Juniper SSG vs Cisco ASA and PIX Firewall Comparison

Juniper Networks SSG 5 and SSG 20 *VS* Cisco ASA 5505 and PIX 501/506
  SSG 5Base/Extended** SSG 20Base/Extended** ASA 5505Base/Security Plus PIX 501 / PIX 506
Performance & Capacities        
Firewall Throughput (Large
160 Mbps 160 Mbps 150 Mbps 60 Mbps/100 Mbps
Firewall Throughput (IMIX)* 90 Mbps 90 Mbps Not Published Not Published
FW Packets per second (64byte) 30,000 30,000 Not Published Not Published
VPN Throughput (3DES+SHA-1) 40 Mbps 40 Mbps 100 Mbps 3 Mbps /15 Mbps
Sessions** 4,000/8,000 4,000/8,000 10,000/25000 7,500/25,000
Stateful FW/VPN HA** Active/Passive With ExtLicense Active/Passive With ExtLicense A/P with Security Plus license Not supported
Dial Back Up Yes Yes Yes (Dual ISP) Not supported
Security Applications        
IPS (Deep Inspection FW) Yes Yes Yes Not supported
Integrated File & Networkbased Antivirus Yes Yes Future Not supported
Adware / Spyware /
Keylogger protection
Yes (included in AV engine) Yes (included in AV engine) Future Not supported
Integrated Web Filtering Yes Yes Yes Not supported
Integrated Anti-Spam Yes Yes Future Not supported
Redirect Web Filtering Yes Yes Yes Yes
SSL VPN Not supported Not supported Yes Not supported
Interfaces and Routing        
Fixed I/O 7 10/100 5 10/100 + 2 I/O expansion slots 8 10/100 (2 are PoE) 5 10/100 (PIX501)
2 10/100 (PIX506)
I/O Options RS-232 Serial/Aux or
ISDN BRI S/T or V.92
(Factory configured)
Interface modules: IDSN
BRI S/T, T1, E1, V.92,
Not supported Not supported
802.11 a/b/g Yes (factory configuredoption) Yes (factory configuredoption) Not supported Not supported
Security Zones 10 10 Not supported Not supported
Virtual LAN** 10/50 10/50 3 Not supported
Virtual Routers 3 3 Not supported Not supported
VoIP Security (ALGs) SIP, H.323, MGCP, SCCP SIP, H.323, MGCP, SCCP SIP, H.323, MGCP, SCCP SIP, H.323, MGCP, SCCP

* IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network
traffic. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

Feature Comparisons
Key Feature / Point SSG 5/SSG 20 (ScreenOS 5.4)

PIX 501/506 (PIX 6.4) ASA 5505 (ASA 7.2)

Why it Matters
New, purpose-built hardware with
security specific OS that delivers
best in class integrated security
functionality for network and
application level protection
PIX is an old platform with
outdated, slow processing.
Platform is frozen at PIX-OS 6.4 ( Can get to 7.x w/ E)
ASA is new platform but is
hindered by external processing
card requirement for IPS or AV
– unable to run both in a single
Customers want the ability to lower
the capital expenditures at the
outlying offices along with flexibility
to add security as needed – without
the requirement of added HW card
LAN and WAN connectivity LAN and WAN I/O options plus supporting protocols and
encapsulations provide unmatched connectivity flexibility
in the mid range market.
No WAN hardware or
encapsulation support
whatsoever on either platform –
limited LAN hardware and
protocol support
Customers are want the ability to
extend the investment protection as
they move toward next generation
networks (broadband, metro
802.11 a/b/g
Optional dual radio 802.11 a +
802.11 b/g support
Not supported Small branch office environments are ideal locations to consolidate multiple security and networking devices (routing, Wireless AP,
FW/VPN and threat management)
802.11 a/b/g Security Security Broad range of wireless security mechanisms:
• Authentication: Pre-Shared Key (PSK) , MAC Address ACL, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1X
• Privacy: WEP, WPA, WPA2 (AES or TKIP), IPSEC VPN
Not supported Wireless access can be used as a
hacker/attacker entry point, so bullet
proof security is critical to protecting
the network.
Integrated Security Policy, Network and Device Level Management Manage all aspects – FW, VPN, IPS, routing, HA – from CLI, WebUI or NSM Centralized management for PIX is a set of utilities.

