Juniper SSG vs Cisco ASA and PIX Firewall Comparison
October 3, 2007
| Feature | SSG 5 (Base/Extended**) | SSG 20 (Base/Extended**) | ASA 5505 (Base/Security Plus) | PIX 501 / PIX 506 |
|---|---|---|---|---|
| **Performance & Capacities** | | | | |
| Firewall Throughput (large packets) | 160 Mbps | 160 Mbps | 150 Mbps | 60 Mbps / 100 Mbps |
| Firewall Throughput (IMIX)* | 90 Mbps | 90 Mbps | Not published | Not published |
| FW Packets per second (64 byte) | 30,000 | 30,000 | Not published | Not published |
| VPN Throughput (3DES+SHA-1) | 40 Mbps | 40 Mbps | 100 Mbps | 3 Mbps / 15 Mbps |
| Sessions** | 4,000/8,000 | 4,000/8,000 | 10,000/25,000 | 7,500/25,000 |
| Stateful FW/VPN HA** | Active/Passive with Extended license | Active/Passive with Extended license | A/P with Security Plus license | Not supported |
| Dial Backup | Yes | Yes | Yes (dual ISP) | Not supported |
| **Security Applications** | | | | |
| IPS (Deep Inspection FW) | Yes | Yes | Yes | Not supported |
| Integrated File & Network-based Antivirus | Yes | Yes | Future | Not supported |
| Adware / Spyware / Keylogger protection | Yes (included in AV engine) | Yes (included in AV engine) | Future | Not supported |
| Integrated Web Filtering | Yes | Yes | Yes | Not supported |
| Integrated Anti-Spam | Yes | Yes | Future | Not supported |
| Redirect Web Filtering | Yes | Yes | Yes | Yes |
| SSL VPN | Not supported | Not supported | Yes | Not supported |
| **Interfaces and Routing** | | | | |
| Fixed I/O | 7 x 10/100 | 5 x 10/100 + 2 I/O expansion slots | 8 x 10/100 (2 are PoE) | 5 x 10/100 (PIX 501), 2 x 10/100 (PIX 506) |
| I/O Options | RS-232 Serial/Aux, ISDN BRI S/T or V.92 (factory configured) | Interface modules: ISDN BRI S/T, T1, E1, V.92, ADSL2+ | Not supported | Not supported |
| 802.11 a/b/g | Yes (factory configured option) | Yes (factory configured option) | Not supported | Not supported |
| LAN/WAN Routing | RIPv1/2, OSPF, BGP, PPP | RIPv1/2, OSPF, BGP, PPP, MLPPP, FR, MLFR, HDLC | RIPv1/2, OSPF, BGP | OSPF, BGP |
| Security Zones | 10 | 10 | Not supported | Not supported |
| Virtual LAN** | 10/50 | 10/50 | 3 | Not supported |
| Virtual Routers | 3 | 3 | Not supported | Not supported |
| VoIP Security (ALGs) | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP |

\* IMIX traffic is more demanding than a single-packet-size performance test and as such is more representative of real-world customer network traffic. The IMIX traffic used is made up of 58.33% 64-byte packets + 33.33% 570-byte packets + 8.33% 1518-byte packets of UDP traffic.
| Key Feature / Point | SSG 5 / SSG 20 (ScreenOS 5.4) | PIX 501/506 (PIX 6.4), ASA 5505 (ASA 7.2) | Why it Matters |
|---|---|---|---|
| Integrated purpose-built Firewall/VPN appliance | New, purpose-built hardware with a security-specific OS that delivers best-in-class integrated security functionality for network- and application-level protection | PIX is an old platform with outdated, slow processing. The platform is frozen at PIX-OS 6.4 (can get to 7.x w/ E). ASA is a new platform but is hindered by an external processing card requirement for IPS or AV; it is unable to run both in a single ASA. | Customers want the ability to lower capital expenditures at outlying offices along with the flexibility to add security as needed, without the requirement of an added hardware card |
| LAN and WAN connectivity | LAN and WAN I/O options plus supporting protocols and encapsulations provide unmatched connectivity flexibility in the mid-range market. | No WAN hardware or encapsulation support whatsoever on either platform; limited LAN hardware and protocol support | Customers want the ability to extend investment protection as they move toward next-generation networks (broadband, metro Ethernet) |
| Integrated 802.11 a/b/g Wireless | Optional dual-radio 802.11a + 802.11b/g support | Not supported | Small branch office environments are ideal locations to consolidate multiple security and networking devices (routing, wireless AP, FW/VPN and threat management) |
| 802.11 a/b/g Security | Broad range of wireless security mechanisms. Authentication: Pre-Shared Key (PSK), MAC address ACL, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1X. Privacy: WEP, WPA, WPA2 (AES or TKIP), IPsec VPN | Not supported | Wireless access can be used as a hacker/attacker entry point, so bullet-proof security is critical to protecting the network. |
