Replacing our Firewalls

We currently use Cisco PIX firewalls in both our data centres and office. We haven’t really had any problems with these, but as Cisco stopped providing software maintenance at the end of July, now seems a good time to replace them.

The obvious choice seemed to be the Cisco ASA range, probably the ASA5510, but in some areas the changes between the PIX and ASA platforms seem quite significant, so we thought we’d look at the competition too.

A little research narrowed us down to two suppliers that could provide all the features we need within a sensible budget: Cisco and Juniper. Cisco are a safe bet; we’ve used them before and you don’t get any surprises. Juniper, on the other hand, have only recently started targeting smaller networks; most of their products are used in core networks.

The main contenders were:

Cisco ASA5510

The ASA line is a new improved version of the PIX. They run the same OS and have a number of new features such as SSL VPN tunnels.

Juniper SSG140

The Juniper SSG range is based on the products previously made by NetScreen (acquired by Juniper a few years back). They run a custom OS called ScreenOS and are very similar to the ASA5510 in all the features we need.

Juniper SRX210

Juniper have only recently introduced the smaller models in their SRX range. These run Junos, the same OS as Juniper’s core routers. From the figures we obtained, they appear to have considerably higher throughput and performance than either the ASA or SSG ranges, and a number of additional features.

At the moment Juniper seem to be really pushing the SRX line. They’ve got really competitive pricing and free online training including certification, and given that they have more features than either of the other products, we’re going to give them a try.

A friendly Juniper reseller has agreed to lend us one for a couple of weeks while we see if they’re as good as they look on paper.

Once we’ve got our hands on one I’ll add another post letting you know what we think.