ASA 5505 management is GUI or CLI one-to-one – not one to many on initial release. No date shown for centralized mgmt of many devices

To maintain a reasonable administrative cost structure, device management in outlying offices must be easy to perform and
consistent in all aspects NSM can manage large deployments of SSG 5 and SSG 20 from day zero.
Security Zone
Security zones, virtual routers and VLANs to provide ability to enforce security via logical group functions (i.e. Marketing, Finance, etc) as
opposed to specific IP subnets or addresses
Access control lists are complex and based on source / destination IP address.

ASA 5505 supports VLANs – but does not support Zones or Virtual routers.

Segmenting the network in a logical, easy to configure and manage manner is critical to protect internal resources from attacks and/or
unauthorized use/access
Transparent Mode Seamless deployment into existing network-adding full security functionality without network address change at install Not supported in the PIX 501/506

Supported on the ASA 5505

Customers want to be able to drop security into their network with minimal network re-configuration
Dynamic Routing RIPv1&2, OSPF and BGP eases integration of security into existing networks and supports dynamically routed VPNs User must choose between OSPF and BGP – cannot run both. RIP support is available on the ASA but is a global (all
interface) configuration command, eliminating ability to use multiple routing protocols.
A common deployment is to use OSPF for internal networks AND BGP for external connections – Cisco does not support this in a one
box offering
Dynamic Route-Based VPNs With multiple VPN tunnels defined to a given location, routing protocols will ensure that the optimal tunnel will be used for
traffic dynamically
Not supported. PIX uses static ACL based VPN tunnel configuration.

ASA supports Easy VPN, a competitive offering.

Outlying offices need maximum reliability at all levels – device, as well as link layer
Virtual Routers Up to 8 virtual routers supported Not supported Isolates and separates public and private IP address for greater security than a shared router
Bridge Groups Group I/O as a basic switch or group them as a single L3 interface and apply policy to that interface. Not supported Customers need the ability to go beyond structured Trust, Untrust and DMZ – bridge groups provides that configuration flexibility.
Antivirus, (includes Keylogger, Adware and Spyware protection) Optional File-based Kaspersky antivirus engine and database that scans FTP, HTTP (webmail), POP3 and SMTP, IMAP for viruses, Spyware and adware Not supported in the PIX.

Future support for ASA.

AV is critical – but so is IPS – the ASA forces customers to chose one of these options. They cannot have both.
Anti-spam support Optional Antispam solution from Symantec (Brightmail) provides best in class gateway-based spam prevention Not supported in the PIX. Future support for ASA as part of the Trend Micro- based AV module. Brightmail is a best-in-class offering for anti-spam, complete with dedicated research on keeping the SPAM list up to date.
Web filtering Optional integrated Web Filtering with SurfControl or redirect with either Websense or Surfcontrol Only re-direct is supported. Integrated web filtering is a proven way to stop users from inadvertently downloading viruses and visiting inappropriate web sites.
IPS Integrated IPS (Deep Inspection) provides application level protection. Not supported in the PIX. Future support for ASA as a security module. Attacks are manifesting themselves in all manner and a FW is only capable of catching those that are network related.

About Ren (NetXG)
I work to much..

6 Responses to Juniper SSG vs Cisco ASA and PIX Firewall Comparison

  1. Cristian says:

    BGP routing is not supported on Cisco ASA appliances (as erroneously was noted in the “LAN/WAN Routing” section). Cisco firewalls support RIP, OSPF and EIGRP (as of version 8) as routing protocols.
    The lack of support for BGP routing is one of the reasons why I started recommending Juniper firewalls for connections to external companies. The second reason is the price – an SSG5 is cheaper, has no user count restrictions like the ASA. If you want a fully functional ASA 5505 appliance, you need to Security Plus license (approx 4000 CAD). A fully functional SSG5 is 1200 CAD.

  2. sajin says:

    plz specify diff. b/w pix and ASA

  3. Stas says:

    Only FYI. FWSM ver 3.2 support BGP-stub routing.

  4. Maxa says:

    ASA does not support BGP.

  5. Pingback: Computer Repair Services, Montreal Networking Services, IT Solutions

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: