Cisco ASA 5505 vs Juniper SSG 5
Published in: Technology

Transcript

  • 1. Cisco ASA 5505 vs Juniper SSG 5

    The Cisco ASA 5505 and the Juniper SSG 5 are both at the low end of the firewall security devices offered by Cisco and Juniper.

    The Cisco ASA 5505 is part of Cisco's new range of Adaptive Security Appliances (ASA), the replacement for the PIX. The 5505 replaces the old PIX 501 and 506e.

    The SSG 5 is Juniper's lowest-end Secure Services Gateway (SSG). The SSG 5 replaces the old Netscreen 5GT.

    There are many models of the SSG 5 and ASA 5505 available; for this review I will be looking at the non-wireless SSG 5 256 MB version and the unlimited-user ASA 5505 K9 version.

    Before we get started I should make it clear that I work with the Juniper range of hardware every day, so I may be biased.

    Overview

    The first thing I'll do is compare the two devices "on paper".

    |                              | Cisco ASA 5505                        | Juniper SSG 5                         |
    |------------------------------|---------------------------------------|---------------------------------------|
    | Model                        | ASA5505-UL-BUN-K9                     | SSG-5-SH SSG5 RS-232 256MB            |
    | RRP*                         | $AU1,681.90 inc GST                   | $AU1,125.00 inc GST                   |
    | Firewall Throughput          | 150 Mbps                              | 160 Mbps or 90 Mbps of IMIX** traffic |
    | VPN Throughput               | 100 Mbps                              | 40 Mbps                               |
    | Sessions                     | 10,000                                | 8,000                                 |
    | Connections/Second           | 4,000                                 | 2,800                                 |
    | Packets Per Second (64 byte) | 85,000                                | 30,000                                |
    | IPSec Tunnels                | 10                                    | 25                                    |
    | SSL Tunnels                  | 2                                     | N/A                                   |
    | Memory                       | 256 MB (upgradable)                   | 256 MB                                |
    | Flash                        | 128 MB (upgradable)                   | 64 MB (fixed)                         |
    | Ethernet Ports               | 8x100 Mbps (2 of which are PoE)       | 7x100 Mbps                            |
    | USB                          | 3xUSB 2.0                             | 1xUSB 1.1                             |
    | VLANs                        | 3 (trunking disabled, DMZ Restricted) | 10                                    |

    http://www.router-switch.com/
  • 2. (comparison table, continued)

    |                   | Cisco ASA 5505              | Juniper SSG 5                                           |
    |-------------------|-----------------------------|---------------------------------------------------------|
    | OS                | ASA 8.0(2) - ASDM 6.0(2)    | ScreenOS 6.1.0r1                                        |
    | Users             | Unlimited                   | Unlimited                                               |
    | Routing Protocols | RIP v1/v2, OSPF, EIGRP      | RIP v1/v2, BGP, OSPF                                    |
    | Anti-Virus        | No (possible future)        | Yes (paid for subscription)                             |
    | Deep Inspection   | Yes                         | Yes                                                     |
    | Anti-Spam         | No (possible future)        | Yes (paid for subscription)                             |
    | Console           | RJ45                        | RJ45                                                    |
    | Dialup Modem      | No                          | No (external modem can be connected via the AUX port)   |
    | IPv6              | Yes                         | Yes                                                     |

    * RRP based on Ingram Micro's pricing.

    ** IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network traffic. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

    So on paper the ASA 5505 has much better throughput and general hardware specifications, yet the SSG 5 supports more VPN tunnels and VLANs, and has full UTM (Unified Threat Management).

    The Cisco ASA 5505 is also about 50% more expensive (based on the retail prices); saying this, wholesale prices of the two devices only differ by about $250 ext GST.
  • 4. Cisco ASA 5505: out of the box

    The ASA 5505 comes with the following:

      • ASA 5505
      • Power Supply
      • Getting Started Guide (Software Version 7.2)
      • Rollover console cable
      • 90-Day Hardware Warranty
      • Software and Documentation CD (Software Version 7.2)
      • Regulatory Compliance and Safety Information Booklet
      • 2 Ethernet Cables

    Juniper SSG 5: out of the box

    The SSG 5 comes with the following:

      • SSG 5
      • Power Supply
      • Serial to RJ45 connector
      • 1-Year Hardware Warranty
      • 90-Day Software Warranty (from the date of shipment)
      • Free download of the latest ScreenOS for the first 90 days
  • 5. (SSG 5 box contents, continued)

      • Software and Documentation CD
      • 1 Ethernet Cable
      • Desk Stand (allows the SSG 5 to stand upright)

    The 90-day software download for the Juniper device means that you can have the latest software when you first purchase the device. Unfortunately this time period starts from when the device leaves Juniper, so if you purchase the device from a reseller the software update period may have already expired. This is still better than Cisco, which requires you to purchase a SmartNet agreement before you can download anything.

