Yesterday at the RSA Conference Cisco released a new product named ASA CX. As usual when Cisco releases information about new products you have to dig alot to see thru all marketing material and find technical details. And so is defenately the case here also.
There are a few videos recentely uploaded to Youtube by Cisco that describes the product, and a few links in the marketing material cross-referencing eachother. But not much more than that. Yet. However, this is what I have found (and what I can guess by reading between the lines):
ASA CX is Micro Application Aware. This means that it should be able to filter traffic based on Layer7-information to for example block Facebook Chat, but allow Facebook Updates. Allow Skype, but block Bittorrent. And so on…
ASA CX also saids to be web reputation aware and to be able to block 0 day malwares. Together with Identity Based Firewalling (allow/deny traffic baesd on user/group-belongings rather than just ip addresses) and URL filtering it smells alot like they have put a Cisco Ironport WSA-box inside of the ASA.
Cisco ASA CX is by Cisco Prime Security Manager which is shipped with (within!) the ASA CX, which means no more ASDM!
What confuses me most is that even though there is information on Ciscos website that ASA CX comes as 2 modules (“CX SSP-10” and “CX SSP-20”) there is also a new product line of ASA:s visible on the product comparison chart: 5512-X, 5515-X and so on… And with yet no information available on in which models of ASA you can put the CX SSP-modules, I still cant tell what´s needed to run ASA CX. Can I upgrade my existing ASA-firewall to CX with a module? And if so, which models can be upgraded? If not, what models of ASA CX appliances are available? Does an ASA5512-X contain an XS SSP-10? And so on….
A conclusion: It´s really thrilling that the next generation of ASA Firewalls can do this granular application inspections that hasn´t been possible yet. And together with functions available in the WSA, ASA CX can be a really potent threat to it competitors! ASA is no longer a packet filtering firewall!
According to a anonymous but normally highly trustworthy source (who prefer to call himself Deep Throat 🙂 ), the CX will at first be a module available only for the high-end 5585-X ASA:s. At a next step the CX will be a software function available in the newly released 5505-X ASA-models. There will probably not be any CX-support in the legacy ASA:s.