
What to put on the perimeter of the network: Cisco router or Cisco ASA?





Hello! When designing networks on Cisco equipment, the question periodically arises of what to put on the network perimeter: a router or an Adaptive Security Appliance (ASA) firewall? It is not always possible to answer this unambiguously. I would like to make one more attempt and draw a small comparison of these two devices. You will say that this has already been discussed many times. I agree. But the devices keep evolving: new models appear, functionality is added. So sometimes it is worth stepping back and looking at the question again. What if something has changed?



Clarification
For rigour, note that the comparison will primarily be between the ASA 5500-X and the ISR G2 and ISR 4000 routers.



We all know that the Cisco ASA is a security appliance and is usually mentioned together with the word firewall. The Cisco router is, first of all, a router. Well said, eh. That, in fact, is the difference. But it is not so simple: the Cisco ASA can route traffic (it even supports dynamic routing protocols), and a Cisco router can perform firewall functions (two technologies are supported: CBAC and ZFW). I can feel the reader heading for the phrase: yes, Captain Obvious, you are right. So I propose to look at these devices more closely and determine what they have in common and how they differ.




Historically, the ASA has had an advantage over the router only in a number of technologies, primarily security-related ones (the classic firewall and the VPN concentrator for connecting remote users). In everything else the ASA mostly plays catch-up. This is because the ASA is positioned as a security tool, and the Cisco router as a universal Swiss army knife (on it we can run encryption, voice functions, traffic optimization and so on). Therefore the question of choosing between the two devices arises only in the context of network security.



At first glance, for a task such as providing an office with a secure Internet connection, both devices offer everything you need:





If necessary, a VPN (site-to-site and remote-access) can be brought up on either device. Both support NetFlow for collecting traffic statistics. If you need NGFW (next-generation firewall) or NGIPS (next-generation intrusion prevention system) features, they are available on both the ASA and the router. Thus, in general, the two devices have fairly similar functionality (once again I note that we are talking only about traffic routing and security technologies). Moreover, from time to time the functionality of one device flows smoothly into the other, which makes the choice even harder. For example, advanced SSL VPN features were always the prerogative of the ASA. But over time many SSL VPN functions appeared on the router (clientless mode, smart tunnels, etc.). Capturing packets on interfaces (packet capture) was likewise supported for a long time only on the ASA. The same goes for the various constructs used when configuring ACLs: I mean objects (object groups), which let you group IP addresses/networks and services. All of this gradually migrated to the router OS. The reverse has happened too: the ASA gained BGP support, policy-based routing (PBR), and so on. So the choice of one solution or the other is not always predetermined. As usual, the devil is in the details.



Since the ASA is the narrower solution, we will build our comparison around it. The ASA is positioned as a security device, so many security features work out of the box. By default the Cisco ASA “tightens all the nuts”, whereas on the router you have to enable the security features yourself (configure the firewall from scratch, disable unnecessary services, etc.). Let's go through the main functions of the ASA:
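To make the “tightens all the nuts” point and the object-group remark above concrete, here is an added example (not from the original article and not Cisco reference configuration) of the minimum needed to get the same posture on both devices: LAN traffic to the Internet inspected statefully, everything inbound dropped except one published web server, with the inbound rule built from object groups. Interface names, addresses (RFC 5737 documentation ranges) and object names are assumptions; NAT is left out on both sides to keep the firewall part visible.

```cisco
! ===== Cisco ISR (IOS) with Zone-Based Firewall =====
! Out of the box the router forwards in every direction and keeps no state;
! nothing is inspected until zones, a zone-pair and an inspect policy exist.
!
! Object groups (the same idea as on the ASA, available in IOS as well)
object-group network LAN-SERVERS
 host 192.168.1.10
object-group service WEB-PORTS
 tcp 80
 tcp 443
!
! What the LAN may start towards the Internet (statefully inspected)
class-map type inspect match-any CM-LAN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-LAN-OUT
 class type inspect CM-LAN-OUT
  inspect
 class class-default
  drop log
!
! What the Internet may start towards the LAN: only the published server
ip access-list extended ACL-PUBLISHED
 permit object-group WEB-PORTS any object-group LAN-SERVERS
class-map type inspect match-all CM-PUBLISHED
 match access-group name ACL-PUBLISHED
policy-map type inspect PM-OUT-IN
 class type inspect CM-PUBLISHED
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security LAN-TO-INET source INSIDE destination OUTSIDE
 service-policy type inspect PM-LAN-OUT
zone-pair security INET-TO-LAN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description ISP uplink
 zone-member security OUTSIDE
 no cdp enable
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! "Disable extra services": things IOS enables by default or ships enabled
! in the factory configuration and that have no business on a perimeter box
no ip http server
no ip http secure-server
no ip source-route
no ip bootp server

! ===== Cisco ASA =====
! The same posture falls out of the security levels alone:
! inside (100) -> outside (0) is allowed and tracked, outside -> inside is denied.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Only the exception has to be written: the published server
! (ACLs reference the real address since ASA 8.3)
object-group network LAN-SERVERS
 network-object host 192.168.1.10
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE-IN extended permit tcp any object-group LAN-SERVERS object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
```

The line count is the point: on the router every zone, policy and default service is an explicit decision, and an interface left out of a zone silently cannot talk to the zoned ones; on the ASA the only thing that had to be typed was the exception to a default-deny that was already there.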







This is where the main ASA functionality is almost exhausted. I would also like to mention a rather handy ASA utility, packet-tracer. It lets you perform an initial diagnosis of how a packet passes through the device: packet-tracer shows information about each stage of packet processing inside the device. I assume that the absence of packet-tracer on the router is due to the router being far more multifunctional.





Let's touch briefly on the architectural features of the software and hardware. Note right away that the program code of the ASA and the router is completely different, so some processes are implemented differently.



Take routing, for example. The ASA knows nothing of the routers' Cisco Express Forwarding (CEF). It uses its own logic: the route is determined for a session once, when the session is established (something like fast switching). We can say that the router operates on packets and the ASA on sessions. On the ASA, NAT can influence routing (more precisely, in some cases NAT determines where the packets of a given session will be sent). There is nothing of the kind on routers: the routing table or PBR “drives” everything. When routing is switched from one interface to another on the ASA, the session will not always be re-established (it can keep working on the old interface). For each session the ASA remembers not only the outgoing interface (where to send packets) but also the inbound interface (where the packets originally came from). This trait shows most clearly when we have several providers (connected via static routing) with some published services on them. With the ASA, the reply packets will always leave through the provider the request came in on, i.e. all the published services will work. With a router, the reply packets will leave through the default provider, i.e. the published services will work on only one provider (this behaviour can be worked around with some trickery: VRF + BGP).
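The multi-provider case above, as an added example (not from the original article and not Cisco reference configuration): an ASA with two ISPs and the same internal server published under a different public address on each. Interface names, addresses (RFC 5737 ranges) and object names are assumptions.

```cisco
! Cisco ASA, two ISPs, one internal server published through each of them.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/2
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Routing table: isp1 is the default; isp2 is only a floating backup (metric 254).
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! The same real host, published under a different public address on each ISP.
object network WEB-REAL
 host 192.168.1.10
object network WEB-ON-ISP1
 host 203.0.113.10
object network WEB-ON-ISP2
 host 198.51.100.10
nat (inside,isp1) source static WEB-REAL WEB-ON-ISP1
nat (inside,isp2) source static WEB-REAL WEB-ON-ISP2
!
! Let the connections in (ACLs use the real address since ASA 8.3).
access-list ISP1-IN extended permit tcp any object WEB-REAL eq 443
access-list ISP2-IN extended permit tcp any object WEB-REAL eq 443
access-group ISP1-IN in interface isp1
access-group ISP2-IN in interface isp2
!
! The behaviour described above: a request arriving on isp2 for 198.51.100.10
! creates a connection whose ingress interface is isp2, and the replies from
! 192.168.1.10 go back out of isp2 even though the routing table points at isp1.
! Commands to confirm it after a test connection (no sample output shown):
show conn | include 192.168.1.10
show xlate
show route
```

On a router with the same two uplinks and a static NAT entry per ISP, the reply from 192.168.1.10 is handled by the routing table alone, i.e. it follows the default route to ISP1 no matter which uplink the request arrived on, which is why the article says only the publication on the default provider works without the VRF + BGP workaround.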



Now let's look at performance. Of course, it is very hard to compare devices on this parameter, since the measurement methodology may differ for each type of device, and the marketing department never sleeps. Plus, performance depends on the services running on the device. Still, let's try to note a few points. Previously (for the older ISR and ISR G2 models), routers lost on price/performance (both on paper and in practice). For example, for the similar cost of an ISR G2 2921-SEC and an ASA 5512-X, the first device delivered 50 Mbit/s (the figure the vendor recommends), and the second 100 Mbit/s in the worst case (Application Control, 440-byte HTTP packets). Perhaps not an exact comparison, but I hope it will do for a rough estimate. For the same money, the ASA often gave us more performance. But with the arrival of the 4000 series routers the picture changed. Now each case has to be looked at individually, because on the 4000 routers performance does not degrade nearly as much when services are enabled.



Conclusion



It's time to take stock and answer the question posed in the article's title. The vendor has recommendations on this, formalized as various designs within the Cisco SAFE architecture. But we do not always build complex networks where every kind of device performs the functions best suited to it, for example an ASA with Firepower services as the firewall and routers for connecting to the WAN links. Often there are situations where you have to install just one thing (the reason may be as trivial as budget). And then we have to think about what to choose.



Case 1. A relatively small company with a single office. It needs secure Internet access (one or two providers are used).





In this situation the ASA solution may look more attractive, for the following reasons:





Case 2. There is a central office and one or more remote offices. What to put in a remote office?



I think many already understand that site-to-site VPN is not the ASA's strongest side. If we have many offices and several providers and need a full mesh (direct connectivity between all offices), it is better to use routers for this task. DMVPN technology alone will remove most of the headache. In this case the central office should also have a router.



If we have one provider everywhere and not that many offices, the ASA will do fine. Moreover, the solution may be cheaper than a similar one built on routers. But do not forget that today there is one provider, tomorrow there are two, and the company may grow a little. Of course, on the ASA in a remote office you can configure a backup VPN to the central office, using two providers at the center. There are just too many “buts” that can spoil the reputation of such a solution. The vendor is, of course, trying to remove them, but for now these “buts” have to be taken into account.



To sum up, the ASA is excellent for tasks such as firewalling and remote-access VPN. If we can afford to install this device to solve only those tasks, it is worth doing. If we need a mixture of functions in one “box”, it may be worth looking at the router.



If you have your own thoughts on the question in the article's title, welcome to the comments.



UPD:

The article states that routers have no function similar to the ASA's packet-tracer. This statement is not entirely correct: IOS XE has similar functionality, Datapath Packet Trace.
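For the packet-tracer remark in the body of the article and the Datapath Packet Trace correction above, here is an added example (not from the original article) of how each is invoked. The ASA command simulates a single packet and prints every processing phase (route lookup, ACL, NAT, inspection) and the final verdict; the IOS XE commands record the same kind of per-packet trail for real packets matching a condition. Addresses and interface names are assumptions, and no sample output is shown.

```cisco
! Cisco ASA: simulate a TCP SYN arriving on "outside" for a published address
packet-tracer input outside tcp 203.0.113.50 40000 198.51.100.10 443 detailed
!
! Cisco IOS XE (e.g. ISR 4000): Datapath Packet Trace
! 1. Condition: only packets to/from this host, in both directions
debug platform condition ipv4 198.51.100.10/32 both
! 2. Buffer 64 packets and record the feature-invocation path for each
debug platform packet-trace packet 64 fia-trace
! 3. Arm the trace, let the traffic flow, then disarm it
debug platform condition start
! ... generate or wait for traffic towards the host ...
debug platform condition stop
! 4. Read the result: one line per packet, then the full trail of packet 0
show platform packet-trace summary
show platform packet-trace packet 0
! 5. Clear the trace buffer and the condition when finished
clear platform packet-trace configuration
clear platform condition all
```

The practical difference is that packet-tracer answers “what would this device do with such a packet” without any traffic, which is what you want when checking an ACL or NAT rule before going live, while Datapath Packet Trace shows what the router actually did with packets that really arrived, which is what you want when a flow that should work does not.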

Source: https://habr.com/ru/post/279857/


