Another great firewall for small business
Pros:
small, powerful, LOTS OF PORTS, Cisco quality, ASDM better than it's credited for
Cons:
No Anti-X, expensive, requires expertise
The Bottom Line:
While it lacks Anti-X and isn't for the newbies, the ASA 5505 is a solid, dependable unit that you won't go wrong with.
Author's Review
Where I work, I am the Cisco guy. I sort of got elected to this position somehow. When our clients (nonprofit agencies) want a firewall or a VPN, I'm the one who sets it up.
Nonprofit agencies have little budget, as one might expect. Fortunately, there are programs available that make software and hardware available to them at a bargain price. (And before you ask: you need to have a 501(c)3 tax exempt certificate to get any of the good stuff.) But the selection is limited.
For the past few years, the firewall/VPN choice was either a PIX 501 or PIX 506E. I preferred the 506E as it had a faster processor and a little more memory. However, the PIX line is no more, and now the available choice is the Cisco ASA 5505.
So earlier this year one of my clients obtained the ASA 5505, hoping to set up a remote access VPN. I'd had good experiences with the 506E and hoped that the ASA could meet the standards of its predecessor.
My hopes were met and more.
To begin with, the ASA 5505 has fixed the number one peeve I had about the PIX 506E -- PORTS. The PIX 506E had only two -- one inside, one outside. You needed a separate switch in order to actually add anything. The PIX 501 did have extra ports on the back, but had a slower processor. The ASA 5505 has eight total ports on the back, so small networks can get by plugged straight into it.
A lot of hard-core Cisco types favor the command line exclusively. I don't. Cisco's PIX Device Manager has been replaced by the ASDM (Assistive Device Security Manager). There were improvements on this too. For one thing, the PIX PDM required a rather old version of Java to run properly. The ASDM has fixed this problem.
And honestly, Cisco ought to take some pride in the ASDM. It offers a lot of administration abilities, and there's always a command line there if you need it. You can also graph varying performances, and it provides a rule flow diagram for access control lists (blocking different ports). For example, you can block access to a particular IP address -- say, MySpace or Facebook. It sounds a little foolish, but it does help being able to see it diagrammed out for you. You can set up a site-to-site or remote access VPN in short order with it. It doesn't do everything, but it does make things easier and it does offer quite a lot. The ASDM can also be run as a local application on your PC rather than the web-only applet of its predecessor. For the command-line junkies, the ASA 5505 sports the same RJ-45 console port of its predecessors, and supports telnet and SSH.
Once it was up and running, the ASA 5505 did not need to be tinkered with -- it just worked. (That didn't stop me from tinkering anyway. I'm a tech, what do you want?) We set up a mail server; setting up a static mapping was a momentary job. We got a spam filter up, and changing that mapping was just as easy.
The PIX line generally supported two 'sides' -- inside your network, and outside your network (the Internet, in other words.) The ASA comes configured with three -- inside, outside, and DMZ. A DMZ is a demilitarized zone -- for example, you'd obviously want to have your web server available to the Internet, but you might then want to control its access to your inside network. While the PIX could be configured to handle a DMZ, the ASA 5505 comes that way. This is a good sign that Cisco is paying attention to its customers.
The ASA 5505 runs the latest, greatest version of the PIX/ASA operating system -- a version of Cisco IOS optimized for firewalls. It's the same as its big brothers. If you plan to get into Cisco firewalls, this is what you will want.
There are only two real negatives to the ASA 5505. The first is the same as the PIX 506E. It's not user-friendly, and a regular Joe is not going to be up to the task of getting it running. You're going to need a professional.
The other is that it doesn't offer Anti-X. Anti-X is a new offering in the Cisco ASA line, the result of a partnership between Cisco and Trend Micro. Anti-X is basically anti-everything nasty. Spam, viruses, malware, all of it. The ASA 5505 doesn't have this option. Why, Cisco, why? This could have been the PERFECT small business firewall. One device that blocks everything.
Even without it, the ASA 5505 is a solid choice. And the ASA 5505 does have an expansion slot -- hopefully Cisco may reconsider.
Some stats for the ASA 5505:
500MHz Intel Pentium III
256MB CompactFlash
64MB flash memory
8 x 10/100BaseTX
RJ-45 serial port
3 x USB 2 (future use)
expansion slot (future use)
CLI, web browser and ASDM management