Comparison of Cisco with Juniper firewalls

Unanswered Question
Jan 4th, 2010

Hi Folks,

We have been working with Cisco PIX and ASA firewalls in the past. Recently, we have started to evaluate Juniper firewalls in comparison to Cisco. Initial comparison puts Juniper on top of everything in Security. Here are a few stats.


| Feature | SRX 3600 | SRX 3400 | ASA 5580-20 | ASA 5580-40 |
|---|---|---|---|---|
| Max FW Throughput | 30 Gbps | 20 Gbps | 5 Gbps/10 Gbps JF | 10 Gbps/20 Gbps JF |
| Max IPS Throughput | 10 Gbps | 6 Gbps | NA | NA |
| Max VPN Throughput | 10 Gbps | 6 Gbps | 1 Gbps | 1 Gbps |
| Interfaces | 8x Gig-Copper+4 SFP builtin; 2x 10 Gig XFP; 16x Gig Copper, 16 SFP | 8x Gig-Copper+4 SFP builtin; 2x 10 Gig XFP; 16x Gig Copper, 16 SFP | 4x Gig copper, 4x SFP, 2x10 G | 4x Gig copper, 4x SFP, 2x10 G |
| Concurrent VPN Sessions | 20,000 | 10,000 | 10,000 | 10,000 |
| Max Sessions | 2.25 Mill | 2.25 Mill | 1 Mill | 2 Mill |
| Security Context | 256 | 256 | 50 (with no support of dynamic routing) | 50 (with no support of dynamic routing) |
| In Service software upgrade | Yes | Yes | NA | NA |


It would be interesting to see if there is any hidden untold story that we might be missing.


Also, we have compared Juniper SRX 650 with 5520 (even with 5550) and the stats are also in favor of Juniper. Any comments?

Panos Kampanakis Mon, 01/04/2010 - 09:45
User Badges:
  • Cisco Employee,

Hi,


Well, to compare 2 boxes I believe we need to compare apples with apples. Cisco has not come up with a very high end edge firewall yet, whereas other vendors claim they have. The biggest ASA namely throughput is 10Gbps (20Gbps with Jumbo Frames), so we should compare it with other vendors of the same magnitude to compare performance.


There was a performance testbed that was done by a third party that showed the 5580-40 is much better than the competitors' products of the same category and it is located here: http://www.miercom.com/dl.html?fid=20080509&type=report

As for the 5520, there is another testbed that proves almost the same thing: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd80350d4e.pdf It is not against SRX, but against NS508 (that was the competitor when it came out). I don't think the SRX650 is the competitor for the 5520. I think the 5580-20 would be its competitor that would need to be compared to.


Now, I don't think there is a doc that compares the ASA5580 with the SRXs. But I believe that Cisco would perform better compared to firewalls of comparative magnitude (at least proven in the testbed). Now if your needs are 25Gbps through your firewall I don't think that you could do it using only one ASA so you would either want to see if other vendors indeed support the speeds they say or evaluate an active/active or multiple ASA5580 solution, potentially with jumbo frames.


I hope it helps.


PK




cciesec2011 Mon, 01/04/2010 - 10:56

"Now if your needs are 25Gbps through your firewall I don't think that you could do it using only one ASA so you would either want to see if other vendors indeed support the speeds they say or evaluate an active/active or multiple ASA5580 solution, potentially with jumbo frames"


The problem with this is that if your test also involves IPSec VPN termination, then you cannot do this on ASA Active/Active configuration whereas other vendors can do this. Most firewall vendors such as Palo Alto use clustering technology to increase throughput performance by adding additional hardware. In other words, you can combine 8 different nodes into a single system and can terminate VPN as well. With Cisco ASA technology, you can only have two nodes in Active/Active but when you do that, you lose the ability to do site-2-site IPSec VPN.


To the original poster, how do you manage these Juniper firewalls? Do you use Netscreen Security Manager, NSM, to manage these boxes?

mohsin.khan@tel... Mon, 01/04/2010 - 23:59

@pkampana, from a customer point of view, pricing is the criteria where apples can be compared with apples if the features are the same. If a single box of another vendor can outperform ASA, why should I go for the pair of Cisco ASA? All the tests that you have provided do not compare apples with apples in terms of the cost associated with each box.


@cciesec2011, we currently do not have those firewalls, however they will be on JunOS and I guess JunOS is supported on NSM.

Panos Kampanakis Tue, 01/05/2010 - 06:55
User Badges:
  • Cisco Employee,

I am not trying to sell Cisco products here. Just wanted to provide some specs and comparison by a third party.

I see your point about cost.

To me "apples and apples" are performance specs by category and name speeds because they are more objective. Price has more tangible and intangible things people might or might not appreciate tied to it.


PK
