Juniper SSG vs Cisco ASA and PIX Firewall Comparison

Juniper Networks SSG 5 and SSG 20 *VS* Cisco ASA 5505 and PIX 501/506

	SSG 5Base/Extended**	SSG 20Base/Extended**	ASA 5505Base/Security Plus	PIX 501 / PIX 506
Performance & Capacities
Firewall Throughput (Large packets)	160 Mbps	160 Mbps	150 Mbps	60 Mbps/100 Mbps
Firewall Throughput (IMIX)*	90 Mbps	90 Mbps	Not Published	Not Published
FW Packets per second (64byte)	30,000	30,000	Not Published	Not Published
VPN Throughput (3DES+SHA-1)	40 Mbps	40 Mbps	100 Mbps	3 Mbps /15 Mbps
Sessions**	4,000/8,000	4,000/8,000	10,000/25000	7,500/25,000
Stateful FW/VPN HA**	Active/Passive With ExtLicense	Active/Passive With ExtLicense	A/P with Security Plus license	Not supported
Dial Back Up	Yes	Yes	Yes (Dual ISP)	Not supported
Security Applications
IPS (Deep Inspection FW)	Yes	Yes	Yes	Not supported
Integrated File & Networkbased Antivirus	Yes	Yes	Future	Not supported
Adware / Spyware / Keylogger protection	Yes (included in AV engine)	Yes (included in AV engine)	Future	Not supported
Integrated Web Filtering	Yes	Yes	Yes	Not supported
Integrated Anti-Spam	Yes	Yes	Future	Not supported
Redirect Web Filtering	Yes	Yes	Yes	Yes
SSL VPN	Not supported	Not supported	Yes	Not supported
Interfaces and Routing
Fixed I/O	7 10/100	5 10/100 + 2 I/O expansion slots	8 10/100 (2 are PoE)	5 10/100 (PIX501) 2 10/100 (PIX506)
I/O Options	RS-232 Serial/Aux or ISDN BRI S/T or V.92 (Factory configured)	Interface modules: IDSN BRI S/T, T1, E1, V.92, ADSL 2+	Not supported	Not supported
802.11 a/b/g	Yes (factory configuredoption)	Yes (factory configuredoption)	Not supported	Not supported
LAN/WAN Routing	RIPv1/2, OSPF, BGP, PPP	RIPv1/2, OSPF, BGP, PPP, MLPPP, FR, MLFR, HDLC	RIPv1/2, OSPF, BGP,	OSPF, BGP
Security Zones	10	10	Not supported	Not supported
Virtual LAN**	10/50	10/50	3	Not supported
Virtual Routers	3	3	Not supported	Not supported
VoIP Security (ALGs)	SIP, H.323, MGCP, SCCP	SIP, H.323, MGCP, SCCP	SIP, H.323, MGCP, SCCP	SIP, H.323, MGCP, SCCP

* IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network
traffic. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

