA 5500 series firewalls and can also help you plan and implement a smooth migration to ASA 5500-X firewalls with Firepower Services. Progent can also help you plan, deploy, tune, manage and troubleshoot firewall solutions based on Cisco ASA 5500-X firewalls with Firepower Services.
Firepower Services for Cisco ASA 5500-X Firewalls and Firepower NGFW Firewalls
Cisco ASA 5500-X firewalls and Firepower NGFW Firewalls accept software or hardware modules that support Cisco's Firepower Services, which offer multi-layer defense against sophisticated threats. Firepower Services are based on technology acquired by Cisco from Sourcefire. Key features of Firepower Services include:
- Layered defense against both familiar and zero-day threats
- Advanced Malware Protection (AMP) that utilizes big data to discover and mitigate security breaches
- Cisco's Next-Generation Intrusion Prevention System (NGIPS) that provides contextual analysis that covers clients, network infrastructure, apps, and content to detect attacks that incorporate multiple vectors
- Fine-grained Application Visibility and Control, or AVC, that is aware of thousands of applications and can automatically launch both standard and custom IPS policies based on the severity of risk
Firepower Services for Cisco ASA 5500-X and NGFW firewalls offer advanced multi-layered security
Simpler deployments of ASA 5500-X and NGFW firewalls can be efficiently managed via Cisco's on-box Adaptive Security Device Manager (ASDM), which is provided with all ASA 5500-X models. ASDM includes an easy-to-use web console that provides a convenient mechanism for deploying, managing, and debugging ASA 5500-X and NGFW devices and service modules.
For multi-device and multi-site deployments, ASA 5500-X firewalls with Firepower Services and NGFW firewalls can be managed with Firepower Management Center, available as one or more physical or virtual devices. Firepower Management Center provides centralized firewall management, visibility and control over applications, advanced IPS, URL filtering, and AMP. Due to frequent rebranding since Cisco's acquisition of Sourcefire Defense Center, Firepower Management Center has been delivered under various names including Defense Center, FireSIGHT Defense Center, and FireSIGHT Management Center.
Firepower Management Center provides features unavailable with the ASDM on-device manager. These include context awareness capabilities such as file trajectory, advanced malware protection (AMP) with mitigation for user devices, a console that offers real-time network visualization, automated policy tuning based on impact assessment of threats, comprehensive IPS, custom application detectors for AVC, customized health notifications, enhanced reporting features, and application interfaces for host input and database access. Hardware-dependent features like clustering, stacking, switching, routing, VPN, and NAT must be managed via Cisco's ASA 5500-X on-box ASDM and the ASA command line interface.
Cisco's ASA 5500-X Product Family
Cisco's extensive family of ASA 5500-X series firewalls includes an enhanced replacement for each rack-mountable model in the older ASA 5500 family of firewalls. Each ASA 5500-X device targets the same environment as the corresponding earlier models, which gives small offices and branch offices, midsize businesses, and large enterprises plenty of options in choosing a firewall that fits their performance requirements and budgets. All ASA 5500-X products build on Cisco's proven and widely deployed stateful-inspection firewall technology and all incorporate 64-bit hardware with multicore CPUs and are capable of running Cisco's advanced security services. All models in Cisco's ASA 5500-X family provide consistent security across any mix of physical, virtual, and cloud environments.
Cisco ASA 5506-X and ASA 5508-X Firewalls
Cisco's ASA 5506-X firewall is a value-priced desktop device for entry-level firewall applications. Cisco offers a Wi-Fi enabled model as well as a hardened version for rugged environments. The ASA 5506-X offers 300 Mbps of multiprotocol firewall throughput, 100 Mbps 3DEAS/AES VPN throughput, and 250 Mbps Application Visibility and Control (AVC) performance. The ASA 5506-X can handle 10 IPsec VPN peers (or 50 with a Cisco Security Plus license), 20,000 simultaneous sessions (or 50,000 with Security Plus), 5,000 new connections per second, and 5 VLANs (or 30 VLANs with Security Plus). The appliance comes with eight integrated 1 GE ports and does not have an expansion I/O slot.
