Cisco or Juniper firewall?

azev

Golden Member
Jan 27, 2001
1,003
0
76
If you were to choose between Cisco PIX515E/525 or Juniper Netscreen 50, which one would you choose, and why?
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Depends on what your requirements are. And don't just look at the PIX. The Cisco Adaptive Security Appliance (ASA) brings some new things to the table and is essentially a modular PIX.

You need to compare all the specs of the units you're considering and make sure they satisfy your requirements, then ask yourself the following questions:

1) Have you used products from either vendor before?
-----Were you happy with your experience? Especially concerning tech support.

2) Who has the better total price, including tech support/other maintenance costs?
-----Be aware of upgrade costs to add modules/unlock software options. These prices can bite you in the kisser if you aren't careful. For example: it costs more money to have units that are capable of High Availability with load balancing, as opposed to units that are only capable of failover with one unit active and the other in standby. It costs more money to upgrade to an advanced software version to get more features and performance. It also costs money to add things such as IPS and Antivirus.

3) Is either one of the units going to integrate into your network easier? In other words...if you have a Cisco network, you might feel more comfortable with the PIX/ASA. 7.0 code is a lot like IOS, unlike 6.x.

Those are some of the questions you should be asking yourself.

Personally, if both units met my requirements and were the same price, I would choose a PIX or an ASA (they are similarly priced). But that's my own personal opinion...others would choose Netscreen (Juniper), while still others would choose Checkpoint, Servgate, Fortinet, or even BSD or Linux. There is nothing wrong with any of those. It's what meets your requirements, what you can afford and support, and most importantly - what you feel most comfortable securing your perimeter with (I'm assuming this is a perimeter firewall).
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I may lean towards a Nokia appliance (Checkpoint)

They're just so easy. And the ability to troubleshoot and log is infinitely better than PIX.
 

bgroff

Member
Jun 18, 2003
198
0
0
Originally posted by: spidey07
> I may lean towards a Nokia appliance (Checkpoint)
>
> They're just so easy. And the ability to troubleshoot and log is infinitely better than PIX.

They are just so easy when they work. God help you when it decides to take a nice firewall crap. Then you get to look into nooks and crannies of software you never knew existed! (I've been there, it can be downright frightening...)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: bgroff
> Originally posted by: spidey07
>> I may lean towards a Nokia appliance (Checkpoint)
>>
>> They're just so easy. And the ability to troubleshoot and log is infinitely better than PIX.
>
> They are just so easy when they work. God help you when it decides to take a nice firewall crap. Then you get to look into nooks and crannies of software you never knew existed! (I've been there, it can be downright frightening...)

Agreed. The PIX definitely wins in that arena.
 

azev

Golden Member
Jan 27, 2001
1,003
0
76
Well, I've spoken with a couple of people that I knew used Juniper products and they are very satisfied. Unfortunately most of them used a much more expensive product (204/208) which has many more features. I've worked on a PIX firewall before but that was a while ago and it was only a PIX 501 and 506. I am also looking at Checkpoint firewalls right now, just so I have more data/products to compare.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
The PIX might not have as many bells and whistles or be as easy to configure as some other units, but they are workhorses. I have PIX 501s and 506e's in chemical manufacturing environments where there is a lot of RF interference, a lot of dirt and dust, and extreme variations in temperature. I have never had a PIX fail at any of those locations. I've had 1720's fail, but never a PIX. I've got PIX units at those locations which have been running without a reboot for almost 2 years.

I'll put it to you like this...if Netscreen, or Checkpoint, or whoever came in tomorrow and offered to replace every firewall I had with their greatest top of the line unit for free, I'd politely decline the offer. It's not an "oooooooooo Cisco!!!" effect, it's because the PIX has earned my trust by being so damn reliable.

I've seen Netscreen units have similar results, and they have a very nice product. If it had been Netscreen that I'd placed in my network instead of Cisco and I'd had the same experience, I'd be sold on Netscreen. However, I don't think I ever would have implemented Checkpoint...I've heard of too many problems with the appliances these run on. I can't afford to even risk that.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
azev, I would pick the PIX, with the caveat that the platform is basically at its end of life now. It will get security updates for a while, but unlikely to get feature updates. PIX software I have found very reliable. PIX hardware is okay. It's basically a PC inside. I have seen them have hardware failures, but it's not common.

Do watch out that the PIX has a lot of arbitrary limits put in by marketing folks to make you need the next model up.

Netscreen's CLI is absolutely garbage and their web UI is annoying and incomplete. They're very very annoying to manage.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: cmetz
> azev, I would pick the PIX, with the caveat that the platform is basically at its end of life now. It will get security updates for a while, but unlikely to get feature updates. PIX software I have found very reliable. PIX hardware is okay. It's basically a PC inside. I have seen them have hardware failures, but it's not common.

