- VPN
- ASDM configuration
For FirePOWER:
- IPS
- AMP
- URL filtering
It's pretty easy to connect between different branches using site to site VPN.
Cost: it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for the Cisco AnyConnect VPN client.
I've been using it since October 2004, so for 10 years.
Due to the cost, I am still waiting for more funds to deploy the final phase, FirePOWER IPS, AMP and URL filtering.
Cisco did an upgrade from v8.2 to v8.3 of the migration system. NAT configuration is different from 8.2 to 8.3. It's not easy to upgrade to 8.3 and above leading to running different software versions.
V8.2 is very stable. With the latest versions it's still early to tell.
Upgrading from v8.2 to v8.3 is a nightmare. The risks of down time are so high that I am forced to run different versions. Stay with 8.2 on all NAT dependent on your ASA, but again it's all about the cost.
Excellent customer service. Cisco listens to their customers.
Technical Support: Excellent customer service and documentation.
We previously used Checkpoint, and I switched because Checkpoint was expensive but now it looks like Cisco is following the same route.
It was not that complex because I was using Cisco routers and switches five years prior.
It was an in-house implementation.
I can't tell right now as I am still investing.
The initial investment on the Cisco ASAs was around one million South African Rand and there's a R200,000 annual maintenance cost with Cisco's partners.
No. I went straight to Cisco because of my experience with their CUCM IPT solutions, routers and switches.
Budget a lot of money, especially on the initial setup and the annual licensing and maintenance cost.
Users can VPN into the network from remote locations. It has given us a very robust and well firewalled LAN, that we use for authentication as well for our core network infrastructure.
I've used it for seven years.
No issues encountered.
It's a very stable product.
No issues encountered.
It's good.
Technical Support: It's good.
No previous solution was used.
It was a straightforward setup.
Implementation was in-house as we have Cisco experts.
The initial cost was approximately $6,000.
No other products were evaluated.
ASA is a very reliable product and I have been using it since I came across it. I strongly recommend the use of the product.
The features that we use are:
The ASA gives us a secure appliance at the perimeter and allows us to provide VPN connectivity to our users. We have the ability to control our VPN users as well as use two-factor authentication if needed (using an outside Radius source).
The ASA has room for improvement in the areas of layers four through seven. I would love to see application-specific control, e.g. Facebook, Gmail, etc.
I have used this solution for five years.
No issues with the deployment of the ASA as long as you are using it for what it is intended for.
No issues encountered.
As long as you buy the correct model for your company, in regards to throughput, licenses etc., you will be fine.
8/10.
Technical Support: 8/10.
I believe it is straightforward, but again it depends on what you are trying to accomplish.
I started to title this a "Review" of the Cisco ASA with FirePOWER, but my objective is to highlight a few limitations of the integrated solution so that potential customers understand the product. It may turn out to be a review after all, but that's the focus.
Let's set some product context. Cisco completed its acquisition of Sourcefire on October 7, 2013, and its initial integration into the Cisco Security family on November 10, 2014. That makes this union very fresh--think of Cisco FirePOWER as newlyweds. They're starting to share the same roof, but carry a lot of individuality and his/her domain around with them.
Next, let's zoom in on the word, "Services", or as you may see elsewhere, "Module". Sourcefire makes a number of standalone, independent intrusion prevention system and application firewall appliances (i.e. 7000 series, 8000 series). When Cisco and Sourcefire united, they introduced the ability to put a dependent Sourcefire module into the Cisco ASA 5500-x next-generation firewall family. One Cisco partner described it as functioning like a virtual machine within the ASA (of sorts). Summation: it needs the host (ASA) to survive.
This "Module" should actually be packaged and marketed as a "Starter Kit" or an entry-level, feature-limited offering (with no building-block upgrade path; it's a hardware ceiling). And perhaps it is by some Cisco VARs, but it's new, so I think many are still coming up to speed with what it brings to the table.
To justify my above assertion, I'll highlight four characteristics that have affected or disappointed me in my deployment, and that have motivated a new set of quotes to move to the hardware/standalone solution.
1. SSL Inspection
Oftentimes you don't know what you don't know and thus you lack the wisdom to ask about it. That was me with this feature. I didn't know that the integrated module only supported a subset of features, so I didn't know to ask about its ability to decrypt inbound SSL traffic.
We host a number of public HTTPS services, though, so one goal of implementing FirePOWER was to protect against intrusion via that conduit.
While reading the Online Help and attempting configuration, I ran across references saying that it was only supported on "Series 3" devices, yet I couldn't quite find how Cisco categorized FirePOWER services. FireSight Management Center (a.k.a. "Defense Center") also gives the illusion of hope in this matter, because it reveals all features as configurable, being that it can manage the largest of Sourcefire appliances. The rubber meets the road, though, when you try to apply a policy with SSL inspection to unsupported devices. And yep, the module is one of those.
Summary: SSL traffic remains cloaked to FirePOWER services. IPS can only treat the headers (read: source/destination IP and port).
2. User Control
This one was less important to me, but still an unfortunate discovery. FirePOWER (all devices) supports "User Awareness" through LDAP integration and user agents installed on endpoints, but the ability to control traffic based on the identity of the user is another hardware-only feature. Thus, you can see who is doing what, but control must be applied through hardware or traffic identity, not user.
3. Fail-Close Design
I may butcher the explanation here, but because of the integrated nature of the FirePOWER module and services, if FirePOWER inside of an ASA firewall goes down (crashes, restarts Snort, etc), traffic through the ASA stops. This is regardless of the "sfr fail-open" command, which only practically applies to standalone appliances.
I discovered this with Cisco TAC on a Webex where they put the Sourcefire into software bypass to troubleshoot traffic flow and attempt to take it out of line. That didn't work so well. Alarms and alerts started flying as the ASA clamped down on all new sessions (existing ones seemed to hold--very thankful as I was remote). Anyways, TAC didn't know of this design either until they asked engineering about a potential bug and were told it was "by design".
Major Warning/PSA: Adding FirePOWER Services to your ASA will introduce a new network availability risk. You will be very secure, though, since traffic will stop if the IPS is down. Blessing? Curse? Depends on you.
4. Bug: Active FTP is blocked by FirePOWER Services (CSCze96017)
Cisco was still working on this one when I closed my case regarding it, and their internally-published workaround wasn't accurate at the time. The practical impact, though, is that Active FTP traffic is blocked by Sourcefire due to network address translation (NAT) confusion. The ASA handles it fine, but when the FTP server initiates the new data channel outbound to the client, Sourcefire gets confused and blocks it.
The workaround, which sounds like it may become the "solution" (not fixable), is to deny FTP traffic in your Sourcefire policy:
access-list Outside_SFR extended deny tcp any any eq ftp
access-list Outside_SFR extended permit ip any any
class-map Outside-class
 match access-list Outside_SFR
policy-map Outside-policy
 class Outside-class
  sfr fail-open
Note: the last line still contains "sfr fail-open", but it won't apply until we replace the module with the full appliance.
This bug means that Sourcefire cannot inspect or provide any services (not even against IP headers) to FTP traffic. It will not show up in FireSight (Defense Center). Only the ASA will be able to treat it based on standard ACLs, etc.
Alright, let's end on a high note. Apart from those four things, the Cisco ASA with FirePOWER Services solution works well, provides great insight, applies Advanced Malware Protection strongly, and shuts down a ton of illegitimate connections before they can attACK ;).
If you're looking to get your feet wet, and if SSL inspection isn't critical, I recommend giving FirePOWER a shot.
Originally posted at: http://www.thegurleyman.com/shortcomings-of-cisco-asa-5500-x-with-firepower-services/
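The redirect semantics behind that FTP workaround, as an added example that is not part of the original post or of Cisco's tooling: a small Python model that parses the post's access-list/class-map/policy-map lines and reports which sample flows the ASA's service policy would hand to the FirePOWER module. The config text and flow list are constructed; it models only extended-ACL matching in the "any any [eq port]" form the post uses, not ASA FTP inspection pinholes or anything the module itself does.

```python
import re

# Constructed config: the same statements as the post's workaround, one per line.
ASA_CONFIG = """
access-list Outside_SFR extended deny tcp any any eq ftp
access-list Outside_SFR extended permit ip any any
class-map Outside-class
 match access-list Outside_SFR
policy-map Outside-policy
 class Outside-class
  sfr fail-open
"""

# Common ASA port keywords (subset) mapped to numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443, "domain": 53}
# Only the 'any any [eq port]' ACE form is handled (assumption for this example).
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\S+))?$")

def parse_redirect_acl(config):
    """Return (action, proto, dport) entries of the ACL named in 'match access-list', in order."""
    name = re.search(r"match access-list (\S+)", config).group(1)
    entries = []
    for line in config.splitlines():
        ace = ACE.match(line.strip())
        if ace and ace.group(1) == name:
            port = ace.group(4)
            dport = None if port is None else int(PORT_NAMES.get(port, port))
            entries.append((ace.group(2), ace.group(3), dport))
    return entries

def redirected_to_sfr(entries, proto, dport):
    """First matching ACE wins: 'permit' = sent to the module, 'deny' or no match = ASA only."""
    for action, aproto, aport in entries:
        if aproto not in ("ip", proto):
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ASA ACL

def classify_flows(config, flows):
    """Map each (label, proto, dport) flow to True if the module would inspect it."""
    entries = parse_redirect_acl(config)
    return {label: redirected_to_sfr(entries, proto, dport) for label, proto, dport in flows}

# Constructed sample flows: (label, protocol, destination port).
SAMPLE_FLOWS = [("ftp-control", "tcp", 21), ("https", "tcp", 443), ("dns", "udp", 53)]

if __name__ == "__main__":
    for label, sent in classify_flows(ASA_CONFIG, SAMPLE_FLOWS).items():
        print(f"{label:12s} -> {'FirePOWER module' if sent else 'ASA only (no SFR inspection)'}")
```

With the deny line in place the FTP control channel never reaches the module, which is why only the ASA's own ACLs apply to it; remove that line and every flow is redirected.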
In our POC we have found that Cisco does not provide Centralized Firewall Policy Manager in cloud. We have to buy appliance only.
The ease of use and ease of deployment were the most important features. As a signature based appliance, SourceFire hits it on the head at detection and capturing traffic, but quite a few of the other IDS/IPS appliances are way too complicated and too time consuming to properly deploy. This will lead to improper deployments and often missing important spots in your network.
Being able to detect intrusions is very valuable, and this can be anything from reconnaissance attacks to malware beaconing from inside our network.
Being able to incorporate third party rules as the SourceFire rules often lag behind current threats. When the latest zero day or other threats hit the market and are high value threats, most departments want to have these signatures available and able to deploy automatically. SourceFire makes this a manual process with third party rules.
I've used it for two years.
No, it was quite easy.
No issues with stability.
The only issue I have is with the price, as SourceFire is VERY expensive.
Customer service is very helpful and there are some extremely knowledgeable people on board.
Technical Support: Very technical! The men and women know what they are doing and are very helpful.
No previous solution was used.
It's straightforward with easy to follow instructions. You just plug-in and go.
I implemented it myself.
Lousy! $250K/year just for maintenance and licensing costs for a defense center and five sensors? This is insane! There is a better way.
The original setup cost was very high, not sure of the exact numbers because this product was purchased prior to me joining, but it was expensive. Tack on the recurring charge and this really racks up, but luckily the day-to-day operational costs aren't bad at all, unless you break out the recurring charge daily!
Other IDS/IPS products were looked at.
The same level of protection can be had at a much lower cost! Look at rolling your own with commodity hardware, Suricata (Or SNORT if you choose, but look at the differences please!), Aanval for the central management and the emerging threats rules.
I use pfSense at home and HIGHLY recommend this over anything else. But for a very distributed environment, checkout Aanval and Suricata combo with rules from Emerging Threats. At my old employer, I developed a plan to replace their $250K/year SourceFire deployment with a $80K/year custom solution that scales much better.
But again, each their own. For small/medium business, I would recommend pfSense, but for larger enterprise, I would recommend a custom solution based around Aanval/Suricata/ETPro with Firewall/VPN as separate devices.
I'm most impressed with the visibility and control SourceFire solutions provide into the types of traffic flowing in and out of an environment. It makes the discovery of applications and classification of user traffic simple, which in turn allows an organization to more effectively develop security policies and enforce acceptable use for its enterprise users.
I've worked with customers that have dealt with malware issues in the past and preventing its spread laterally within the environment has always been a concern. With SourceFire, we've been able to detect malicious files and stop them at the network edge before internal systems are compromised. Leveraging AMP in addition to FireAMP, which is the endpoint malware solution, is incredibly effective at blocking malware at the host level. The other good news is FireAMP can be leveraged alongside traditional endpoint anti-virus software. The Defense Center also provides visibility into how malware is moving within the environment so tracking down infected machines becomes much easier for IT staff.
The overall product line is sound, but I'd like to see a roadmap for SSL decryption as part of the ASA with FirePOWER solution.
I've been working with SourceFire product offerings since Cisco's acquisition of the company in late 2014. Prior to the officially branded Cisco solution, I'd worked with open source Snort in various capacities for several years. I've been using Cisco ASA with FirePOWER services, Cisco SourceFire NGIPS/NGFW most recently.
Learning the advanced capabilities of the system can take time, but it's rather intuitive. I have not encountered issues deploying base functionality with the offerings at this point.
Overall, the systems are stable and IT admins have control over how the sensors operate within the network in the event of failure.
There are scalability limitations with FirePOWER on the ASA, so determining anticipated throughput requirements is critical. The standalone IPS sensors can be stacked for increased throughput, so depending on your organization's needs, this may be a better path for some organizations concerned about scalability.
8/10.
Technical Support: 9/10.
I've used Palo Alto's FW/IPS offerings and Cisco's older IPS platform on the ASA. Usually, I don't decide what organizations purchase, but I am impressed with SourceFire's capabilities over the latter.
Initial setup is straightforward, but there is not much documentation available if you have no experience with the offering. I'd recommend training for all network admins that administer SourceFire systems, especially if you want to leverage some of the advanced features.
Do research into the types of offerings out there and make a determination of what may be the best fit for your organization's requirements and future security goals.
Hey All,
I am using a Fortinet product for more than 10 years. I am studying to move to Cisco ASA5516 with source power. I would like to know how stable it is against the Fortigate FG300D.
Fortigate firewall throughput numbers are totally different from the Cisco ASA5516.
Any help?
The ASDM has significantly improved over the years. Real-time logging and filtering is useful. Firewall rules are easy to understand, and enable/disable.
Change from Java for ASDM to HTML5. Better options to enable/disable site-to-site VPN tunnels.
8 years
The new NAT configuration is difficult to understand especially for people familiar with the pre v8.3 code.
Cisco TAC is good. They will set up a remote viewing session so they can work on the firewall as if they are sitting next to you.
Technical Support: Typically fast and useful.
In-house team.
The multi-context mode.
Being able to use the multi-context on the firewall to keep costs down.
No improvement needed.
I've used it for four years.
Yes, but I was able to get the support that was needed to resolve any issues.
No issues encountered.
No issues encountered.
9/10.
Technical Support: 8/10.
Yes, and we switched because we needed a fully redundant solution.
If you have no experience with the device it may be complex, but being trained on the device helps drastically.
We used a mix of both - vendor help and in-house.
We also evaluated Juniper firewalls.
Excellent product and excellent customer support.

Yes, we have 3 x 1Gbps and 1 x 155Mbps. We have four internet breakouts in different cities around the country and three of them are 1Gbps each. The fourth internet breakout is 155Mbps. There are only 2 ASAs which are still on 8.3 and all others have been upgraded to 9.1. The remaining two will be upgraded in a few weeks' time. Cisco ASAs are reliable, very stable and the best. The Cisco Firepower works like magic: application visibility, URL filtering and the ability to drop p2p protocols like torrent on the fly are some of the best capabilities of the product.