
ISR’s IOS firewall vs ASA

Posted: September 23, 2010 in Network Security

In the IT industry, some of the most common debates among technology professionals are Mac vs PC, Linux vs everything, Nvidia vs ATI, Intel vs AMD, and the ASA firewall vs the IOS firewall.

Other than money, the decision for the most part depends on the engineer's philosophy. Some prefer to have a single device do their routing and their security, while others prefer dedicated security devices. That reasoning, however, does not really determine what the "best" solution for your network is.

Since IOS 12.4(6)T, IOS routers support the Zone-Based Policy Firewall (ZBF), as opposed to the earlier CBAC, which worked by applying a deny-all ACL in the return direction and punching temporary holes in it based on inspection rules. With ZBF, the features offered by the IOS firewall are comparable to those offered by the ASA. One difference is the starting posture: an IOS router forwards all traffic until you configure it otherwise (once interfaces are placed in zones, traffic between zones is denied unless a zone-pair policy permits it, but traffic to and from the router itself, the "self" zone, is still allowed by default), whereas the ASA out of the box permits traffic from higher-security to lower-security interfaces and denies everything in the other direction. Consequently you have to configure the actual hardening of your IOS router yourself. I will say the ASA typically offers faster firewall throughput, but that is partly because it is a purpose-built inspection appliance rather than a general-purpose router carrying WAN, QoS and routing services (it does support RIP, OSPF and EIGRP, but in most designs it is not the box doing the routing).
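As an added example (this is not configuration from the original post), here is a minimal zone-based firewall for a two-interface ISR. Interface names, zone names, the 10.0.0.0/24 LAN and the policies are assumptions chosen for illustration. It shows the default deny between zones once interfaces are assigned, and the two self-zone pairs you need to lock down traffic aimed at the router itself, which is exactly the hardening step the ASA's default posture gives you for free:

```cisco
! Zones; an interface not in any zone cannot talk to an interface that is
zone security INSIDE
zone security OUTSIDE

! --- INSIDE -> OUTSIDE: stateful inspection of user traffic ---
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
! No OUTSIDE -> INSIDE zone pair exists, so unsolicited inbound traffic is dropped;
! return traffic for inspected sessions is allowed by the state table.

! --- Self zone: traffic terminating on the router is ALLOWED by default, so restrict it ---
ip access-list extended ACL-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
ip access-list extended ACL-VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-all CM-MGMT
 match access-group name ACL-MGMT
class-map type inspect match-all CM-VPN
 match access-group name ACL-VPN
! Only SSH from the LAN may reach the router
policy-map type inspect PM-INSIDE-SELF
 class type inspect CM-MGMT
  inspect
 class class-default
  drop log
! Only ISAKMP/NAT-T/ESP from the Internet may reach the router (for site-to-site VPN);
! "pass" rather than "inspect" because ESP is not a stateful-inspectable protocol
policy-map type inspect PM-OUTSIDE-SELF
 class type inspect CM-VPN
  pass
 class class-default
  drop log
zone-pair security ZP-INSIDE-SELF source INSIDE destination self
 service-policy type inspect PM-INSIDE-SELF
zone-pair security ZP-OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-SELF

! Assign interfaces last, so the policy is in place before the default deny kicks in
interface FastEthernet0/0
 description WAN
 zone-member security OUTSIDE
interface FastEthernet0/1
 description LAN
 zone-member security INSIDE

! Verify: "show zone-pair security", "show policy-map type inspect zone-pair sessions"
```

Assign the interfaces to their zones only after the zone pairs exist; doing it the other way round on a remote box locks you out, since traffic to the self zone is still permitted but traffic through the router between zones is not.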

One advantage of the ASA is that it can operate in transparent mode, in which the firewall essentially acts as a Layer 2 bridge and is not seen as a router hop in the network path. This simplifies deployment, since there are no routing changes to make and no NAT to set up, and it makes the firewall's presence harder to detect from either side. The caveats: the ASA still needs a management IP address in the bridged subnet, Layer 3 ACLs still apply to IP traffic exactly as in routed mode, and non-IP frames such as spanning-tree BPDUs are only forwarded if you permit them with an EtherType ACL.
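The transparent-mode deployment described above, as an added example that is not from the original post. It assumes pre-8.4 ASA syntax (a single global management address rather than a BVI), interface names Ethernet0/0 and 0/1, the 192.0.2.0/24 bridged subnet and a web server at 192.0.2.20; all of those are illustrative:

```cisco
! Switch to transparent (bridged) mode. This clears the running configuration, so do it first.
firewall transparent
hostname dmz-bridge

! Both interfaces sit in the same IP subnet; security levels still decide the default direction policy
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown

! The ASA is not a hop, but it still needs an address in the bridged subnet for management,
! AAA, syslog and so on (pre-8.4 global form; 8.4+ uses "interface BVI1 / ip address")
ip address 192.0.2.2 255.255.255.0

! Non-IP frames are not forwarded once an EtherType ACL is applied, so permit BPDUs explicitly;
! otherwise the bridge silently breaks spanning tree on the switches either side of it
access-list L2-IN ethertype permit bpdu
access-group L2-IN in interface inside
access-group L2-IN in interface outside

! Layer 3 policy is unchanged from routed mode: only HTTPS to the web server from outside
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.20 eq https
access-group OUTSIDE-IN in interface outside

! Verify: "show firewall" reports "Firewall mode: Transparent",
! "show mac-address-table" shows which MACs were learned on which interface
```

Because the ASA learns MAC addresses like a switch, a host that cannot reach the web server is diagnosed first with the MAC table, not the routing table; there is no routing table to look at for transit traffic.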

The 800 series routers offer integrated 3G cards, and as such typically make for a better branch-office solution than an ASA 5505. The 3G link gives you a backup path if your main connection fails, and to date there are no ASA models with integrated 3G. Both platforms support high-availability pairs; however, that only addresses failure of the device itself, not loss of service-provider connectivity. [Which is something we all know: 90% of the time the problem is with the ISP, not the device.]
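As an added example (not from the original post) of the ISP-failure case the paragraph describes, here is the IOS pattern that makes the 3G link take over when the primary WAN stops working rather than only when the interface goes down: an IP SLA probe, a tracked default route, and a floating static route via the cellular interface. The interface names, addresses, the GSM dial string and the "line 3" modem line are assumptions for an 880G-class router; the dial string and APN are carrier-specific.

```cisco
! Primary WAN
interface FastEthernet4
 description Primary ISP
 ip address 203.0.113.2 255.255.255.252

! Probe something beyond the first hop; a dead upstream with a live next-hop is the common failure
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet4
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! The primary default route is withdrawn when the probe fails, not just when the link drops
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
! Floating static via 3G; administrative distance 250 keeps it out of the table until then
ip route 0.0.0.0 0.0.0.0 Cellular0 250

! Dial-on-demand cellular interface; "interesting" IP traffic brings the link up
chat-script gsm "" "ATDT*98*1#" TIMEOUT 60 "CONNECT"
interface Cellular0
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer string gsm
 dialer-group 1
 async mode interactive
dialer-list 1 protocol ip permit
line 3
 script dialer gsm
 modem InOut

! Verify failover: "show track 1", "show ip route 0.0.0.0", "show cellular 0 network"
```

Keep the probe target off the primary ISP's own equipment if you can; probing the CPE next hop only detects link failure, which the interface state already tells you. NAT on the cellular interface and any VPN re-establishment over the new source address are additional steps not shown here.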

When deploying for large corporate networks with multiple sites networked together, I think one of the main things to consider is the complexity of the VPN features you want. The ASA's feature set is relatively limited in this respect: it does site-to-site IPsec and remote access well, but if you want to leverage more advanced features like DMVPN or GET VPN, an IOS router is your only option. Of course, by default the ASA performs a little faster on VPN tunnels, but if you need a boost in VPN performance you can install an AIM-VPN module and get a significant increase in the number of IPsec tunnels and/or SSL sessions. For example, the datasheet lists about 800 tunnels on an 1841 and about 1500 on a 2800.
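To show what the DMVPN feature the ASA lacks actually involves, here is an added hub-and-spoke example (not configuration from the original post): one multipoint GRE tunnel interface per router, NHRP so spokes register with the hub and resolve each other for direct spoke-to-spoke tunnels, and an IPsec profile protecting the GRE traffic. The hub public address 198.51.100.1, the 10.255.0.0/24 tunnel subnet, the NHRP key and the interface names are assumptions.

```cisco
! ===== Common crypto on hub and every spoke =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! Wildcard pre-shared key: convenient for spokes with dynamic addresses, but one leaked key
! compromises the whole cloud. Use certificates (rsa-sig) in production.
crypto isakmp key REPLACE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-DMVPN

! ===== Hub =====
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp authentication nhrpkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-DMVPN
! Run a routing protocol over Tunnel0 (EIGRP or OSPF) so spokes learn each other's LANs;
! on the hub disable EIGRP split horizon and next-hop-self on Tunnel0 so spoke-to-spoke works.

! ===== Spoke =====
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip nhrp authentication nhrpkey
 ip nhrp map 10.255.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-DMVPN

! Verify: "show dmvpn", "show ip nhrp", "show crypto ipsec sa"
```

The operational point is that adding a site means configuring only the new spoke; the hub needs no per-spoke lines, and spoke-to-spoke traffic builds its own tunnel on demand instead of hairpinning through the hub. On a classic ASA site-to-site mesh every new site means touching every existing peer.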

If you're looking for IPS, either platform will serve your needs. IOS routers take the AIM-IPS and NME-IPS add-on modules, which dramatically increase inspection performance over using the router's own CPU; I believe the stats show the AIM at 45 Mb/s and the NME at 75 Mb/s with about 3000 signatures. If you're setting up a branch or smaller office and want the deeper analysis IPS offers, the IOS router is the less expensive solution: for an ASA you must purchase an AIP-SSM module to do intrusion detection/prevention, whereas an IOS router with the Advanced IP Services image can use the software IPS built into the image. How many signatures it can load depends on the DRAM installed in the router: with 128 MB you use the 128MB.sdf signature file, which supports 300+ signatures; with 256 MB you use 256MB.sdf, which supports 500+. That is a far cry from the thousands of signatures offered by the AIM or AIP hardware, but it does offer a bit more intelligence than a plain stateful firewall.
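As an added example (not from the original post), this is how the built-in software IPS with the memory-sized SDF files described above is enabled on an ISR running the older IOS IPS 4.x signature format (12.4(6)T era, before the 5.x category-based format replaced SDF files). The interface name and the choice of 128MB.sdf are assumptions; pick the file that matches the router's DRAM:

```cisco
! Load the signature definition file sized for the installed DRAM (128MB.sdf for 128 MB)
ip ips sdf location flash:128MB.sdf

! Default is fail OPEN: if the signature engine is not compiled or runs out of memory,
! traffic passes uninspected. Fail closed if the IPS is the reason the router is there.
ip ips fail closed

! Name the IPS rule set and apply it inbound on the untrusted interface
ip ips name IOSIPS
interface FastEthernet0/0
 description WAN
 ip ips IOSIPS in

! Send alarms somewhere that is kept: syslog, not just the console buffer
logging host 10.0.0.50
ip ips notify log

! Verify: "show ip ips configuration" (loaded SDF, fail mode, interfaces),
! "show ip ips signatures" (signature count actually compiled) and
! "show memory" (the engine is the first thing to suffer on a 128 MB box)
```

The trade-off the paragraph hints at is real: a 128 MB router is sharing that memory between IPS signature engines, NAT tables, VPN SAs and the firewall session table, so watch free memory after enabling IPS rather than assuming the 300+ signatures fit alongside everything else.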

Cisco presentation: prod_presentation0900aecd806ccf26.pdf


If you're looking for an appliance just to do traffic inspection, predominantly for a web DMZ or publicly accessible network, the ASA is probably your best bet. If, however, you have a highly decentralized internal network where branch offices frequently talk to each other, then you would benefit from something like DMVPN, and your deployment would be greatly simplified using something like a 2800 running IPsec SSO (stateful switchover) with the AIM-VPN card.

As a matter of personal preference, I find myself moving away from the philosophy of one specialized device for routing and another specialized device for security. I prefer to simplify my deployments, and believe me, with NAT, VPNs, firewall and IPS, having an ASA sitting behind your border router can add a significant amount of complexity to your design, and ultimately to your troubleshooting.