This review covers the Cisco ASA VPN device with the 8.4(5) image and ASDM 7.11. The device meets the FIPS 140-2 cryptographic requirements for federal agencies. Its purpose is to ensure the confidentiality, integrity, and availability of information passing between networks. It is best used between different locations, offering secure communications for users, clients (DMZ), and partners (DMZ). Cisco has been in the business of creating borderless networks for some time. Overall performance and features of the device are great. It does take a little time to get used to the commands, as they are a little different from those of a Cisco IOS router, but not as different as those of another vendor such as 3Com (now HP).
This device provides the following features and services:
• Visibility and granular control of applications and micro-applications, with behavior-based controls
• Robust web security
• Advanced threat protection with a comprehensive, highly effective intrusion prevention system (IPS)
• Highly secure remote access
• Protection from botnets
• Proactive, near-real-time protection against Internet threats
• Site to Site (l2l)
• Remote Access (RA) AnyConnect or IPsec Client (Cisco Client)
• Clientless VPN (webpage)
• PKI Infrastructure for Certificate based scalable authentication
• Secure Desktop (Vault)
• Cache Cleaner
• Keystroke Logger Detection (KSL)
• Host Emulation Detection
• Advanced Endpoint Assessment (License required)
    o Provides remediation (fixes)
The device is reported to be the Anti-X device that will eliminate threats and reduce risks. The extended features look nice in the brochure and work if you use the proven and tested platforms. This includes the Cisco Secure Desktop (CSD), which, as of January 17, 2013, was being developed but whose development has now stopped. More on this later.
This device provides protection using technology such as the IPsec protocol suite for authentication, encryption, and integrity of network communication. Companies can use these devices to build secure tunnels from branch offices and create a borderless network. It gives remote teleworkers the ability to work from anywhere. It also provides an implementation where partners can connect to company extranets to collaborate. The uses for this device are great and I would certify that this product be used in every deployment.
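As an added example, not taken from the original review, the following shows what a minimal site-to-site (L2L) IKEv1/IPsec tunnel looks like in ASA 8.4 syntax, using AES-256 and SHA-1, both FIPS 140-2 approved algorithms. The peer address, subnets, object names and pre-shared key placeholder are all assumed values.

```cisco
! --- Phase 1 (IKEv1) policy: authentication, encryption, integrity ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! --- Protected networks (placeholder RFC 1918 subnets) ---
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.0.0

! --- Traffic that should be encrypted (the "interesting traffic") ---
access-list L2L_ACL extended permit ip object LOCAL_LAN object REMOTE_LAN

! --- 8.3+ style NAT exemption so tunnel traffic is not translated ---
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! --- Phase 2 (IPsec) transform set: ESP with AES-256 and SHA-1 HMAC ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Peer definition; 203.0.113.2 is a documentation-range placeholder ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE_WITH_STRONG_PSK>

! --- Crypto map ties ACL, peer and transform set together, then binds to the interface ---
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

The remote peer needs a mirror-image configuration (swapped local/remote subnets and peer address); `show crypto ikev1 sa` and `show crypto ipsec sa` confirm that Phase 1 and Phase 2 came up.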
Pros:
• Great encryption capabilities
• Versatile Remote Access configuration down to user-level settings
• Customizable web portals for Internet/Extranet sites
• Monitoring of VPN activity and errors
• CLI provides quick access to various states of the device
• Troubleshooting tools
Cons:
• Troubleshooting error codes not always decipherable
• Firewall rule configuration not as intuitive as Checkpoint; ASDM needs work
Recently I have had the experience of setting up and using a Checkpoint VSX appliance for building virtual firewalls. Checkpoint makes a great product and, as far as I can tell, it is very intuitive, more so than the Cisco ASA, for creating firewall rules and applying them. The Cisco ASA also supports multiple context mode for firewalls and separate networks for a Managed Security Provider or ISP allocating address space to businesses. However, I have yet to really see a Cisco ASA used in this manner, so I cannot comment on its performance in that role. I do know that the Checkpoint VSX security appliance can handle the bandwidth and processing. Utilizing 10 GB interfaces and a Linux OS, the Checkpoint is a very secure and powerful security appliance. Can the Checkpoint do VPN? Yes, but I have not configured that yet.
Cisco Secure Desktop – As reported here
“Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.” – Cisco
CSD works only on Windows platforms, and it starts to go downhill from there. When you move to 64-bit systems and less common platforms like Mac or Linux, the ability of CSD to keep your network safe from the bad stuff takes a nose dive. The feature-versus-benefit trade-off does not justify the product offering. Your IT department will spend more time fixing why users cannot connect than it will getting them connected and productive. Yes, what it does sounds great in the brochure, but the real safe way to prevent data leakage is to train the users.
There has been talk lately, since hacking events are on the increase, as to which device offers the most security from the firmware to your data center. The move has been to shift from Checkpoint to Cisco as an American-made product vs. an Israeli-manufactured device. This has been pure speculation, and this trend will be monitored closely if it continues. I am not certain as to why, based off speculation, but in reality there is no difference in cryptographic service being impaired or diminished by any device, Checkpoint or Cisco. I think it may be fear, or the move to remove all doubt by purchasing Cisco only.
* Personal author note – KP: “We live in an age not seen before. While there is nothing new under the sun, I believe this is the time we are in, where faith and moral code are replaced by another agenda. This is what might be causing the fear of a foreign-made product used in Gov’t shops.”
If you are looking for a mature and dynamic security appliance for your SMB or enterprise network, the Cisco ASA is for you. If you are looking to create a data center and offer a lot of services then maybe the Checkpoint is the way to go.