Cisco ASA versus Palo Alto Networks Firewalls

Since Palo Alto Networks entered the enterprise security market 10 years ago, they’ve been gaining ground on traditional firewall vendors. In 2015, Palo Alto overtook Fortinet on the promise (and delivery) of truly adaptive security features. It’s now the third largest vendor of security appliances, right behind Check Point and Cisco, which maintains a 35 percent share of the market.

Market data aside, the firewall you select depends on a number of factors. Sure, the vendor should be able to support the product you purchase, but the first question you need to ask is: What type of features does my firewall need?

The answer should be addressed in your security policy.

Remember: The security appliance you select will implement your security policy. If you do this backwards, you’re making more work for yourself now and in the future. Know what you need before you start your search.

Palo Alto Networks

Palo Alto uses the cloud against threats known and unknown. Its firewall is an adaptive security appliance that allows or denies traffic based on an application fingerprint. It supports your port and IP policy rules, and then lets you write policies based on the actual users and applications in your network… and beyond. The “beyond” part means that the firewalls share protection globally with all subscribers: if one company experiences a unique attack, every other subscriber’s firewall is updated with that fingerprint automatically.

The cool things: You can allow certain functions of an application without blocking the entire thing. For instance, you can allow Facebook but block Candy Crush. And here’s the best part: Palo Alto appliances are built around these next-gen features, which means no add-on modules and no additional management screens. All their best features are baked in.
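To show what “allow Facebook, but block Candy Crush” actually requires of a rulebase, here is an added example (written for this article, not Palo Alto’s own code or App-ID names). It models a first-match firewall policy: a port-based rule allowing tcp/443 lets everything over HTTPS through, an application-aware rule set can deny one function of an application while allowing its parent, and, because the first matching rule wins, the specific deny has to sit above the broad allow or it is shadowed. The application hierarchy, users and flows are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed application hierarchy (child -> parent); these are illustrative
# labels, not the vendor's real App-ID signature names.
APP_PARENT = {
    "facebook": None,
    "facebook-chat": "facebook",
    "candy-crush": "facebook",
    "web-browsing": None,
}


def app_lineage(app: str) -> list:
    """Return the app and its ancestors, e.g. candy-crush -> [candy-crush, facebook]."""
    lineage = []
    while app is not None:
        lineage.append(app)
        app = APP_PARENT.get(app)
    return lineage


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    app: str   # application identified by content inspection, not by port
    user: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    ports: Optional[frozenset] = None   # None means any port
    apps: Optional[frozenset] = None    # None means any application
    users: Optional[frozenset] = None   # None means any user


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule on a parent app (facebook) also matches its sub-apps (candy-crush)."""
    if rule.ports is not None and flow.dst_port not in rule.ports:
        return False
    if rule.apps is not None and not (rule.apps & set(app_lineage(flow.app))):
        return False
    if rule.users is not None and flow.user not in rule.users:
        return False
    return True


def evaluate(rulebase: list, flow: Flow) -> tuple:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"


# Traditional port-based policy: "HTTPS is allowed" says nothing about the app.
PORT_BASED = [Rule("allow-https", "allow", ports=frozenset({443}))]

# Application-aware policy, correctly ordered: specific deny before broad allow.
APP_AWARE = [
    Rule("block-candy-crush", "deny", apps=frozenset({"candy-crush"})),
    Rule("allow-facebook", "allow", apps=frozenset({"facebook"}),
         users=frozenset({"alice"})),
]

# Same two rules, wrong order: the broad allow shadows the specific deny.
SHADOWED = [APP_AWARE[1], APP_AWARE[0]]

# Constructed sample traffic; every flow rides on tcp/443.
FLOWS = [
    Flow("10.0.0.5", 443, "facebook-chat", "alice"),
    Flow("10.0.0.5", 443, "candy-crush", "alice"),
    Flow("10.0.0.9", 443, "candy-crush", "bob"),
]


def decisions(rulebase: list) -> list:
    """Actions taken for each sample flow under the given rulebase."""
    return [evaluate(rulebase, flow)[1] for flow in FLOWS]


if __name__ == "__main__":
    for label, rulebase in (("port-based", PORT_BASED),
                            ("app-aware", APP_AWARE),
                            ("shadowed", SHADOWED)):
        print(label)
        for flow in FLOWS:
            print("  ", flow.user, flow.app, "->", evaluate(rulebase, flow))
```

Running it shows the port-based policy allowing all three flows, the ordered app-aware policy allowing only Alice’s Facebook chat, and the shadowed policy letting Alice’s Candy Crush traffic through because the Facebook allow rule is evaluated first. Rule order is the thing to audit when a sub-application block does not seem to take effect.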

The one other thing: Up until a few years ago, Palo Alto didn’t sell “small” (read: inexpensive) firewalls. Today they do, relatively speaking, but you’re going to be paying for next-generation technologies.


Cisco ASA

If you’ve been in IT for a while, you have probably run across an ASA (or perhaps a PIX). Until a few years ago, Cisco didn’t have a next-generation firewall, meaning primarily that their appliances lacked application identification and control. Since their acquisition of Sourcefire, however, they’ve reintroduced the X series with FirePOWER, which includes these features. Reviews in the IDS/IPS realm have generally been good since then, so it was probably worth the $2.7 billion acquisition.

The cool things: Cisco has been around forever, and has the 24-7 support structure to help you in your time of need. They entered the enterprise security market by producing rock-solid VPNs, and that hasn’t changed.

The one other thing: Cisco has a mature firewall architecture, but they typically roll out features as modules, which means multiple management systems, sometimes for similar functions.

Every environment is different. In a smaller office, your firewall will likely also serve as a switch and a filter. In a larger office, the firewall will probably stand alone. No matter the size of your infrastructure, talk to the vendors’ sales reps, get a couple of demo units, and test out your options (after you’ve finalized your security policy).

Once you make your selection, don’t forget to train your team on Cisco ASA and Palo Alto.

Learn more about Cisco, Check Point, and Palo Alto in Keith Barker’s recent webinar The Power of Palo Alto Firewalls.


P.S. – Not a subscriber? Start your free week.