Cisco's ASA 5508-X firewall is a value-priced 1RU firewall designed for smaller deployments. The ASA 5508-X supports up to 500 Mbps of multiprotocol throughput, 100 IPsec VPN peers, 175 Mbps 3DEAS/AES VPN performance, and AVC throughput of 450 Mbps. The ASA 5508-X can handle 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs. The firewall includes eight integrated 1 GE ports and no slot for I/O expansion.
Cisco ASA 5512-X, ASA 5515-X and ASA 5516-X Firewalls
Cisco's ASA 5512-X firewall is designed for small offices or branch offices and is packaged in a 1RU rack-mountable form factor. The ASA 5512-X delivers multiprotocol firewall throughput of 500 Mbps, 3DEAS/AES VPN throughput of up to 200 Mbps, and Application Visibility and Control (AVC) throughput of 300 Mbps. The ASA 5512-X supports 250 IPsec site-to-site VPN peers, 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs (or 100 VLANs with Cisco's Security Plus license). The device has six integrated 10/100/1000 Ethernet ports and has one expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5515-X firewall is a high-performance 1RU firewall for small offices and branch offices. The ASA 5515-X supports 600 Mbps of firewall throughput, 250 Mbps 3DEAS/AES VPN throughput, and AVC throughput of 500 Mbps. In addition, the ASA 5515-X can handle 250 IPsec VPN peers, 250,000 concurrent sessions, 15,000 new connections per second, and up to 100 VLANs. The firewall includes six integrated 10/100/1000 Ethernet ports or six SFP GE ports and has a single expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5516-X firewall is a 1RU device designed for deployments in small or mid-size organizations. The unit offers up to 900 Mbps of firewall throughput, 250 Mbps of 3DEAS/AES VPN throughput, and AVC performance of 850 Mbps. The ASA 5516-X supports 300 IPsec VPN peers, 250,000 simultaneous sessions, 20,000 new connections per second, and up to 100 VLANs. The ASA 5516-X incorporates eight built-in 1 GE ports and has no I/O expansion slot.
Cisco ASA 5525-X, ASA 5545-X and ASA 5555-X Firewalls
Cisco's ASA 5525-X firewall replaces the discontinued ASA 5520 firewall and offers midsize businesses next-generation security at the Internet Edge. The 1RU appliance offers 1 Gbps of multiprotocol firewall throughput, 300 Mbps 3DES/AES VPN throughput, and Application Visibility and Control throughput of 1.1 Gbps. The ASA 5525-X can handle 300 VPN IPsec peers, up to 500,000 concurrent sessions, 20,000 new connections per second, and as many as 200 VLANs. The device includes eight integrated 10/100/1000 ports and has an expansion slot that can support either six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5545-X firewall is designed as an upgrade for the legacy ASA 5540 security appliance and delivers mid-range performance for edge security. The 1RU ASA 5545-X provides 1.5 Gbps firewall throughput, 400 Mbps 3DES/AES VPN performance, and 1.5 Gbps AVC performance. The ASA 5545-X can support 400 site-to-site VPN IPsec peers, 750,000 concurrent sessions, 30,000 new connections per second, and 300 VLANs. The ASA 5545-X has eight built-in 10/100/1000 Ethernet ports and includes an expansion slot for six additional 10/100/1000 ports or for six SFP GE ports.
The Cisco ASA 5555-X firewall is designed as an upgrade for Cisco's earlier ASA 5550, now at end-of-life, and provides midsize organizations with high throughput and advanced security at the Internet edge. The ASA 5555-X delivers 2 Gbps of firewall performance, 700 Mbps 3DES/AES VPN performance, and AVC throughput of 1.75 Gbps. The ASA 5555-X handles up to 700 VPN IPsec peers, 1,000,000 simultaneous sessions, 50,000 new connections per second, and up to 500 VLANs. Eight 10/100/1000 ports are integrated with the ASA 5555-X and an expansion slot allows you to add six 10/100/1000 ports or six SFP GE ports.
