Having tried a Juniper SRX for a fortnight we were left with the impression that a few features aren’t quite finished yet. The routing side, which Juniper are traditionally associated with, was really powerful and easy to use, but for a firewall it seemed to be lacking a few useful features found on the majority of the competition. These included authenticating VPN users locally if your Radius server is down and assigning IP addresses without an additional DHCP server. From talking to a couple of Juniper experts it sounds like these and many other features are coming soon, unfortunately for Juniper we needed them now.

The Juniper SSG range were almost identical to the Cisco products both in features and price, in the end we rejected these because we had major trouble obtaining some competitive quotes. One major international IT reseller were that frustrating to deal with that we’ve vowed never to use them again.

One of our core requirements was dynamic VPN access so we can reach our servers when on-call and people can work from home. Given that Microsoft have just released Windows 7 and that 64bit operating systems are now being pre-installed on laptops it had to work with both of these. The Juniper VPN client only works on a 32bit OS, we’d have to purchase some third party software to connect from a 64bit OS, Cisco on the other hand have added full 64bit support to their AnyConnect client.

Our final reason is that Cisco were willing to accept our current PIX firewalls as trade-in. Of all the reasons we considered this was least important but it became a small factor once we realised the features were essentially the same. The same international IT supplier strung us along for 3 weeks while trying to sort out this trade-in with Cisco, they then gave up. Our normal, much smaller, UK supplier had it all sorted in an afternoon and managed a much better price too.

These new firewalls should be with us shortly and I’ll post an update once we’re ready to put them live.

The obvious choice seemed to be the Cisco ASA range, probably the ASA5510, but in some areas the changes between the PIX and ASA platforms seem quite significant, so we thought we’d look at the competition too.

A little research narrowed us down to two suppliers that could provide all the features we need within a sensible budget, Cisco and Juniper. Cisco are a safe bet, we’ve used them before and you don’t get any surprises, Juniper on the other hand have only recently started targeting smaller networks, most of their products are used in core networks.

The main contenders were:

Cisco ASA5510

The ASA line is a new improved version of the PIX. They run the same OS and have a number of new features such as SSL VPN tunnels.

Juniper SSG140

The Juniper SSG range is based on the products previously made by Netscreen (acquired by Juniper a few years back). They run a custom OS called ScreenOS and very similar to the ASA5510 in all features we need.

Juniper SRX210

Juniper have only recently introduced the smaller models in their SRX range, these run Junos, the same OS as Junipers core routers. From the figures we obtained they appear to have considerably higher throughput and performance then either the ASA or SSG ranges and a number of additional features.

At the moment Juniper seem to be really pushing the SRX line, they’ve got really competitive pricing and free online training including certification, and given that they have more features than either of the other products we’ve going to give them a try.

A friendly Juniper reseller has agreed to lend us one for a couple of weeks while we see if they’re as good as they look on paper.

Once we’ve got our hands on one I’ll add another post letting you know what we think.