The Adaptive Appliance (ASA) piece of the puzzle delivers firewall and VPN, but not the other security features found in an integrated unified threat management (UTM) device. For example, content scanning for malware requires an add-in hardware module and a subscription, as does intrusion prevention.

The problem is that you can only put a single add-in hardware module in any of the appliances, so you have to pick whether you want intrusion-prevention system or anti-malware in your VPN gateway, rather than having the ability to use both as most other UTM firewalls allow.

When the ASA is acting as a firewall, picking one or the other makes sense, because you usually leave anti-malware to end-point software and an anti-spam gateway. When the ASA is acting as a VPN concentrator, however, having both protections is a very attractive defense-in-depth strategy, but the ASA doesn't allow you to do that directly.

In an enterprise environment, Cisco solves this problem by recommending the second box, the full-feature IronPort S-series Web security appliance. (See .)