Cisco ASA 5585-X Firewalls
The top of the line of Cisco's ASA 5500-X firewall family is the ASA 5585-X, which is the only version with a 2RU dual-slot chassis. Intended as an upgrade for the discontinued ASA 5580 firewall, the ASA 5585-X is designed for enterprise data centers, ISPs, and other environments that need to deliver high performance and handle high traffic density.
The lower slot of the Cisco ASA 5585-X chassis is for the firewall/VPN Security Services Processor (SSP), and the upper slot is for the IPS SSP. Cisco offers four different SSPs and four IPS SSPs. Based on the SSP selected, the ASA 5585-X's multi-protocol firewall performance can be from 2 to 20 Gbps, 3DES/AES VPN throughput from 2 to 10 Gbps, and Application Visibility and Control from 4.5 Gbps to 15 Gbps. The ASA 5585-X can manage 5,000 to 10,000 VPN IPsec site-to-site peers, 500,000 to 4,000,000 simultaneous sessions, 40,000 to 160,000 new connections per second, and 1024 VLANs. Integrated I/O can be configured to support eight 10/100/1000 ports and 2x10 GE SFP+ ports or six 10/100/1000 ports and four 10 GE SFP+ ports. Expansion I/O options include eight 10 GE SFP/SFP+ ports, four 10 GE SFP/SFP+ ports, or twelve 1 GE SFP ports plus eight 10/100/1000 ports.
For more information about Progent's support for Cisco ASA 5500-X firewalls, Firepower Services, and Firepower Management Center, visit Cisco ASA 5500-X firewalls with Firepower Services consulting.
Cisco ASA 5500 Series Firewalls
Cisco's ASA 5500 Series multi-function firewalls improve on the discontinued PIX 500 family they are designed to replace by introducing a modular hardware and software architecture for easy expansion and investment protection, offering optional Secure Sockets Layer (SSL) VPN support in addition to the standard IPsec VPN included with all models, and delivering substantially higher performance. Unlike the ASA 5500-X line of firewalls that replace them, ASA 5500 firewalls cannot be upgraded to support Cisco's Firepower Services.
The expandable design of the ASA 5500 Series allows you to add services by installing security service modules (SSMs) and security service cards (SSCs). These user-installable enhancements give you the option of adding IPS and content protection services such as blocking viruses, spyware, and phishing attacks and performing file and URL filtering. In addition to allowing you to respond quickly to new threat environments, the expandable design of the ASA 5500 Series also protects your capital investment by increasing the useful life of your security appliances. The ASA 5500 Series also protects your investment in IT staff training by supporting the rich set of PIX 500 management tools and protocols including the Cisco Adaptive Security Device Manager (ASDM) system for web-based management, secure command-line interface (CLI) access, verbose syslog, and SNMP.
Cisco ASA 5500 firewalls provide enhanced application protection via application-aware inspection processes that analyze network flows at Layers 4-7 and covers web, voice, and mobile wireless connectivity. Cisco's inspection engines integrate extensive application and protocol databases and employ advanced security enforcement technologies such as anomaly detection and application and protocol state monitoring. Cisco ASA firewall inspection engines also let you control IM and peer-to-peer file sharing so you can police usage policies and free up bandwidth for key business applications.
Cisco ASA 5505 Firewalls
Cisco's ASA 5505 firewall is designed for small businesses, branch offices, and enterprise teleworkers. These devices offer maximum firewall throughput of 150 Mbps and can handle up to 25 SSL VPN sessions plus 10,000 connections in the Base version and up to 25,000 connections in the Security Plus version. The ASA 5505 includes 256 MB of memory and can support up to three VLANs with trunking disabled. GTP/GPRS inspection, VPN clustering, and load balancing are not available in this entry-level firewall. High availability support is an option with the Security Plus version.
The ASA 5505 has a single expansion slot for a Security Services Card (SSC) that supports Advanced Inspection and Prevention. Maximum IPS throughput with this card installed is 75 Mbps.
