Which Branch Router or Firewall to Buy?
By stretch | Tuesday, October 23, 2012 at 1:36 a.m. UTC
I work for a managed services provider, and am often tasked to evaluate the equipment in place at new customer sites and make recommendations for replacements as appropriate. We support a number of different makes and models of edge device, including:
- Cisco routers (ISR G1/G2)
- Cisco ASA firewalls
- Juniper (JunOS) routers
- Juniper SSG/Netscreen firewalls
- Adtran routers and multilayer switches
- Sonicwall (Dell) firewalls
While our customers benefit from our extensive platform support, it does place a burden on our field engineers. They must know how to configure a VPN tunnel, for example, on not just Cisco IOS, but also on flavors of ASA, Netscreen, Adtran, and Sonicwall operating systems. While this isn't an unreasonable expectation of a network engineer, it does shrink our potential candidate pool for new hires: It's much easier to find someone with experience specifically with Cisco or Juniper products than who has measured exposure to half a dozen platforms.
Another drawback is that the overwhelming choice complicates the process of recommending new or replacement equipment. Suppose you need to order an edge device for a new customer site with 30 users, a T1 circuit to an MPLS VPN, and a broadband Internet circuit with point-to-point VPN overlay. Do you recommend a Cisco 1921, an ASA 5505, a Juniper SSG5, an Adtran NetVanta 3448, or a Sonicwall NSA 240? While these are all generally comparable devices, there are obviously many differences among them, and keeping track of the details is no trivial chore.
Cisco Routers (ISR G2 Series)
I prefer deploying Cisco 1900 and 2900 routers at small- and medium-sized branch offices because they're so versatile and well-established. I can configure BGP, EIGRP or OSPF, point-to-point or policy-based VPN tunnels, firewalling (through IOS Zone-Based Firewall), SLA tracking, and numerous other critical features on a single device with a single point of management and configuration. And Cisco IOS is what most novice network engineers are familiar with given Cisco's prevalence in the market and their extensive certification tracks.
Of course, the major downside to Cisco is cost. Consider a Cisco 1921 router. While base hardware (the router itself) is arguably cheap, the licensing and accessories quickly pile on. Even economizing on the bundle package with the SEC license and a single T1 WIC can run you $1500 before SMARTnet. But wait, you want IP SLA tracking?
You'll need to fork over another couple hundred dollars for the data license as well. Correction: IP SLA tracking is provided by both the SEC and DATA licenses (but not by the base license).
Many of our smaller customers are very focused on price and balk at the up-front expense of Cisco gear, especially when paired with a three-year support contract.
Cisco ASA 5500
The ASA 5500 series (and before it, PIX) has been around a long time and garnered a decent fan base. However, with the introduction of ZBF on IOS, the division between router and firewall becomes more blurred. ASAs are great for high availability pairing and remote access through inexpensive SSL VPN connectivity, but are otherwise weak in feature parity compared to a integrated services router which can accommodate various media types and run BGP. ASA also supports IDS/IPS functionality, but I haven't had the opportunity to play with it.
Juniper (JunOS) Routers
JunOS is great. It's extremely structured, robust, and elegant. Unfortunately, it's also a pain in the ass to learn for someone with a background in Cisco IOS. Configuration is comparatively tedious (until you get the hang of it) and the configuration file can be overwhelming. Juniper does have a great free self-paced training course called JunOS as a Second Language, but like any worthwhile training it takes time and effort that overworked and/or lazy engineers simply don't have. This results in a chicken-and-egg problem for me: I can't deploy Juniper routers until I have engineers who can support the devices, but I can't get people trained without the hardware to work on. Factor in the price, which is comparable to (if not more than) an equivalent Cisco device, and there just hasn't been much incentive to expand on the platform.
These are a favorite among our engineers. They don't do a whole lot but they're good at what they do. Having a mature web UI and CLI allows newbies to go at their own pace while more experienced engineers can script out what they want. The price point of the SSG5 is attractive to customers as well. The major downside of the SSG series is that its operating system and command syntax aren't portable: Engineers can't leverage a knowledge of ScreenOS commands when configuring another non-ScreenOS platform (in contrast to Cisco IOS and Adtran, for example).
