ITPRO

Printed from www.itpro.co.uk


    Cisco Systems ASA 5510

By Dave Mitchell, 16 Aug 2006


Price as reviewed: £1845 exc VAT (base price)

It may be the biggest networking company in the world but Cisco is also very keen to make a much bigger mark in the security arena.

Cisco already has a well-established product line-up, with its PIX firewall and VPN concentrator appliances having a strong following, but its latest ASA (adaptive security appliance) family moves the focus firmly onto the UTM security solution. Here we take an exclusive look at the ASA 5510, which is aimed squarely at the SMB sector.

Having already run an exclusive review of Cisco's ISR 3845 we can see a few similarities with both families offering firewall, VPN and intrusion prevention capabilities. However, the ISR products are primarily communications solutions and as we previously observed only support anti-virus scanning via Cisco's NAC software which is essentially a separate product.

For anti-spam measures you'll also need to set up an ISR with special access controls that look for POP3 and SMTP traffic and pass it on to a separate filtering server or appliance.

The ASA family targets those companies that specifically want a UTM solution that covers firewalling plus IPsec and SSL VPNs but includes optional measures such as anti-virus, anti-spam and intrusion prevention. Along with the higher-end ASA appliances, the 5510 uses the same VPN code as Cisco's VPN 3000 concentrators. The ASAs are being offered as a replacement or an alternative solution but although there is an overlap across the ranges, Cisco advised us it has no plans to bring the VPN 3000 products to end of life. The ASA appliances also amalgamate technology from Cisco's PIX firewalls and IPS 4200 intrusion prevention devices.

The 5510 comes with five switched Fast Ethernet ports of which three are licensed for use in the base configuration. Upgrades are provided to activate the remaining ports and also allow one to be dedicated to management access. The 5510 has a single expansion slot which accepts an SSM (security services module) that adds additional functions. For anti-virus and anti-spam Cisco has made a deal with Trend Micro so the module implements its InterScan security suite.

Extensive options are available with Cisco offering the 5510 and larger models in Firewall, IPS, VPN and Anti-X Editions. Within each Edition there are even more choices with the Anti-X version, for example, including the expansion module which adds anti-virus and anti-spyware. The complete solution costs around £3,800 for fifty users and includes the first year's update subscription. For a further £800 you can add anti-spam, URL blocking and anti-phishing.

The 5510 does provide the standard RJ-45 port for command line access to the IOS but, as we found with its ISR appliances, you don't need to use this at all. Pointing a web browser at its default IP address provides options to download a Java applet to run Cisco's new ASDM (adaptive security device manager) interface remotely or to install it from the appliance and run it locally. We found the ASDM utility particularly easy to use, with it providing a full status report where you can see details on system resources plus traffic throughput and a display of Syslog messages at the bottom.

Your first job is to configure the interfaces and assign a security value to each one which determines the risks they face. An external port that's open to the Internet would normally be given a value of zero to indicate that it is totally untrustworthy whilst an internal port on the LAN may be given a value of 100 to show it can be completely trusted. Next you need to set up the firewall and a quick start wizard kicks off with a set of default rules that block all unsolicited inbound traffic. Custom rules are simple enough to create as you select an interface, add source and destination networks, the service being handled and an action. Rule priority is determined strictly by position in the list and multiple rules can be saved off as complete security policies. You also get a handy flow diagram beneath the list which shows clearly what the selected rule is doing.
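Because rule priority depends only on list position, a broad rule placed early can silently override a narrower one below it. The following added example (not Cisco or ASDM code, and not from the original review) is a generic first-match model using the rule fields the review lists; the `Rule` type, function names and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    interface: str  # interface the rule is bound to
    src: str        # source network in CIDR form
    dst: str        # destination network in CIDR form
    service: str    # e.g. "tcp/25", or "any"
    action: str     # "permit" or "deny"

def first_match(rules, interface, src_ip, dst_ip, service, default="deny"):
    """Return (position, action) of the first rule that matches the packet."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    for pos, r in enumerate(rules, start=1):
        if (r.interface == interface
                and ip(src_ip) in net(r.src)
                and ip(dst_ip) in net(r.dst)
                and r.service in ("any", service)):
            return pos, r.action
    return None, default  # nothing matched: fall back to the default action

def _covers(a, b):
    """True if every packet matching rule b would also match rule a."""
    net = ipaddress.ip_network
    return (a.interface == b.interface
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and a.service in ("any", b.service))

def shadowed(rules):
    """Return (later_pos, earlier_pos) pairs where the later rule can never fire."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if _covers(earlier, later):
                found.append((j + 1, i + 1))
                break
    return found

# Constructed sample policy on a hypothetical "outside" interface.
POLICY = [
    Rule("outside", "0.0.0.0/0", "192.0.2.0/24", "any", "deny"),
    Rule("outside", "0.0.0.0/0", "192.0.2.10/32", "tcp/25", "permit"),
    Rule("outside", "198.51.100.0/24", "192.0.2.20/32", "tcp/443", "permit"),
]

if __name__ == "__main__":
    print(first_match(POLICY, "outside", "203.0.113.5", "192.0.2.10", "tcp/25"))
    print(shadowed(POLICY))
```

Moving the broad deny to the bottom of the list lets both permit rules take effect and leaves `shadowed()` with nothing to report.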
