I get asked which is the better firewall between these two vendors at least once a month now.
It's a hard question to answer, but I would like to point out some of the differences you should be aware of. This comparison list is not 100% complete; it is just a few of the highlights I've found or run across when designing and deploying security gateways for enterprise and service-provider networks.
First, neither vendor is a slam dunk in all categories, but many differences exist between these two platforms. Either platform could very well become a multi-box solution if you need advanced security services and want to take advantage of UTM features.
======================================================================
The SRX is used in every sector from SME to enterprise, but it is not as well received as the Cisco ASA and the former PIX. You will probably find more Cisco ASA products out on the streets, and that's because Cisco is better at peddling the ASA than Juniper is at selling the SRX. But keep in mind that more appliances (volume) doesn't always mean better. I'm sure there are more Hyundai/KIA cars on the streets of NYC than Mercedes-Benz, but that doesn't make the KIA a better car than the Mercedes.
^
PRO cisco ASA: more widely used than the SRX in the NA/EU markets, more support, and more security engineers aligned with Cisco
The J-Web GUI is integral; you do not need a separate "ASDM" software package like you do with a Cisco ASA. J-Web runs okay, but it's not as speedy as Cisco ASDM, and this is more evident on the smaller branch-series models (think a tortoise vs. a rabbit). I try to avoid J-Web at all costs; 78-92% of the time I'm in the CLI. The same holds true on the Cisco ASA, but I don't have any real complaints with ASDM except that it's awkward for me to use.
^
PRO cisco ASDM
Junos works, but some of the basic features sometimes just don't work, and when they don't work, it's a very bad outcome. The ASA has been slightly better with its code, and it has been more stable within the codeset in my experience. JTAC will identify the problems and resolve the issues, but you could struggle to get to the resolution.
^
PRO cisco ASA for stability in the OS releases
On routing features, the ASA is a few years behind the SRX (period). No need to go further in this area. Juniper has carried a lot of the routing features from the M series over to the SRX. The Cisco folks are still playing catch-up.
^
PRO juniper SRX for routing and advanced L3 unicast/multicast support
Configuration archival and rollback: hands down, the SRX has better diff controls on configuration and restoration. I really wish Cisco would make improvements in this area. Change control, configuration commits, restores and recovery are not very well planned in a Cisco.
^
PRO juniper SRX cfg management and control points locally within CLI
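As an added example (not from the original post), here is the SRX change-control workflow the paragraph above refers to: diff before commit, a self-reverting commit, and rollback to an archived revision. The session is constructed; policy, application and commit comment values are assumptions.

```text
user@srx> configure
user@srx# set security policies from-zone trust to-zone untrust policy allow-web match application junos-https

# Review exactly what will change before anything is applied.
user@srx# show | compare
[edit security policies from-zone trust to-zone untrust policy allow-web match]
-     application junos-http;
+     application [ junos-http junos-https ];

# Syntax/semantic check without applying.
user@srx# commit check
configuration check succeeds

# Safety net for remote changes: if you lose management access and do not
# confirm within 5 minutes, the SRX automatically reverts to the previous config.
user@srx# commit confirmed 5 comment "CHG-0000: allow https out"
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

# Access still works, so make the change permanent.
user@srx# commit comment "CHG-0000: confirmed"
commit complete

# Every commit is archived as a numbered rollback point (0 = running).
user@srx# run show system commit
0   2015-01-01 10:05:00 UTC by user via cli
    CHG-0000: confirmed
1   2015-01-01 10:00:00 UTC by user via cli commit confirmed, rollback in 5mins
    CHG-0000: allow https out
2   2014-12-30 16:20:00 UTC by user via cli
    baseline before change window

# Diff the candidate against any archived revision, then revert if needed.
user@srx# show | compare rollback 2
user@srx# rollback 2
load complete
user@srx# commit comment "CHG-0000: backed out"
commit complete
```

The "show system commit" output is abbreviated and constructed for the example; the command forms are standard Junos.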
IPv6 support is more mature, better and much stronger in an SRX.
^
PRO juniper SRX IPv6
For WAN interface models or add-on WAN interfaces, hands down the SRX leads the pack. You're not going to get an E1/T1, ISDN, 3G cellular or ADSL interface in a Cisco ASA, but you can easily do this with a Cisco ISR and its security IOS codeset.
In fact, Cisco offloads these missing features to a Cisco router as a quick sell and pitch to the end user, but they forget to tell you that the router is not going to be as quick or have as high a throughput as the firewall.
^
PRO juniper SRX WAN availability
For service (daemon) restarts, the SRX is hands down better. In an ASA you have little to no means to restart a service for the most part. If it stops, you need to reboot the appliance to get it rolling again.
^
PRO juniper SRX services management (start and kill)
Allowing HTTPS/SSH management access is much easier to deploy in a Cisco ASA. The SRX, by contrast, makes enabling simple services complicated, from DHCP to IPv6 neighbor discovery, because of the various service filters. When locally sourced features and functions don't work, 9 times out of 10 it's due to the service filter.
^
PRO cisco ASA for management access configuration
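As an added example (not from the original post), the same management-access task on both boxes; the addresses, interface and zone names are assumptions. On the SRX, turning a daemon on under "system services" is only half the job: the zone (or an interface inside it) must also list the service under "host-inbound-traffic", which is the service filter the paragraph above says bites 9 times out of 10.

```text
! Cisco ASA: enable the service and say which network may reach it, per interface.
! (assumption: a management host on 10.10.0.0/24 behind the "inside" interface)
ssh 10.10.0.0 255.255.255.0 inside
http server enable
http 10.10.0.0 255.255.255.0 inside

# Juniper SRX, step 1: enable the services globally.
set system services ssh root-login deny
set system services web-management https system-generated-certificate

# Step 2: the zone must accept traffic addressed to the box itself. Without
# these lines step 1 is silently ineffective on ge-0/0/1.0: SSH times out,
# DHCP clients get no lease, IPv6 hosts never resolve the gateway's address.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services dhcp   # on top of the DHCP server/relay config itself
set security zones security-zone trust host-inbound-traffic protocols ndp          # IPv6 neighbor discovery

# Step 3 (least privilege): the untrust zone gets no management services at all,
# only what site-to-site IKE needs. Never use "system-services all" on untrust.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# Check: when something "sourced locally" fails, confirm the zone lists it.
run show configuration security zones security-zone trust host-inbound-traffic
```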
The SRX has higher port density than an ASA; in fact you get more ports, and more 10GbE ports, than on the top-end Cisco ASA. I believe the SRX was the first to offer 40GbE and 100GbE interfaces, IIRC. This is not even on the grid or radar for the Cisco ASA. Both 40 and 100GbE interfaces are foreign words for the Cisco ASA lineup ;)
^
PRO juniper SRX for higher throughput and faster interfaces
The SRX gives you access to a limited shell. Here you can do captures, execute scripts, and do the things you would do with a simple Unix sysadmin approach. For the Cisco ASA... this is not going to happen.
^
PRO juniper SRX for the shell access
Software code upgrades or downloads: the ASA is a breeze in this area. The Juniper requires more thought and preparation when doing system upgrades.
^
PRO cisco ASA for code deployment (simple, sweet, and to the spot)
For the SRX, SNAT is much easier to manipulate. Cisco requires a PhD to NAT just about anything beyond a one-to-many ;)
^
PRO juniper SRX NAT'ing
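As an added example (not from the original post), an SRX source NAT rule-set that goes beyond plain one-to-many: a server block egresses from a dedicated pool while everyone else hides behind the outside interface address. Zone names, addresses and the interface are assumptions.

```text
# Pool of public addresses used for the server subnet (assumed RFC 5737 range).
set security nat source pool SNAT-SERVERS address 203.0.113.10/32 to 203.0.113.20/32

# Rule-set is keyed on from-zone/to-zone; rules inside it are evaluated top
# down, first match wins, so the specific /24 must sit above the broad /8.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule SERVERS match source-address 10.0.20.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SERVERS then source-nat pool SNAT-SERVERS
set security nat source rule-set TRUST-TO-UNTRUST rule USERS match source-address 10.0.0.0/8
set security nat source rule-set TRUST-TO-UNTRUST rule USERS then source-nat interface

# Reordering later needs no rewrite of the rules:
#   insert security nat source rule-set TRUST-TO-UNTRUST rule SERVERS before rule USERS

# Pitfall: pool addresses are not owned by any interface, so the SRX will not
# answer ARP for them unless told to. Return traffic dies on the outside LAN.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.20/32

# NAT and policy are separate decisions on the SRX: a security policy that
# permits the flow is still required (policy matches pre-NAT addresses).
set security policies from-zone trust to-zone untrust policy EGRESS match source-address any
set security policies from-zone trust to-zone untrust policy EGRESS match destination-address any
set security policies from-zone trust to-zone untrust policy EGRESS match application any
set security policies from-zone trust to-zone untrust policy EGRESS then permit

# Checks: rule hit counters and the translated address on a live session.
run show security nat source rule all
run show security flow session source-prefix 10.0.20.0/24
```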
Firewall HA clustering is very straightforward in the Cisco ASA, and you need a PhD to figure it out in an SRX ;). Doing an ISSU is simpler and less of an issue in a Cisco ASA. I always recommend opening a JTAC case and getting a second opinion on your maintenance operation plan for any upgrade when you have a clustered pair.
^
PRO cisco failover creation and management
Integration into an L2/L3 switch: well, the Cisco ASA has a firewall blade. But be careful and review what features are NOT available on the blade.
^
PRO cisco integration for existing multislot chassis
The Cisco software virtual firewall has been out ahead of Juniper Firefly, but one key plus here is that the Juniper version has support for KVM, whereas Cisco is all VMware. If you have access to Junos software you can still get a 60-day eval image for testing.
^
PRO juniper SRX firefly
UTM features like anti-spam exist in an SRX but require a license and are not available across all models. I believe the Cisco ASA NGFW still doesn't have an on-appliance AS/AV UTM feature. Most of the UTM features in a Cisco ASA 5558-X will be external or a cloud-based solution, at some extra license cost.
Application visibility is a big weak spot in the Cisco ASA, whereas Juniper AppSecure is available but not as refined as, let's say, Palo Alto or Fortinet; it works, but can be buggy in earlier Junos code. Also, Juniper AppSecure is for the higher-end SRX models and is not available across all platforms. Cisco has recently bought and now includes FirePOWER, but little information and usage can be found about its accuracy in application visibility.
^
PRO juniper SRX for application awareness, but it is still not a single-box solution, and neither is the cisco ASA
Layer 3 and 4 attack mitigation is slightly better with Juniper "Screens" in the SRX. At least the concept and controls are better.
The Cisco ASA will probably need a few ACLs and service policies or other methods. Everything in an SRX is a "security screen" single-line configuration item.
^
PRO juniper SRX for simple L3/4 flooding and L3/4 based attacks
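As an added example (not from the original post), an SRX screen profile for an Internet-facing zone beside the ASA pieces needed for the two most common cases it covers (SYN flood and source spoofing). Names, thresholds and addresses are assumptions to be tuned against real traffic.

```text
# Juniper SRX: one ids-option profile, one line per check, bound to the zone.
set security screen ids-option UNTRUST-SCREEN ip spoofing                 # drop if source fails route lookback
set security screen ids-option UNTRUST-SCREEN ip source-route-option
set security screen ids-option UNTRUST-SCREEN icmp ping-death
set security screen ids-option UNTRUST-SCREEN icmp flood threshold 1000   # pps
set security screen ids-option UNTRUST-SCREEN udp flood threshold 1000    # pps
set security screen ids-option UNTRUST-SCREEN tcp land
set security screen ids-option UNTRUST-SCREEN tcp syn-fin
set security screen ids-option UNTRUST-SCREEN tcp port-scan threshold 5000  # microseconds between probes
set security screen ids-option UNTRUST-SCREEN tcp syn-flood attack-threshold 200
set security screen ids-option UNTRUST-SCREEN tcp syn-flood source-threshold 1024
set security screen ids-option UNTRUST-SCREEN tcp syn-flood destination-threshold 2048
set security screen ids-option UNTRUST-SCREEN tcp syn-flood timeout 20
# While baselining, log hits without dropping so legitimate bursts are not cut off;
# delete this line once the thresholds are trusted.
set security screen ids-option UNTRUST-SCREEN alarm-without-drop
set security zones security-zone untrust screen UNTRUST-SCREEN

# Check: per-zone counters show which screen is firing and how often.
run show security screen statistics zone untrust

! Cisco ASA: the same two protections need an ACL, a class-map, a policy-map
! entry and a separate interface command (assumed server 203.0.113.50).
ip verify reverse-path interface outside
access-list OUTSIDE-TO-SERVERS extended permit tcp any host 203.0.113.50
class-map SYN-PROTECT
 match access-list OUTSIDE-TO-SERVERS
policy-map global_policy
 class SYN-PROTECT
  set connection embryonic-conn-max 200 per-client-embryonic-max 50
```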
GRE tunneling support is available in an SRX and is not even an option in an ASA.
^
PRO juniper SRX for ad-hoc GRE tunnels or other tunneling-support
Multiple virtual router instances are probably better designed within the SRX than the ASA's multi-context. You don't need to reboot the firewall when deploying VR instances, as you do when converting from single context to multi-context or back in an ASA.
^
PRO for juniper on multiple instances support, design and exchange of information between instances
Cisco TAC and Juniper JTAC have both declined in the past 5 years or so. Cisco still has a better RMA process for replacement and delivery. Juniper has gotten better with KB knowledge. It's still hit and miss depending on each person's feedback and experience working with these two outfits, but Cisco has a slight edge.
^
PRO cisco
For SSL VPN, we have the availability in the Cisco ASA of IPv4/v6 SSL VPNs, but the SRX still has no means for SSL-based VPNs. For Juniper, you will need a Secure Access appliance or a MAG, which is yet another box.
^
PRO for cisco ASA on WebVPN availability integral to the appliance
Speaking of SSL VPN, the Juniper SA/MAG is a cheaper solution for SSL VPN users. Compare, for example, the average cost of an SA2500 versus the basic 100-user Cisco ASA WebVPN license: the Juniper SA/MAG appliance comes out cheaper per SSL VPN user.
^
PRO juniper per sslvpn seat cost
======================================================================
Okay, that's a wrap on my SRX vs. ASA comparison. Keep in mind, they both offer great firewalls in the security realm and the sectors they serve. To be fair, don't try to think of "which one is better", but look at what your need is and then decide after doing a one-to-one comparison and cost analysis.
With these appliances, you have to understand that the Juniper SRX is a zone-based firewall, whereas the Cisco ASA is an ACL-based filter firewall. They do the same thing, but the concepts are very different. There are pros and cons within these two strategies, but that's another thread, and it only becomes a factor when you have dozens of interfaces or more.
Lastly, I hate the Cisco/Juniper shops that only expect one vendor to be present for switching/routing/firewall/other services. Some of the best networks that I ever worked on and consulted for were a mix of everything from A to Z.
Ken Felix
Freelance Network/Security Engineer Mail Security Specialist
kfelix -----a----t---- socpuppets ---dot---com
Actually, I was looking for a good comparison between the Juniper SRX and Cisco's new ASA, as Cisco claims that it does application filtering. Thanks for sharing this nice post.
NP
There are good things to be found in both platforms. The Cisco approach to application filtering & awareness "is not a leading feature imho".
Stay tuned for more.
Which of the different models of Cisco ASA would you recommend buying? I was reading some reviews at http://ciscoasa.com but am still not sure.
Lizz,
It depends on your business needs and requirements. Review the Cisco datasheets and contract with a consultant or reseller. Your question is too broad to give a reasonable reply.
What would you recommend to use for route-based IPsec tunnels and enabling the full UTM feature set for 500 internal users: Cisco 5516x with FirePOWER services, the SRX300 series, or something else?
Okay, where to start;
How many users is good, but what throughput are you expecting from BW?
With regards to users, are you expecting SSL or IPsec connectivity? The former will rule out the SRX300, and with the Cisco ASA that could be a license issue if you need SSL VPN aka WebVPN access.
Next, the two models are great (I have an SRX300 btw), so do you need only copper interfaces? The SRX will support SFP interfaces if so desired.
And lastly, are you looking for HA? Both should be fine in that area.
Finally, route-based is a "must" or preferred for VPNs in an SRX platform. I would not do a policy-based VPN by any means. Route-based with "routed tunnel interfaces" is so much better from a diagnostic and collection standpoint.
I hope that helps
Ken