Cisco's High-Performance ASA Appliance, New Version Of Anyconnect

Cisco Systems has announced its newest high-end ASA security appliance, stressing high-connection and concurrency rates as well as throughput to support high-performance, low-latency application environments. It has also announced enhancements to its Anyconnect remote VPN client. Cisco has a comprehensive vision of a borderless network, and today's announcements are driving it forward. That's good news if you're a Cisco shop, but the company still has more to do.

The ASA 5585X, combining firewall, VPN and IPS, features 350,000 connections per second and up to 10,000 concurrent VPN sessions in a 2 RU chassis. Cisco claims 20Gbps multi-protocol throughput. The performance numbers are for firewall and VPN only. Intrusion prevention features will have an impact of performance, which representatives acknowledged, but there were unable to say what the impact is. It's typical for vendors of multi-function firewalls to not state IPS performance since deep-packet inspection can be resource intensive.

Bigger and better security appliances are to be expected as enterprises demand security that can keep pace with their mission-critical data centers, said Jonathan Penn, VP and director of security for Forrester research. "You've got to support more connections per second, greater throughput, and even more functionality on device," he said. "It's nothing revolutionary; I don't think it fits into any broad strategy. The bar keeps moving up."

The 5585X is one of the cornerstones of Cisco's Secure Data Center strategy. The 5585X follows last month's announcement of Virtual Security Gateway (VSG), a virtualization-aware firewall product that dynamically manages policy for VMs through the creation of security zones in a VMware environment.

Cisco has also announced version 3.0 of it remote access client, Anyconnect. Anyconnect now supports both SSL and IPsec VPN protocols, something other VPN products from vendors such as Juniper have done for a while. Supporting both SSL and IPsec gives IT more flexibility in VPN deployment.Anyconnect 3.0 adds support for 802.1AE MAC Security (MACSec), which defines encryption of Ethernet frames. 802.1X, which is part of Anyconnect 3.0, provides the key management and negotiation for MACSec. With MACSec, a client accessing the wired network can get the same connection-oriented encryption and authentication that 802.11 wireless clients have without any hardware changes. Of course, the Ethernet switch has to support MACSec as well. Cisco hasn't incorporated WaaS functionality into its remote access client like Bluecoat and Juniper have, but the company says it is evaluating customer demand. Anyconnect 3.0 will be available in December 2010 starting at $100 for 25 existing ASA customers.

"I think it's great that Cisco is at least attempting to create a security strategy with a security vision behind that," said Penn. "We have not seen that before [from Cisco].  Cisco's classic approach was that bigger boxes are better, and you still see some of that with some of their products, like the 5585X."

In addition to the 5585X, Cisco announced AnyConnect integration with its Scansafe hosted Web security service, which will protect users from Web-based attacks whether they are on or off the corporate network. AnyConnect will route end-user devices through the Scansafe cloud-based security scans. Applying corporate security controls to personally owned devices raises the possibility of concerns from the end-user side, said Penn. He sees this is a general issue, not by any means limited to the Cisco/Scansafe capability.

"How much am I, as as an empowered user, going to put up with?" he said. "Not everything is corporate information. Just because I use the device occasionally to connect to the corporate environment, does that mean I give up my privacy to use that device?"