Firewalls

goscombtech · 24th November 2007

As everyone know... I love everything Juniper. To that tune, we are looking for a set of new firewalls and are thinking of these in routed mode (OSPF stub, iBGP defaults) as A/A pairs:

http://www.juniper.net/products_and_...ies/index.html

Anyone have any previous experience with them? I am hoping to get one on eval for a play.

Karl · 24th November 2007

I've not heard fantastic things about Netscreen for some time now, we were looking at them + the Juniper IPS product for a customer, in the end we went with TopLayer.

DF-Duncan · 24th November 2007

We have used many Juniper products, and we personally prefer the TopLayer applications, as these are proving much more effective.

markcastle · 25th November 2007

Have a look at this thread

Ricky · 25th November 2007

THIS USER HAS BEEN GAGGED BY THE FORUM HOSTS FOR SPAM OR BREAKING THE RULES...
User will be ungaged in around 65 hours from this post.

goscombtech · 25th November 2007

PIX doesn't do all we need

Karl: this is the SSG i'm looking at, not netscreen. same screenos yes, but iirc the boxes are a lot more powerful, no?

Does anyone have any toplayer pricing info and a spec sheet?

Karl · 25th November 2007

At the end of the day, the SSG is a Celeron or a P4 running stuff in software - It's the same as the J-Series routers

Pricing for TopLayer - from £10k from memory.

JamieBeeston · 25th November 2007

Cisco ASA for the Lower budget clients, Checkpoint for the higher bidget clients.

Sorted.

MattParks · 26th November 2007

Goscomb - Interested to hear what the PIX's or ASA's dont do that you need? Always good to keep abreast of customer firewall/solution demands.

goscombtech · 26th November 2007

Quote:

Originally Posted by MattParks

Goscomb - Interested to hear what the PIX's or ASA's dont do that you need? Always good to keep abreast of customer firewall/solution demands.

Unless they do routed mode these days and support OSPF + BGP and IPv6 ? They didn't used to the last time i looked...

JamesSykes · 26th November 2007

I went for the Cisco's because they seem to be pretty much standard in my price range and I've rarely heard a bad word said about them. (except from nokia checkpoint nerds)

I was put off by the Netscreens by a couple of members on here and also a friend who almost broke into a sweat during a 15 minute rant damning them to hell!

They will do routed mode and OSPF and IPV6 but I'm not sure about BGP.

PeteK · 27th November 2007

Quote:

Originally Posted by goscombtech

Unless they do routed mode these days and support OSPF + BGP and IPv6 ? They didn't used to the last time i looked...

They do (and as far as I recall always have) supported routing, both Pix's and ASAs.

They certainly do OSPF and BGP, not sure about ipv6 tho tbh. Got two ASAs to install tomorrow, so will take a look, but other than that ticks the boxes, and ASAs (so long as you don't want Anti V/Spam, Phishing etc etc) stuff on them are comparatively cheap as chips. £1300 ish for a 350mb/s firewall only unit, 6k connections per sec, 130k tops connections. Ok, that is the baby of the rack mounts (5510 in the Plus version - more max connections and vlans) but still V sensibly priced IMO if you want some gig ports and gig plus capability.

Quick compares > http://www.cisco.com/en/US/products/...omparison.html

Karl · 28th November 2007

From memory, a recent NANOG thread said that whilst they do support IPv6, it's a very limited feature set compared to the IPv4 support.

imran · 29th November 2007

We have about 70 Juniper Netscreen/SSG firewalls in operation ranging from the 5GT to SSG520. We did have issues with the 5GT however Juniper support were quick to resolve this and all seems to be humming along fine.

Some units are almost 4 years old but still work perfectly.
Speak to the guys at http://www.1stsecuritywarehouse.com

freethought · 22nd January 2008

Not used any Juniper kit, but I swear by Fortinet's FortiGates. Hardware accelerated with AntiVirus and IPS/IDS. You can pick up a FortiGate 400A for about £4500 which will do 450Mbps across a pair of gigabit and four 10/100 ports if memory serves me correctly. Awesome performance and no bloody host count licensing (I'm looking at you Check Point). They do OSPF and BGP as well.
I think Check Point still wins out with management and logging tools though, they just have a much more mature tool set.
Not had the joy of playing with Crossbeams or anything like that, but I've worked with a lot of Nokias running everything from 4.1 to NG R55 and they are all right, not fantastic, but all right. They don't seem to work well with more than 50-60 VLANs and getting them to crash and reboot isn't too hard if you know what you are doing but if you just leave them alone then they are fine. Have worked with some in a data centre environment that have been up for years, running hundreds of VPNs and the only problems are when the hardware eventually dies.
Nokias do OSPF and BGP, as do other Check Point appliances like the Corssbeams but with Check Point it is up to the appliance/OS to provide routing protocol support, something that dedicated, integrated systems don't suffer from.