Cisco ASA with FirePower vs Palo Alto Firewall
In this guide we hope to shed some light on the many benefits and shortcomings of both the Cisco ASA with FirePower services and the Palo Alto Next-Generation Firewall.
Comparison of Palo Alto Firewalls vs Cisco ASA/FirePower
- The differences between Palo Alto and Cisco ASA firewalls
- The features and benefits of both solutions for businesses of all sizes
- How well each system scales, key features, shortcomings, and associated costs
- Choosing a solution that provides the best protection, ease of deployment, and simple maintenance
Here are the key areas we will cover:
- Trusted Security
- Ease of Use
- VPN Support
- Capacity/Performance
- Gateway Security
- Content Filtering
- Advanced Monitoring and Reporting (including the NetFlow and IPFIX exports from these solutions)
We will then go over the cost of each solution based on functionality and traffic volume, so with that, let’s jump right in. Firewalls play a critical role in protecting an organization’s network from a never-ending list of Internet-borne threats. Firewall selection often determines how easily remote locations connect to centralized systems to access essential resources or complete important tasks.
We recently evaluated both the Cisco ASA with FirePower services and the Palo Alto next-generation firewall. We looked for the benefits our customers were asking for from their vendors, as well as what is unique about each product’s flow exports. By doing this we were able to learn which features were important to our customers and see how they could use these firewalls in their environments.
So let’s start our discussion with the Cisco ASA with FirePower services. By integrating the Sourcefire next-generation intrusion prevention system into the ASA, Cisco created an industry-first adaptive, threat-focused next-generation firewall.
What we found interesting is that this system attempts to remove the multiple pieces required in a traditional architecture, the one where you have separate firewalls, malware analysis systems, VPN gateways, IPS, etc., by bringing those pieces together in one appliance. With the integration of Sourcefire the ASA also gains application control and URL filtering, as well as advanced malware protection.
Palo Alto Networks is the maker of the Palo Alto next-generation firewall. Like the ASA with FirePower services, Palo Alto firewalls bring many solutions under one roof. The company markets itself as able to identify applications regardless of port, protocol, evasive tactics or encryption, with multi-gigabit, low-latency inline deployments for the enterprise. In addition, Palo Alto has built-in anti-malware detection with its WildFire subscription.
So now that we know a bit more about each company, let’s dive into the key areas to look for.
Trusted Security
The first is trusted security. When choosing a firewall, be sure to select a well-recognized and trusted platform. Barracuda, Cisco, Fortinet, Palo Alto, SonicWall and WatchGuard are among the brands that have carved out market share, and they have earned it for good reason: they deliver trusted security. Whatever brand you select, confirm that the firewall is ICSA certified, which is the industry standard for packet inspection. With that in mind, let’s have a look at the trust of Cisco and Palo Alto. Cisco Systems has been around since the beginning; it is considered by many to be the largest networking company in the world, with products ranging from network firewalls and routers to unified communications devices including voice over IP telephone systems, and we believe this is a company that certainly has trusted security. Palo Alto Networks is newer to the scene, arriving around 2005, and while not as large as Cisco it has a large following in the user community. Unlike Cisco, Palo Alto has a very specific range of products working entirely in the network security space: it currently does not offer routing and switching solutions, but offers next-generation firewalls, virtualized firewalls and network security management. It too is a company that we believe can certainly be trusted.
Ease of Use
The second thing to look for is ease of use. Global multinational enterprises typically require extensive security controls, but even organizations that need tremendous protection don’t have to limit themselves to clunky user interfaces for configuring their equipment. Many firewall models deliver tight security and easy configuration options, so when selecting a hardware-based firewall consider the benefits of approachability and ease of use. The easier a platform is to administer, the easier it will be to locate professionals capable of installing, maintaining and troubleshooting it. So with that in mind, let’s take a look at the interfaces of both solutions so you can see how each company provides ease of use.
Cisco ASA with FirePower services is actually two things, so there are two different configuration and management interfaces: one for the ASA and the other for the FireSIGHT server. The Cisco ASA exports NSEL (NetFlow Secure Event Logging) directly to your flow collector, while FirePower services export data to the FireSIGHT server, which in turn sends flows via eStreamer to your flow collector. These are two separate systems on the ASA and they need to be configured separately. It is important to note that after the initial configuration of FirePower and FireSIGHT, management of the system is done either in ASDM or in the web interface of the FireSIGHT console. In the screenshot you can see a number of tabs indicating the various parts of FirePower within ASDM. From the various dashboards you can see information about applications, top destinations, etc., and you can also manage FirePower details via the web interface. So the Cisco ASA and FirePower are easily managed and offer great detail about your data from within their interfaces.
Much like the Cisco ASA, the Palo Alto also uses a web-based interface for management and reporting. From the dashboard we can see common information about the device, including the management IP address as well as the versions of the various subscriptions on that firewall. The dashboard can also show other details like the top applications, and you can change these dashboards yourself by simply clicking the widgets drop-down. As with the ASA, the Palo Alto is really easy to use and provides great insight with its built-in reports.
VPN Support
The third thing we would like you to consider is VPN support. A good firewall also establishes and monitors secure channels enabling remote connectivity, and you want to look for hardware-based firewalls that support both SSL and IPsec VPN connections: point-to-point or site-to-site VPNs between similar devices as well as secure connections from traveling or remote employees.
Another option to consider within the VPN realm is whether the firewall offers dual-factor authentication support. Many firewalls let you plug into online APIs like Duo or Authy, which adds an extra layer of security between your remote users and your network. The Cisco ASA provides a VPN concentrator built directly into the firewall. One thing to note is that the VPN is a function of the Cisco ASA, not of FirePower. Users connect using AnyConnect, and the ASA can be configured to admit users onto the network via LDAP, Active Directory or Cisco ISE.
The ASA also provides options for dual-factor authentication such as Duo Security, which adds an extra layer of security by ensuring that even if a user’s credentials are compromised a second token will be required. Now we want to continue with the idea of ease of use within the VPN realm, and to do this we will explain the simplicity of setting up VPN users. Adding and allowing users to connect to the network via VPN is fairly straightforward on the ASA. You start by creating certificates; these are the certificates that will be used to encrypt the traffic between the client and the gateway. Then you configure LDAP and Active Directory, or whatever you are using, such as RADIUS, in the AnyConnect connection profile; this creates the profile that will act as the authentication mechanism AnyConnect uses. You obviously also have to create the IP address pool for the VPN users and any other profile policies you desire. Once you have these components in place, based on your organization’s needs, you will have a fully functioning VPN. So with that, let’s explore the Palo Alto’s VPN setup.
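The ASA procedure just described (certificates, an LDAP/Active Directory authentication source, an optional second factor, an address pool and the AnyConnect connection profile), shown as an added ASA CLI example that is not from the original article or from Cisco’s documentation. The trustpoint, server group, pool, group-policy and tunnel-group names, the IP addresses and the placeholders in angle brackets are all assumptions.

```cisco
! --- Step 1: identity certificate presented to AnyConnect clients ---
! Assumed: a CA-signed certificate has already been enrolled into this
! trustpoint (enrollment steps omitted); VPN-TP is our own name.
crypto ca trustpoint VPN-TP
 enrollment terminal
 subject-name CN=vpn.example.com
 exit
ssl trust-point VPN-TP outside

! --- Step 2: authentication servers (assumed addresses) ---
! Primary factor: Active Directory over LDAP, bound with a read-only service account
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft

! Second factor: a RADIUS proxy (e.g. a Duo-style authentication proxy)
! The 60 s timeout leaves room for a push approval on the user's phone
aaa-server MFA-RADIUS protocol radius
aaa-server MFA-RADIUS (inside) host 10.1.1.6
 key <radius-shared-secret>
 authentication-port 1812
 timeout 60

! --- Step 3: address pool handed out to connected clients ---
ip local pool ANYCONNECT-POOL 10.20.30.10-10.20.30.250 mask 255.255.255.0

! --- Step 4: enable the AnyConnect service on the outside interface ---
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable

! --- Step 5: group policy, i.e. the settings pushed to a user after login ---
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.1.1.5
 default-domain value example.com
 address-pools value ANYCONNECT-POOL
 split-tunnel-policy tunnelall

! --- Step 6: connection profile (tunnel group) that ties it all together ---
! The same username is reused for the second factor, so the user is only
! prompted for the one-time code / push, not for a second login name.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group AD-LDAP
 secondary-authentication-server-group MFA-RADIUS use-primary-username
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias Employees enable
```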
Like the ASA, Palo Alto includes a VPN concentrator in the firewall. VPN connectivity is done via the GlobalProtect subscription. GlobalProtect works very similarly to AnyConnect in that you download a client to your users’ machines and the application then creates the tunnel. Users authenticate to the VPN via LDAP or Active Directory, RADIUS, or really anything similar to what you would use with AnyConnect. There is also an option to use a local user database, which may be useful for you. Palo Alto also supports dual-factor authentication much like the ASA. Adding and allowing users to connect to the network via VPN is fairly easy and is as simple as creating certificates; these are the certificates that will be used to encrypt the traffic between the client and the gateway. Configuring LDAP, Active Directory, RADIUS or a local database in the authentication profile is the next step, and this creates the profile that will act as the authentication mechanism GlobalProtect uses.
The next step is to configure the firewall gateway to allow VPN traffic; this is where users gain access to your network. You enter details for the authentication itself, the tunnel details including whether or not to enable IPsec, and the gateway address that users actually connect to.
Finally, configure client access: you set up the network that clients will join. Typically this is its own subnet so that VPN users are isolated from other users on the network. Setting this up is as simple as the other steps; we specify DNS details for VPN users, the DNS search domain (called the DNS suffix here), the pool of IPs that users connect with, and any route details we need to provide. Overall, setting up VPN users and connecting with the GlobalProtect client is really easy and no more cumbersome than AnyConnect.
Capacity/Performance
The fourth item to consider is capacity. Branch offices may use a firewall in a dual capacity, serving as both a security device and a network switch, while larger organizations usually just drop the firewall into a larger architecture in which its only role is to filter traffic. So pay close attention to the manufacturer’s recommendations for maximum node support. Exceed the firewall’s capacity and you will experience errors, flat-out traffic denials due to a lack of licensing, and/or potentially unacceptable performance. You will also want to see what type of hardware is used for exporting traffic analysis details: on low-end machines with high traffic, enabling features like NetFlow or IPFIX exports can tax the CPU greatly, causing performance trouble.
The Cisco ASA brings much to the table with regard to capacity. There are standalone options like the ASA 5506-X with FirePower services, which supports throughput of 300 Megabits per second, but also high-capacity solutions like the ASA 5585-X with FirePower SSP-60, which can provide up to 20 Gigabits per second. Cisco offers a broad range of solutions regardless of capacity, which in turn provides a solution for organizations of any size. Palo Alto Networks brings a wide variety of solutions to the next-generation firewall capacity table as well, starting from the PA-500, which offers throughput of 250 Megabytes per second, up to the massive PA-7080 with support for over 200 Gigabits per second, so they too offer a broad range of solutions to fit the needs of any organization.
With that in mind, we’d like to jump into the performance details for both solutions. A few notes about performance in general: both the Cisco ASA with FirePower services and the Palo Alto firewalls offer high-throughput options as well as small and medium-sized business options for companies that require minimal throughput. The biggest factor in performance is the features you enable in either system. For example, if you enable malware detection in Cisco FirePower or Palo Alto you should expect to see a 50-percent hit to the performance of those systems, and if you have a higher volume of traffic you should expect this number to increase, especially if you are reaching the limit for that device.
Likewise, if you are under-taxing the hardware, say you have a Palo Alto PA-7080 or an ASA 5585-X on a network with less than a hundred megabits per second of bandwidth, the likelihood of you overpowering the system is very limited. The inverse is also true: if you only have a smaller-scale ASA 5506-X or a Palo Alto PA-500 with over a gigabit of bandwidth, then your system is not going to be able to handle that volume. Therefore there are a few things to keep in mind when you look at performance. You should look at your current bandwidth requirements; again, if you have more bandwidth than the firewall can handle, it will cause performance degradation, so only enable the features that you need.
Both Cisco and Palo Alto provide excellent features, but you may not need them all. Finally, you should look to the future: your needs may change, and if you anticipate that you may, say, require VPN users or the antivirus capabilities moving forward, consider the impact it will have on the system. Upgrading to the next device now will save you time, money and frustration in the future.
Gateway Security
The fifth thing to consider when planning to purchase a network firewall is gateway security. Many organizations successfully reduce costs by centralizing antivirus, anti-spyware and anti-spam protection on their firewall. When comparing firewall capabilities and determining total cost of ownership, factor in the cost savings you can see by deploying these services on the firewall versus, say, a traditional domain controller or other server running anti-malware. On the Cisco side, threat mitigation comes from Cisco Advanced Malware Protection (AMP).
Using FireSIGHT, Cisco AMP provides global threat intelligence, advanced sandboxing and real-time malware blocking to prevent breaches, all visible via the FireSIGHT web GUI. In this view you can see analysis of the threats that are occurring, indications of compromised hosts over a set time period, and the malware events and intrusion events.
Drilling into these threats, we can see the specific malware occurring in a given time frame: the threat name, the file name, and the SHA value of the file. Once you dig into an identified threat you can see the entire history of that file. This is known as retrospective security, meaning the ability to track all interaction points with the infected file; each circle in this view is a point along the file’s trajectory.
Now let’s look at the Palo Alto anti-malware capability. Palo Alto’s protection comes from the WildFire subscription, and according to Palo Alto, WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing, signature-based detection and blocking of malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware. Palo Alto claims that WildFire quickly identifies and stops advanced attacks without requiring manual human intervention.
In this view we can see the items submitted to WildFire, including the file name submitted, the attacker and the victim. Because WildFire is a cloud-based service, we can see the details for our traffic in Palo Alto’s web interface.
Here we can see an overview of the malware, showing the actual malware caught compared with the benign submissions, and we are also given details about the source of the submissions, that is, the device sending them. So both of these solutions offer pretty robust detail regarding gateway security.
Content Filtering
The sixth consideration is content filtering. Some firewall manufacturers offer web filtering subscriptions, and the benefit is that all of the network services associated with the business, from gateway security services to content filtering, can be consolidated on a single device. The drawback, of course, is that you have to pay for the privilege. When you are reviewing potential hardware-based firewall solutions, consider your organization’s needs and budget and determine whether content filtering should be administered from the firewall. If the answer is yes, select a firewall that supports reliable, proven content filtering. The ability to see application-specific details is quite robust in the FirePower interface.
From a checklist of categories in the side panel, we can select one and add it to a filter, which shows the applications that fall under that category. From this view we can see the type of application as well as the port information, if available. This is good to know because we can then create policy rules to allow or deny such traffic; in this case we are looking at remote file storage.
Content filtering on the Palo Alto is powered by its advanced application detection algorithm, and filtering is handled by looking at application behavior via rules. So rather than blocking Dropbox, for example, you could block file sharing, which would block any application that fits that rule, such as Box, SugarSync, Google Drive, Amazon Cloud Drive and so on. Let’s take a look at what this looks like by viewing the application section in the Objects tab, where you can search for the applications that Palo Alto has deemed part of a given category.
In this example, if we search for web browsing we can see the categories our search falls under. We can also see the subcategories and technology the filter is associated with, and in the bottom section the individual items associated with our search. This is very beneficial because we see a much more focused list of applications than we would if we were only looking at port/protocol details. Also, since detection is based on traffic patterns and not on port/protocol, we don’t have to worry about applications misusing ports to bypass traditional firewall rules.
Advanced Monitoring and Reporting
So now that you have these details and features, we’d like to take you to the final, but by no means least, consideration, which is advanced monitoring and reporting. Repeatedly throughout a single business day, a single device can block thousands of intrusion attempts, detect consolidated attacks, and log failing or failed network connections. But this information is helpful to network administrators only if it is available in a readily usable format, so you want to look for firewalls that not only monitor important events but also log this data in compatible formats. A good firewall should ideally support next-generation NetFlow and IPFIX exports. Both the Cisco ASA with FirePower services and the Palo Alto firewalls can take advantage of these advanced flow exports and provide detailed insight into the traffic.
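As an added example (not from the original article or from Cisco’s documentation) of the NSEL export mentioned under Ease of Use and the flow-export support discussed here, this ASA CLI fragment sends NSEL records to a flow collector; the collector address and port, the interface name and the NSEL-* object names are assumptions.

```cisco
! Assumed: the collector listens on UDP 2055 at 10.1.1.20 behind the inside interface
flow-export destination inside 10.1.1.20 2055

! Re-send the NetFlow v9 templates every minute so the collector can decode
! records even after it restarts or drops the templates
flow-export template timeout-rate 1

! Hold flow-create events for 15 s: a short-lived flow torn down within that
! window produces a single teardown record instead of two separate events
flow-export delay flow-create 15

! Match all traffic; narrow this ACL if only certain subnets should be exported
access-list NSEL-TRAFFIC extended permit ip any any
class-map NSEL-CLASS
 match access-list NSEL-TRAFFIC

! Attach the export action to the existing global policy (no new policy-map)
policy-map global_policy
 class NSEL-CLASS
  flow-export event-type all destination 10.1.1.20

! Already present on a default ASA configuration; harmless if repeated
service-policy global_policy global

! NSEL carries the same connection setup/teardown information as the
! 302013-302016 family of syslogs, so disable those to avoid double logging
logging flow-export-syslogs disable
```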
Our Conclusion on which one is better
In summary, the Cisco ASA with FirePower services and the Palo Alto next-generation firewall offer a broad range of benefits for organizations of all sizes, and deciding which solution to go with depends entirely on the features you need and the type of environment you have. So while there are no clear winners today, or perhaps there are only winners, be sure that the features of either solution meet the requirements of your business now.
2 Comments
Thanks for such a detailed comparison. I would like to give some input on what I have found working with Cisco ASA.
Out-of-Band Management Interface: Cisco – No true out of band; you would need an external out-of-band manager that you are using for the rest of your gear.
Browser-based GUI: Cisco – Java is a bummer but not a deployment killer. After you VPN in, you can manage via ASDM if you want.
In-Band Interface Management Profiles: Cisco – I think this gives you better control; very few people should have access via a few interfaces.
Single Security Policy: I have worked with PA, and you have to set a new policy for every network you want to connect to. On a Cisco ASA, you simply do an OBJ and then control access via the ACL. You can do an ACL in the VPN if you want.
Zone-Based Security Policies: PA – if you have 20 networks you need twenty policies, and if these networks need to talk to 10 on the other side that’s 200 policies. Cisco – you just set up the OBJ and control via ACL. So much cleaner and faster.
Network Objects in Slash-Notation: I do not see this as a big deal some might.
Tags: That would be nice to have
Managing all Un-Committed Changes: Cisco – No, you can make as many changes as you want then click apply. You will see the CLI lines that will be changed before they are deployed so you can double check your work. I may be missing your point.
Simple Renaming of almost Everything: This would be a nice to have. OBJ in the ASA cannot be renamed; way to go Palo Alto.
Configuration Log: We use OpManager Device Expert for more than just who did what. You can set up AAA logging in the ASA, then send the logs to a log server so you have all your devices’ activities in one place. Cisco routers have had this feature for years and I do not remember when I have ever used it.
Traffic Log Filtering: Cisco – This is super easy in a Cisco ASA.
Adjust Columns: Cisco – Most columns are adjustable.
Application Command Center: Cisco has had this since the Pix days. It is on the main dashboard of the ASDM, or you can do it via CLI.
Route-Based VPN: You can do route-based with a router and encrypt the traffic via the ASA. There are other ways to make traffic selection if needed when the base IPSec does not suit your needs. NO GRE yet……
IKE Policy per VPN: Cisco – True on the IKE, but you can add or delete any protocol you want, and you can granularly control IPSEC for every tunnel.
Well, one of the main differences as well is that Cisco Firepower (ASA with Firepower, or FTD) is an NGFW and NGIPS platform, while PAN is only an NGFW platform.
Most security experts prefer firepower reports and analysis, while network admins prefer Palo Alto.
Both platforms are good, but I personally prefer FTD (not the ASA with Firepower) platform.