| Integrated Security Policy, Network and Device Level Management | Manage all aspects (FW, VPN, IPS, routing, HA) from CLI, WebUI or NSM | Centralized management for PIX is a set of utilities. ASA 5505 management is GUI or CLI one-to-one, not one-to-many, on the initial release. No date shown for centralized management of many devices | To maintain a reasonable administrative cost structure, device management in outlying offices must be easy to perform and consistent in all aspects. NSM can manage large deployments of SSG 5 and SSG 20 from day zero. |
| Security Zone Architecture | Security zones, virtual routers and VLANs provide the ability to enforce security via logical group functions (e.g. Marketing, Finance) as opposed to specific IP subnets or addresses | Access control lists are complex and based on source/destination IP address. ASA 5505 supports VLANs but does not support zones or virtual routers. | Segmenting the network in a logical, easy-to-configure and easy-to-manage manner is critical to protect internal resources from attacks and/or unauthorized use/access |
| Transparent Mode | Seamless deployment into an existing network, adding full security functionality without a network address change at install | Not supported in the PIX 501/506. Supported on the ASA 5505 | Customers want to be able to drop security into their network with minimal network reconfiguration |
| Dynamic Routing | RIPv1&2, OSPF and BGP ease integration of security into existing networks and support dynamically routed VPNs | User must choose between OSPF and BGP; cannot run both. RIP support is available on the ASA but is a global (all-interface) configuration command, eliminating the ability to use multiple routing protocols. | A common deployment is to use OSPF for internal networks and BGP for external connections; Cisco does not support this in a one-box offering |
| Dynamic Route-Based VPNs | With multiple VPN tunnels defined to a given location, routing protocols ensure that the optimal tunnel is used for traffic dynamically | Not supported. PIX uses static ACL-based VPN tunnel configuration. ASA supports Easy VPN, a competitive offering. | Outlying offices need maximum reliability at all levels, device as well as link layer |
| Virtual Routers | Up to 8 virtual routers supported | Not supported | Isolates and separates public and private IP addresses for greater security than a shared router |
| Bridge Groups | Group I/O as a basic switch, or group them as a single L3 interface and apply policy to that interface. | Not supported | Customers need the ability to go beyond the structured Trust, Untrust and DMZ; bridge groups provide that configuration flexibility. |
| Antivirus (includes Keylogger, Adware and Spyware protection) | Optional file-based Kaspersky antivirus engine and database that scans FTP, HTTP (webmail), POP3, SMTP and IMAP for viruses, spyware and adware | Not supported in the PIX. Future support for ASA. | AV is critical, but so is IPS; the ASA forces customers to choose one of these options. They cannot have both. |
| Anti-spam support | Optional anti-spam solution from Symantec (Brightmail) provides best-in-class gateway-based spam prevention | Not supported in the PIX. Future support for ASA as part of the Trend Micro-based AV module. | Brightmail is a best-in-class offering for anti-spam, complete with dedicated research on keeping the spam list up to date. |
| Web filtering | Optional integrated web filtering with SurfControl, or redirect with either Websense or SurfControl | Only redirect is supported. | Integrated web filtering is a proven way to stop users from inadvertently downloading viruses and visiting inappropriate web sites. |
| IPS | Integrated IPS (Deep Inspection) provides application-level protection. | Not supported in the PIX. Future support for ASA as a security module. | Attacks manifest themselves in all manner of ways, and a FW is only capable of catching those that are network related. |
Hello
BGP routing is not supported on Cisco ASA appliances (as erroneously was noted in the “LAN/WAN Routing” section). Cisco firewalls support RIP, OSPF and EIGRP (as of version 8) as routing protocols.
The lack of support for BGP routing is one of the reasons why I started recommending Juniper firewalls for connections to external companies. The second reason is the price: an SSG5 is cheaper and has no user count restrictions like the ASA. If you want a fully functional ASA 5505 appliance, you need the Security Plus license (approx. 4000 CAD). A fully functional SSG5 is 1200 CAD.
Regards,
Cristian
Please specify the difference between PIX and ASA.
Only FYI. FWSM ver 3.2 supports BGP-stub routing.
Hi
@ SAJID
PIX vs ASA
http://www.scribd.com/doc/4634663/PIX-vs-ASA
ASA does not support BGP.