Feature Comparisons

Key Feature / Point	SSG 5/SSG 20 (ScreenOS 5.4)	PIX 501/506 (PIX 6.4) ASA 5505 (ASA 7.2)	Why it Matters
Integrated purpose-built Firewall/VPN appliance	New, purpose-built hardware with security specific OS that delivers best in class integrated security functionality for network and application level protection	PIX is an old platform with outdated, slow processing. Platform is frozen at PIX-OS 6.4 ( Can get to 7.x w/ E) ASA is new platform but is hindered by external processing card requirement for IPS or AV – unable to run both in a single ASA.	Customers want the ability to lower the capital expenditures at the outlying offices along with flexibility to add security as needed – without the requirement of added HW card
LAN and WAN connectivity	LAN and WAN I/O options plus supporting protocols and encapsulations provide unmatched connectivity flexibility in the mid range market.	No WAN hardware or encapsulation support whatsoever on either platform – limited LAN hardware and protocol support	Customers are want the ability to extend the investment protection as they move toward next generation networks (broadband, metro Ethernet)
Integrated 802.11 a/b/g Wireless	Optional dual radio 802.11 a + 802.11 b/g support	Not supported	Small branch office environments are ideal locations to consolidate multiple security and networking devices (routing, Wireless AP, FW/VPN and threat management)
802.11 a/b/g Security	Security Broad range of wireless security mechanisms: • Authentication: Pre-Shared Key (PSK) , MAC Address ACL, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1X • Privacy: WEP, WPA, WPA2 (AES or TKIP), IPSEC VPN	Not supported	Wireless access can be used as a hacker/attacker entry point, so bullet proof security is critical to protecting the network.
Integrated Security Policy, Network and Device Level Management	Manage all aspects – FW, VPN, IPS, routing, HA – from CLI, WebUI or NSM	Centralized management for PIX is a set of utilities. ASA 5505 management is GUI or CLI one-to-one – not one to many on initial release. No date shown for centralized mgmt of many devices	To maintain a reasonable administrative cost structure, device management in outlying offices must be easy to perform and consistent in all aspects NSM can manage large deployments of SSG 5 and SSG 20 from day zero.
Security Zone Architecture	Security zones, virtual routers and VLANs to provide ability to enforce security via logical group functions (i.e. Marketing, Finance, etc) as opposed to specific IP subnets or addresses	Access control lists are complex and based on source / destination IP address. ASA 5505 supports VLANs – but does not support Zones or Virtual routers.	Segmenting the network in a logical, easy to configure and manage manner is critical to protect internal resources from attacks and/or unauthorized use/access
Transparent Mode	Seamless deployment into existing network-adding full security functionality without network address change at install	Not supported in the PIX 501/506 Supported on the ASA 5505	Customers want to be able to drop security into their network with minimal network re-configuration
Dynamic Routing	RIPv1&2, OSPF and BGP eases integration of security into existing networks and supports dynamically routed VPNs	User must choose between OSPF and BGP – cannot run both. RIP support is available on the ASA but is a global (all interface) configuration command, eliminating ability to use multiple routing protocols.	A common deployment is to use OSPF for internal networks AND BGP for external connections – Cisco does not support this in a one box offering
Dynamic Route-Based VPNs	With multiple VPN tunnels defined to a given location, routing protocols will ensure that the optimal tunnel will be used for traffic dynamically	Not supported. PIX uses static ACL based VPN tunnel configuration. ASA supports Easy VPN, a competitive offering.	Outlying offices need maximum reliability at all levels – device, as well as link layer
Virtual Routers	Up to 8 virtual routers supported	Not supported	Isolates and separates public and private IP address for greater security than a shared router
Bridge Groups	Group I/O as a basic switch or group them as a single L3 interface and apply policy to that interface.	Not supported	Customers need the ability to go beyond structured Trust, Untrust and DMZ – bridge groups provides that configuration flexibility.
Antivirus, (includes Keylogger, Adware and Spyware protection)	Optional File-based Kaspersky antivirus engine and database that scans FTP, HTTP (webmail), POP3 and SMTP, IMAP for viruses, Spyware and adware	Not supported in the PIX. Future support for ASA.	AV is critical – but so is IPS – the ASA forces customers to chose one of these options. They cannot have both.
Anti-spam support	Optional Antispam solution from Symantec (Brightmail) provides best in class gateway-based spam prevention	Not supported in the PIX. Future support for ASA as part of the Trend Micro- based AV module.	Brightmail is a best-in-class offering for anti-spam, complete with dedicated research on keeping the SPAM list up to date.
Web filtering	Optional integrated Web Filtering with SurfControl or redirect with either Websense or Surfcontrol	Only re-direct is supported.	Integrated web filtering is a proven way to stop users from inadvertently downloading viruses and visiting inappropriate web sites.
IPS	Integrated IPS (Deep Inspection) provides application level protection.	Not supported in the PIX. Future support for ASA as a security module.	Attacks are manifesting themselves in all manner and a FW is only capable of catching those that are network related.