Adtran seems to do everything, and that's part of my problem with them. While device integration is generally a good thing, having a T1 in my multilayer switch just feels unnatural. I've also run into issues with Adtran multilayer switches apparently resulting from limited field testing. For example, when all of the physical interfaces assigned to a given VLAN are down, one would expect the routed SVI for that VLAN to also go down. Such is not the case, at least with the model of Adtran switch I was testing. This resulted in an inability to implement reliable failover routing at a customer site. Adtrans have a decent price point and are very IOS-like, but stepping off the beaten path on the platform can get you into trouble.
I'm not a big fan of Sonicwalls. My number one complaint? No command line. How am I supposed to take your devices seriously without a robust command line? The web interface is decent enough, and their built-in WAN failover feature is certainly nice, but the lack of a CLI or human-friendly configuration file means I can't parse and templatize configs. Which means I'm not interested.
One of my goals for the coming year is to start limiting the number of platforms we support moving forward. This will help us focus our training and standardization efforts, and help simplify the ordering process for account managers. I intend to lean heavily on the Cisco portfolio due to their breadth, engineers' collective experience (and yes, personal bias). I'll also have to include one or two alternatives with lower up-front costs, simply because customers will demand it. Which devices would you choose? Have I given a particular vendor an unfair wrap? Someone I left out? Let me know.
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in Design
October 23, 2012 at 2:20 a.m. UTC
have you looked at Juniper's SRX line? they start off pretty cheap MSRP. I think an SRX100 high end is maybe MSRP $1000 US, and the support is dirt cheap like $60/year MSRP. Extensive routing and firewall feature set, and mostly decent switching features. GUI is nowhere near as good as ScreenOS though. but learn how to configure routing and switching on an SRX and you can transition nearly all of it to their other Junos-based products.
October 23, 2012 at 2:20 a.m. UTC
Going to perhaps make things worse with another vendor suggestion. Have a look at Mikrotik. I'm hearing they're picking up a lot of business lately due to very low cost and decent performance.
October 23, 2012 at 3:26 a.m. UTC
I've used IOS firewalls, ASAs and would prefer SRX.
The rest I can't comment as I haven't tried them yet.
October 23, 2012 at 3:48 a.m. UTC
Will - SRX would be what I would equate Stretch's JunOS entry to represent.
Stretch - I hear you re the advantages of an ISR with ZBFW but my experience with them is that:
a. they're a bear to setup - even with CCP
b. the community knowledge of ZBFW doesn't compare vs. ASA (by an order of magnitude).
So, my answer is an ASA firewall for firewall (and VPN) features and a router (for routing) in front of it. If the requirements are very basic, one can "route" out the ASA firewall with a default gateway but don't rely on an ASA for any real routing (except perhaps some -very- basic EIGRP or OSPF).
Just my 2 cents....
October 23, 2012 at 4:13 a.m. UTC
Don't forget QoS capabilities!
October 23, 2012 at 4:39 a.m. UTC
The whole idea that even a small company would balk at $1500+ for a device with 3 years support is strange to me. First they get to write almost that entire amount off as a cost of business and they get to average that over the 3 years!!! Second $1500+ one time fee for gear that will last them 4-5+ years with little intervention also doesn't seem to be a bad investment. I am sure those small companies employee either a in house or external net/sys admin that will spend hours fixing users email/workstations and the cost of the router/managed internet is small compared to those expenses, and again the companies gets to write that off.
As far as the hardware goes I don't think you can go wrong with either Juniper/Cisco, If they paid me to support Adtran/Sonicwall I would recommend going to Juniper/Cisco :)
just me two cents.
October 23, 2012 at 5:22 a.m. UTC
Hey I have been in your hiring situation before. I tend to find that Juniper guys also know cisco but not the other way around.
I also find you have to pay more for juniper guys as they tend to have better all round skills.
In saying that when the SRX range came out we nearly ditched Juniper all togetehr as it was so buggy
October 23, 2012 at 6:17 a.m. UTC
For small-medium deployments check the open source pfsense firewall. It does a good job its pretty quick, easy to setup and maintain and with a small cost. There are also vendors who make appliances with it. I have deployed a couple of those and for smb it is a very cool solution.
October 23, 2012 at 6:29 a.m. UTC
I prefer Cisco ISR, even though I have limited Juniper experience and no Adtran experience I'm pretty confident saying they are the most versatile. ASA are alright, but limited. I'm also not a fan of anything that doesn't have a console port and a decent command line, so no Sonicwall. My employer sells quite a bit of WatchGuard, which fall in with Sonicwall to me.
