How do I choose which ASA to use?

I would like to ask for help, i should choose an ASA firewall for our company, considering we have a couple of services on a DMZ and a INSIDE network, are there any steps to follow in order to buy a correct firewall?
Thanks

Hello Valerio

There are various aspects that you need to consider when choosing a firewall. These are not exhaustive, but give you a general idea of the kinds of things you’re looking for.

  1. Size of the enterprise. The first thing has to do with how much traffic will the firewall be handling. Will it be a small branch office serving 15 employees or a large headquarters with two thousand users? Firewalls are often rated at how many Mbps in throughput they can handle.
  2. What kind of services do you want? If you simply want a firewall to filter specific addresses, ports, and sites, you can easily apply an older ASA firewall. More advanced features can be obtained using the ASA line that supports Firepower, a technology that delivers next-generation functions like application control, intrusion protection, and antimalware and URL filtering. If you want to go beyond that, to a more enterprise-centric set of features, you should take a look at the Firepower series of products (Firepower 1000, 2100, 4100, and 9300). These are newer than ASA as they were introduced in 2017 while ASA was introduced in 2010. These are next-generation firewalls that deliver business resiliency through threat defense.
  3. Cost - It would be great to have the best of the best for every scenario, but unfortunately, as you know very well, that’s not the way the world works. Arguably, the most restrictive characteristic for the choice you will make comes down to how much money will you spend. You must balance the services to be delivered by a firewall with the cost, so that you can really get the most for your money.

These are just some fundamental thoughts. You’ll have to go through your requirements in detail, and it may be worth discussing those further with your hardware provider. In the meantime, here is a link that may be helpful in giving you more information:

You may also consider other products such as a virtual firewall, Cisco Meraki MX series firewalls, or Secure IPS.

I hope this has been helpful!

Laz

Hello,
thanks for your precise answer.
We are small company, we are in 20 workers and 4 DMZ services, for each dmz we have different public IP, i was thinking to buy Firepower 1010.

Thanks

Hello Valerio

That sounds like a good choice! Let us know how you get along… Glad to be of help!

Laz

Hi,

Firewall Vendors make Firewalls of different throughputs ranging from 2GPS to 30 GBPS . When should a 20 GBPS throughput firewall is to be used ?

Hello Surendra

When examining the specs of firewalls such as the ASA or Cisco Firepower, there are various values for throughput that are given. For example, in the Cisco Firepower 1000 series datasheet, you can see various values for things like:

  • Firewall (FW)
  • FW + Application Visibility and Control (AVC)
  • FW + AVC + Intrusion Prevention System (IPS)
  • VPN throughput

These various values indicate the expected maximum throughput when these particular features of the device are activated. If you simply operate the FW feature, it requires fewer resources than employing the FW, AVC, and IPS together, and thus the expected maximum throughput is higher.

What you must do is determine what kind of throughput you need, determine which features you will enable, and match up the value of the required throughput to that of the expected throughput with the features you need enabled.

There are some more specs that you should keep in mind, including maximum concurrent sessions for various features such as AVC and VPNs, as well as maximum VPN peers, and maximum connections per second.

Again, these are specs that need to be examined based on the expected traffic and usage that you will have at the location of installation.

I hope this has been helpful!

Laz

Thanks for the reply Laz

Aim of my Question is different . Lets say an Organization have deployed 10GBPS Firewall at the Perimeter . What should be the Internet/WAN bandwidth they should be opting for access to their WEB servers from the general public on the Internet.

Second question is what is the strategy that the organizations adopt to size their Perimeter Firewalls ? What are the Various parameters that dictate their CHOICE ?

And the Other Question is i usually Hear about a BW of 100 MBPS Max for Home Internet ? How are Internet Requirements for the Organization Vary and to what extent AKA like FW throughput can extend up to 150 GBPS ?

Hello Surendra

Sizing the capacities of the firewall at the edge of the network can get complicated, especially if you have various different types of traffic that you want to handle differently. As seen in the previous post, you can have simple FW rules, AVC, IPS, VPNs, and IDS for example. For each type of firewall, each of these features can perform at specific maximum speeds based on the capabilities of the device or service.

Now when applying this to your enterprise network, you must determine the various types of traffic you have, and decide what specific security features you want to apply to them. For example:

  1. Internal user traffic to the Internet will go through the IPS and IDS system
  2. Traffic from internal Wi-Fi guest users will go only through the FW features
  3. Traffic from the general public to internal web servers will go through AVC
  4. Traffic over the VPN to other company sites will not be filtered, but only be encapsulated and secured

When you look at traffic like this, you can quickly see how complicated it can be to determine what the maximum capacity of your connection to the Internet should be, and what kind of firewall you should procure. When such sizing of FW and Internet capacities gets complicated, vendors can be very helpful as they have various tools that can estimate the actual capacities you will need based on your current and expected future network traffic.

So as far as sizing the FW and the internet connection, it all depends upon the traffic you have, and what kind of security features you want to apply to what type of traffic.

I hope that addresses your first two questions. For your third question, the maximum bandwidths for home internet depend upon the telco in the country you are in. In some places of the world, individual users are provided with speeds in excess of 1Gbps, and elsewhere it may be limited to several Mbps. The requirements for an enterprise vary similarly, but technologies using fiber optics will allow speeds much greater than those typically available for home use. For extremely large enterprises requiring speeds in excess of 10 and 40Gbps, they typically get these from multiple connections in various locations. They are rarely all connected through a single large pipe delivering >100Gbps. As such, you wouldn’t see a huge FW with these kinds of capacities serving such connections, but you’d see several FW distributed across multiple connections, often in different locations of a multisite company.

I hope this has been helpful!

Laz

Thanks Laz for the Long Answer .

what about Data Centre Firewalls ? How is the Internet BW is sized for DCs? and what FW capacities are usually recommended for DC with 10 WEB Applications minimum

Hello Surendra

Once again, it all depends upon the expected traffic. The expected traffic depends on many factors, and you cannot know what kind of traffic to expect simply from the number of web application servers. Expected traffic, whether it’s for datacenters or enterprise networks, must be determined based on a multitude of factors including:

  1. expected number of users of services
  2. type of network applications being used (file transfer, video, web, email, etc…)
  3. expected growth of traffic in the future

These can either be determined by monitoring a network and seeing actual data flow or by intelligently “guessing” based on reliable assumptions. In the second case, it can only be an approximation and you must always take a margin of error into account.

I hope this has been helpful!

Laz