    The 90-day Cisco hardware warranty is also a bit rude.

    Cisco ASA 5505: Starting it up

    Out of the box the ASA is set up with Ethernet0/0 being the WAN side while the rest of the ports are set up as the LAN side. The default IP address of the box is 192.168.1.1.

    If you're running an internet connection where an IP address is handed out via DHCP then the ASA will give you basic internet access straight off, although most of the time you'll want to configure PPPoE or something.

    For users who have not used Cisco gear before, the easiest way is through ASDM (Adaptive Security Device Manager), Cisco's GUI setup interface.

    To access this, browse to https://192.168.1.1/ and download the ASDM.

    Once started you are greeted with some statistics of the ASA.
  • 6. ASDM is up to version 6 and it is now fairly comprehensive; if you don't like the command line then most of the configuration can be done here.

    By default the ASA blocks and filters certain traffic; for example, ICMP is blocked.

    Juniper SSG 5: Starting it up

    Out of the box the SSG 5 is set up with Eth0/0 being the WAN side, Eth0/1 being the DMZ and the rest of the ports being the LAN side. The default IP address of the box is 192.168.1.1.

    The SSG 5 uses zones.

    "A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via policies. Security zones are logical entities to which one or more interfaces are bound."

    So what Cisco call VLANs (or Security Levels) are basically what Juniper call Zones.

    The SSG is managed through a web interface; this can be found at http://192.168.1.1 (default username and password: net screen).

    Once you've logged in you are greeted with a general overview of the device.
  • 7. Like the Cisco device, the SSG also allows configuration via the command line, although the WebUI is much more complete than the Cisco ASDM.

    Personally I do most of my configuration in the WebUI.

    By default all outbound traffic is allowed and the WAN interface (or Untrust as Juniper call it) is set in NAT mode. The Untrust interface isn't set up to receive an address via DHCP by default.

    Cisco ASA 5505: The Hardware

    The physical construction of the 5505 is very good. The outside casing is mostly plastic, while the base of the system is metal. The only point of concern is the power connector; it seems a bit flimsy and could be easily broken.

    If you open up the 5505 you can see that both the flash and RAM are upgradable. The flash is just a standard compact flash card, while the RAM is PC3200 DDR UB NON-ECC CL3 DIMM 2.5v or 2.6v. It looks like the ASA 5505 can support up to 512 MB of RAM.

    The primary CPU is based on an AMD Geode chip, plus there is a hardware acceleration chip too (for VPN encryption etc).

    The 5505 also has a Security Services Card slot allowing extra functionality to be added on, although there are not any cards at this stage.

    There are 2 USB 2.0 ports on the back and 1 on the front. Seems like a lot for a firewall! At this stage they don't do anything.

    The inclusion of two Power over Ethernet ports is a great idea as it allows you to simply plug an IP phone in without the need for an extra power brick.
  • 8. There is an internal battery that can be replaced if required.

    Overall the ASA 5505 feels like it was built to last.

    Juniper SSG 5: The Hardware

    The physical construction of the SSG 5 is good, but it isn't as good as the 5505. My main point of concern is the single USB port on the back. It isn't attached to the outside casing and just feels a bit flimsy.

    The SSG 5 allows for the memory to be upgraded, although 256 MB is the max. I tried a 512 MB DDR2 SODIMM in the device but it didn't boot. It is possible that I was using the wrong type of RAM (on second look it may need DDR1). The flash memory is soldered onto the board and cannot be replaced.

    The SSG 5 uses an Intel IXP455 chip running at 533 MHz.

    There is a single USB 1.1 port on the back of the device that can be used for storing log files or other firmware.

    Cisco ASA 5505: The Software

    At the time of writing, software version 8.0(3) is the latest version for the ASA. Unfortunately I currently only have 8.0(2); saying this, the differences should only be bug fixes.

    The ASA software is simply a continuation of the PIX software. The configuration is stored in a single text file. With each version of the ASA/PIX software the command line configuration is slowly becoming more and more like Cisco IOS, which is not a bad thing.

    The ASA has a stack of features for a device so small and cheap. It does everything that the PIX 506e does (IPsec VPN, SPI firewall etc) plus more (SSL VPN, EIGRP). The inclusion of SSL VPN means that this device can easily support teleworkers that may not have access to an unrestricted internet connection. SSL VPN gives the end user an option of a client-based connection (similar to an IPsec VPN) or a clientless connection (a web portal to published files and services).

    The ASA 5505 also provides basic routing and NAT functionality, meaning that you can run this device without a separate router. Unfortunately there is no option for an integrated ADSL modem, so a modem will need to be purchased.

