Juniper SSG vs Cisco ASA and PIX Firewall Comparison
| | SSG 5 Base/Extended** | SSG 20 Base/Extended** | ASA 5505 Base/Security Plus | PIX 501 / PIX 506 |
|---|---|---|---|---|
| Performance & Capacities | | | | |
| Firewall Throughput (Large packets) | 160 Mbps | 160 Mbps | 150 Mbps | 60 Mbps/100 Mbps |
| Firewall Throughput (IMIX)* | 90 Mbps | 90 Mbps | Not Published | Not Published |
| FW Packets per second (64 byte) | 30,000 | 30,000 | Not Published | Not Published |
| VPN Throughput (3DES+SHA-1) | 40 Mbps | 40 Mbps | 100 Mbps | 3 Mbps/15 Mbps |
| Sessions** | 4,000/8,000 | 4,000/8,000 | 10,000/25,000 | 7,500/25,000 |
| Stateful FW/VPN HA** | Active/Passive with Ext License | Active/Passive with Ext License | A/P with Security Plus license | Not supported |
| Dial Back Up | Yes | Yes | Yes (Dual ISP) | Not supported |
| Security Applications | | | | |
| IPS (Deep Inspection FW) | Yes | Yes | Yes | Not supported |
| Integrated File & Network-based Antivirus | Yes | Yes | Future | Not supported |
| Adware / Spyware / Keylogger protection | Yes (included in AV engine) | Yes (included in AV engine) | Future | Not supported |
| Integrated Web Filtering | Yes | Yes | Yes | Not supported |
| Integrated Anti-Spam | Yes | Yes | Future | Not supported |
| Redirect Web Filtering | Yes | Yes | Yes | Yes |
| SSL VPN | Not supported | Not supported | Yes | Not supported |
| Interfaces and Routing | | | | |
| Fixed I/O | 7 10/100 | 5 10/100 + 2 I/O expansion slots | 8 10/100 (2 are PoE) | 5 10/100 (PIX501) 2 10/100 (PIX506) |
| I/O Options | RS-232 Serial/Aux or ISDN BRI S/T or V.92 (Factory configured) | Interface modules: ISDN BRI S/T, T1, E1, V.92, ADSL 2+ | Not supported | Not supported |
| 802.11 a/b/g | Yes (factory configured option) | Yes (factory configured option) | Not supported | Not supported |
| LAN/WAN Routing | RIPv1/2, OSPF, BGP, PPP | RIPv1/2, OSPF, BGP, PPP, MLPPP, FR, MLFR, HDLC | RIPv1/2, OSPF, BGP | OSPF, BGP |
| Security Zones | 10 | 10 | Not supported | Not supported |
| Virtual LAN** | 10/50 | 10/50 | 3 | Not supported |
| Virtual Routers | 3 | 3 | Not supported | Not supported |
| VoIP Security (ALGs) | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP |

* IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network traffic. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