Cisco ASA 5510, 5520, and 5540 Firewalls
Cisco's ASA 5510 firewall is designed for small and mid-sized businesses and small enterprises. The ASA 5510 offers maximum firewall throughput of 300 Mbps and can handle up to 250 SSL VPN sessions. In the Base version, the ASA 5510 supports 50,000 connections in the Base version and up to 130,000 connections in the Security Plus version. The ASA 5510 includes 256 MB of memory and can support up to 50 VLANs in the base version and 100 VLANs with the Security Plus version. Load balancing, VPN clustering, and high availability support are available only in the Security Plus version.
Cisco's ASA 5520 security appliance is designed for small enterprises. The 5510 offers maximum firewall throughput of 450 Mbps and can handle up to 750 SSL VPN sessions and 280,000 connections. The ASA 5520 includes 512 MB of memory and can support up to 150 VLANs. GTP/GPRS inspection, VPN clustering, plus support for load balancing and high availability are included.
Cisco's ASA 5540 is made for medium-sized enterprises, offers maximum firewall throughput of 650 Mbps, and can handle up to 2,500 SSL VPN sessions along with 400,000 connections. The ASA 5540 includes 1 GB of memory and can support up to 200 VLANs. GTP/GPRS inspection, VPN clustering, load balancing, and high availability support are included.
Cisco ASA 5510, 5520, and 5540 firewalls can each accept a single Security Services Module (SSM) that can support Content Security and Control Security, Advanced Inspection and Prevention (AIP), or 4 Gigabit Ethernet security. Maximum IPS throughput, depending on the AIP Security Services Module used, can be up to 300 Mbps on the ASA 5510, 450 Mbps on the ASA 5520, and 650 Mbps on the ASA 5540.
Cisco ASA 5550 Firewalls
Cisco's ASA 5550 firewall is designed for large enterprises and delivers top firewall throughput of 1,200 Mbps. The ASA 5550 can handle up to 5,000 SSL VPN sessions and 650,000 connections. The Cisco ASA 5550 includes 4 GB of memory and supports up to 250 VLANs. GTP/GPRS inspection, VPN clustering, load balancing, and high availability support are included.
The ASA 5550 does not have expansion slots but has four integrated small form pluggable (SFP) fiber optic Ethernet ports.
Cisco ASA 5580 Firewalls
Cisco's ASA 5580-20 and 5580-40 firewalls are designed for large enterprise data centers. The ASA 5580-20 has firewall throughput of 5 Gbps, supports 1,000,000 connections, and has 8 GB of memory. The ASA 5580-40 has firewall throughput of 10 Gbps, supports 2,000,000 connections, and has 12 GB of memory. Both versions can handle up to 10,000 SSL VPN sessions and support up to 250 VLANs. Both models include GTP/GPRS inspection, VPN clustering, load balancing, and high availability support, and both have six slots for Interface Expansion Cards (IECs) that allow the addition of Ethernet ports.
To find out how Progent can help you maintain or upgrade your Cisco ASA 5500 firewalls, see Cisco ASA 5500 firewall consulting services.
Cisco PIX Security Appliance Series
Cisco's older generation PIX 500 Series firewalls established the standard for dedicated firewall appliances and were the mostly widely deployed firewall devices in the industry. The PIX 500 series has a purpose-built operating system that offers a wealth of security services, PIX firewalls offer a high level of protection and have earned Common Criteria Evaluation Assurance Level 4 status and ICSA Firewall and IPsec certification. PIX firewalls provide security for a wide range of VoIP and other mixed-media protocols including H.323 v. 4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol, Real-Time Streaming Protocol (RTSP), and MGCP. This enables businesses to provide security for a wide range of current and future IP voice and video applications. Because PIX firewalls are no longer sold and may not be supported by Cisco, IT managers should be thinking seriously about upgrading to the corresponding ASA 5500-X firewall. Progent can help with developing and implementing an upgrade strategy and can also provide affordable online support to help companies manage and maintain legacy PIX firewalls.
