Netscreen product competing with Cisco ASA 5520



  • Hi,
    I would like to know which netscreen product competes directly with Cisco ASA 5520.
    I was going through the net and found Cisco themselves comparing it with the NetScreen 208, but I found the firewall throughput in the spec sheet to be less. And the ASA 5520 has got gigabit ports while the 208 got Fast Ethernet, so will that make any difference? Kind of confused. Which is the better product?  :?
    thanks.



  • @signal15:

    Cisco compares it to the 208 because if they compared it to the SSG 520, they would look bad.  The 520 has better throughput.  If you’re looking at the ASA with IPS card, my thought is to look into the ISG 1000 with IPS card, and get the cheapest Juniper SSL VPN box (around $4k I think).  It might cost a bit more, but you’ll have better functionality across the board.

    Agree 100% regarding VPN. Juniper SSL VPN works quite well, particularly if you have a mix of Linux, Mac, Unix and/or Windows clients. I’ve not tried Juniper IPS cards (deployed OneSecure long ago - now Juniper IDS).


  • administrators

    I don’t really prefer one over the other, they both have their problems, and they both have good aspects.  Neither Cisco nor Juniper support sucks, so I don’t think it’s really an issue.


  • Engineer

    Hi,

    If you get all certifications done, you get direct advanced JTAC access; this speeds up the support too!

    For documentation, I never found a better, more complete doc than the Concepts and Examples guide Juniper has for its security devices. Everything is in there.

    greetZ,
    Frac



  • Hi, if you try to compare documentation and configuration examples then no one can beat Cisco documentation and support. Cisco’s support is fast and quick and very responsive.

    regards

    sebastan



  • I have been reading through all of the posts between NetScreen and ASA and helpful it is, but my biggest fear lies in the support arena.  I have heard many posts here and on the Net about poor support for NetScreen in general and configuration, and the amount of data on the Net is severely lacking in comparison to Cisco’s devices.  Anyone have any input on this???

    Thanks to everyone.



  • Hi guys,
    Thanks a lot for your comments and suggestions :-D. I am compiling all these suggestions and putting it to my manager.
    Again thanks,
    Hazeen


  • administrators

    The ASA might be a good all in one device for a small office, but I found it to seem kinda hacked together.  The firewalling part of it is still PIX, so if you’ve ever compared the NetScreen stuff to the PIX, you know which one is better.  The whole security level thing and the fact that it NATs everywhere by default is still there, and still annoying.

    The IPS blade is integrated only in the respect that it relies upon the ASA chassis for power and a network connection; its configuration is still a completely separate thing.  If I buy the IPS blade, and a couple of years down the road I want to replace just the firewall, I’m stuck either buying another ASA or purchasing a new IPS also.  They might as well have just made the IPS blade a totally separate standalone unit; it would give me more flexibility, and it locks me into Cisco the way it is now.  Cisco’s central management product is nowhere near NSM either.

    The only thing the ASA has going for it is the addition of SSL VPN.  It’s not a particularly good implementation, as you are somewhat limited on the types of rewrite rules you can put into it, and the functionality that allows you to actually get an IP on the remote network only works with Windows.

    Cisco compares it to the 208 because if they compared it to the SSG 520, they would look bad.  The 520 has better throughput.  If you’re looking at the ASA with IPS card, my thought is to look into the ISG 1000 with IPS card, and get the cheapest Juniper SSL VPN box (around $4k I think).  It might cost a bit more, but you’ll have better functionality across the board.

    I had an ASA box a couple weeks ago and was going to write a detailed review with throughput and all that, but I only got to keep it for a couple of days and didn’t have time to do any thorough testing.


  • Engineer

    Hi seb,

    yes you need to buy 2 more.

    GreetZ,
    Frac



  • Hey Frac, I read about the SSG550; even it supports only 4 interfaces by default, so how will I achieve full mesh active/active? It requires a minimum of 6 interfaces for full mesh active/active. Probably I will have to buy 2 more interfaces to get it done.

    regards

    sebastan



  • Hi Frac, the ASA has the IPS card which gives the throughput for IPS processing. You can check the Miercom reports also. It’s not software based.

    regards

    sebastan


  • Engineer

    hi seb,

    I don’t believe the Cisco IPS is hardware based (because in the blade version, which is the same I think, it was a Linux OS with IPS on it, on a hard disk on the blade).

    But I could be wrong about the ASA.

    greetZ,
    Frac



  • Hi Frac, in the SSG series the isp or ips is just software based and doesn’t have complete functionality as compared to a hardware based IPS card in the ASA. What do you say, buddy?

    regards

    sebastan


  • Engineer

    Hi hazeen,

    • ASA only has one slot for AV OR IDP OR GIGcard!!
    • ASA doesn’t have WAN interfaces.
    • ETC

    Price isn’t an issue either, around …

                             SSG 520     ASA 5520
    List price FW            $6,500      $7,500
    List price FW + IPS      $6,500      $15,500

                             SSG 550     ASA 5540
    List price FW            $10,500     $16,500
    List price FW + IPS      $10,500     $24,500

    BUT I wouldn’t look at price!! Those are indicators. What I would do is ask both vendors for a box and test it yourself  😄

    If something I said above isn’t correct, let me know  😄

    BTW Hazeen, they used the 208 for comparison because this box can’t do AV/DI/antispam, and throughput isn’t that good. (The NS208 is an older box.)

    GreetZ,
    Frac



  • Thanks for your reply Sebastan, that was real help. But Frac said Cisco is comparing it with the NS 208 and not with the SSG, which has better firewall throughput than the ASA. I was wondering about the price difference. Definitely the SSG will be more costly, but by how much? BTW, the reason for my tilt towards NetScreen is because the competing team is pushing for ASA, so we have to offer something similar from another brand :evil:
    Thanks again Sebastan and Frac



  • In NetScreen I can list out a few for you. I think you should not only consider performance but also security testing reports, like the latest Miercom report which tested an NS-208 against an ASA 5520 with IPS card; the test report says it all. ASA defeated NetScreen by a major difference in throughput and preventing attacks.

    The things NetScreen has and Cisco doesn’t:

    1) NetScreen supports using virtual routers for each zone, so you can filter routes easily between zones and also control traffic by controlling routes. In PIX there is only a single routing table.

    2) It supports source routing, policy-based routing, source-interface-based routing and BGP, which ASA doesn’t support.

    3) Screen functions to prevent a good list of DoS attacks, not available in ASA unless you are buying the IPS card with ASA.

    4) Route-based VPNs, again not in ASA. In ASA you can have site-to-site VPNs only on the basis of crypto maps.

    5) Support for GRE on the tunnel interface to create a VPN with a Cisco router running GRE. This feature is not available in ASA.

    6) For active/active failover in ASA you are forced to run contexts, which will disable running routing protocols and VPNs on that box. So that makes it a useless box.

    7) NetScreen will provide you something called full mesh active/active failover, which ASA doesn’t support.

    8) In NetScreen by default everything is blocked; you need to permit the traffic. In ASA by default everything is permitted from a higher security interface to a lower security interface, so you need to filter out all the incoming traffic.

    9) Deep inspection signatures and anti-virus updates on NetScreen, not in ASA unless you buy their expensive card for anti-virus or IPS.

    10) In NetScreen you can do NATting matching IPs, ports and services. In ASA you can do NATting matching only layer 3 information.

    These are the major ones; there are many minor features also.

    Hope this helps.

    regards

    sebastan
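Point 8 in the post above (zone-based default deny versus interface security levels with an implicit high-to-low permit) is easy to misjudge when auditing a ruleset. The following is an added illustration, not code from this thread, from ScreenOS or from the ASA; it is a constructed model of the two policy behaviours the post describes, with made-up interface names, security levels and sample flows. It also includes a small audit helper that lists the interface pairs whose traffic is allowed only by the security-level default, which is exactly the traffic a defender would want to put an explicit access list in front of.

```python
"""Toy model of two firewall default-policy behaviours (constructed example).

Assumptions (not vendor syntax):
  - zone model: traffic between two zones is dropped unless a policy matches
  - security-level model: traffic from a higher-level interface to a lower-level
    one is allowed when no access list is bound to the ingress interface;
    a bound access list is evaluated top-down and ends in an implicit deny.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_if: str   # ingress interface / zone name
    dst_if: str   # egress interface / zone name
    proto: str    # "tcp", "udp", ...
    dport: int


@dataclass
class ZoneFirewall:
    """Default deny: only explicitly permitted zone-to-zone traffic passes."""
    # src_zone -> list of (dst_zone, proto or "any", dport or None for any)
    policies: dict = field(default_factory=dict)

    def permit(self, src_zone, dst_zone, proto="any", dport=None):
        self.policies.setdefault(src_zone, []).append((dst_zone, proto, dport))

    def allows(self, f: Flow) -> bool:
        for dst, proto, dport in self.policies.get(f.src_if, []):
            if dst == f.dst_if and proto in ("any", f.proto) and dport in (None, f.dport):
                return True
        return False  # no policy matched: implicit deny


@dataclass
class LevelFirewall:
    """Security levels: high-to-low is implicitly permitted unless an ACL is bound."""
    levels: dict                                # interface -> level 0..100
    acls: dict = field(default_factory=dict)    # interface -> [(action, proto, dport)]

    def allows(self, f: Flow) -> bool:
        acl = self.acls.get(f.src_if)
        if acl is not None:
            for action, proto, dport in acl:
                if proto in ("any", f.proto) and dport in (None, f.dport):
                    return action == "permit"
            return False  # bound ACL: implicit deny at the end
        # No ACL bound: the security levels alone decide.
        return self.levels[f.src_if] > self.levels[f.dst_if]


def unfiltered_pairs(fw: LevelFirewall):
    """Audit helper: (src, dst) pairs whose traffic passes purely by security level."""
    pairs = []
    for src, src_lvl in fw.levels.items():
        if src in fw.acls:
            continue  # an ACL is bound, so traffic from here is explicitly filtered
        for dst, dst_lvl in fw.levels.items():
            if src != dst and src_lvl > dst_lvl:
                pairs.append((src, dst))
    return sorted(pairs)


def demo():
    # Constructed sample flows: only the first one is explicitly permitted.
    flows = [
        Flow("inside", "outside", "tcp", 443),
        Flow("dmz", "outside", "tcp", 25),
        Flow("dmz", "inside", "tcp", 445),
    ]
    zone_fw = ZoneFirewall()
    zone_fw.permit("inside", "outside", "tcp", 443)
    level_fw = LevelFirewall(levels={"inside": 100, "dmz": 50, "outside": 0})
    return {
        "zone": [zone_fw.allows(f) for f in flows],     # [True, False, False]
        "level": [level_fw.allows(f) for f in flows],   # [True, True, False]
        "unfiltered": unfiltered_pairs(level_fw),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second flow (SMTP out of the DMZ) is the interesting one: the zone model drops it because nobody wrote a policy for it, while the level model lets it through because 50 is greater than 0. Binding even a single-line access list to the DMZ interface changes that to an explicit deny, which is why `unfiltered_pairs` is worth running against any ruleset built on the security-level model.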



  • Hi guys,
    Thanks for your reply. I was just checking out the specs and clearly the SSG has a better performance rating than Cisco, but I was wondering if it is overkill. The SSG looks like a chassis-based device while the Cisco isn’t. And how would it be pricing wise? Are there any specific features in NetScreen which I will not find in Cisco? Because I want to nail these points in my report to my management. Thanks again for your help.



  • Hi Haseem, if you want a single box to handle SSL VPNs, IPS and support for endpoint security with a cost effective solution, the ASA would be the better one. But surely feature wise NetScreen is far ahead of the ASA. Depends what your network requirements are.

    regards

    sebastan


  • Engineer

    HI,

    Of course Cisco compares it with the NS208  :evil: !! (They want to come out of it as the best.)

    I would compare it with an SSG520/550. (These are the new platforms of Juniper.)

    greetZ,
    Frac


 