| Key Feature / Point | SSG 5/SSG 20 (ScreenOS 5.4) | PIX 501/506 (PIX 6.4) ASA 5505 (ASA 7.2) | Why it Matters |
|---|---|---|---|
| Integrated purpose-built Firewall/VPN appliance | New, purpose-built hardware with security-specific OS that delivers best-in-class integrated security functionality for network and application level protection | PIX is an old platform with outdated, slow processing. Platform is frozen at PIX-OS 6.4 (Can get to 7.x w/ E). ASA is a new platform but is hindered by an external processing card requirement for IPS or AV – unable to run both in a single ASA. | Customers want the ability to lower capital expenditures at the outlying offices along with the flexibility to add security as needed – without the requirement of an added HW card |
| LAN and WAN connectivity | LAN and WAN I/O options plus supporting protocols and encapsulations provide unmatched connectivity flexibility in the mid-range market. | No WAN hardware or encapsulation support whatsoever on either platform – limited LAN hardware and protocol support | Customers want the ability to extend their investment protection as they move toward next generation networks (broadband, metro Ethernet) |
| Integrated 802.11 a/b/g Wireless | Optional dual radio 802.11 a + 802.11 b/g support | Not supported | Small branch office environments are ideal locations to consolidate multiple security and networking devices (routing, Wireless AP, FW/VPN and threat management) |
| 802.11 a/b/g Security | Broad range of wireless security mechanisms: • Authentication: Pre-Shared Key (PSK), MAC Address ACL, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1X • Privacy: WEP, WPA, WPA2 (AES or TKIP), IPsec VPN | Not supported | Wireless access can be used as a hacker/attacker entry point, so bulletproof security is critical to protecting the network. |
| Integrated Security Policy, Network and Device Level Management | Manage all aspects – FW, VPN, IPS, routing, HA – from CLI, WebUI or NSM | Centralized management for PIX is a set of utilities. ASA 5505 management is GUI or CLI one-to-one – not one-to-many on initial release. No date shown for centralized mgmt of many devices | To maintain a reasonable administrative cost structure, device management in outlying offices must be easy to perform and consistent in all aspects. NSM can manage large deployments of SSG 5 and SSG 20 from day zero. |
| Security Zone Architecture | Security zones, virtual routers and VLANs provide the ability to enforce security via logical group functions (e.g. Marketing, Finance, etc.) as opposed to specific IP subnets or addresses | Access control lists are complex and based on source / destination IP address. ASA 5505 supports VLANs – but does not support Zones or Virtual routers. | Segmenting the network in a logical, easy to configure and manage manner is critical to protect internal resources from attacks and/or unauthorized use/access |
| Transparent Mode | Seamless deployment into an existing network, adding full security functionality without network address change at install | Not supported in the PIX 501/506. Supported on the ASA 5505 | Customers want to be able to drop security into their network with minimal network re-configuration |
| Dynamic Routing | RIPv1&2, OSPF and BGP ease integration of security into existing networks and support dynamically routed VPNs | User must choose between OSPF and BGP – cannot run both. RIP support is available on the ASA but is a global (all interface) configuration command, eliminating the ability to use multiple routing protocols. | A common deployment is to use OSPF for internal networks AND BGP for external connections – Cisco does not support this in a one box offering |
| Dynamic Route-Based VPNs | With multiple VPN tunnels defined to a given location, routing protocols will ensure that the optimal tunnel will be used for traffic dynamically | Not supported. PIX uses static ACL based VPN tunnel configuration. ASA supports Easy VPN, a competitive offering. | Outlying offices need maximum reliability at all levels – device, as well as link layer |
| Virtual Routers | Up to 8 virtual routers supported | Not supported | Isolates and separates public and private IP addresses for greater security than a shared router |
| Bridge Groups | Group I/O as a basic switch or group them as a single L3 interface and apply policy to that interface. | Not supported | Customers need the ability to go beyond structured Trust, Untrust and DMZ – bridge groups provide that configuration flexibility. |
| Antivirus (includes Keylogger, Adware and Spyware protection) | Optional file-based Kaspersky antivirus engine and database that scans FTP, HTTP (webmail), POP3, SMTP and IMAP for viruses, spyware and adware | Not supported in the PIX. Future support for ASA. | AV is critical – but so is IPS – the ASA forces customers to choose one of these options. They cannot have both. |
| Anti-spam support | Optional anti-spam solution from Symantec (Brightmail) provides best-in-class gateway-based spam prevention | Not supported in the PIX. Future support for ASA as part of the Trend Micro-based AV module. | Brightmail is a best-in-class offering for anti-spam, complete with dedicated research on keeping the spam list up to date. |
| Web filtering | Optional integrated Web Filtering with SurfControl or redirect with either Websense or SurfControl | Only redirect is supported. | Integrated web filtering is a proven way to stop users from inadvertently downloading viruses and visiting inappropriate web sites. |
| IPS | Integrated IPS (Deep Inspection) provides application level protection. | Not supported in the PIX. Future support for ASA as a security module. | Attacks are manifesting themselves in all manner and a FW is only capable of catching those that are network related. |

2 Responses to “Juniper SSG vs Cisco ASA and PIX Firewall Comparison”
© 2008 NetXG - News and Reviews

Ren,
I have been using 2 Cisco ASA 5520s for 2 years and now I am installing 2 ASA 5550s. The new version 8.02 OS has routing protocol EIGRP in it. Also, the ASAs can have multiple security contexts which make the virtual or transparent firewall capabilities available.
Thanks,
Richard Gray
October 3rd, 2007 at 12:23 pm

Good points, Richard. Once you get above the ASA 5510 it’s a whole different comparison with the products. I am working on some comparisons for the 5510+ with the Juniper 320+ for the enterprise guys. I also hear some pretty good things about the Fortinet (Fortinet.com) firewalls too.
This comp chart is to help those in the Remote Office or SOHO Firewall market to consider features. I wish Cisco would do a little more and offer mid to enterprise security in some of their lower-end gear.
Ren
October 3rd, 2007 at 2:04 pm