PIX firewalls feature a variety of configuration, monitoring, and troubleshooting features, providing businesses the versatility to use the tools that best meet their needs. Management solutions include common, policy-based administration utilities, integrated Web-based administration, and compatibility with remote-monitoring protocols such as SNMP and syslog. The integrated ASDM interface provides a world-class web-accessible management solution that greatly simplifies the deployment, updating, and monitoring of individual PIX firewalls without requiring any extra software other than an ordinary browser and Java applet to be running on a manager's computer.
IT managers can also remotely configure, track, and troubleshoot PIX firewalls using a command-line interface. Secure command-line interface communication is available using a number of methods such as SSHv2 Protocol, Telnet through IP Security (IPsec), and out-of-band via a console port. Cisco PIX security appliances also have robust automatic-update capabilities, a collection of advanced secure remote-management services that ensure firewall settings and software images can be kept current.
For a description of Progent's technical support and migration services for Cisco PIX 500 firewalls, see Cisco PIX 500 firewall migration and support services.
Progent's Migration Support for Cisco Firewalls
Because Cisco has stopped offering the ASA 5500 and PIX product lines, many businesses are concerned about relying on a critical infrastructure component that may no longer be supported. ASA 5500-X and Firepower NGFW firewalls have the advantage of being current products and also offer a number of technical and economic benefits in comparison to older ASA 5500 and PIX devices. These benefits include higher throughput, connection capacity and connection speed plus the ability to run Cisco's Firepower security services. Progent's Cisco experts can help you determine the business case for migrating from PIX or ASA 5500 firewalls to ASA 5500-X or Firepower NGFW devices, create a migration plan that allows for a fast and seamless upgrade, help you deploy and configure modern firewalls, and provide remote training, consulting, and troubleshooting services.
How Progent Can Support Your Cisco Firewalls
Cisco Firepower NGFW Series, ASA 5500-X with Firepower Services, ASA 5500, and PIX 500 family firewalls incorporate a broad array of configuration, management, and expansion options that offer you the ability to set up these security appliances to match your company's specific requirements. Progent's CCIE authorized network engineers can help you to design and manage an efficient network infrastructure that includes Cisco firewalls and offers world-class security, availability, throughput, and manageability. Progent's GISA and CISSP-ISSP-qualified information security professionals can help you to create a security policy appropriate for your environment and can configure your security appliance to support your security policies. Progent's security evaluation consultants can assess the strength of your current firewall solution and validate the overall security of your entire IT environment. Progent's Technical Response Center can provide emergency online technical support for Cisco products and can give you quick access to a Cisco CCIE network engineer.
Progent offers a range of additional consulting services to help businesses of any size create a complete, company-wide security solution. Progent's project management services can help you define and implement an efficient plan to migrate from legacy Cisco appliances to the latest generation of devices. Progent's vulnerability testing and mitigation services for network devices and applications can help you validate the security and compliance of your IT environment. Progent's certified information security engineers can help you develop and test a comprehensive security strategy that addresses the complex data theft and privacy issues associated with cloud computing. Progent can help you use Cisco's AnyConnect to provide secure VPN connections for a broad range of platforms such as Windows, Mac, Linux, iOS, and Android. Progent's BYOD consulting experts can help you manage smartphones and tablets by offering services that include iPhone and iPad integration and Android phone and tablet consulting. Progent's ProSight WAN Watch 24x7 remote network monitoring and reporting services provide round-the-clock protection for your information system. Progent's disaster recovery planning consultants can help you create and validate a DR/BC plan that is based on industry best practices. Progent's QTS Data Center Test Lab is available to prototype new firewall solutions and verify that they provide the performance and security your business requires.
For more details concerning Progent's consulting services for Cisco technology, select a topic:
Contact Progent for Cisco Firewall Solutions
To ask Progent about consulting help with Cisco Firepower NGFW, ASA 5500-X, ASA 5500, or PIX firewalls, call 1-800-993-9400 or visit Contact Progent.