We’ve now ordered our new firewalls: we’ve gone with a pair of Cisco ASA5510s for the data centres and an ASA5505 for our office. We chose the Cisco firewalls for a few reasons I’ll explain below.
Having tried a Juniper SRX for a fortnight, we were left with the impression that a few features aren’t quite finished yet. The routing side, which Juniper are traditionally associated with, was really powerful and easy to use, but for a firewall it seemed to be lacking a few useful features found on the majority of the competition. These included authenticating VPN users locally if your RADIUS server is down and assigning IP addresses without an additional DHCP server. From talking to a couple of Juniper experts, it sounds like these and many other features are coming soon; unfortunately for Juniper, we needed them now.
The Juniper SSG range were almost identical to the Cisco products both in features and price; in the end we rejected these because we had major trouble obtaining some competitive quotes. One major international IT reseller were so frustrating to deal with that we’ve vowed never to use them again.
One of our core requirements was dynamic VPN access so we can reach our servers when on-call and people can work from home. Given that Microsoft have just released Windows 7 and that 64-bit operating systems are now being pre-installed on laptops, it had to work with both of these. The Juniper VPN client only works on a 32-bit OS, so we’d have to purchase some third-party software to connect from a 64-bit OS; Cisco, on the other hand, have added full 64-bit support to their AnyConnect client.
Our final reason is that Cisco were willing to accept our current PIX firewalls as trade-in. Of all the reasons we considered, this was the least important, but it became a small factor once we realised the features were essentially the same. The same international IT supplier strung us along for 3 weeks while trying to sort out this trade-in with Cisco; they then gave up. Our normal, much smaller, UK supplier had it all sorted in an afternoon and managed a much better price too.
These new firewalls should be with us shortly and I’ll post an update once we’re ready to put them live.