The difference between the ASA and the PIX

Source: Internet
Author: User

The Cisco PIX has been Cisco's established firewall for many years. But in May 2005, Cisco introduced a new product, the Adaptive Security Appliance (ASA). However, the PIX is still available. I've heard a lot of people asking about the difference between these two product lines many times. Let's have a look.
What is the Cisco PIX?
The Cisco PIX is a dedicated hardware firewall. The most common product for home and small networks is the PIX 501, while many midsize enterprises use the PIX 515 as the corporate firewall.
PIX firewalls use the PIX operating system. While the PIX operating system and Cisco IOS look very similar, there are enough differences to confuse users who are very familiar with IOS.
PIX series firewalls use PDM (PIX Device Manager) as the graphical interface. The GUI is a Java program that is downloaded through a web browser.
In general, a PIX firewall has an outside interface that connects to an Internet router, which in turn connects to the Internet. The PIX also has an inside interface that connects to a LAN switch on the internal network.
What is the Cisco ASA?
The ASA is a new firewall and anti-malware security appliance in the Cisco family. (Don't confuse this product with the PIX, which is used for static packet filtering.)
The ASA family of products are all in the 5500 series. The Enterprise Edition includes 4 types: Firewall, IPS, Anti-X, and VPN. For small and medium-sized companies, there are also commercial versions.
Overall, Cisco has a total of 5 models. All models use version 7.2.2 of the ASA software, and the interface is also very similar to that of the Cisco PIX. The Cisco PIX and ASA vary significantly in performance, but even the lowest ASA model provides much higher performance than the base PIX.
Like the PIX, the ASA also provides services such as an intrusion prevention system (IPS) and a VPN concentrator. In fact, the ASA can replace three independent devices: the Cisco PIX firewall, the Cisco VPN 3000 Series Concentrator, and the Cisco IPS 4000 Series sensor.
Now that we've looked at the basics of the two security appliances, let's see how they compare with each other.
PIX versus ASA
Although the PIX is a very good firewall, the security landscape is changing. Just using a static packet filter firewall to protect your network is far from enough. For the network, new threats abound, including viruses, worms, unwanted software (such as peer-to-peer software, games, and instant messaging software), cyber scams, and application-level attacks.
If a device can cope with multiple threats, we say it has "Anti-X" capability, or that it provides "multi-threat" protection. But the PIX just can't provide this level of protection.
Most companies do not want to install a PIX for static firewall filtering while using some other tools to protect against other threats. They prefer to use an "all-in-one" device, or a UTM (Unified Threat Management) device.
The ASA provides protection against these different types of attacks. It's even more powerful than a UTM device, but to be a true UTM, it needs a CSC-SSM module (Content Security and Control Security Services Module). The module provides the Anti-X functionality in the ASA. Without the CSC-SSM, the ASA's functionality would look more like a PIX.
So, which one is right for your business? As we usually say, it depends on the needs of your business. However, I prefer to choose the ASA first and then the PIX. The price of an ASA is lower than that of a PIX with the same functionality. Cost aside, at least logically, choosing the ASA means choosing newer and better technology.
For those who already use the Cisco PIX, Cisco has provided a migration guide for moving from the Cisco PIX to the ASA. As far as I'm concerned, I think this is at least a sign that the day Cisco terminates the PIX is getting closer. Although Cisco has not explicitly announced this, I think it is only a matter of time.

Full comparison of the ASA and the PIX

(1) The ASA has a new hardware design; at the same grade, its actual performance is higher than the PIX's. The software versions used are not very different, and neither are the configuration commands.

(2) The ASA has a total of four versions: Anti-X, VPN, IPS, and Firewall. The Cisco ASA 5500 Series Adaptive Security Appliance itself is a modular platform that can provide IPS/Anti-X/VPN functionality, and these three versions are tailored to different needs. When your business needs to apply security and intrusion prevention services to protect business-critical services and infrastructure from worms, hackers, and other threats, the IPS edition is recommended. When you want to help protect client systems against malicious-site threats such as viruses, spyware, and leaks, as well as content-based threats, the Anti-X version is recommended. When you aim to give remote users secure access to internal network systems and services and to support VPN clusters for large enterprise deployments, the VPN version is recommended. All three of these versions also include the firewall function and the IPsec VPN feature.

(3) At the same time, the ASA series itself is an "all-in-one" device. The 5510/5520/5540 have only one slot, and the 5550 has no additional slots. The most basic functions of the ASA are the firewall and VPN functions. Note that there are 2 SSL VPN licenses in the default state, and you need to buy licenses if you need more. The ASA itself has two functional modules, the AIP and the CSC. Because the 5510/20/40 series has only one slot, only the AIP module or the CSC module can be inserted, not both. However, the ASA itself also has built-in IPS and anti-virus functions, although they are implemented in software. Therefore, these four functions can be integrated on a single ASA.

