PIX vs ASA feature question

DistributedBen

We are in the process of evaluating a new firewall solution. One option is the PIX 500 series. I was curious as to what features are not available on this line of firewalls in contrast to the newer ASA line of appliances. The Cisco site doesn't have a feature comparison between the two lines. Are there any primary differences in the firewall capabilities - outside of the appliance features (anti-spam, etc.) - of the PIX and the ASAs?

I know that the ASAs offer Anti-Spam, Anti-Phishing, etc., IPS and transparent firewalling as well as others. Are any of the features in the ASA appliances going to filter down to the PIX line? I ask because I thought I read that the PIX line was going to get a feature upgrade, but I can't find where I read that.

If it helps, our environment is a campus of 5-6 buildings with almost 200 computers and 5 servers. VPN access will be needed from home, initially for about a dozen users and eventually up to 150 or so. Wireless access across the campus in addition to wired connections to the offices.

I apologize if I am being vague, but this is my weaker area and I want to make sure I know what to look for when talking with consultants.

Thanks.
 
The PIX line is in the process of being retired. It has been replaced by the ASA line. One of the big new features of the ASA line is application layer filtering. PIXes are pretty dumb compared to today's standards of enterprise firewalls. If you are looking into a new product, I wouldn't recommend the old technology of the PIX.
 
I have not actually heard from Cisco that the PIX line is officially being retired, and there are no "End of Sale" or "End of Life" notices for the PIX on their site. With that said, the market position of the PIX isn't exactly clear anymore since the ASA can pretty much do everything the PIX can. I wouldn't be surprised if the ASA does phase-out the PIX, but it's not official yet (that I've heard).

So basically, the ASA and the PIX are running the same code, just on different hardware platforms. The ASA runs on a modular platform built around ASICs (specialized, reprogrammable processors). In a nutshell, the ASA is a PIX with the ability to take on multiple other functions.

It was designed so that new features in the future could potentially be hardware accelerated, rather than everything just being crunched by a single x86 processor. This is especially the case with VPN traffic. The ASA has an onboard ASIC dedicated to encryption and decryption, which pretty much integrates the old VPN Accelerator Card from the PIX series into the unit. Note that the ASA does include Anti-Spam, Anti-Phishing, and IPS by default. These will be provided by way of an add-in module that you purchase. There is only one module slot on the lower end ASA units, and I think that holds true all the way up the line. The IPS is a single module, the E-mail scanning is an individual module, and there's some other module too but I forget exactly what it is (outbreak prevention module, maybe?). The e-mail scanning is done via Trend Micro's IMSS engine.

Without the add-in modules, the ASA and the PIX units are very similar. The ASA is a bit more configurable with some options (especially concerning packet buffers) and is faster on the VPN side but since the ASA and PIX are both running 7.x code, they essentially have the same feature set. What you don't get with the PIX is the ability to add these modules later on, and you're stuck on an old hardware model that is probably stretching the limit of what Cisco can do with it.

The ASA and the PIX are almost evenly priced between the different units. With that in mind, there's really no reason to get a PIX over an ASA at this point.
 
Boscoh said:
I have not actually heard from Cisco that the PIX line is officially being retired, and there are no "End of Sale" or "End of Life" notices for the PIX on their site. With that said, the market position of the PIX isn't exactly clear anymore since the ASA can pretty much do everything the PIX can. I wouldn't be surprised if the ASA does phase-out the PIX, but it's not official yet (that I've heard).
True, it's not official. I probably should have mentioned that. Also, "retired" may not have been exactly the right word. A senior engineer at Cisco is the source of my information. He was assigned to a case after it was escalated to their development team and their business architecture group. He basically said they are working on phasing out the PIX line and moving to the ASA line.
 
MorfiusX said:
basically said they are working on phasing out the PIX line and moving to the ASA line.

I have heard the exact same thing from our Cisco reps. Of course, they make more money having us upgrade to ASA, so I'm not sure what to make of it :D
 