I thought it was about time I did a proper review of the Cisco ASA 5505 and the Juniper SSG 5.
Both devices are at the low end of the firewall security appliances offered by Cisco and Juniper.
The ASA 5505 is part of Cisco's new range of Adaptive Security Appliances (ASA), the replacement for the PIX. The 5505 replaces the old PIX 501 and 506e.
The SSG 5 is Juniper's lowest-end Secure Services Gateway (SSG). The SSG 5 replaces the old NetScreen 5GT.
There are many models of the SSG 5 and ASA 5505 available; for this review I will be looking at the non-wireless SSG 5 256 MB version and the unlimited-user ASA 5505 K9 version.
Before we get started I should make it clear that I work with the Juniper range of hardware every day, so I may be biased.
Overview
The first thing I'll do is compare the two devices "on paper".
| | Cisco ASA 5505 | Juniper SSG 5 |
|---|---|---|
| Model | ASA5505-UL-BUN-K9 | SSG-5-SH SSG5 RS-232 256MB |
| RRP* | $AU1,681.90 inc GST | $AU1,125.00 inc GST |
| Firewall Throughput | 150 Mbps | 160 Mbps, or 90 Mbps of IMIX** traffic |
| VPN Throughput | 100 Mbps | 40 Mbps |
| Sessions | 10,000 | 8,000 |
| Connections/Second | 4,000 | 2,800 |
| Packets Per Second (64 byte) | 85,000 | 30,000 |
| IPsec Tunnels | 10 | 25 |
| SSL Tunnels | 2 | N/A |
| Memory | 256 MB (upgradable) | 256 MB |
| Flash | 128 MB (upgradable) | 64 MB (fixed) |
| Ethernet Ports | 8x100 Mbps (2 of which are PoE) | 7x100 Mbps |
| USB | 3xUSB 2.0 | 1xUSB 1.1 |
| VLANs | 3 (trunking disabled, DMZ restricted) | 10 |
| OS | ASA 8.0(2) - ASDM 6.0(2) | ScreenOS 6.1.0r1 |
| Users | Unlimited | Unlimited |
| Routing Protocols | RIP v1/v2, OSPF, EIGRP | RIP v1/v2, BGP, OSPF |
| Anti-Virus | No (possible future) | Yes (paid subscription) |
| Deep Inspection | Yes | Yes |
| Anti-Spam | No (possible future) | Yes (paid subscription) |
| Console | RJ45 | RJ45 |
| Dialup Modem | No | No (an external modem can be connected via the AUX port) |
| IPv6 | Yes | Yes |
* RRP based on Ingram Micro's pricing
** IMIX traffic is more demanding than a single-packet-size performance test and as such is more representative of real-world customer network traffic.
The IMIX traffic used is made up of 58.33% 64-byte packets + 33.33% 570-byte packets + 8.33% 1518-byte packets of UDP traffic.
So on paper the ASA 5505 has much better throughput and general hardware specifications, yet the SSG 5 supports more VPN tunnels and VLANs and has full UTM (Unified Threat Management).
The ASA 5505 is also about 50% more expensive (based on the retail prices), although the wholesale prices of the two devices only differ by about $250 ex GST.
Cisco ASA 5505 out of the box
The ASA 5505 comes with the following:
Juniper SSG 5 out of the box
The SSG 5 comes with the following:
The 90-day software download for the Juniper device means that you can get the latest software when you first purchase the device. Unfortunately this period starts from when the device leaves Juniper, so if you purchase the device from a reseller the software update period may have already expired. This is still better than Cisco, which requires you to purchase a SmartNet agreement before you can download anything.
The 90-Day Cisco hardware warranty is also a bit rude.
Cisco ASA 5505 Starting it up
Out of the box the ASA is set up with Ethernet0/0 being the WAN side while the rest of the ports are set up as the LAN side. The default IP address of the box is 192.168.1.1.
If you're running an internet connection where an IP address is handed out via DHCP then the ASA will give you basic internet access straight off, although most of the time you'll want to configure PPPoE or something similar.
For users who have not used Cisco gear before, the easiest way to configure it is through ASDM (Adaptive Security Device Manager), Cisco's GUI setup interface. To access this, browse to https://192.168.1.1/ and download the ASDM.
Once started you are greeted with some statistics of the ASA.
ASDM is up to version 6 and it is now fairly comprehensive; if you don't like the command line then most of the configuration can be done here.
By default the ASA blocks and filters certain traffic; for example, ICMP is blocked.
Juniper SSG 5 Starting it up
Out of the box the SSG 5 is set up with Eth0/0 being the WAN side, Eth0/1 being the DMZ and the rest of the ports being the LAN side. The default IP address of the box is 192.168.1.1.
The SSG 5 uses zones.
"A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via policies. Security zones are logical entities to which one or more interfaces are bound."
So what Cisco call VLANs (or Security Levels) are basically what Juniper call Zones.
The SSG is managed through a web interface, which can be found at http://192.168.1.1 (default username and password: netscreen).
Once you've logged in you are greeted with a general overview of the device.
Like the Cisco device, the SSG also allows configuration via the command line, although the WebUI is much more complete than the Cisco ASDM.
Personally I do most of my configuration in the WebUI.
By default all outbound traffic is allowed and the WAN interface (or Untrust, as Juniper call it) is set in NAT mode. The Untrust interface isn't set up to receive an address via DHCP by default.
Cisco ASA 5505 The Hardware
The physical construction of the 5505 is very good. The outside casing is mostly plastic, while the base of the system is metal. The only point of concern is the power connector; it seems a bit flimsy and could be easily broken.
If you open up the 5505 you can see that both the flash and the RAM are upgradable. The flash is just a standard CompactFlash card, while the RAM is PC3200 DDR UB NON-ECC CL3 DIMM 2.5v or 2.6v. It looks like the ASA 5505 can support up to 512 MB of RAM.
The primary CPU is based on an AMD Geode chip, plus there is a hardware acceleration chip too (for VPN encryption etc.).
The 5505 also has a Security Services Card slot allowing extra functionality to be added on, although no cards are available at this stage.
There are 2 USB 2.0 ports on the back and 1 on the front. Seems like a lot for a firewall! At this stage they don't do anything.
The inclusion of two Power over Ethernet ports is a great idea as it allows you to simply plug an IP phone in without the need for an extra power brick.
There is an internal battery that can be replaced if required.
Overall the ASA 5505 feels like it was built to last.
Juniper SSG 5 The Hardware
The physical construction of the SSG 5 is good, but it isn't as good as the 5505. My main point of concern is the single USB port on the back. It isn't attached to the outside casing and just feels a bit flimsy.
The SSG 5 allows for the memory to be upgraded, although 256 MB is the maximum. I tried a 512 MB DDR2 SODIMM in the device but it didn't boot. It is possible that I was using the wrong type of RAM (on second look it may need DDR1). The flash memory is soldered onto the board and cannot be replaced.
The SSG 5 uses an Intel IXP455 chip running at 533MHz.
There is a single USB 1.1 port on the back of the device that can be used for storing log files or other firmware.
Cisco ASA 5505 The Software
At the time of writing, software version 8.0(3) is the latest version for the ASA. Unfortunately I currently only have 8.0(2), although the differences should only be bug fixes.
The ASA software is simply a continuation of the PIX software. The configuration is stored in a single text file. With each version of the ASA/PIX software the command line configuration is slowly becoming more and more like Cisco IOS, which is not a bad thing.
The ASA has a stack of features for a device so small and cheap. It does everything that the PIX 506e does (IPsec VPN, SPI firewall etc.) plus more (SSL VPN, EIGRP). The inclusion of SSL VPN means that this device can easily support teleworkers who may not have access to an unrestricted internet connection. SSL VPN gives the end user the option of a client-based connection (similar to an IPsec VPN) or a clientless connection (a web portal to published files and services).
The ASA 5505 also provides basic routing and NAT functionality, meaning that you can run this device without a separate router. Unfortunately there is no option for an integrated ADSL modem, so a modem will need to be purchased.
The configuration of the ASA can be scary for new users. ASDM is not particularly well laid out. NAT rules are in a different location to access rules, and every time you want to make a change you must save and upload the configuration again. The base license is also restrictive: you are limited to three "zones", untrust, trust and dmz. You cannot create pin holes in the DMZ to allow access to the Trust network either.
The SSL VPN is also very limited, as you are only allowed 2 SSL VPN connections. IPsec is a little better with 10 tunnels allowed, but even cheap SOHO routers can do 10 IPsec tunnels.
All of these limits can be removed or increased with more expensive licenses, but they are much, much more costly.
It is possible to get the ASA 5505 in 10 and 50 user versions (the number of computers using the internet behind the ASA). Why Cisco have this limit is beyond me. I've never seen a cheap SOHO router with a user limit.
The reporting options in the ASA 5505 are fantastic. If you want to know what is going on in your network then the ASA will tell you. It can display the most used services, sources or destinations in a pie chart (plus a whole stack of other options).
Overall the ASA software is good, but there are far too many limits on the base 5505.
ASA Software Version 8.1 is due soon although I've yet to hear what extra features it will include.
Juniper SSG 5 The Software
The SSG 5 came out with ScreenOS 5.4, but since then Juniper have released 6.0 and 6.1, both adding lots of extra functionality. ScreenOS supports just about any routing protocol (BGP, OSPF, RIP etc.) and has some really nice features that aren't found on the ASA 5505.
The base SSG 5 license supports unlimited users, 25 VPN tunnels and 10 zones. The extra zones really make the SSG 5 stand out. For example you can have an Untrust, Trust, DMZ and VPN zone. All VPN tunnels can be bound to the VPN zone, separating them from internet traffic. There are also no limits on how the zones work, so the DMZ can talk to any zone if you so wish. With 10 zones every port on the SSG 5 can be part of a different network. So if I wanted to add a wireless access point I could create a zone that only allows the wireless users to access the internet.
Policy management is also much better than on the ASA. Every change made via the web interface is automatically saved. You can quickly disable policies and move them around. You can fine-tune each policy; for example you might want to enable NAT on a policy, or add anti-spam scanning on certain incoming SMTP connections. The policy management on the SSG 5 feels much more mature.
Again, the SSG 5, like the ASA 5505, can be used as a standalone device without the need for an extra router. The SSG 5 does have another nice option: you can purchase them with ADSL2+ modems built in (or ISDN or 56k modem), so you don't need to buy an extra modem. That said, I find it easier and cheaper just to use an external modem, as it can be upgraded if a new technology comes out.
ScreenOS 6.0 added Auto Connect VPN, which works the same as Cisco's Dynamic Multipoint Virtual Private Network. This basically means that in a hub-and-spoke VPN setup the spoke sites (remote offices) can automatically establish a VPN tunnel between each other (based on the rules at the hub) to reduce the traffic going through the hub. This can increase bandwidth and decrease latency.
ScreenOS 6.1 added IKEv2, the next version of the Internet Key Exchange protocol used by IPsec.
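The wireless-only-to-internet zone mentioned above, written out as ScreenOS CLI, is an added example and not configuration from the review or from Juniper. It assumes an SSG 5 at factory defaults (ethernet0/2 to ethernet0/6 bridged into bgroup0 in the Trust zone, ethernet0/0 in Untrust), a spare port ethernet0/4, the zone name "Wireless" and the subnet 192.168.10.0/24; all of those are choices for illustration. ScreenOS has no comment syntax, so the lines beginning with "#" are annotation only and are not typed into the CLI.

```screenos
# Added example: isolate a wireless segment in its own zone so it can reach
# the Internet but not the Trust LAN. Port, zone name and addresses are
# assumptions; "#" lines are annotation, not ScreenOS commands.

# 1. Take ethernet0/4 out of the default LAN bridge group (bgroup0) so it
#    can be bound to a zone of its own.
unset interface bgroup0 port ethernet0/4

# 2. Create the zone, bind the port to it, give it an address in route mode.
set zone name "Wireless"
set interface ethernet0/4 zone "Wireless"
set interface ethernet0/4 ip 192.168.10.1/24
set interface ethernet0/4 route

# 3. Address book entry so the permit policy is scoped to the wireless
#    subnet rather than "Any".
set address "Wireless" "wifi-lan" 192.168.10.0 255.255.255.0

# 4. Policies. Inter-zone traffic is dropped unless a policy permits it, so
#    policy 11 adds nothing as a control, but "log" gives you a record of
#    every wireless host that tries to reach the LAN.
set policy id 10 from "Wireless" to "Untrust" "wifi-lan" "Any" "ANY" nat src permit
set policy id 11 from "Wireless" to "Trust" "Any" "Any" "ANY" deny log

# 5. The WebUI saves automatically (as noted above); from the CLI you must
#    write the config to flash yourself.
save
```

"nat src" on policy 10 is the per-policy NAT the text refers to: wireless clients are translated to the Untrust interface address on the way out. To confirm the result, "get zone" should list Wireless with ethernet0/4 bound, and "get policy from Wireless to Untrust" should show policy 10 above any catch-all; policy order is first match, so a later "Any to Any" permit would not widen what the wireless zone can reach.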
UPDATE: Power Adapter
Just thought I'd add a quick section on the power adapter.
The Cisco ASA 5505's power adapter is quite large and seems to make a bit of noise (more than the device itself).

Conclusion
Both devices are fantastic, yet each has its own strengths and weaknesses. For example, the SSG doesn't support SSL VPNs, while the ASA doesn't support built-in Anti-Virus or Anti-Spam.
I feel that the ASA 5505 is a little let down by its software and licensing limits. The reporting options in the ASA are much better than the SSG's, but this doesn't make up for its other shortcomings. SSL VPN is nice but again far too limited with only 2 connections. The ASA 5505 hardware is clearly better than the SSG 5's: PoE ports, USB 2.0, higher throughput.
On paper the SSG 5 isn't as good as the ASA 5505, yet the device is much less limited. I personally don't feel that the performance of the SSG 5 is an issue. These two devices are designed for small businesses and teleworkers; they're never going to see 150 Mbit/s of traffic.
The SSG 5 comes with many more hardware options; you can even get a version with 802.11a/b/g wireless.
To me the SSG 5 makes a better router than the ASA 5505, while the ASA 5505 makes more sense for a business with teleworkers that require SSL VPN.
The SSG 5 can handle more VPN tunnels (up to 40 with an extended license) and has some technology that makes it better for site-to-site VPNs, such as running BGP over an IPsec tunnel.
If you're currently running a Cisco network, stick to the ASA. Likewise, if you're running a Juniper network, use the SSG.
For new users you need to decide on what is important to you. Do you plan on using SSL VPN? Then get the ASA 5505. If you're just using IPsec or require more complex networks/routing, get the SSG 5.
Value for money? The SSG 5 is better, as there are far fewer software limits.
Hi Chris,
Thanks for commenting.
Let me know how you find the SSG 5.
A little clarification on the ASA:
With the Security Plus license, the number of VLANs goes to 20 (and VLAN trunking is enabled) and the number of VPNs goes to 25. Even better, the VLANs can talk to each other, so the DMZ functions as expected. Other parameters also increase.
Also, you can purchase more simultaneous licenses for the SSL VPN, but it gets expensive fast.
Personally, I always recommend the Security Plus license if I'm recommending an ASA so I don't run into any licensing gotchas that are different from the bigger ASAs.
Anyway, thanks for the comparison!
Thanks for the comment Clay.
Yes you're right. The SSG 5 also has an extended license that increases the VPN limit to 40, ups the sessions to 16,000, has 20 VLANs and allows for full active/active failover (which the ASA 5505 won't do).
Right, the ASA5505 will only do Active/Standby Failover. I've wondered about this though: how many offices are small enough to buy one of these low-end devices and still want to spend that much on *hardware* failover? I've yet to configure this on an ASA5505. The only clients I configure this for have 5510s or bigger.
I suspect this feature is far more of a "well, the competition has it, so we have to have it, too!" feature.
Thanks for the great review. I love the PoE ports in the ASA5505 and the larger power supply is needed for PoE requirements. Zero issues with the power supply and connectors...have been using the ASA for over a year. I personally feel ASDM is very clean and intuitive although I have not played much with WebUI. When you get a chance, run the packet tracer tool and the packet capture wizard. Really cool utilities that take care of the "what if" and other troubleshooting issues. I hear Juniper is getting rid of ScreenOS. Hopefully, the new JunOS that replaces ScreenOS is mature enough to provide as good service as ScreenOS.
We recently got 5 SSG-5 units for use at our remote offices off campus.
Do you know of a good source for documentation for the SSG-5s? I find the documentation that Juniper sent with the units to be a little light on the details and examples of how to set these units up. I have a case open with them but I would really like to not have to rely on opening a new case anytime I need to configure something. Any help would be appreciated. Thanks.
This would be the best place.
You can find SSG-5 books in book store or in google books.
http://www.google.com/books?id=oRLniDWYwrMC&printsec=frontcover&sig=EeT0X8fUAnEs28Yx8jCxZr2Q7jA
By the way, I've been using the SSG-5 for the last 6 months, and I got to know that Juniper customer support is very nice.. But my SSG-5 has gone down more than 5 times already, and took an RMA once!!!
Hi,
Is there a simple way to enable Large ICMP on the SSG5's?
I have one at each end of a VPN to a satellite office, but things such as Group Policy is disrupted by the ICMP issue.
Thanks
I have just replaced 100 SSG5s with ASA 5505s. The SSGs' performance numbers are drastically over-exaggerated, and the more features that are enabled the more the box starts to crawl. It does not handle AES 256 and maintain decent throughput, extremely frustrating! Also the Juniper help desk was poor and let my cases just drop off the map. SSGs will be end-of-lifed shortly as they will not support JUNOS, which is the stated direction and is where all of the feature development is going. This is a dead-end box.
Hi Mark,
Thank you for your post; I do hope it is legitimate, seeing that it has come from a Cisco IP address.
Personally I haven't had any issues with performance, and it will be many years before Juniper stops supporting the SSG range.
I'm sorry your experience with Juniper wasn't good.
There will be active development of ScreenOS all the way until 2015.. and support for ScreenOS up until 2020. The SSG5's will not be discontinued anytime soon, it is only the larger versions of the SSG family that are going to be running Junos (and this is an option and not mandatory... for example an SSG 320-M - the M stands for Multi-OS, you can pick either Junos or ScreenOS whichever you prefer). Those little boxes are pound for pound some of the best firewalls on the market.
I'm curious to know something...the ASA 5505 doesn't state any limitations on how many access-lists (security policies for the Juniper folks) it can have. The SSG 5 is limited to 200 security policies (access-lists). For those of us that have a bigger home network this is an important item one should note.
I saw the nortel 222 router for even 1/2 the price of the SSG 5... is it possible to have someone comment on this...
We are tight on budget, and it seems to work well, we purchased 7 to trial (no wireless option though)
I just did a bit of searching. The nortel 222 router is a much cheaper and less featured router.
It doesn't support BGP/OSPF, Anti-Virus or Failover by the looks of it. It is also much slower: 20 Mbit VPN throughput vs 40 Mbit on the SSG and even more on the ASA.
Saying this it is probably suitable for most smaller networks.
Great comparison and thread - quick question:
Can the asa5505 be centrally managed, can I push policies or configurations remotely?
Sorry I'm not sure about the ASA, I know you can do it with the SSG using an extra piece of (expensive) software.
With the ASA you can push configs using something like Winagents HyperConf or Solarwinds Cirrus, just like many other devices that support terminal sessions. I'm not sure if there is a Cisco utility for doing this or not.
Either way, I love these ASA 5505s. They are unbeatable in performance and flexibility. The ASDM (monitoring and configuration GUI) is amazing and has every kind of info you can possibly desire. I've deployed about 20 of these for large and small customers, used them as edge firewalls, internal site-to-site VPN endpoints, and in other configurations and they are outstanding.
Working for Cisco I should be rooting for the ASA, but the truth is I think that the Juniper line of firewalls is soon going to pass Cisco by. I started with the Netscreen line before Juniper bought it and have used all the Netscreens up to the Juniper 5000 series (very much enjoyed the 5GT for home use), and have extensive experience with Cisco and Check Point. Being a bit of a command line junkie I have to say I find the Juniper command line structure well thought out and easier to use than the PIX. Plus I like that a few very powerful options are not available in the Juniper GUI for someone to play with in the event some junior and (sometimes) senior SecAdmin forgets to log out a session. The hardware issue is a moot point once you get past the SOHO appliances and I feel is not a big deal in this instance. There is a good reason Juniper overtook Nortel for the number 2 spot, and if Cisco doesn't watch out maybe the number 1 spot, at least in firewall appliances.
I can't wait to get a ssg 5 for my home.
What a great review, thanks!
Does the SSG 5 allow for dynamic site-to-site VPN Tunnels using a DDNS host name rather than the IP Address? This is one drawback as far as I am concerned with the ASA. I mean YES in a perfect world each of your sites should have a static IP but it is not always offered depending on the location/carrier. I was just wondering... Great review BTW... I have been looking for something like this...
You can have standard site-to-site VPN using a DDNS host name. But I'm not sure if you can have a dynamic site-to-site VPN.
You can definitely have dynamic VPNs with the ASA5505 with any Cisco device. Integration with Juniper is the problem; why would you need a Peer-ID? You have the IP address already.
If you are not sure about which one to go for, and need some more independent advice, Gartner's report on Enterprise Firewalls will certainly surprise a few people. I would include a link, but I'm not allowed to, so google Gartner and firewalls.
I've worked with Cisco products for many years, and I've done quite a bit of engineering on PIXes and ASAs from small to huge organizations. I've found plenty of flaws and bugs in the OS for PIXes and ASAs and I'm looking to move away from them. ASDM is a joke when it comes to a web GUI, although I have to say I'm a command line junkie myself. I have minimal experience with Juniper's Netscreen product, but after helping out a few customers with them and reading the documentation I was really impressed. From a network engineer's standpoint I need something that'll do auto failover for both WAN services and VPN tunnels, along with antivirus and spam filtering. I've found some great features when it comes to detecting WAN failure and failover that the Netscreen product had way before Cisco did on their PIXes/ASAs... although they had it on their 800 series routers. My biggest gripe with Cisco's line of security products is the lack of features that their routers have had for years (GRE tunnels that work correctly, WAN failover) and that they don't support antivirus/spam at lower end models when everyone else seems to be doing it at a reasonable price.
This is a very informative write-up, thanks for sharing! Most of my firewall experience has been with Cisco's PIX / ASA boxes. We are currently looking to buy a pair of firewalls mainly for LAN-to-LAN tunneling, but also for remote VPN capabilities so we were leaning towards the ASA 5505's just because I knew about them. A network engineer acquaintance recommended we check out the SSG 5. I believe in buying the best product for the job, rather than always sticking with a particular brand just because it might be marketed better. Your review reinforces that idea so we're going to try and demo the SSG 5 soon.