| | SSG 5 Base/Extended** | SSG 20 Base/Extended** | ASA 5505 Base/Security Plus | PIX 501 / PIX 506 |
|---|---|---|---|---|
| Performance & Capacities | | | | |
| Firewall Throughput (Large packets) | 160 Mbps | 160 Mbps | 150 Mbps | 60 Mbps / 100 Mbps |
| Firewall Throughput (IMIX)* | 90 Mbps | 90 Mbps | Not Published | Not Published |
| FW Packets per second (64 byte) | 30,000 | 30,000 | Not Published | Not Published |
| VPN Throughput (3DES+SHA-1) | 40 Mbps | 40 Mbps | 100 Mbps | 3 Mbps / 15 Mbps |
| Sessions** | 4,000/8,000 | 4,000/8,000 | 10,000/25,000 | 7,500/25,000 |
| Stateful FW/VPN HA** | Active/Passive with Ext. license | Active/Passive with Ext. license | A/P with Security Plus license | Not supported |
| Dial Back Up | Yes | Yes | Yes (Dual ISP) | Not supported |
| Security Applications | | | | |
| IPS (Deep Inspection FW) | Yes | Yes | Yes | Not supported |
| Integrated File & Network-based Antivirus | Yes | Yes | Future | Not supported |
| Adware / Spyware / Keylogger protection | Yes (included in AV engine) | Yes (included in AV engine) | Future | Not supported |
| Integrated Web Filtering | Yes | Yes | Yes | Not supported |
| Integrated Anti-Spam | Yes | Yes | Future | Not supported |
| Redirect Web Filtering | Yes | Yes | Yes | Yes |
| SSL VPN | Not supported | Not supported | Yes | Not supported |
| Interfaces and Routing | | | | |
| Fixed I/O | 7 10/100 | 5 10/100 + 2 I/O expansion slots | 8 10/100 (2 are PoE) | 5 10/100 (PIX 501), 2 10/100 (PIX 506) |
| I/O Options | RS-232 Serial/Aux or ISDN BRI S/T or V.92 (factory configured) | Interface modules: ISDN BRI S/T, T1, E1, V.92, ADSL 2+ | Not supported | Not supported |
| 802.11 a/b/g | Yes (factory configured option) | Yes (factory configured option) | Not supported | Not supported |
| LAN/WAN Routing | RIPv1/2, OSPF, BGP, PPP | RIPv1/2, OSPF, BGP, PPP, MLPPP, FR, MLFR, HDLC | RIPv1/2, OSPF, BGP | OSPF, BGP |
| Security Zones | 10 | 10 | Not supported | Not supported |
| Virtual LAN** | 10/50 | 10/50 | 3 | Not supported |
| Virtual Routers | 3 | 3 | Not supported | Not supported |
| VoIP Security (ALGs) | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP |

* IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network
traffic. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

