Cisco recently announced free software updates for multiple vulnerabilities in the ASA 5500 series firewall.  Vulnerabilities are in the areas of denial of service, packet buffer exhaustion, and systems access.   The Cisco security advisory is available at the following link: www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml.   The ASA 5500 security appliance was refreshed this year on the high-end with new X series models, improving performance and adding IPS functionality.  More information on these appliance refreshes can be found in a previous blog installment “A Closer Look at Cisco Data Center Firewalls – ASA 5585-X.”

The firewall services module for the Catalyst 6500 switch and 7600 series router is also affected by the SCCP Inspection Denial of Service Vulnerability.  The FWSM (WS-SVC-FWM-1-K9) is an integrated module for the 6500 switch and 7600 router and as such provides infrastructure simplification.  Delivering firewall services with stateful packet filtering and deep packet inspection, the module can be deployed in pairs for active-active failover. 

Alternatives to the Cisco Adaptive Security Appliance include Juniper Networks and Checkpoint; Gartner recognizes these OEMs as the leaders in enterprise network firewalls (Gartner Magic Quadrant 2010). In particular, the Juniper SRX has a modular architecture that allows for scalability and investment protection.  And with separate and distributed data and control planes the SRX delivers exceptional firewall performance.  Juniper integrates dynamic VPN, IPS, and NAT along with platform hardening protection into the SRX firewall.  Also, with the acquisition of Altor Networks Juniper recently announced the vGW Virtual gateway that provides security in VM environments at the hypervisor level.