What is our primary use case?
I'm a solution architect specializing in IT infrastructure designs. I create solutions for clients using Cisco and other products. I've developed solutions with various Cisco Firewall models. I may use an entry-level solution for smaller businesses, like the Cisco 555 Series or 5500. If it's a large enterprise, I may use the 4000 Series, or an ISR router integrated with a firewall for a branch office, and maybe an ISR router, which is integrated with the firewall.
I work with businesses of all sizes, but I see Cisco more often in medium-sized companies or large enterprises. Small businesses often pick Sophos or FortiGate because of the pricing. Large enterprises use Cisco and other products like Palo Alto or Check Point, especially for managing cloud architectures like GCP and AWS.
If the customer only needs a plain firewall, Cisco ASA is sufficient. It can compete with FortiGate or Sophos. When I talk about a next-gen firewall, the basics include malware protection, instruction prevention, URL filtering, etc. Firepower is integrated to address these next-gen requirements.
I may use the tabs for dynamic policy implementation in cloud environments depending on the clients' needs, but not typically VMware. I might get a false positive with the VMware operator and platform layer. If I stop some surveys, my production will stop. In such cases, I cannot just go by dynamic classification blindly. It would be better for the application layer, not the platform layer.
How has it helped my organization?
I don't have any metrics about how ASA has improved operations for my clients, but I can look at their market share relative to Check Point and other competitors. Cisco has a decent footprint today, and it reduced my customers' CapEx. I don't have the numbers. I'm just speaking relatively. Cisco can reduce operational expenditures by around 40 percent. I'm just giving a vague estimate, but I don't have any specific metrics.
Cisco offers two architectures. I can choose the Meraki track if I want an OpEx model or the traditional track, which is a CapEx model. Due to Cisco's tech acquisitions, I have various feature options within the same product. The DNA of Cisco combines the traditional Cisco architecture with the next-generation firewall.
Segmentation can be helpful for some clients. Let's use a financial organization as an example. We have traffic moving through the branch to the core banking. This is where we can employ segmentation. We can do security policy restrictions for branch employees to prevent them from accessing certain financial reporting systems. We can limit them to the branch level.
I can enforce certain policies to prevent all branch traffic from reaching one layer of a particular segment by minimizing the overall traffic on the network. I can always control the traffic when I segment it. This set of capabilities is beneficial when a lot of financial algorithms are done.
What is most valuable?
ASA integrates with Firepower, IPS functionality, malware filtering, etc. This functionality wasn't there in the past. With its cloud architecture, Cisco can filter traffic at the engine layer. Evasive encryptions can be entered into the application, like BitTorrent or Skype. This wasn't possible to control through a traditional firewall.
Deep Packet Inspection looks at the header information and inspects the contents of a particular packet. We can also look at traffic management. It can control end-user applications, and we can check device performance when we do this type of regression on our resources. This is what we look at with a DPI. It can help us reduce the overall OpEx and CapEx.
Traditionally, we needed multiple software and hardware tools. With these features, we can snoop into our network and understand each packet at a header level. That's called the service control engine.
Within Cisco's Service Control Engine Architecture, there's something called the Preferred Architecture, which has a supervisor engine. It's more of a network management tool. Cisco makes it more convenient to manage our resources. It has a nice UI, or we can go into the command-line level.
Cisco's micro-segmentation features are helpful for access control layers and virtual LAN policy enforcement. That's how we segregate it. Micro-segmentation is focused on the application layer. When we design a policy that is more automated or granular, and we have a specific business requirement, we get into micro-segmentation. Otherwise, the majority of the implementation will be generic network segmentation.
Dynamic classification is also essential given the current security risks and the attacks. We cannot wait for it to tell us if it's a false positive or a real threat. In those cases, dynamic classification is essential, especially at a MAC level.
When using WiFi, we may have a suspicious guest, and we cannot wait for someone to stop it manually. The firewall needs to at least block the traffic and send an alert.
In cases like these, integration with Cisco ISE is handy. If the firewall alone doesn't help, you must redesign your architecture to include various associated products as you increase your requirements. For example, you may have to get into multiple servers, so you'll need an ISE for identity management.
As you start scaling up your requirements, you go beyond a firewall. You start from an L1 layer and go to the L7 sitting at the organization's gateway. When you talk about dynamic policy implementation, that's where you start to get serious about your operations and can change things suddenly when an attack is happening.
With ISE integration, you get another dynamic classification if an endpoint connects immediately. ISE has a lot of authorization rules, so it applies a filter. The dynamic policy capabilities enable tighter integration at the application workload level. Snort 3 IPS enables you to run more rules without sacrificing performance, and IPS puts you one step ahead of any threats to the organization.
What needs improvement?
There are some limitations with SSL. Regarding the security assessment for the ISO 27000 standard, there are certain features that Cisco needs to scale up. Not all products support it, so we need to be slightly careful, especially on the site track.
We face challenges with Cisco when implementing some security vulnerability assessments, including the algorithms and implementing SSL 3.0. I may change the entire product line because traditional product lines don't support that.
Integration isn't typically a problem because the network is compatible, but Cisco could upgrade the threat database. They could integrate the threat database of the on-premise firewall with the cloud. Check Point has cloud integration with a market database of all the vulnerabilities. Cisco could add this to its roadmap to make the product more effective.
For how long have I used the solution?
I have been working with firewalls for about 20 to 25 years, but I've been using Cisco for around 12 to 15 years.
What do I think about the stability of the solution?
Cisco ASA Firewall is reliable, especially in the Indian context. For example, I had a couple of banks with around 5,000 branches and ATMs. It was easy to deploy remotely or send it to each branch.
What do I think about the scalability of the solution?
Cisco ASA Firewall is scalable to a certain extent.
How are customer service and support?
Cisco support is okay, but not great. I rate Cisco support five out of ten. The response time is too long. We need an instant response to security issues. They follow some legacy processes.
In some cases, I think they're good, but they have hundreds of questions and steps to go through before the ticket is escalated. The local partner adds a lot of value in that case.
How would you rate customer service and support?
How was the initial setup?
The standard setup is straightforward and takes around four hours. You can also do more customization and adjustments to deploy it in a particular environment.
I design a custom implementation strategy for each customer. It depends on whether I'm migrating an existing environment or doing a fresh deployment. I try to understand the customer's security footprint and all the issues I need to address before installation.
What's my experience with pricing, setup cost, and licensing?
I think Cisco's price is in the right space now. They have discounts for customers at various levels. I think they're in the right spot. However, Cisco can be expensive when you factor in these additional features.
If you add SecureX, Cisco's cost will definitely jump. We started with the standard ASA, then we added segmentation and micro-segmentation, and now we're talking about automation and unified architecture. SecureX is an integrated security portfolio. It gives a vertical and 360-degree algorithm with an open, integrated platform that can scale.
Which other solutions did I evaluate?
In most next-generation products, the UA itself will manage a lot of things, but it's easier to find people with expertise. If you put 10 firewall experts in the room, six will be talking about Cisco, but you can hardly find one or two people talking about Check Point or Palo Alto. Others would be more talking about Sophos, FortiGate, etc.
What other advice do I have?
I rate Cisco ASA Firewall seven out of ten. If you're implementing a Cisco firewall, you must be crystal clear about your business requirements and how a Cisco ASA firewall will address your problem. You need to understand whether this product line contains all the features you need.
Can it pass a security audit? Does it integrate with your network device? How scalable is it? Will this solution you're implementing today be adequate in the next three years? These are the questions that you should ask.
Which deployment model are you using for this solution?
On-premises
*Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
