Cisco ASA 5505

Cisco's concerted overtures to the SMB show no sign of slowing down. Its latest ASA (adaptive security appliance) products now deliver a Universal Threat Management security appliance to the same target market. In this exclusive review, we take a look at the diminutive ASA 5505, which represents the entry point of this family and is aimed at small businesses and branch offices.

There are a number of similarities with Cisco's entry-level ISR products, but the ASA 5505 is aimed at companies that also want integrated anti-virus, anti-spam and intrusion-prevention measures. At its foundation, the 5505 provides extensive firewalling capabilities and support for IPsec and SSL VPNs along with built-in VPN hardware acceleration.

For installation, you tread a very similar path as for the ISR appliances. Simply connect a PC to the first port on the switch and point a web browser at the unit's default IP address. You're then provided with options to download a Java applet to run Cisco's new ASDM (adaptive security device manager) interface remotely, or to install it from the appliance and run it locally. The latter allows you to manage multiple appliances from a single Desktop shortcut.

The ASDM interface is similar to that used by Cisco's ISRs and is just as easy to use. It opens with a complete status table, with graphs showing system resource usage, network traffic and a display of Syslog messages. The interfaces can be configured as required, and we set one up as an external port, with the other seven servicing the LAN. You can also isolate management to one dedicated port. The firewall commendably defaults to blocking all unsolicited inbound traffic, but this can be easily customised with security policies containing sets of rules. Selecting a rule is even easier, as this shows a rule flow diagram below. Security levels are also assigned to each interface during installation and these determine what risks they face. Give an interface a value of zero and it's deemed totally untrustworthy, such as one that's open to the internet, while a value of 100 says it should be fully trusted.

Site-to-site and mobile client IPsec VPN setup are both wizard assisted. A separate section is provided for the CSD (Cisco Secure Desktop) manager, where you create profiles that determine how remote users running the WebVPN software are handled, what resources they can access and how their PC is cleaned up after their SSL VPN sessions have ended. The expansion slot above the Ethernet ports is provided for adding the Anti-X and intrusion-prevention features, but at the time of writing Cisco was still debating what features should be made available for the 5505. Having also looked at the 5510 appliance, we can say that the Anti-X upgrade is well worth having. It's the result of an arrangement with Trend Micro, which sees the latter's InterScan software suite deployed on the expansion module. This allows it to provide extensive measures against viruses, spam and phishing, plus inbound and outbound mail content filtering.

The 5505 delivers a quality set of security features that belie its size, and the new ASDM interface makes light work of installation and management. However, to be a true UTM appliance, Cisco must make the Anti-X upgrade available for this machine.

Author: Dave Mitchell