    The configuration of the ASA can be scary for new users. ASDM is not particularly well laid out. NAT rules are in a different location to access rules and every time you want to make a change you must save and upload the configuration again. The base license is also restrictive: you are limited to three "zones": untrust, trust and dmz.
  • 9. You cannot create pin holes in the DMZ to allow access to the Trust network either.

    The SSL VPN is also very limited as you are only allowed 2 SSL VPN connections. IPsec is a little better with 10 tunnels allowed, but even cheap SOHO routers can do 10 IPsec tunnels.

    All of these limits can be removed or increased with more expensive licenses, but they are much, much more costly.

    It is possible to get the ASA 5505 in 10 and 50 user versions (number of computers using the internet behind the ASA). Why Cisco have this limit is beyond me. I've never seen a cheap SOHO router with a user limit.

    The reporting options in the ASA 5505 are fantastic. If you want to know what is going on in your network then the ASA will tell you. It can display the most used services, sources or destinations in a pie chart (plus a whole stack of other options).

    Overall the ASA software is good, but there are far too many limits on the base 5505.

    ASA Software Version 8.1 is due soon although I've yet to hear what extra features it will include.

    Juniper SSG 5: The Software
  • 10. The SSG 5 came out with ScreenOS 5.4 but since then Juniper have released 6.0 and 6.1, both adding lots of extra functionality. ScreenOS supports just about any routing protocol (BGP, OSPF, RIP etc) and has some really nice features that aren't found on the ASA 5505.

    The base SSG 5 license supports unlimited users, 25 VPN tunnels and 10 zones. The extra zones really make the SSG 5 stand out. For example you can have an Untrust, Trust, DMZ and VPN zone. All VPN tunnels can be bound to the VPN zone, separating it from internet traffic. There are also no limits on how the zones work, so the DMZ can talk to any zone if you so wish. With 10 zones every port on the SSG 5 can be part of a different network. So if I wanted to add a wireless access point I could create a zone that only allows the wireless users to access the internet.

    Policy management is also much better than the ASA. Every change made via the web interface is automatically saved. You can quickly disable policies and move them around. You can fine tune each policy. For example you might want to enable NAT on a policy, or add anti-spam scanning on certain incoming SMTP connections. The policy management on the SSG 5 feels much more mature.

    Again the SSG 5, like the ASA 5505, can be used as a stand-alone device without the need for an extra router. The SSG 5 does have another nice option: you can purchase them with ADSL2+ modems built in (or ISDN or 56k modem), so you don't need to buy an extra modem. Saying this, I find it easier and cheaper just to use an external modem as it can be upgraded if a new technology comes out.

    ScreenOS 6.0 added Auto Connect VPN, which works the same as Cisco's Dynamic Multipoint Virtual Private Network. This basically means that in a hub and spoke VPN setup the spoke sites (remote offices) can automatically establish a VPN tunnel between each other (based on the rules at the hub) to reduce the traffic going through the hub. This can increase bandwidth and decrease latency.

    ScreenOS 6.1 added IKEv2, the next version of the Internet Key Exchange protocol which is used in IPsec.
  • 11. UPDATE: Power Adapter

    Just thought I'd add a quick section on the power adapter.

    The Cisco ASA 5505's power adapter is quite large and seems to make a bit of noise (more than the device itself).
  • 12. Summary

    Both devices are fantastic yet each has its own strengths and weaknesses. For example the SSG doesn't support SSL VPNs while the ASA doesn't support built-in Anti-Virus or Anti-Spam.

    I feel that the ASA 5505 is a little let down by its software and licensing limits. The reporting options in the ASA are much better than the SSG, but this doesn't make up for its other shortcomings. SSL VPN is nice but again far too limited with only 2 connections. The ASA 5505 hardware is clearly better than the SSG 5: PoE ports, USB 2, higher throughput.

    On paper the SSG 5 isn't as good as the ASA 5505, yet the device is much less limited. I personally don't feel that the performance of the SSG 5 isn't an issue. These two devices are designed for small businesses and teleworkers; they're never going to see 150 Mbit/sec of traffic.

    The SSG 5 comes with many more hardware options; you can even get a version with 802.11a/b/g wireless.

    To me the SSG 5 makes a better router than the ASA 5505. While the ASA 5505
  • 13. makes more sense for a business with teleworkers that require SSL VPN.

    The SSG 5 can handle more VPN tunnels (up to 40 with an extended license) and has some technology that makes it better for site to site VPNs, such as running BGP over an IPsec tunnel.

    If you're currently running a Cisco network, stick to the ASA. Likewise if you're running a Juniper network, use the SSG.

    For new users, you need to decide on what is important to you. Do you plan on using SSL VPN? Then get the ASA 5505. If you're just using IPsec or require some more complex networks/routing, get the SSG 5.

    More Related Reviews:

      • Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series
      • Cisco ASA 5500 Family, Key Component of the Cisco Secure Borderless Network
      • How to Configure Cisco ASA 5505 Firewall?
