SSG5 vs ASA 5505?

msteinhilber Member Posts: 1,480
Hopefully some Juniper gurus can chime in here :)

Our shop, and myself for that matter, haven't had any experience with Juniper in the past. We are going to be finally replacing our often failing as of lately Linksys RV series VPN routers at our remote offices. We were originally going to go the route of ASA 5505's since we have a 5510 at the main office and I've been familiar with it as well as having a 5505 at home so it's more in my comfort zone. At this point though, apparently ASA 5505's are fairly difficult to obtain - CDW was estimating 90+ days for ~40 units.

Just wondering how something like the SSG5 compares to the ASA's. Obviously both would be a significant upgrade from what we are currently running. Not looking for anything spectacular except basic firewall and l2l VPN capabilities. The UTM option on the SSG5 *might* be something we look into but probably further down the road when the budget allows if we opted to go that route. Just wondering how a Cisco guy like myself is going to pick up the SSG5 and if they will play well with an ASA at the other end. I'm not a know all expert when it comes to VPN configurations and to be quite honest - going either the Cisco or Juniper route from the path we were taking before (l2l VPN's created in the web interface of the Linksys routers to a Linksys router on our IT network strictly for remote access) is going to be a bit of a learning curve either way.

The SSG5's allure is that they seem to be available now, which is important, and they have a more attractive price. On paper they seem to be a bit lower end when comparing specifications to an ASA 5505 but I'm confident our load isn't going to be much of a burden on either platform. Thoughts?

Comments

  • Ezlite Member Posts: 27
    The SSG will get the job done, and I prefer it over the ASA.

    But ... the real cost to look at is OpEx, i.e. the deployment, setup, and management.

    Sooo ...

    I think you may want to look at the SRX line. The newer SRX line runs on Junos and you get significantly more functionality. Juniper also has a nice management system for distributed deployments.

    I think the SRX is much much better than ASA and available.

    SRX 100 - SRX100 Services Gateways - Entry Level Enterprise Secure Router - Juniper Networks

    SRX 210 - SRX210 Services Gateway - Dynamic Services Architecture - Juniper Networks

    The 210 is very nice, especially the PIM slots which provide a lot of flexibility. (Like backup WAN over 3G, or direct connect to cable via DOCSIS3.0 PIM)

    "The SRX210 Services Gateway is a secure router that supports up to 750 Mbps firewall, 75 Mbps IPSec VPN, and 80 Mbps IPS. Additional security features include Unified Threat Management (UTM), which consists of: IPS, antispam, antivirus, and Web filtering. With wired and 3G wireless connectivity options, the SRX210 Services Gateway is ideally suited for securing small distributed enterprise locations and took top honors in the SMB Infrastructure category at Interop Tokyo in 2009"

    SRX210 Services Gateway
    • 2 10/100/1000 Ethernet and 6 10/100 Ethernet LAN ports, 1 Mini-PIM slot, 1 ExpressCard slot and 2 USB ports
    • Factory option of 4 dynamic Power over Ethernet (PoE) ports 802.3af
    • Support for T1/E1, serial, ADSL/2/2+, VDSL, G.SHDSL, DOCSIS3, Ethernet small form-factor pluggable transceiver (SFP), and Gigabit Ethernet interfaces
    • Content Security Accelerator hardware for faster performance of IPS and ExpressAV
    • Full UTM: antivirus, antispam, Web filtering, intrusion prevention system (with high memory version)
    • Unified Access Control (UAC) and content filtering
    • 512 MB DRAM default, optional factory 1 GB DRAM, 1 GB flash default



    My thoughts on the options ..
    TB

    JNCIP-M: Late June 2010
  • chrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Member Posts: 1,915
    I haven't touched the SSG5; I myself would stick with the ASA5505s. 40+ of any IT hardware is going to take some time.
    2020 Goals:
    Courses: VHL (3 month pass)
    Certs: OSCP (in-progress), AZ-500 (in-progress), MS-500, Pentester Academy - PACES, Pentester Academy - CRTE
  • kalebksp Member Posts: 1,033
    We ordered some 5505s at work recently through a large Cisco partner and the delivery date was set at 99 days, which is the max. From what I've heard Cisco had manufacturing issues at one of their plants which has caused delays on some of their products.

    I'm not familiar with SSG5s but barring any major feature you need in the SSG5 that the ASA doesn't have I tend to recommend going with what you know.
  • cablegod Member Posts: 294
    Another vote for SSG or SRX. Juniper all the way. I have had both and much prefer the SSG.
    “Government is a disease masquerading as its own cure.” -Robert LeFevre
  • msteinhilber Member Posts: 1,480
    kalebksp wrote: »
    We ordered some 5505s at work recently through a large Cisco partner and the delivery date was set at 99 days, which is the max. From what I've heard Cisco had manufacturing issues at one of their plants which has caused delays on some of their products.