As far as cost goes, maybe you should look into the 800 series ISRs. I grabbed some list pricing with 3 years 8x5xNBD SmartNET on each as a comparison and they seem pretty reasonable:
ASA5505 (50 users) - ~$1150
881 ISR (Advanced IP Services) - ~$950
891 ISR (Advanced IP Services) - ~$1450
I run an 881 as my home router and have been pleased with it.
As for Marv's comment on ZBFW. If you don't stick to a convention the config can get out of control (true of many things), but I really like ZBFW. I once tried to configure it with CCP to see whether it would be an option for my less CLI minded coworkers; found it to be near unusable and the generated config was horribly unintuitive.
October 23, 2012 at 6:29 a.m. UTC
I've been into this for about 6 years now and here are my thoughts:
- ISR are good but pretty expensive and CCP is still not that good as ASDM. This might be the Cisco way to drive you to ASA if you require firewall for medium & large networks
- ASA is still the most classic&flexible firewall although it's tricky in advanced setup and as you mentioned can be replaced by an edge router for branch locations
- SSG is legacy and its CLI, of you didn't mention it is the worst I ever encountered: you cannot delete any char you mistype, sniffing from it looks like Matrix, horrendous
- SRX is the next step and you are right, JUNOS is great and powerful; if only Juniper will invest more money "in education"...
- last but not least I will add on this list Fortinet, it can be bought without UTM services and offers good firewall and free SSL VPN with very good performance for the money you pay for it. CLI and GUI are good, nevertheless "education" is very poor and are not that popular.
October 23, 2012 at 8:00 a.m. UTC
No love for Fortigates?
Solid performance, great webUI, CLI for speed and portability, content-filtering, great set of features overall.
I also really like how its SSL-VPN feature does not require any license to implement.
October 23, 2012 at 8:39 a.m. UTC
Checkpoint and stonesoft ones?
Maybe they are too expensive...
October 23, 2012 at 10:05 a.m. UTC
I reckon you can give the HP product a whirl as well. You got the two flavours the procurve and the old H3C. Of course the H3C (supporting comware as operating sysstem) is the obvious choice, due to the lack of support of MPLS / BGP on Procurve.
But for a LAN enviroment the Procurves work quite well, and is relatively cheap
October 23, 2012 at 10:34 a.m. UTC
You have forgotten a new player on this game, and from my point of view these are the weapons of choice now: The Palo Alto Networks PA200
You should give them a try.
October 23, 2012 at 10:53 a.m. UTC
It all comes to what customer needs.
If we are talking about pure router functionality within corporate environments and customer is willing to pay:
1: choice – Cisco ISR (proven values and predictability)
If not so much $:
2: choice – Juniper SRX (cheaper choice, unparalleled feature-set and versatility. Swiss knife – if we count int even UTM features [which might work better]).
Yes, you have to learn junos (as web-UI should be improved greatly - in terms of speed).
My story with JunOS. I got a Project built with ~50+ devices (with almost no prior knowledge but 5+ years as a cisco guy). And within 2 months I felt so comfortable that was able to pass even junos certification. So claiming, that Junos is not IOS and we discount it as an option – in my opinion – unacceptable. You have Juniper DayOne books, KB, free web presentations for free. And can build fully functional simple lab with only one(!!!) srx.
We use SSG devices as well. Mostly due to the two reasons:
- Even cheaper than SRX’es
- ScreenOS driven, proven stability and security
However, you have to remember that ScreenOS is yet another beast to learn if you want to get comfortable with it from CLI.
As for the Firewall of choice
1 – JuniperSRX – flexibility, stability, ease of use. [ UTM functionality / L7 fw… you have to look up close and carerfully what features to enable and how it will impact system performance]. [also as a downside - remote vpn possibilities. No native remote - ssl/ipsec. And for dyn-vpn you need licences]
2 – Cisco ASA – (place#2, because of the price).
3 – Fortigate- +++ UTM configuration possibilities and quite simple
To sum up.
Juniper SRX is a perfect choice in small–to mid range enterprise. Versatility in both routing and firewalling are awesome. (just to have look carefully working with UTM functionality – it definitely requires more improvement)
But in our environments now becoming almost first choice.