Feature Comparisons

| Key Feature / Point | SSG 5/SSG 20 (ScreenOS 5.4) | PIX 501/506 (PIX 6.4) / ASA 5505 (ASA 7.2) | Why it Matters |
|---|---|---|---|
| Integrated purpose-built Firewall/VPN appliance | New, purpose-built hardware with a security-specific OS that delivers best-in-class integrated security functionality for network- and application-level protection | PIX is an old platform with outdated, slow processing; the platform is frozen at PIX-OS 6.4 (can get to 7.x w/ E). ASA is a new platform but is hindered by the external processing card requirement for IPS or AV; it is unable to run both in a single ASA. | Customers want the ability to lower capital expenditures at outlying offices, along with the flexibility to add security as needed without the requirement of an added HW card |
| LAN and WAN connectivity | LAN and WAN I/O options plus supporting protocols and encapsulations provide unmatched connectivity flexibility in the mid-range market. | No WAN hardware or encapsulation support whatsoever on either platform; limited LAN hardware and protocol support | Customers want the ability to extend investment protection as they move toward next-generation networks (broadband, metro Ethernet) |
| Integrated 802.11 a/b/g Wireless | Optional dual-radio 802.11a + 802.11b/g support | Not supported | Small branch office environments are ideal locations to consolidate multiple security and networking devices (routing, wireless AP, FW/VPN and threat management) |
| 802.11 a/b/g Security | Broad range of wireless security mechanisms. Authentication: Pre-Shared Key (PSK), MAC address ACL, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1X. Privacy: WEP, WPA, WPA2 (AES or TKIP), IPsec VPN | Not supported | Wireless access can be used as a hacker/attacker entry point, so bullet-proof security is critical to protecting the network. |
| Integrated Security Policy, Network and Device Level Management | Manage all aspects (FW, VPN, IPS, routing, HA) from CLI, WebUI or NSM | Centralized management for PIX is a set of utilities. ASA 5505 management is GUI or CLI one-to-one, not one-to-many, on initial release; no date shown for centralized management of many devices | To maintain a reasonable administrative cost structure, device management in outlying offices must be easy to perform and consistent in all aspects. NSM can manage large deployments of SSG 5 and SSG 20 from day zero. |
| Security Zone Architecture | Security zones, virtual routers and VLANs provide the ability to enforce security via logical group functions (e.g. Marketing, Finance, etc.) as opposed to specific IP subnets or addresses | Access control lists are complex and based on source/destination IP address. ASA 5505 supports VLANs but does not support zones or virtual routers. | Segmenting the network in a logical, easy-to-configure and easy-to-manage manner is critical to protect internal resources from attacks and/or unauthorized use/access |
| Transparent Mode | Seamless deployment into an existing network, adding full security functionality without a network address change at install | Not supported on the PIX 501/506. Supported on the ASA 5505 | Customers want to be able to drop security into their network with minimal network re-configuration |
| Dynamic Routing | RIPv1&2, OSPF and BGP ease integration of security into existing networks and support dynamically routed VPNs | User must choose between OSPF and BGP; cannot run both. RIP support is available on the ASA but is a global (all-interface) configuration command, eliminating the ability to use multiple routing protocols. | A common deployment is to use OSPF for internal networks AND BGP for external connections; Cisco does not support this in a one-box offering |
| Dynamic Route-Based VPNs | With multiple VPN tunnels defined to a given location, routing protocols ensure that the optimal tunnel is used for traffic dynamically | Not supported. PIX uses static ACL-based VPN tunnel configuration. ASA supports Easy VPN, a competitive offering. | Outlying offices need maximum reliability at all levels, device as well as link layer |
| Virtual Routers | Up to 8 virtual routers supported | Not supported | Isolates and separates public and private IP addresses for greater security than a shared router |
| Bridge Groups | Group I/O as a basic switch, or group them as a single L3 interface and apply policy to that interface. | Not supported | Customers need the ability to go beyond structured Trust, Untrust and DMZ; bridge groups provide that configuration flexibility. |
| Antivirus (includes Keylogger, Adware and Spyware protection) | Optional file-based Kaspersky antivirus engine and database that scans FTP, HTTP (webmail), POP3, SMTP and IMAP for viruses, spyware and adware | Not supported in the PIX. Future support for ASA. | AV is critical, but so is IPS; the ASA forces customers to choose one of these options. They cannot have both. |
| Anti-spam support | Optional anti-spam solution from Symantec (Brightmail) provides best-in-class gateway-based spam prevention | Not supported in the PIX. Future support for ASA as part of the Trend Micro-based AV module. | Brightmail is a best-in-class offering for anti-spam, complete with dedicated research on keeping the spam list up to date. |
| Web filtering | Optional integrated web filtering with SurfControl, or redirect with either Websense or SurfControl | Only redirect is supported. | Integrated web filtering is a proven way to stop users from inadvertently downloading viruses and visiting inappropriate web sites. |
| IPS | Integrated IPS (Deep Inspection) provides application-level protection. | Not supported in the PIX. Future support for ASA as a security module. | Attacks are manifesting themselves in all manner, and a FW is only capable of catching those that are network related. |