I disagree with you on that. The PIX just received the 7.0 code which introduced some new features. Cisco has yet to make that available on the 501 and 506e. I've heard from Cisco that the 506e is almost definitely going to receive 7.0, and they are still evaluating the possibility of the 501. So that is a pretty major upgrade for each of those platforms. And as far as I know, the 7.0 code will continue on the PIX for a while. If you know something different, please share.

There is always the chance that Cisco will release some new PIX models that contain ASICs, but that would infringe on the ASA. The only reason I think Cisco would do this is to keep capitalizing on the PIX name...and I suspect the units would still be purpose-built firewalls. Not multi-function modular units like the ASA. I've heard rumors of a PIX 502, instead of making 7.0 available on the 501. But they're nothing more than rumors.

> Do watch out that the PIX has a lot of arbitrary limits put in by marketing folks to make you need the next model up.

That's very, very true. The same can also be said for many other vendors, Netscreen included.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Boscoh,

I haven't kept up with it...did Cisco acquire somebody for these new models or are they home grown?
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Boscoh, Cisco is telling folks very very specifically to buy ISRs instead of PIXes. That right there is a big comment on how much future each product has.

The PIX has always been a funny product in Cisco's line, as a result of acquisitions. It's based on an x86 CPU and a totally different software base, with different commands. I am frankly surprised that the PIX lasted as long as it has.

7.0 is available on 515E with a memory upgrade, and up. I was told by Cisco that they're considering adding some or all of the 7.0 features to an image for lower end boxes, but make no promises. I think there's a lot of spinning in that. Basically, until I have an image in my hands, I wouldn't count on anything. I am sure that 501/506E would get critical security updates for a while to come, but am skeptical of them getting feature updates. The higher end boxes are more likely to get some new features because those were widely sold to large customers who are very pro-Cisco, and Cisco usually tries not to make those customers too unhappy.

The PIX is starting to look dated, but they're decent little boxes. They do what they claim and they are pretty reliable.

In my personal opinion, I see the small to medium enterprise market segment moving towards integration of router and firewall functions such that the market for a purely firewall box is going away. That is to say, I don't see how a PIX 501, 506, or 515 is a long term viable product, compared to a router with all that functionality built in. That's exactly what Cisco is pitching with the ISR series. It's only when you get into higher end networks that requirements and money make a standalone firewall more long-term viable.
 

irwincur

Golden Member
Jul 8, 2002
1,899
0
0
> I may lean towards a Nokia appliance (Checkpoint)

HAHAHA - junk.

Have fun working with that crap.

Personally Cisco is probably the way to go - for support if anything. The user base is just so much larger. However, Juniper does make some good equipment.
 

p0lar

Senior member
Nov 16, 2002
634
0
76
I've dealt with the PIX in hordes of scenarios -- in some it excels, in others it does not (i.e. Crypto, OMG RUN). I can't speak for Juniper's firewalls, but I'm an advocate of their higher end routers, especially when working with BGP.. exceptionally solid. I can't speak for the ASA though I've been approached to test it in a few odd scenarios (high-volume crypto VoIP). I'm not a huge fan of the Checkpoint software, but recognize that it can be easier to manage. I've had some major issues with CP's VRRP implementation in the past, but perhaps these are rectified. My personal favourite at the moment, and the one that seems to be evolving the fastest with vast amounts of flexibility, is OpenBSD. They need to do some serious work on their threading model to make it perform to the level of commodity hardware capabilities, not to mention a relatively steep initial learning curve and zero GUI for those that require it, but it has some amazing featuresets built into the GENERIC kernel and hardware support is increasing at a fantastic rate. I've plopped it on some old Nokia IP130 firewalls (formerly IPSO 3.8, IIRC) with excellent success, FWIW. If you're not into Unix, however, it's just not for you no matter which way you slice the pie.

At any rate, call a spade a spade -- the PIX is an x86 platform with a customized OS. I'm not sure if they actually changed the underlying OS in 7 or just the interface (5.x was nasty, 6.x improved, but wasn't exactly sync'd with IOS, and I really don't care about 7 at this point), but I think it was originally based on Plan9 Unix. (don't quote me on that...) One thing you can say for the PIX is that it is easily supported and much documentation exists though more and more leans towards handholding (typical CC[N[A,P],{xyz}] material now a daze) rather than the comprehension of theory. ($0.02 disclaimer)

See if you can get a 'demo' to work with, even if it's off-site. After all, if you're not comfortable with it, it will likely never be optimal and your TCO will drastically increase when there's a problem.

Good luck.
 