October 23, 2012 at 12:24 p.m. UTC
"SSG is legacy and its CLI, of you didn't mention it is the worst I ever encountered: you cannot delete any char you mistype"
Don't blame the SSG for your inability to configure your terminal to send ^H when you press the delete key. ScreenOS has many other command line quirks, but inability to delete ain't one of them :-)
That said, I wouldn't deploy any ScreenOS devices now because the legacy comment is absolutely correct. SRX is where it's at now.
October 23, 2012 at 1:19 p.m. UTC
I have been evaluating the use of Meraki hardware. It seems to be a good fit for small remote sites with limited support. At first I had some hesitation but their products seem to work pretty well so far. I haven't used them in a production network but think it will just fine.
October 23, 2012 at 3:01 p.m. UTC
Have a look at the Juniper SRX family. I'm seeing increased performance with substantially less spend than a Cisco isr2. I'm using them as a CPE: nat, bgp, bfd and some acls and it all works great. We had to buy the data license for the isr2 to get bfd, on the juniper much more is included.
I was Cisco only up to that point, and now, some modest amount of time later, I hate working on ios boxes. Even IOS XR seems primitive in comparison to me.
October 23, 2012 at 3:27 p.m. UTC
Fortigage 100 and 200 series are great... They have both CLI and GUI to work on.
October 23, 2012 at 3:28 p.m. UTC
For small clients the offerings from Mikrotik are hard to beat for the price. I sometimes wonder why their products are not given more of a chance in small production environments. For example that $1,500+ offering from Cisco could be had for $200 - $300 or less from Mikrotik.
October 23, 2012 at 4:29 p.m. UTC
Watchguard, despite my not so good history with them a long time ago, make their living in the branch firewall/access business. They have a very nice central manager for all their product where you can template and deploy changes easily. They also have tons of options and are cheap.
October 23, 2012 at 7:12 p.m. UTC
As regards your customers that balk at the price of security gear, they need to consider how much a breech would cost them before outright rejecting any particular solution.
Is there a specific reason Check Point was omitted from your list? I currently support Cisco, Check Point and Juniper firewall gear. Check Point is by far the most stable and flexible of the three. Granted, CP is costly to initially purchase and also for ongoing support, but wins hands down as a security solution in my experience. ScreenOS is a good choice for small shops with limited means and functions. It seems to fit best for the scenarios you describe and the resources you have at hand.
I lived IOS for 12 years prior to focusing on security for the past 6. IOS is fabulous for network switching/routing, not so great for dedicated security applications, particularly on edge devices. This discussion on Cisco vs Check Point may be of interest:
October 24, 2012 at 3:17 a.m. UTC
Have you looked into Brocade?
October 24, 2012 at 12:28 p.m. UTC
October 24, 2012 at 2:24 p.m. UTC
I can certainly understand the desire to support Juniper as they do produce a decent product. That said, I am hesitant right now to recommend Juniper while they as a company are being shopped around for sale. I am of the opinion that I will wait and see who purchase them, and see what the new companies plans are before moving forward.
October 24, 2012 at 5:48 p.m. UTC
Great article Stretch, there are a myriad of options out there but you've done a good job of covering the popular options. Many Network teams including my own, see no reason to leave the Cisco Kool-Aid, even at its high price.
October 25, 2012 at 2:44 p.m. UTC
To Will Hogan's point, new Sonicwalls do have a CLI, but it's not 100% command complete with the GUI yet. You can do most of the regular stuff, but there are still some advanced options that are only available in the GUI. See the guide here: http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=406&dl=1
October 26, 2012 at 2:47 a.m. UTC
I definitely agree that limiting the spectrum of vendors and solutions offered tilts skill sets to the 'specialty' side of the scale.
While Juniper was cited as having some product disparity, Cisco products are certainly not devoid of similar grievances.
For example: The ASA (esp 5505) and ISR security modules have a lot of feature overlap including the CLI. Configurations from the command line can be MUCH different between the two because of the differing architectures. This sometimes leads to frustration and delays, analogous to how I feel working with the differences in terminals on BSD (Mac) and Fedora, for even the most menial tasks such as changing file permissions or mounting volumes.
