
Cisco ASA vs. Palo Alto

Firewalls play a critical role in protecting an organization’s network from a never-ending list of Internet-borne threats. Firewall selection often determines how easily remote locations connect to centralized systems to access essential resources or to complete important tasks. With this in mind, we recently held a webcast on the Cisco ASA with FirePOWER Services vs. Palo Alto Next-Generation Firewalls. In this webcast, we highlight the main areas you should look at when deciding which firewall to select. In this article, I’d like to walk through those sections and provide details on the Cisco ASA vs. Palo Alto.

When choosing among the many firewalls, there are seven areas you should focus on.

Trusted Security

When choosing a firewall, be sure to select a well-recognized and trusted platform. Barracuda, Cisco, Fortinet, Palo Alto, and SonicWALL are among the brands that have carved out market share, and they’ve earned that market share for good reason: they deliver trusted security. Both the Cisco ASA and Palo Alto provide a trusted platform that any company would be happy

Ease of Use

Global multi-national enterprises typically require extensive security controls, but even organizations that need that level of protection don’t have to settle for clunky user interfaces on the equipment they configure. Many firewall models deliver tight security along with easy configuration options.

When selecting a hardware-based firewall, consider the benefits of approachability. The easier a platform is to administer, the easier it will be to find professionals capable of installing, maintaining, and troubleshooting it. In my testing of both the Cisco ASA and Palo Alto, both platforms were very easy to configure and manage.

VPN Support

A good firewall also establishes and monitors secure channels, enabling remote connectivity. Look for a hardware-based firewall that supports both SSL- and IPsec-protected VPN connections from similar devices (for point-to-point or site-to-site VPNs), as well as secure connections from traveling employees.

Another option to consider within the VPN realm is whether the firewall offers two-factor authentication support. Many firewalls will let you plug into online APIs like Duo or Authy, adding an extra layer of security between your remote users and your network.

One thing to keep in mind: while both the Cisco ASA and Palo Alto firewalls offer VPN support, if you are looking at FirePOWER Services alone, you won’t have VPN support.

I had a discussion with one of our engineers about this and here was his response:

Cisco now has a “Firepower” firewall that is NOT an ASA. ASA-like basic functionality was added to the Sourcefire code, and they were put into a new box. Basically, this is a Sourcefire box that looks like a Cisco ASA, but acts like a Sourcefire box. You won’t get NSEL nor VPN functionality (which are a large part of what the ASA can do).

From this, I could glean that there is truly no unified code base that gives you all the functionality of both platforms. As such, if you need VPN functionality, you are looking at the ASA and not FirePOWER.

Capacity

Branch offices may leverage a firewall in a dual capacity, serving as both a security device and a network switch. Larger organizations, meanwhile, usually just drop the firewall into a larger architecture in which its only role is to filter traffic. Pay close attention to the manufacturer’s recommendations for maximum node support. Exceed a router’s capacity and you’ll experience errors, flat-out traffic denials (due to lack of licenses), and/or unacceptable performance.

You’ll also want to see what type of hardware is used for exporting traffic analysis details. On low-end machines with high traffic, enabling features like NetFlow exports can tax the CPU greatly, causing performance problems. Both Cisco ASA and Palo Alto offer multi-gigabit options and can handle very high throughput, but actual throughput depends on which features you enable.

Gateway Security

Many organizations successfully reduce costs by centralizing anti-virus, anti-spyware, and anti-spam protection solutions on their firewall.

When comparing firewall capabilities and determining total costs of ownership, factor the cost savings that can result if you deploy these services on the firewall device, versus a traditional domain controller or other server.

Anti-malware and threat mitigation is brought to the ASA via Cisco Advanced Malware Protection using FireSIGHT.

Cisco Advanced Malware Protection (AMP for short) provides you with global threat intelligence, advanced sandboxing, and real-time malware blocking to prevent breaches. Palo Alto’s equivalent comes from the WildFire subscription. Palo Alto claims that WildFire quickly identifies and stops advanced attacks without requiring manual human intervention. Both solutions appear to provide rather robust gateway security functionality, but either may reduce throughput depending on your bandwidth needs.

Content Filtering

Some firewall manufacturers offer Web filtering subscriptions. The benefit is that all the network services associated with a business, from gateway security services to content filtering, can be consolidated on a single device. The drawback is that you have to pay for the privilege. When reviewing potential hardware-based firewall solutions, consider your organization’s needs and budget. Determine whether content filtering should be administered from the firewall. If the answer is yes, select a firewall that supports reliable, proven content filtering. Both Cisco ASA (via FireSIGHT) and Palo Alto offer detailed content filtering with exceptional application-level detail.

Advanced Monitoring and Reporting

In a single business day, one device can block thousands of intrusion attempts, detect consolidated attacks, and log failing or failed network connections. But this information is helpful to network administrators only if it’s available in a readily accessible format.

Look for firewalls that not only monitor important events, but also log that data in compatible formats. Ideally, a good firewall supports next-generation NetFlow and IPFIX exports. Our incident response system, Scrutinizer, has exceptional reporting for the Cisco ASA (NSEL), FireSIGHT, and Palo Alto.