Cisco’s Adaptive Security Appliance (ASA) Firewalls are one of the most popular and proven security solutions in the industry. Since the introduction of the PIX and ASA Firewall into the market, Cisco has been continuously expanding its firewall security features and intrusion detection/prevention capabilities to adapt to the evolving security threats while integrating with other mission-critical technologies to protect corporate networks and data centers.
In recent years, we’ve seen Cisco tightly integrate separate security technologies such as Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) within the ASA Firewall appliances in the form of hardware module add-ons (older 5500 series & newer 5500-X series) and, recently, software modules supported only by the newer ASA 5500-X series security appliances.
With the addition of the software or hardware module, customers are able to increase the firewall’s security and protection capabilities while at the same time simplifing security management and administration by dealing with a single firewall device instead of multiple firewall, IPS or IDS devices.
While this article covers the hardware modules available for the Cisco ASA 5500 Firewall series, upcoming articles will cover both software and hardware modules along with Cisco FirePOWER & FireSIGHT management services for the newer ASA 5500-X series.
Note: The Cisco ASA 5500 series hardware modules for ASA-5505, ASA 5510, ASA 5520 & ASA 5540 have been announced as End-of-Sale & End-of-Life. Modules below are no longer sold or supported by Cisco. Last day of support was 30th of September 2018.
Users interested in the newer ASA 5500-X IPS, Context-Aware and FirePOWER services can read our article Cisco ASA 5500-X Series Firewall with IPS, ASA CX & FirePower Services. Application Visibility and Control (AVC), Web Security, Botnet Filtering & IPS / IDS.
Hardware Modules For ASA 5500 Series Firewalls
The ASA 5500 series Firewalls (ASA-5505, ASA 5510, ASA 5520, ASA 5540 etc) were the first security appliances with the capability to integrate hardware modules for enhanced security and threat protection.
To help target different markets and security requirements, Cisco split its hardware module offerings into two distinct categories:
- Content Security and Control Security Services (CSC-SSM)
- Advanced Inspection and Prevention Security Services (AIP-SCC & AIP-SSM)
Each hardware module card is equipped with its own CPU, RAM and Flash storage space, running a separate operating system that integrates with the ASA Firewall via its internal network ports.
Let’s take a brief look at each category.
The Content Security & Control Security Services Modules
The Content Security and Control Security Services module aims to cover corporate environments where comprehensive malware, advanced content filtering (including Web Caching, URL filtering, anti-phishing), and anti-spam filtering is required. This all-in-one hardware module solution is capable of providing a wealth of security and control capabilities essential for all size networks.
Following are the hardware modules supporting Content Security and Control Security Services:
- CSC-SSM-10: For ASA 5510 & ASA 5520. Initial support for 50 users, upgradable up to 500 users
- CSC-SSM-20: For ASA 5510, ASA 5520 & ASA 5540. Initial support for 500 users, upgradable up to 1000 users
The CSC-SSM-10 & CSC-SSM-20 modules look identical. Shown below is the CSC-SSM-20 module:
Figure 1. The Cisco CSC-SSM-20 hardware module for the ASA 5500 series Firewalls
Users requiring additional information on the Cisco CSC-SSM modules, including features, hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500 Series Content Security and Control Security Services datasheet from our Cisco ASA 5500 Product Datasheets and Guides download section.
The Advanced Inspection & Prevention Security Services Modules
The Advanced Inspection and Prevention Security Services modules combine IPS and IDS threat protection with mitigation services aiming to protect and stop malicious traffic before it can affect the network. Updates for the modules occur up to every 5 minutes, ensuring real-time updates and effective protection from zero-day attacks.
Cisco ASA Firewall customers can choose between the following Advanced Inspection and Prevention Security Service modules depending on their ASA hardware platform:
- AIP SCC-5:For ASA 5505. 1 Virtual sensor. 75Mbps concurrent threat mitigation throughput.
- AIP SSM-10: For ASA 5510 & ASA 5520. 4 Virtual sensors. Up to 225Mbps concurrent threat mitigation throughput depending on ASA model.
- AIP SSM-20: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 500Mbps concurrent threat mitigation throughput depending on ASA model.
- AIP SSM-40: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 650Mbps concurrent threat mitigation throughput depending on ASA model.
Figure 2. The Cisco ASA Firewall AIP SSC-5, AIP SSM-20 and AIP SSM40 IPS hardware modules
Users requiring additional information on the Cisco AIP SSC-5 & AIP-SSM modules, including features, hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services module and card datasheet from our Cisco ASA 5500 Product Datasheets and Guides download section.
The ASA 5500 Firewall series hardware modules offer a substantial number of network security enhancements making them ideal for corporate environments with sensitive data, in-house webservers and multiple VLANs & VPN networks. Their ability to provide advanced malware threat protection, URL filtering and IPS / IDS services make them the ideal upgrade for any ASA 5500 series Firewall adding true value to protecting and mitigating security threats.