October 26, 2012 at 9:55 p.m. UTC
Juniper SRX is very good product. Specially with rescue config feature. This saved as several times. Also, compare to Cisco, they are cheap and its having more Fe and GigE ports compared to Cisco. We are using mostly SRX220, as its cheap and can do MLPPP. But if we need powerful, we go SRX 240. Even providing hosted firewall service on SRX240. These things are quite powerful and works pretty well. And after using Juniper for while, nobody in our company wants to work on Cisco!!!
October 27, 2012 at 5:14 p.m. UTC
I like Edgewater Networks Edgemarc. It's main purpose is to be a VOIP SBC (sip router/firewall) but it works GREAT as a firewall. I've been able to build an ipsec vpn tunnel between it and other firewalls (sonicwall, tippingpoint x5, and watchguard) but with other firewalls I haven't had that kind of compatibility. The throughput is good as well (at least up to 10megabit, that's the most bandwidth I've used one on). This is to be expected considering that voip is very susceptible to jitter and any kind of delay.
It has an easy to use web interface, but also runs linux underneath (accessible via ssh).
October 28, 2012 at 8:09 p.m. UTC
As others have mentioned, the Juniper SRX line is really good. The few cons i don't like are:
- Huge configuration file, must always filter the output;
- Copy/Paste from notepad is not so swell as on Cisco IOS. In example, to create 1 destination NAT rule i must copy a single line into Cisco configuration while i must copy 4 of them into JunOS. If you need to insert many similar rules, it will be a burden;
- IPSec VPN debugging outputs could've been better. It's worse than to read some dry RFC.
And they are not that buggy anymore, can live with JunOS10.4++ :)
October 28, 2012 at 11:51 p.m. UTC
Wow, to find a single individual conversant in all of those brands. Tough one to be sure. 80% of that market worldwide is pretty much dominated by Cisco, so I don't think it's a bad bet to begin one's concentration there. So given the choice, after the CCNP which areas with which vendors would you guys pursue to add to your skill sets?
October 30, 2012 at 5:40 p.m. UTC
+1 for Palo Alto Networks.
Competitive pricing, myriad of features, and a very intuitive GUI in addition to structured, JUNOS-like CLI.
October 31, 2012 at 8:56 p.m. UTC
I've had great luck with using ADTRAN devices for routers and firewalls. They are extremely versatile devices. The pricing makes them much more attractive than Cisco. They also support their devices with updates without the need of a Smartnet like support contract. I've sent many questions directly to their engineering and support via email and have always got a response in hours.
Stretch definitely brings up a good point that if you're used to Cisco there will be some differences that you'll need to learn. Their IAD products are reliable and cheap compared to Cisco.
Their multilayer switches are different from Ciscos they do not support addresses on physical interfaces. I prefer to refer to them a layer 3 lite. The 1335 is extremely flexable; router, switch, poe, and vpn for under $1500? Great devices for hosted phone systems and small branch offices.
Supporting the hardware you sale without asking for a credit card for software updates means a lot to me.
November 3, 2012 at 4:22 a.m. UTC
Palo Alto Networks +1
Great WebUI, very easy to use and fast compare to JWeb on Juniper SRX
Decent VPN clients, it is very easy to use compare to Juniper SRX Dynamic VPN (WHAT A JOKE)....
Central Management is great
CLI needs improvement, the CLI could be much better with better cut and paste config ability.
Lack of decent SNMP support.
If you are using ScreenOS, the learning curve is not that bad..
Very buggy software,
Poor documentation, lack of best practice guide
Support is okay not the fastest in respond to issues or fixing bugs.
November 6, 2012 at 9:31 a.m. UTC
Nice approach to understanding the ROI. My Cisco centric team also loves Fortinet boxes. They perform well for the UTM functionality + routing failover with OSPF domain extended into the perimeter devices.
November 6, 2012 at 8:04 p.m. UTC
What about ordinary servers with OpenBSD?
November 7, 2012 at 2:11 p.m. UTC
What, no mention of Palo Alto?
November 11, 2012 at 3:13 a.m. UTC
Does anybody else seem to think the VPN config for the SRX is overly complicated and very huge?
November 14, 2012 at 8:00 p.m. UTC
We can discuss for years which device is better. Some folks take Cisco and Juniper or other vendor and make a religion of them.
