Sunday 6 November 2016

Juniper: The death of ScreenOS

The Juniper SRX family of services gateways is the replacement platform for the SSG platforms, the ISG 1000 and ISG 2000, and the NS 5000 Series (NS-5200 and NS-5400). The SRX family includes a set of branch platforms (SRX210, SRX240 and SRX650) and the high-end platforms (SRX3000 and SRX5000).

The entire line of SRX platforms runs JUNOS, a very powerful networking platform that consolidates switching, routing, security and applications into a single OS. JUNOS is very different from ScreenOS and, as such, will place a significant migration burden on Juniper, its customers and its partners.

Key points to consider:
The SRX is not positioned as a firewall.
      JUNOS is not a security OS, and the SRX positioning reflects this: the emphasis is on routing and switching, which Juniper uses as a means to compete with Cisco. With the SRX, security is merely a service that is enabled alongside switching. Juniper does not try to address the lack of innovation at the firewall, which resulted in the loss of visibility and control over applications, users and content.

They cannot do what we do, even with multiple components.
      Application visibility and control belong in the firewall, and the port-based SRX platforms cannot deliver that functionality.
      Juniper has taken the Cisco approach of claiming they can do what we do using multiple devices (SRX with IDP, UAC Controller, a UAC agent on every desktop and multiple management components). Even with this “everything-but-the-kitchen-sink” approach, they cannot address the visibility and control (applications, users and content) problem.


Stuck on old technology.
      The SRX uses stateful inspection, which relies on port and protocol for policy decisions. That technique is ineffective at controlling applications that use dynamic ports, encryption, or tunnelling over commonly allowed ports to bypass firewalls.
      Full IDP is supported and can block a very limited set of mostly bad applications such as P2P and IM (currently 126, an incremental improvement over the previous 118). The threat-focused approach is inadequate for detecting and positively enabling applications. Applications are not threats, and they should not be treated as such.

Faster at doing nothing.
      Their literature claims impressive performance for port-based traffic classification (stateful inspection). But measured in packets per second (PPS), a more accurate performance metric, their performance is not all that great.


A management nightmare.
      Heavy reliance on the CLI for tuning and troubleshooting, with no plans to enable management via a GUI.
      The Palo Alto Networks GUI and centralized management interfaces are identical, simplifying management. A full CLI complements the graphical interfaces and, more importantly, all commands can be accessed from any one of the three interfaces.
      IDP is not part of the firewall policies but rather part of the separate IDP policies, which means that port/protocol still determines what traffic the IDP feature sees, giving applications an easy way to bypass the IDP controls.
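The two points above about port/protocol policy (under "Stuck on old technology" and the IDP note in this section) come down to the same mechanism: a policy keyed on destination port decides what an application is before any content is examined. The following added example, which is not from the original post and not Juniper's or Palo Alto Networks' code, makes that visible. It compares a hypothetical port-to-application table with a minimal payload fingerprint (SSH banner, TLS record header, HTTP request line) over a handful of constructed flows, and reports the flows where the two disagree, which is exactly the traffic a port-based firewall or IDP policy would classify wrongly and a defender would want to review.

```python
"""Port-based vs payload-based application identification.

Added example, not code from the original post. The port table, the
fingerprints and the sample flows are all constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical port-to-application table, the way a port/protocol policy sees traffic.
PORT_APPS = {22: "ssh", 80: "http", 443: "tls", 8080: "http"}


@dataclass(frozen=True)
class Flow:
    flow_id: str
    dst_port: int
    payload: bytes  # first bytes the client sent (constructed samples below)


def classify_by_port(flow: Flow) -> str:
    """What a port/protocol policy assumes the application is."""
    return PORT_APPS.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Minimal content fingerprints; real app-ID engines are far more thorough."""
    p = flow.payload
    # SSH identification string (RFC 4253): "SSH-2.0-" or "SSH-1.99-"
    if p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x03
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] in (0x01, 0x02, 0x03):
        return "tls"
    # HTTP/1.x request line: METHOD SP target SP HTTP/1.x
    methods = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
    if p.split(b" ", 1)[0] in methods and b" HTTP/1." in p:
        return "http"
    return "unknown"


def audit_flows(flows):
    """Return (flow_id, port_app, payload_app) for every flow the port policy misjudges."""
    mismatches = []
    for f in flows:
        by_port = classify_by_port(f)
        by_payload = classify_by_payload(f)
        if by_port != by_payload:
            mismatches.append((f.flow_id, by_port, by_payload))
    return mismatches


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("f1", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS on 443
    Flow("f2", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH on 443
    Flow("f3", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # HTTP on 80
    Flow("f4", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),                         # SSH on 22
    Flow("f5", 8080, b"\x16\x03\x03\x00\x40\x01\x00\x00\x3c\x03\x03"),  # TLS on 8080
]


def main():
    for flow_id, by_port, by_payload in audit_flows(SAMPLE_FLOWS):
        print(f"{flow_id}: port policy says {by_port}, payload looks like {by_payload}")


if __name__ == "__main__":
    main()
```

Only f2 and f5 are reported: a port-based policy (and an IDP that only sees what the port policy hands it) would treat f2 as ordinary TLS on 443 and f5 as HTTP on 8080, while the payload says otherwise. Any policy that decides on port alone inherits exactly this blind spot.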

