Cisco Blogs

Firewall, IPS, and Web Security Without Degrading Performance? Yes You Can Have It All!

February 28, 2012 - 5 Comments

In an effort to reduce costs and improve operational efficiency, organizations of all sizes have begun compressing their firewall and other security services into smaller form factors and fewer physical units. Many small and midsized companies have opted for unified threat management (UTM) appliances to run all of their security on a single box. Unfortunately, UTMs have failed to deliver on their promise of true multi-service security. Most UTMs do one or two things really well, but add all the other services as “checkbox” items just to say they have them.

Recognizing these limitations, many larger companies opt instead to purchase individual security services to achieve the quality and capabilities they’re looking for, along with a more powerful appliance that can run them more efficiently. Though this strategy has often produced better results than can be obtained from a UTM, it comes with its own set of issues. First, performance still takes a pretty major hit. That’s because, as with much else in life, network security comes with some sizable trade-offs. In general, there’s an inverse relationship between security and performance. Any high-end box can provide high performance; likewise, multiple top-tier security services can deliver superior protection. The problem arises when we try to put everything on a single box: the more services we attempt to run on it, the larger the hit to performance.

The other problem with this strategy is the physical limitations of most security devices. While some services can be purchased in software form, many high-end security services are hardware-based – either as a dedicated appliance or as a hardware module that can be inserted into a security appliance. This, of course, severely limits the number of security services that can run on a single appliance, leading most organizations to simply deal with the trade-off, forced into making the impossible choice between performance and security. Others make the even harder decision to purchase an appliance that’s way outside their budget, just to try to strike a security-performance balance they can live with.

Today’s announcement of the Cisco ASA 5500-X Series midrange security appliances helps reduce this tradeoff by providing the performance small and midsize businesses need, at a price they can afford, without compromising security. The Cisco ASA 5500-X Series uses the Cisco SecureX framework for a context-aware approach to security that delivers multiple security services, multigigabit performance, flexible interface options, and redundant power supplies—all in a compact 1-RU form factor. These appliances optionally provide additional broad and deep network security through an array of integrated cloud- and software-based security services that utilize identity for security policy selection, with no need for additional hardware modules. They are built on the same proven security platform as the rest of the ASA family of security appliances, and have been designed to deliver superior performance for exceptional operational efficiency.

Enterprise-grade security services that are delivered via software and the cloud solve the physical limitation problems of most other high-end security devices. The fact that they are fully integrated into a high-performance chassis not only helps preserve as much performance as possible, but also enables growing organizations to purchase only as much as they need today, then turn on new security services as their needs change. The result is a cost-effective, extensible security solution that can grow with them, without having to purchase all new hardware.

Irrespective of the hardware and platform, performance will continue to take a hit as more security services are enabled – that much is unavoidable. But a midrange appliance that delivers up to 4 Gbps of firewall throughput, 1,000,000 concurrent firewall connections, and 50,000 connections per second – with integrated software- and cloud-based security services – puts a high-performance, cost-effective, extensible security solution within reach for many small and midsized companies.

For more information, visit



  1. So Jeff. I keep seeing this statement “Enterprise-grade security services that are delivered via software and the cloud,” but have yet to see any elaboration on it. Can you expand on this at all, in regards to what services are offered via the cloud? I am assuming this has something to do with Cisco SIO?

  2. The new ASA platform upgrade has definitely been a winner in my book. Not only has it performed to the highest of our company's liking, our clients utilizing the midrange systems are finally at peace keeping their security centralized into one and keeping costs at a low.

    • Hi Cody,

      Great, I’m glad it’s helping you! We’re definitely happy with it here, too.

  3. I am glad to see that Cisco upgraded its mid-range ASA platform. Performance/features seem really good and competitive. I hope to see the same upgrade for IPS Sensor products with boosted performance.