At some point you need to pick a few products and stick with them until the market changes. In traditional networking (switches, routers, firewalls) Cisco still has a very high market share. If you decide not to deploy or support Cisco, you will lose customers. Juniper is second, with everyone else trailing behind.
Stick with the top two or three and watch market trends and adjust.
On a technical side, I have deployed both Cisco (ISR, Catalyst, Nexus, and PIX/ASA) and Juniper (SRX, J-series, EX, and ScreenOS). Unless you are building an extreme low latency, high-bandwidth, high-transaction infrastructure, you can pick Cisco, Juniper, Brocade or any other vendor and successfully deploy if you are competent with that specific vendor. In a normal office deployment it comes down to cost and/or management's preference.
Some specifics about Junos devices that I personally do not like:
EX switches do not survive power outages 50% of time. Luckily, 10.x code and above has a backup partition. 12.x code might have a built in option to recover a corrupted partition.
HA in SRXs makes both firewalls act as a single logical device. It is good unless you have to upgrade. In-service upgrade (3400s and above) has caveats based on code release and options you are running. Unlike Netscreen or ASA, which have two boxes sharing state, if you screw up an SRX upgrade be ready for a long downtime. With ASAs you can always upgrade one box at a time.
November 25, 2012 at 10:26 p.m. UTC
I have tested for 3 months some equipment (router) for one client with low budget and higher data demands (start-up business). In the middle of the research, a good friend talked to me about Mikrotik from Latvia (EU). Looking for his specification and brand info in their site, I found a equipment with characteristic between (King-Kong) and (Hulk) with a very small price tag. The prices varies from $645 to $995 and have super hero capacities like 16 to 36 cpu cores (1.2 GHz), 16 - 24 millions of pps (64kb frame), PoE, SPF ports, 2 - 4GB Ram and so on. I have ordered 2 for back-to-back test and I think if this equipment fill my specification, I will using or recommend to the client. Here the link for more info:
ps: The router include a firewall module, MPLS, Proxy and other cool stuff.
December 7, 2012 at 6:18 p.m. UTC
Sonicwall in their recent versions 5.8.x is building in a full CLI. Also the NSA 240 is not going to be continued in the future, it has been replaced by 220/250.
December 11, 2012 at 9:30 p.m. UTC
I think this could be the best "bang for the buck" deal around, though I'm not too familiar with prices of products by any vendor.
Tons of features and deployment options (appliance, "standard hardware - Barracuda NG FW running on a IBM/HP/Dell/... server, virtual appliance VMware/XEN).
December 12, 2012 at 2:04 a.m. UTC
Stir clear from Fortinet-s. They are not stable enough, but for branch FW-s it may be not an issue.
SRX-es are great, I manage network with about 100 of them. 240 and 210 mostly. Have not seen any hardware problem. Software sometimes screws up, but FW normally able to reboot yourself or just restart failed process automatically.
January 3, 2013 at 10:52 p.m. UTC
You can do test on communication between Cisco and Juniper devices
at this online lab-
January 4, 2013 at 3:22 p.m. UTC
I have VPN experience with Cisco ASA as well as Juniper SRX and the old NetScreen stuff. We have ~30 VPNs to various sites using mostly small NetScreens and a few larger boxes as the 'hub' for them. We've been migrating to the SRX line for firewalls and will soon be migrating to them for the VPNs too. If you didn't like the SRX line when they first came out a few years ago you should look again, they are rock solid now.
I personally don't like the ASA for anything other than client-based VPNs (they are great at that). The CLI & config files of a Junos/SRX so clean, readable, and usable you'll hate ever looking at an ASA again. I learned Junos easily, is not a pain in the ass as this article mentions.
You can get an SRX 100 for around $600.
January 12, 2013 at 10:27 a.m. UTC
take a look at www.mikrotik.com. a number of mikrotik routers (RB800, RB1100, RB1200) make excellent branch and HQ routers as they are stable, packed with features + they are not expensive: cheapest RB750 is good for up to 3Mbps VPN branch office and costs $30. they also provide tons of features... even a $30 RB750 supports BGP
February 28, 2013 at 1:25 a.m. UTC
ISR ZBF can be made to work, but even with a good naming convention and sticking to a basic strategy, the configuration gets huge. In addition the tools for monitoring/testing the ZBF are practically non-existant and the documentation for the various parts of the inspection engine are still terrible. Trying to figure out why a particular protocol is not passing through, or a particular inspection engine is not working is near impossible.