    This is what we had heard as well.

    We ended up sourcing these through Vology Data Systems (Formerly Network Liquidators). They deal with new and used gear and claim they should be able to have no difficulty fulfilling 40 pieces in about 30 days so we shall see how they come through on that. If they can get me all 40 in a month or month and a half I'll be fine with that, it's not like I'm going to be able to get these all over Wisconsin any quicker if I got them all in a few days time :)

    I checked out some of the other Juniper offerings and it was tempting, feature set looked better but in the end time constraints rule my shop. When you have 3 guys with 40 offices and a bunch of users to support it's hard to allocate time to pick up something new and get rolling. I'm no ASA genius but I've done enough with our 5510 at the office and my 5505 at home to feel at an advantage over another vendor ;)
  • Ezlite Member Posts: 27
    I would get at least 1 unit from a 2nd vendor for learning. Getting stuck with single vendor implementations that use proprietary solutions is often a recipe for Migraines ...

    Pick a 2nd vendor and get 1 unit. Do a little interoperability testing when time permits. It may just save your backside down the road.

    Hope for the best and plan for the worst
    TB

    JNCIP-M: Late June 2010
  • msteinhilber Member Posts: 1,480
    Guess I'll be getting my feet wet with Juniper gear after all. Turns out the salesperson I was working with was either hoping they would be able to acquire ASA 5505's and lost the wager or he really thought they could, either way - they can't and we're not in a position to wait.

    Have a Juniper SRX100B on order, will see how it works out and if all goes well we will order 39 more. I guess if one good thing came out of all of this, it was that we finally were able to convince corporate to lease. We often struggle trying to get the budget we need for projects and they had always been completely against leasing so hopefully in the future we will be able to more easily implement projects that are not as budget friendly as corporate would like.
  • Aldur Juniper Moderator Member Posts: 1,460
    Very cool to hear that you're gonna give the SRX a shot. Let us know how it goes.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • Ezlite Member Posts: 27
    Add me to that ... please let us know how it goes.
    TB

    JNCIP-M: Late June 2010
  • msteinhilber Member Posts: 1,480
    Hardware came in a couple days ago, but I haven't had nearly as much time as I wanted to play around yet. Downloaded a bunch of various Juniper training resources to go through, that's one nice thing about Juniper - seems to be a lot more freely available for training resources. Had hoped to get a basic configuration up and running today but the other day I took a spill down some rickety old stairs leading to the basement of one of our offices (old downtown building, replacing another failed unit that these Juniper devices should end up replacing no less) and my back has been progressively getting worse till a basically laying flat all day situation keeping me from doing much of anything.

    Hopefully tomorrow I get to get my hands into it more, my stubbornness of not wanting to look through documentation after I consoled into it after unboxing it was to account for the 5-10 minutes of frustration as I logged in and couldn't get any commands or anything to work. Ego deflated I opted to do some quick reading of the basics and once I discovered how one needs to issue the "cli" command upon logging in we were moving along much better :)
  • Ezlite Member Posts: 27
    Ouch ... I hope you recover quickly.

    And yeah ... I have had to look in the mirror and say RTFM to myself more times than I care to admit.
    TB

    JNCIP-M: Late June 2010
  • Aldur Juniper Moderator Member Posts: 1,460
    msteinhilber wrote: »
    Downloaded a bunch of various Juniper training resources to go through, that's one nice thing about Juniper - seems to be a lot more freely available for training resources.

    The fast track stuff they have for the JNCIS-SEC is definitely good stuff. With that and one SRX210 to play around with I picked up the cert in about 2 months.

    msteinhilber wrote: »
    Had hoped to get a basic configuration up and running today but the other day I took a spill down some rickety old stairs leading to the basement of one of our offices (old downtown building, replacing another failed unit that these Juniper devices should end up replacing no less) and my back has been progressively getting worse till a basically laying flat all day situation keeping me from doing much of anything.

    Ouch man, I know the feeling of being put out with a bad back. Last summer my back went out and I had to take some time off and then work from home for about 3 weeks. Nothing says I don't feel like a man like not being able to get up to do anything.

    Here's to hoping for a quick recovery.

    msteinhilber wrote: »
    Ego deflated I opted to do some quick reading of the basics and once I discovered how one needs to issue the "cli" command upon logging in we were moving along much better :)

    Heh, don't feel too bad, I don't know how many times I've been asked how to get out of the percent sign prompt only to receive an elongated "sigh" after revealing the secret combination ;)
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • Ezlite Member Posts: 27
    So ... how is it going ???
    TB

    JNCIP-M: Late June 2010