Choosing Between the PIX and the ASA
One of the first questions to answer when determining which Cisco firewall your
environment requires is how the Cisco PIX Firewall differs from the Cisco ASA.
The ASA is essentially the latest version of the Cisco firewall solution and
is based largely on the PIX software. In fact, the Cisco ASA and enterprise versions of
the PIX (PIX 515E and larger) actually run the same firewall software starting with the
7.x code base. In the case of the PIX, this firewall software is commonly known as PIX
version 7.x. In the case of the ASA, this firewall software is commonly known as ASA
version 7.x. Versions of software prior to 7.0 are not supported on the ASA.
The major difference between the Cisco PIX Firewall and the ASA does not lie in the
firewall functionality itself, but rather in the additional features that the ASA provides in
an integrated solution. Although the PIX can perform some basic IDS functions, it is
really not an effective IDS solution in and of itself. The ASA addresses this PIX
deficiency by incorporating a fully functional and feature-complete IPS solution as a
component of the ASA. In essence, the ASA not only runs the PIX firewall software, it is
also capable of running the complete Cisco IPS software to provide an integrated firewall
and IPS solution. This is commonly referred to as deep packet inspection. In conjunction
with the advanced IPS capabilities, the ASA also provides for content security and
control for antivirus, antispam, and antiphishing (commonly referred to as anti-X)
scanning through the use of the Content Security and Control Security Services
Module (CSC SSM). The ASA also supports Secure Sockets Layer (SSL)-based VPN
connections and VPN clustering to provide for load balancing of VPN clients. Finally,
the ASA tends to provide much better performance than the PIX at a similar price
point because the ASA uses newer-generation processors and application-
specific integrated circuits (ASICs) than the PIX does.
So the question of whether you should select a PIX or an ASA comes down largely to
whether you need the additional functionality of the ASA, because fundamentally they
both provide the exact same basic firewall functionality. If you do need the additional IPS
functionality that the ASA provides, or think you will in the near future, the ASA is the
appropriate choice. If you do not, the PIX firewall is the appropriate choice.