I understand what they were trying to do, but at this point, I'm thinking they need to rework it. It's nice to try and stick with the existing modular policy framework just isn't scalable configuration wise. It would be easier to apply zones to interfaces and ACLs to the zones...similar to ASA. Maybe they'll eventually get the frame work where the show commands are manageable and you have real insite into the logging and state functions (snmp mibs would be nice).
March 7, 2013 at 4:06 p.m. UTC
Well, I'm historically a "cisco guy" so I can only really comment on that part. I worked for an MSP for about the last five years, and we were a Cisco shop.
tl;dr version = Cisco ASA is solid, but expensive. Does great at site2site VPN, very dependable.
ASA is a very solid platform, but does require initial work to get them configured. However, once you know how to configure them, they will literally run for years stuck in a closet and doing their thing. One client we had ran a central site with a 5520, and 20+ roaming sites with 5505's, all running more or less the same config with just different IP addresses. These ASAs sat in dusty, hot, humid, vibrating conditions and ran VPNs back to the home without problems for years. When one broke, since they kept up with their smartnet, Cisco would ship out a new one overnight with hardly a hoop to jump through. One call to TAC, and a box showed up the next day. Get the firmware matching, drop in a config and you're off to the races.
The ASA line is branched from the PIX line, which they purchased a long time ago. Its OS is not actually directly from the IOS line, but has been made to conform so that most commands are the same. In some ways, ASA is easier to configure, as it tends to be "smarter" at configuration.
Client VPNs, not as great. The 64-bit versions of their VPN client were initially not available, and the 32-bit doesn't work at all on a 64-bit os. Until their newest VPN client (AnyConnect) there was no simple GINA integration, so you had to first login, then connect the VPN. Caused some problems with roaming domain laptops that went long periods being disconnected from their DCs.
Licensing and Smartnet are where Cisco starts to lose battles. The ongoing cost of smartnet drove several customers to look for other solutions like Sonicwalls and even domestic, off the shelf solutions from their local office supply store.
I don't know how other companies handle their partner setups, but to be a Cisco shop you must employ a certain number of Cisco certified personnel, and that requirement changes depending on the level of product you want to support.
April 5, 2013 at 8:20 a.m. UTC
Have you ever worked with Alcatel-Lucent (ALU) gear? Say the 7750? Or how about Brocade?
April 30, 2013 at 9:32 p.m. UTC
Working as a security consultant for big companys and provides i can say, that we deploy cisco asa over juniper srx or checkpoint gaia for firwalling. I dislike srx because you need some lines of cli code for firewalling where we need one at asa. But rollback and compate are great features on srx. Jweb on srx is damed slow and machines boot slow as well. But juniper is the biggest competitor if you need a solid firewall which offers best in class performance.
February 21, 2014 at 3:00 p.m. UTC
Branch firewall - Palo Alto.
I just left training and I have to say packets inspection firewalls look simply archaic now. Cisco & Juniper are going to be left behind very quickly Actually, its already happening. This has more to do with functionality than marketing. Why use just source/destination/service when you can look INSIDE the application? GAME OVER.
August 8, 2014 at 8:52 p.m. UTC
We use all: ASAs, IRS2, SSGs, and SRX.
ASAs are great as HA pair of firewalls in a data center. I would not use them in offices where you need all in one device, since they don't support BGP and route-based VPN tunnels. ISR2 are great all-in-one. This is our preferred device, and as stated before, cost is an issue. But it is worth it.
SSGs/ISGs, love them, they can do most of the ISR2s and all of ASAs and have a great HA setup in ISGs for large data centers but Juniper will retired them in time. SRX is SSGs replacement. SRX, I want to love them, but...All-in-one is great competitor to ISR2s, more Ethernet ports, cheaper, but you can't add more RAM and bugs. For larger data center HA deployments: stay away! HA deployment is terrible and you will have to reboot both boxes to fix an issues, unlike ASA or ISGs. SRX HA makes two boxes into one logical, control plane stays on one, but forwarding on both. We had a memory leak, could not fail-over, the only way was to reboot the whole cluster (per JTAC). Now explain business why data center was down even though you have an HA setup. This never happened with ASA or ISGs.