(4) The four versions of the ASA are specifically tailored by Cisco to meet different needs. The ASA hardware design is consistent across them, using the AIM framework (Adaptive Identification and Mitigation Services Architecture), with a modular design at the core. The firewall is the core function, and the IPS and Anti-X functions are modular. Each card has its own relatively independent CPU and memory, so integrating multiple functions does not degrade performance. You can choose the function card according to your needs.

Introduction to the Cisco ASA Advanced Inspection and Prevention (AIP) module
The Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM), developed for Cisco ASA 5500 Series Adaptive Security Appliances, proactively provides full-featured intrusion prevention services that block malicious traffic, including worms and network viruses, before it can affect the network.

AIP-SSM Intrusion Prevention Service
Using Cisco IPS Sensor Software 5.x, the Cisco AIP-SSM combines inline defense services with innovative technologies to improve accuracy. Customers can confidently use the effective protection provided by the Intrusion Prevention System (IPS) solution without worrying that legitimate traffic will be discarded. When deployed within Cisco ASA 5500 Series devices, the AIP-SSM can work with other network security resources to provide proactive, comprehensive protection of the network.

Because the Cisco AIP-SSM employs the following technologies, it gives users more confidence in defending against a variety of threats:

Accurate inline defense technology: proactively prevents threats without discarding legitimate traffic. This unique technology enables intelligent, automated, and correlated analysis of data to ensure that customers can realize the benefits of intrusion prevention solutions.
Multi-threat identification: detailed traffic inspection from Layer 2 through Layer 7 protects the network against policy violations, vulnerability exploitation, and anomalous activity.
Unique network collaboration: improves scalability and resilience through network collaboration, including effective traffic capture technology, load balancing capabilities, and visibility into encrypted traffic.
Powerful management, event correlation, and support services: provide a complete solution, including configuration, management, data correlation, and advanced support services. For network-level intrusion prevention solutions, the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is able to discover, isolate, and accurately remove malicious components. With the Cisco Incident Control System (ICS), the network is able to quickly adapt and deliver distributed responses, thereby effectively preventing new worm and virus outbreaks.

Combined, these components provide a comprehensive inline defense solution that enables customers to confidently detect and block malicious traffic so that business continuity is unaffected.

Introduction to the Cisco ASA Content Security and Control (CSC) Security Services Module

The Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) provides industry-leading threat defense and content control at the edge of the Internet, providing comprehensive anti-virus, anti-spyware, file-level virus protection, anti-spam, anti-phishing, URL blocking and filtering, and content filtering services in a comprehensive, easy-to-manage solution from an industry-leading vendor. The CSC-SSM enhances the security features of the Cisco ASA 5500 Series, enabling customers to further strengthen the protection and control of business communications content. Combined with the capabilities and deployment options of the award-winning Cisco ASA 5500 Series devices, the service module gives users more flexibility of choice.

Key business factors
With the following components, the Cisco ASA 5500 Series CSC-SSM can help organizations protect their networks more effectively and improve network availability and employee productivity:

Comprehensive security protection: the CSC-SSM uses Trend Micro's award-winning anti-virus and anti-spyware technology to prevent virtually all known malicious code from entering and spreading, preventing outages of critical business applications and services, preventing disruption to critical systems and personnel, and reducing the expensive cleanup burden required after systems have been infected.
Advanced content filtering: integrates URL filtering, content filtering, and anti-phishing technologies to prevent corporate and personal confidential information from being stolen, reduce legal liability for violations of network usage policies, and help companies comply with Internet content laws such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and data protection law.
Integrated messaging security: integrates anti-spam technologies to prevent large amounts of unwanted e-mail from reaching the mail server, increasing employee productivity and preventing valuable network bandwidth and storage resources from being wasted.
Customization and tuning capabilities: enable administrators to customize the spam and content control features to meet the requirements of a particular corporate policy or network environment.
Easy management and automatic updates: provides smart default settings and an intuitive interface integrated with the ASA 5500 Adaptive Security Device Manager (ASDM) to simplify initial configuration, deployment, and subsequent operations. All CSC-SSM components, including scan engines and pattern files, are updated automatically to keep the network up to date with minimal management.

In short, the ASA family of products is primarily designed to simplify network configuration and improve network performance. Cisco has introduced these new products to replace the PIX, the VPN concentrator, and similar devices in the future, with modular support for IPS and anti-virus. Performance does not degrade when multiple functions are combined in one product.
