There is a lot of buzz around Cisco Prime. It’s obvious that Cisco put a lot of effort and money in this product. Primecisc will eventually be a whole suite of management tools under the same umbrella and my gut feeling is that this sooner and later will replace the entire Cisco Works suite.
As a security guy I’ve done a few notes though. When it comes to management of Cisco ASA CX, the firewall will still needs to be managed from ASDM. At the same time the CX function AVC (application visibility and control) is managed from Prime Security Manager (PRSM, pronounced ‘prism’, which by the way is not the same product as ‘Prime Infrastructure’). This means that the box had 2 different parts that are managed independent with different tools. The only integration between these sides is that the object groups in the firewall can be sucked into PRSM and re-used by the CX policies. That is neat.
But what happens if You manage your firewalls with CSM (Cisco Security Manager) and the object-groups are modified from PRSM? Let me guess: ‘out of band changes’-complaints from CSM.
however, this is still a hypothetic issue since the current version of CSM does not support ASA code version 9.1 (which is required for CX). So currently if you have a ASA CX you have to manage the firewall from ASDM and the CX-stuff from PRSM. This is of course a temporary issue since there will probably be a new version of CSM out that supports ASA 9.1. (My guess is that it will be availably roughly when ASA 9.2 is released… *Grin*)
With AVC in ASA, the firewall is a serious competitor to Checkpoint both when it comes to speed, functionality and price, and it is still my favorite firewall. And when migrating to a centralized management tool that can also manage the rest of the network (I see in a future that PRSM will be part of the general Prime software. I sure hope so!), Cisco ASA has a major advance compared to Checkpoint (which will always be “just a firewall”).
But until Cisco has solved the management of ASA CX, I think that that most customers will implement AVC and web filtering in another way than using CX. Probably with Cloud Web Security (scansafe) or Scansafe WSA, which will both add antimalware/virus-scanning of web traffic, which is by the way not available in CX. If I stare into my magic glass ball I see a PRSM that manages everything in ASA. Beyond that PRSM will be part of Prime Infrastructure and CSM will fade away the same way as CS-MARS did. But my magic glass ball has a track record not without remarks. 🙂
Oh by the way! For everyone that plans to buy a ASA – don’t hesitate, it is great! And when you do, choose one of the X-models that supports CX. Then you will be able to add CX functions with a license and subscriptions later on. A X-ASA without CX is the same as a ‘non-X ASA’, only faster and cheaper!