Wednesday, 12 March 2014

ASA vs IOS

So far so good: a couple of months ago I successfully passed the 642-618 FIREWALL exam, my first step towards CCNP Security. 4 months of experiments with the ASA preceded the exam, and during that practice I kept wondering which is better, an IOS router or an ASA, what the differences between them are, and in which circumstances we should use one or the other. As a result, I wrote this short list of their pros and cons, which I noticed during my research.
  • Global ACLs - ASA has them, IOS does not; sometimes I find them very convenient
  • Object-oriented approach in ASA - you can name all objects (networks, hosts, ports) and create object groups, for instance a group of multiple ports
  • Packet tracer in ASA - it is possible to simulate a packet passing through the device and see what stopped it
  • ASDM for ASA and CCP for IOS - can't say which is better
  • Packet capture - although IOS has this feature as well, it seems to me the ASDM version on the ASA is more convenient and sophisticated
  • Advanced Layer 5-7 application inspection - ASA can do this stuff, IOS does not. For instance, it can be helpful for restricting the HTTP TRACE method
  • Advanced NAT - NAT on ASA is fully controllable; I consider it more convenient than on IOS
  • Failover - there is failover functionality in ASA: active/passive, active/active and clustering
  • Modular Policy Framework - one of the main ASA features; this instrument allows you to do practically anything with traffic
  • SCP server - ASA can act as an SCP server
  • Convenient CLI - ASA supports grep, and it is not necessary to use "do" before exec commands in configuration mode
  • TCP advanced options - ASA allows you to control options of a TCP flow, such as adding or removing option 19, preventing SYN flood attacks, or TCP state bypass
  • ASA can filter botnet traffic
  • ASA does not support DMVPN and GRE tunnels
  • ASA does not support Policy Based Routing
  • ASA has a cut-through proxy - we can authenticate users before allowing traffic
  • No wildcards!!! :) on ASA
  • No Telnet or SSH client on ASA
  • There are security levels on ASA interfaces for initial, quick control of access between networks
  • Inspection of TCP and UDP is turned on by default on ASA, which is very convenient
  • On ASA the real IP address is used in ACLs, not the mapped one
  • Transparent firewall mode in ASA - a switch combined with a firewall :)
  • Virtual firewalls - many firewalls in one box; however, there are some restrictions: in multiple context mode you can't use VPNs and routing protocols.
In general, I liked ASA more; I reckon it is more suitable as a border device between LAN and the Internet.
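To show several of the points from the list in one place (security levels, named objects and object groups, real addresses in ACLs after object NAT, a global ACL, MPF with Layer 7 HTTP inspection dropping the TRACE method, embryonic connection limits against SYN floods, a tcp-map for option 19, and packet-tracer), here is an added configuration sketch. It is not from the original post; the interface names, object names, policy names and the RFC 5737 documentation addresses are all assumptions made for the example, and it targets ASA 8.3 or later syntax, where ACLs reference the real address.

```cisco
! Added example, not from the original post. All names and addresses are assumptions.
! Security levels provide the initial rule: inside (100) may reach outside (0),
! nothing from outside reaches inside until an ACL permits it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! Named objects instead of bare addresses and ports.
object network WEB_SERVER
 host 10.1.1.10
 ! Object NAT: the static translation lives on the object itself.
 nat (inside,outside) static 203.0.113.10
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https

! Interface ACL: note it uses the real address (via the object), not the mapped 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER object-group WEB_PORTS
access-group OUTSIDE_IN in interface outside

! Global ACL: evaluated on every interface after the interface ACL; one place for a logged deny.
access-list GLOBAL_DENY extended deny ip any any log
access-group GLOBAL_DENY global

! Layer 7 HTTP inspection policy: drop and log connections that use the TRACE method.
policy-map type inspect http NO_TRACE
 parameters
 match request method trace
  drop-connection log

! tcp-map: strip TCP option 19 (MD5 signature) from flows it is applied to.
tcp-map NORMALIZE
 tcp-options md5 clear

! Modular Policy Framework: tie inspection and connection limits to web traffic on outside.
class-map WEB_TRAFFIC
 match port tcp eq www
policy-map OUTSIDE_POLICY
 class WEB_TRAFFIC
  inspect http NO_TRACE
  ! Cap half-open connections to blunt a SYN flood against the web server.
  set connection embryonic-conn-max 100 per-client-embryonic-max 10
  set connection advanced-options NORMALIZE
service-policy OUTSIDE_POLICY interface outside

! Verification from exec mode. From outside, packet-tracer is given the mapped
! address as it would arrive on the wire, and reports the phase that permits or drops it.
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
! show service-policy interface outside
! show conn address 10.1.1.10
```

The packet-tracer line is the quickest way to confirm the interaction described in the list: it walks the packet through the interface ACL, the global ACL, NAT untranslation and the service policy, and names the first stage that rejects it, which is far faster than reading counters on each piece separately.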

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...