1st off, all of the vendors ( JNPR / CSCO / FTNT ) produces great firewalls products. They all have numerous strengths and weakness. I 've always tried to be fair and unbiasis in my reviews.
If you think you will run a 100% ipv6-only network & with no dependencies with ipv4, I hate to bust your bubble. Some features and services have NOT been ipv6 enabled or offered in most of these vendors firewalls.
Take the fortinet fortigate series runing 5.2.x, they have a cool DNS server function. It allows you to build AAAA records ( but limited in ResourceRecord types...... ) and query via ipv6 protocol.
e.g ( a query using host record for a DNS server on a fortigate )
SOC01>
SOC01>host -6 -t aaaa ip6net.hyperfeed.net 2001:db8:99:101::1 -v
Using domain server:
Name: 2001:db8:99:101::1
Address: 2001:db8:99:101::1#53
Aliases:
ip6net.hyperfeed.net has IPv6 address 64:ff9b::b8a8:dd68
SOC01>
But you can't enable a ipv6 dns forwarder. All forwarding has to be executed by ipv4 forwarders
Same goes for snmpv3 support and ipv6 in all three vendors solutions. You just can't do it with ipv6.
Here's the table of the features we test and validated. The findings are quite interesting;
Conclusion:
The cisco ASA, a well known firewall, but barely has ipv6 support imho & when compared to the other 2. Cisco has executed the bare minimum just to claim ipv6 support imho. It's sad they are way behind the other 2 vendors that I have evaluated, but more ipv6 support is being added as time goes by.
- the lack of DHCPv6 server feature is a big show stopper for me
- the same holds true of the DHCPv6 client features and ipv6-PD
- lack of any IPv6 bgp router process
We can only hope for more improvements in the cisco ASA camp and with time, this will happen, but for the time-being cisco is lacking and slow for any new features.
http://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html
The Fortigates, a not so well known vendor & depending on the area or vertical you work in, yet it has overall a very good ipv6 support and has offered ipv6 support for over a decade or maybe more iirc.
It's a good buy and the best bang for the buck imho. Mainly due to the lack of any licensed features models, accept for forticlient and vdoms. The integral AP controller is a added bonus & with a wide range of APs offered.
But be advise, FTNT has struggled for awhile with building a reliable FortiOS, so you might walk away very upset in the reliability area & in the latest 5.0 or 5.2 FortiOS versions. You should keep your eyes open on this company.
http://www.fortinet.com/products/fortigate/
The JuniperSRXs are a very good deal. Very strong & rich in features from routing to tunneling, but it lacking or not as good with UTM features in the smaller units. It can be a pricey solution with it's licensing model and in the same camp of a cisco ASA. But in the SRX area it's a strong ipv6 solution firewalls. If you need 10/100gig firewalls and with ipv6 solutions, the SRXs are a good choice if not the best.
If I was working only in a SP/ISP sector, I would look at the top end SRX firewalls for these areas. A SRX is hard to hate and works very well imho.
http://www.juniper.net/us/en/products-services/security/srx-series/
Note, we did not test or evaluate any CheckPoint, PaloAlto, Cyberoam or Dell-Sonicwalls products. Also UTM features where never enable in any of the three firewalls that I looked at. All firewalls where ran in multi-routed modes and with max virutal-routers/context/vdoms based on that hardware.
So when deciding on your nextgenfw model & in a ipv6 network, you need to look at the whole complete pictures. Where one area shines, you might find darkness in another area.
The features of IPv6-PD and PPPoEv6 supports seems to be a big issues in the end-user/home device segment, where dynamic routing support is the #1 issues in a enterprise and SP arena.
All three vendors offers various degree of ipv6 support & cost. You need to lay all out & on the table and determine your needs based on your budget.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
No comments:
Post a Comment