Author Topic: Netscreen product competing with Cisco ASA 5520  (Read 12436 times)

hazeen

Netscreen product competing with Cisco ASA 5520
« on: August 10, 2006, 07:37:59 am »
Hi,
I would like to know which netscreen product competes directly with Cisco ASA 5520.
I was going through the net and found Cisco themselves comparing it with the NetScreen 208, but I found the firewall throughput in the spec sheet to be less, and the ASA 5520 has got gigabit ports while the 208 got Fast Ethernet. So will that make any difference? Kind of confused. Which is the better product?  :?
thanks.

Frac

Re: Netscreen product competing with Cisco ASA 5520
« Reply #1 on: August 10, 2006, 07:57:50 am »
Hi,

Of course Cisco compares it with the NS208  :evil: !! (they want to come out of it looking best)

I would compare it with an SSG520/550 (these are the new platforms of Juniper).

greetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com

sebastan_bach

Re: Netscreen product competing with Cisco ASA 5520
« Reply #2 on: August 10, 2006, 06:08:49 pm »
Hi Hazeen, if you want a single box to handle SSL VPNs, IPS and support for endpoint security as a cost-effective solution, the ASA would be the better one. But surely feature-wise NetScreen is far ahead of the ASA. It depends what your network requirements are.

regards

sebastan

hazeen

Re: Netscreen product competing with Cisco ASA 5520
« Reply #3 on: August 10, 2006, 11:38:45 pm »
Hi guys,
Thanks for your reply. I was just checking out the specs and clearly the SSG has a better performance rating than Cisco, but I was wondering if it is overkill. The SSG looks like a chassis-based device while the Cisco isn't. And how would it be pricing-wise? Are there any specific features in NetScreen which I will not find in Cisco? Because I want to nail these points in my report to my management. Thanks again for your help.

sebastan_bach

Re: Netscreen product competing with Cisco ASA 5520
« Reply #4 on: August 11, 2006, 06:13:49 am »
In NetScreen I can list out a few for you. I think you should not only consider performance but also security testing reports; read the latest Miercom report which tested an NS-208 against an ASA 5520 with IPS card. The test report says it all: the ASA defeated NetScreen by a major difference in throughput and in preventing attacks.

The things NetScreen has and Cisco doesn't:

1) NetScreen supports using virtual routers for each zone, so you can filter routes easily between zones and also control traffic by controlling routes. In the PIX there is only a single routing table.

2) It supports source routing, policy-based routing, source-interface-based routing and BGP, which the ASA doesn't support.

3) Screen functions to prevent a good list of DoS attacks, not available in the ASA unless you are buying the IPS card with the ASA.

4) Route-based VPNs, again not in the ASA. In the ASA you can have site-to-site VPNs only on the basis of crypto maps.

5) Support for GRE on the tunnel interface to create a VPN with a Cisco router running GRE. This feature is not available in the ASA.

6) For active/active failover in the ASA you are forced to run contexts, which will disable running routing protocols and VPNs on that box. So that makes it a useless box.

7) NetScreen will provide you something called full-mesh active/active failover, which the ASA doesn't support.

8) In NetScreen by default everything is blocked; you need to permit the traffic. In the ASA by default everything is permitted from a higher security interface to a lower security interface, so you need to filter out all the incoming traffic.

9) Deep inspection signatures and anti-virus updates on NetScreen, not in the ASA unless you buy their expensive card for anti-virus or IPS.

10) In NetScreen you can do NATting matching IPs, ports and services. In the ASA you can do NATting matching only layer-3 information.

These are the major ones; there are many minor features also.

hope this helps.

regards

sebastan
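
A configuration sketch, added here and not taken from any poster, of the behaviour described in items 1 and 8 above: a ScreenOS zone on its own virtual router with nothing permitted until a policy says so, next to a Cisco ASA interface where the higher-to-lower security-level default has to be closed with an explicit access list. Interface, zone, virtual-router and object names are assumed, the 10.1.1.0/24 and 192.0.2.0/24 addresses are constructed, and lines starting with "!" are annotations rather than CLI input.

```text
! --- ScreenOS (NetScreen / SSG) ---
! "DMZ" is bound to its own virtual router, so it only sees routes that
! are deliberately leaked between trust-vr and dmz-vr (assumed names).
set vrouter name "dmz-vr"
set zone name "DMZ"
set zone "DMZ" vrouter "dmz-vr"
set interface ethernet0/2 zone "DMZ"
set interface ethernet0/2 ip 192.0.2.1/24
! Leak exactly one summary route in each direction, nothing else.
set vrouter "trust-vr" route 192.0.2.0/24 vrouter "dmz-vr"
set vrouter "dmz-vr" route 10.1.1.0/24 vrouter "trust-vr"
! Address object for the single host that may be reached.
set address "DMZ" "web-srv" 192.0.2.10 255.255.255.255
! With no policy defined, Trust -> DMZ is dropped (default deny).
! This one policy is the entire allowed surface; "log" makes the
! permitted sessions visible in syslog / NSM for later review.
set policy id 10 from "Trust" to "DMZ" "Any" "web-srv" "HTTP" permit log

! --- Cisco ASA (same topology) ---
! inside (100) -> dmz (50) is implicitly permitted by the security
! levels, so an ACL with a terminal logged deny is needed to get the
! same default-deny posture. Interface name and level are assumed.
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
access-list INSIDE_OUT extended permit tcp any host 192.0.2.10 eq www
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

The logged deny at the end of the ASA list is what gives you the same visibility into blocked traffic that the ScreenOS default policy logging provides, so both boxes can feed the same monitoring.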

hazeen

Re: Netscreen product competing with Cisco ASA 5520
« Reply #5 on: August 12, 2006, 04:44:59 am »
Thanks for your reply Sebastan, that was real help. But Frac said Cisco is comparing it with the NS 208 and not with the SSG, which has better firewall throughput than the ASA. I was wondering about the price difference. Definitely the SSG will be more costly, but by how much? BTW, the reason for my tilt towards NetScreen is because the competing team is pushing for the ASA, so we have to offer something similar from another brand :evil:
Thanks again Sebastan and Frac.

Frac

Re: Netscreen product competing with Cisco ASA 5520
« Reply #6 on: August 12, 2006, 08:33:44 am »
Hi hazeen,


- ASA only has one slot for AV OR IDP OR GIG card!!
- ASA doesn't have WAN interfaces.
- ETC

Price isn't an issue either, around ...

                       SSG 520     ASA 5520
List price FW          $6,500      $7,500
List price FW + IPS    $6,500      $15,500

                       SSG 550     ASA 5540
List price FW          $10,500     $16,500
List price FW + IPS    $10,500     $24,500

BUT I wouldn't look at price!! Those are indicators. What I would do is ask both vendors for a box and test it yourself  :-D

If something said above isn't correct, let me know  :-D

BTW Hazeen, they used the 208 for comparison because this box can't do AV/DI/antispam, and throughput isn't that good. (The NS208 is an older box.)

GreetZ,
Frac


« Last Edit: August 12, 2006, 08:37:07 am by Frac »
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com

sebastan_bach

Re: Netscreen product competing with Cisco ASA 5520
« Reply #7 on: August 12, 2006, 08:55:57 am »
Hi Frac, in the SSG series the IPS is just software based and doesn't have complete functionality as compared to a hardware-based IPS card in the ASA. What do you say, buddy?

regards

sebastan

Frac

Re: Netscreen product competing with Cisco ASA 5520
« Reply #8 on: August 12, 2006, 04:39:33 pm »
Hi Seb,

I don't believe the Cisco IPS is hardware based (because in the blade version, which is the same I think, it was a Linux OS with the IPS on it (hard disk on the blade)).

But I could be wrong about the ASA.

greetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com

sebastan_bach

Re: Netscreen product competing with Cisco ASA 5520
« Reply #9 on: August 13, 2006, 02:11:14 am »
Hi Frac, the ASA has the IPS card which gives the throughput for IPS processing. You can check the Miercom reports also. It's not software based.

regards

sebastan

sebastan_bach

Re: Netscreen product competing with Cisco ASA 5520
« Reply #10 on: August 14, 2006, 03:24:13 pm »
Hey Frac, I read about the SSG550; it supports only 4 interfaces by default, so how will I achieve full-mesh active/active? It requires a minimum of 6 interfaces for full-mesh active/active. Probably I will have to buy 2 more interfaces to get it done.

regards

sebastan

Frac

Re: Netscreen product competing with Cisco ASA 5520
« Reply #11 on: August 15, 2006, 04:54:44 am »
Hi seb,

Yes, you need to buy 2 more.

GreetZ,
Frac

JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com

signal15

Re: Netscreen product competing with Cisco ASA 5520
« Reply #12 on: August 16, 2006, 07:05:50 pm »
The ASA might be a good all-in-one device for a small office, but I found it to seem kind of hacked together. The firewalling part of it is still PIX, so if you've ever compared the NetScreen stuff to the PIX, you know which one is better. The whole security-level thing and the fact that it NATs everywhere by default are still there, and still annoying.

The IPS blade is integrated only in the respect that it relies upon the ASA chassis for power and a network connection; its configuration is still a completely separate thing. If I buy the IPS blade, and a couple of years down the road I want to replace just the firewall, I'm stuck either buying another ASA or purchasing a new IPS also. They might as well have just made the IPS blade a totally separate standalone unit; it would give me more flexibility, and it locks me into Cisco the way it is now. Cisco's central management product is nowhere near NSM either.

The only thing the ASA has going for it is the addition of SSL VPN. It's not a particularly good implementation, as you are somewhat limited on the types of rewrite rules you can put into it, and the functionality that allows you to actually get an IP on the remote network only works with Windows.

Cisco compares it to the 208 because if they compared it to the SSG 520, they would look bad. The 520 has better throughput. If you're looking at the ASA with IPS card, my thought is to look into the ISG 1000 with IPS card, and get the cheapest Juniper SSL VPN box (around $4k I think). It might cost a bit more, but you'll have better functionality across the board.

I had an ASA box a couple of weeks ago and was going to write a detailed review with throughput and all that, but I only got to keep it for a couple of days and didn't have time to do any thorough testing.

hazeen

Re: Netscreen product competing with Cisco ASA 5520
« Reply #13 on: August 19, 2006, 11:30:20 pm »
Hi guys,
Thanks a lot for your comments and suggestions :-D. I am compiling all these suggestions and putting them to my manager.
Again thanks,
Hazeen

beefcake

Re: Netscreen product competing with Cisco ASA 5520
« Reply #14 on: August 20, 2006, 10:09:26 pm »
I have been reading through all of the posts on NetScreen versus ASA, and helpful it is, but my biggest fear lies in the support arena. I have heard many posts here and on the Net about poor support for NetScreen in general and for configuration, and the amount of data on the Net is severely lacking in comparison to Cisco's devices. Anyone have any input on this???

Thanks to everyone.

sebastan_bach

Re: Netscreen product competing with Cisco ASA 5520
« Reply #15 on: August 21, 2006, 01:00:26 am »
Hi, if you try to compare documentation and configuration examples then no one can beat Cisco documentation and support. Cisco's support is fast and quick and very responsive.

regards

sebastan

Frac

Re: Netscreen product competing with Cisco ASA 5520
« Reply #16 on: August 21, 2006, 03:03:07 am »
Hi,

If you get all the certifications done, you get direct advanced JTAC access; this speeds up the support too!

For documentation, I never found a better, more complete doc than the Concepts and Examples guide Juniper has for its security devices. Everything is in there.

greetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com

signal15

Re: Netscreen product competing with Cisco ASA 5520
« Reply #17 on: August 21, 2006, 11:56:47 am »
I don't really prefer one over the other, they both have their problems, and they both have good aspects.  Neither Cisco nor Juniper support sucks, so I don't think it's really an issue.

sighup9

Re: Netscreen product competing with Cisco ASA 5520
« Reply #18 on: August 30, 2006, 04:31:13 pm »

Cisco compares it to the 208 because if they compared it to the SSG 520, they would look bad.  The 520 has better throughput.  If you're looking at the ASA with IPS card, my thought is to look into the ISG 1000 with IPS card, and get the cheapest Juniper SSL VPN box (around $4k I think).  It might cost a bit more, but you'll have better functionality across the board. 


Agree 100% regarding VPN. Juniper SSL VPN works quite well, particularly if you have a mix of Linux, Mac, Unix and/or Windows clients. I've not tried Juniper IPS cards (deployed OneSecure long ago, now Juniper IDS).