Sunday, 6 November 2016

Juniper : The death of ScreenOS

The Juniper families of SRX services gateways are the replacement platforms for the SSG platforms, the ISG 1000 and ISG 2000 as well as the NS 5000 Series (NS-5200 and NS-5400). The SRX family include a set of branch platforms (SRX210, SRX240 and SRX650), and the high end platforms (SRX3000 and SRX5000).

The entire line of SRX platforms uses JUNOS, a very powerful networking platform that consolidates switching, routing, security and applications into a single OS. JUNOS is very different than ScreenOS and as such, will place a significant migration burden on Juniper, their customers and their partners.

Key points to consider:
The SRX Is not positioned as a firewall.
      JUNOS is not a security OS and the SRX positioning reflects this based on the routing and switching emphasis which Juniper uses as a means to compete with Cisco. With the SRX, security is merely a service that is enabled along with switching. Juniper does not try to address the problem of the lack of innovation at the firewall which resulted in the loss of visibility and control over applications, users and content.

They cannot do what we doeven with multiple components.
      Application visibility and control belongs in the firewall and the port based SRX platforms cannot deliver that functionality.
      Juniper has taken the Cisco approach to say they can do what we do using multiple devices (SRX with IDP, UAC Controller, a UAC agent on every desktop and multiple management components). Even with this “everything-but- the-kitchen-sink” approach, they cannot address the visibility and control (applications, users and content) problem.


Stuck on old technology.
      The SRX uses stateful inspection which relies on port and protocol for policy decisions, a technique that is ineffective at controlling applications that use dynamic ports, encryption, or tunnel across often used/allowed ports to bypass firewalls.
      Full IDP is supported, and can block a very limited set of, mostly bad applications like P2P and IM – currently at 126, an incremental improvement over the 118. The threat focused approach is inadequate in detecting and positively enabling applications. Applications are not threats. They should not be treated as such.

Faster at doing nothing.
      Their literature claims impressive performance for port-based traffic classification (stateful inspection). But based on packets per second (PPS), a more accurate performance measurement, their performance is not all that great.


A management nightmare.
      Heavy reliance on CLI for tuning and troubleshooting with no plans to enable management via a GUI.
      Palo Alto Networks GUI and centralized management interfaces are identical, simplifying management. A full CLI complements the graphical interfaces and, more importantly, all commands can be accessed from any one of the three interfaces.
      IDP is not part of the firewall policies, but rather part of the IDP policies, which means that port/protocol still determines what traffic the IDP feature sees giving applications an easy way to bypass the IDP controls.


loading...