An Introduction to the Cisco ASA 5505 and 5510

Features, tools, and resources for nonprofits considering adopting one of Cisco's new security appliances

By: Roger E. Rustad, Jr.

April 29, 2008

The Cisco ASA 5505 and 5510 security appliances offered by TechSoup Stock are ideal for budget- and security-conscious nonprofits in need of a powerful and flexible firewall that can control access to sensitive internal information, increase employee and volunteer productivity, and enable safe remote access. In this first of a series of articles on the Cisco ASA, we will look at features that matter to nonprofits, explain the differences between the models offered by TechSoup Stock, and link to additional resources for those interested in purchasing Cisco ASA products and implementing them in their networks.

Why Should You Consider the ASA?

Nonprofits, like any business, must deal with network security and management issues, such as who is given authorized access, how to allocate limited bandwidth to the Internet, and how to prevent malicious traffic such as spam, viruses, and phishing. Network administrators must find network appliances that let them address these issues in a manner that allows their network users to remain most productive. The ASA 5505 and 5510 models help do this.

Those already familiar with Cisco's PIX series (retired by Cisco in July of 2008 and on TechSoup Stock in June of 2008) should have no problems making the transition to either the 5505 or 5510 models. On both models, the command line, graphical user interface (ASDM), and basic VPN features are almost identical to the PIX series. And compared to the older PIX series, the ASA 5500 series gives network administrators more options in protecting and managing their networks, allowing them to more carefully restrict malicious traffic (such as viruses, spam, and phishing attempts); limit peer-to-peer file-sharing traffic (from music-sharing sites like Kazaa, for example); or give priority to business-critical traffic, such as email, Web traffic, and more.

Compared to Cisco’s PIX series, Cisco ASA units also provide nonprofits with a much more comprehensive gateway security solution: Email and Web content can be more carefully inspected before entering a network, meaning that virus-infested home users who are given remote access are less likely to be a threat. Moreover, the "application firewall" features on the ASA series help ensure that a nonprofit's limited network resources are reserved and optimized for only the most important business-critical applications.

The 5505 versus the 5510

If you do not currently have a firewall, the Cisco ASA 5505 or 5510 from TechSoup Stock can provide your first line of defense against unwanted traffic coming in and going out of your network. Both the 5505 and 5510 share roughly the same basic set of features; the 5510, however, comes with additional tools and scalability, including the option to increase bandwidth and allow more concurrent connections.

Understanding these nuances and differences between the 5505 and 5510 can help decision-makers determine which model is best for their nonprofit environment. For example, the Cisco ASA 5505 does not offer intrusion detection, IPS (intrusion protection), antivirus, anti-spyware, or file-content inspection features as does its big brother, the 5510, making it ideal for small-home, branch, or telecommuter users requiring basic yet affordable protection. But unlike its PIX counterpart, the Cisco PIX 501, the ASA 5505 does include SSL VPNs, which will allow users to work remotely simply by visiting a Web page, rather than having to install Cisco's special VPN software. (For a feature-by-feature comparison of the 5505 and the 5510, see Cisco's Models Comparison Chart.)

Medium-sized nonprofits will no doubt feel constricted by the limited feature set of the Cisco ASA 5505, and will probably need to purchase the ASA 5510. These organizations will likely want to more carefully inspect the contents of traffic (for example, filtering out spam, phishing emails, and bad URLs). Those wanting even more gateway protection might consider purchasing Cisco's CSC-SSM (Content Security and Control Security Services Module), which provides content security features, such as the ability to more carefully inspect for viruses before allowing access to an internal network. (This module is not currently offered via TechSoup Stock and must be purchased separately elsewhere.)

For many network administrators, the Cisco CSC-SSM module available for the 5510 is the most compelling reason to purchase a Cisco ASA in the first place. TrendMicro's award-winning antivirus technology is automatically updated 24-7, providing internal resources (such as your mail server) with a critical first line of defense against malicious network traffic. This real-time protection of all Web and mail traffic at the Internet gateway lessens the risk of viruses entering often-overlooked areas of your network, and centralized management allows administrators to administer your nonprofit's security features via an easy-to-use Web page.

Troubleshooting and Support

Installing and configuring Cisco ASA hardware might be a little daunting for those new to firewall administration, and before purchasing the hardware, nonprofits should consider looking through Cisco's documentation and support offerings. General Cisco ASA 5500 support is available online, while Cisco SMARTnet support allows administrators to call Cisco round the clock to receive top-notch technical support or to quickly receive replacement parts for defective units. (Note: Organizations that order Cisco ASA donations through TechSoup Stock will receive five years of Cisco SMARTnet product service and support at no additional cost.)

A good place to start for those new to configuring Cisco ASAs would be Cisco's Quick-Start Guide. There, you can see how to administer your firewall with a Web client and begin configuring it so that it starts securely passing traffic across network interfaces and through VPN tunnels. Those already familiar with those basics who would like more detailed information might check out the Web-based ASDM User Guide, as well as some of the Configuration Examples and TechNotes and Command Line Reference Guides on Cisco's site. While these guides are a bit more detail-oriented than the aforementioned Quick-Start Guide, they give potential administrators a good idea of some of the complexities involved in actually securing and managing a Cisco ASA firewall.