We are going to deploy a pair of firewalls (redundant setup), and are considering either Cisco ASA 5510 with Security Plus license or Juniper SSG-140.
Which one do you recommend please?
Netscreen works really well in a cluster. The only thing that I found to be affected so far when doing a failover is BGP because the routes are flapping as it reconnects. Everything else works so smooth you don't even know there was a failover event and you are on a backup unit now. Configuration syncs up automatically too. Highly recommended. Also check out SSG-320M which is a nice setup when combined with 8 port or 16 switch modules, but costs quite a bit more than SSG-140.
What are the planned uses, what exactly are you needing/trying to do?
I love ScreenOS and the SSG platform. I second DMDM's suggestion of the SSG-320 with a 16 port module. I have two of them with that configuration. They work great.
The Cisco ASA line is great as well. I just prefer the SSG because I like the interface better and personally have more experience using the SSG over the ASA, but they can play nice together if they need to.
Huge Cisco Systems fan ... so they get the vote.
If you plan on SSL VPN users then go with the cisco, otherwise the SSG140 is a wonderful device.
I hear the Junipers are fantastic for firewall things, but as Spudstr said, Cisco's are known for their VPN.
+1 for Juniper.
I've used bridge and tree, and both are fine products-- but I've been happier with the latter. IMO the Juniper interface beats Cisco hands down, although that's probably a matter of personal taste.
As for reliability, our Juniper kit just works. The Cisco gear I used to run could be a bit flaky, particularly when trying to maintain a tunnel between Tampa and Chicago. It would randomly stop passing traffic for no reason we or AT&T (we were connecting to a customer's AT&T-managed VPN) could determine. I've never experienced Juniper weirdness, although I'm sure there are horror stories in both camps.
As always, YMMV.
Cisco 5510's here. Have several in our DC - multiple VPN's, BGP environment, multiple VLAN's, etc. We maintain several VPN tunnels between TN - FL and TN - MA, and never have problems at all.
Juniper makes a great product though. I don't think you can go wrong with the two choices you're looking at.
I am personally not worried about their phase out ideas. Lots of customers have ScreenOS in huge volumes and lots are buying it now. For example compare Juniper's forums for ScreenOS and for anything else- you'll see the difference in volume. We just spent close to $15k on new ScreenOS devices and are planning up to another $10k next quarter. The platform is rock solid, dependable and very capable. I am sure three years from now this platform will still be well supported. However after 10 years of relying on ScreenOS we no longer call support- ever. It is that good.
P.S. I still use my first Netscreen 5 at home. Not SSG-5, not 5GT, not 5XP, but the original Netscreen 5 which only had two ports and if my memory is right those were not even FastEthernet :)
No special purposes here. However, we need to protect some VoIP customers. Is there any trouble for VoIP through those kinds of firewalls?
This is spot on! While the SSG doesn't have integrated VPN, the SA series is hands down better than Cisco. I actually have both, and the Cisco does work great, but it doesn't have the features the Juniper does.
They are both great choices. You are talking about (arguably) the two top networking companies in the world. As others have said, I love the Juniper interface.
Yes, the SSG platform is on its way out. Though I believe most of them (maybe not the netscreen line) are supported until 2015.
The SSG's recently came out a few years ago, the old netscreens were originally acquired by the now maker of Fortinet. SSG's won't be going anywhere anytime soon, the older netscreen models will more than likely.. or at least until the SRX line gets certified for DOJ/military stuff. They might be good now but that's why Juniper has been keeping the netscreen/SSG's around.. due to the gov certs they obtained for that product line.
Nope, none. We've deployed countless ASA's with VoIP running through them and had nothing but happy customers.
Clearly I'm slightly biased but I would go with the ASA's. We've found a couple of environments where the more features that are used on the SSG's have had some pretty big performance hits whereas with the ASA's there wasn't any noticeable difference when migrated. Doesn't sound like you'd be using it but the SSL VPN's on the ASA's is unmatched. When paired with a solution such as 2 factor SMS authentication or RSA SecurID auth you get a very extensible solution.