Juniper/NetScreen deal bears fruit

By Joel Snyder
Network World, February 6, 2006


Network World has exclusively tested Juniper's SSG 520, a security and routing platform available this week that is the first new fruit from the company's purchase of NetScreen 21 months ago.

Our test results show the device has impressive speed - it supports T-3s and Gigabit Ethernet WAN ports - at a relatively low price, a package that could more than adequately meet the firewall, security and routing needs of the branch offices for which it is designed.

The SSG 520 and its bigger brother, the SSG 550, represent the first serious threat to Cisco's 2000/3000 routers - the most successful family of products Cisco has ever launched.

We tested the SSG 520 in our lab, replacing both a Cisco 3745 WAN router and an existing Juniper (NetScreen-208) firewall on one of our DS-3 connections to the Internet. The SSG 520 has everything we've come to expect from Juniper's firewall family, including enterprise-class firewall capabilities, centralized management and deep-packet inspection. Although our tests show that even the low-end SSG 520 can handle a DS-3 with ease, the dynamic routing features of the SSG 520 are still focused on branch offices.

Juniper's goal for the SSG line is to replace both WAN routers and firewalls at regional and branch offices (see an analysis of the SSG positioning). The SSG 520 can do that with power to spare. With four Gigabit Ethernet ports built into the base chassis, and LAN-to-LAN throughput of nearly 2Gbps, the SSG 520 can replace a network's edge router, edge firewall and internal firewall, simplifying topologies, increasing uptime and easing the burden of remote management. Although the hardware looks and performs like a data-center firewall, Juniper's price of $6,500 definitely targets this box at the midrange, updating the aging NetScreen-204 and -208 product lines.

All of the capabilities common to ScreenOS firewalls are included, such as Web-based and centralized policy control, packet filtering and an intrusion-prevention system (IPS), as well as very flexible site-to-site VPN services. What is missing are new features added with versions 5.2 and 5.3, specifically virus scanning. Juniper says it will be adding virus scanning - along with anti-spyware, key-logger and adware protection - into the SSG later this year with the release of Version 5.4 of ScreenOS.

What is different about the SSG is the hardware with its WAN interfaces. In this release, Juniper is making available six cards, including four-port 10/100Mbps Ethernet cards, copper and fiber one-port Gigabit Ethernet cards, two-port serial and T-1/E-1 cards and a DS-3 card. All of the cards are reasonably priced, in the $500 to $1,500 range, except for the DS-3 card, at a stratospheric $8,500.

The SSG series inherits many of the WAN capabilities of Juniper's J-series routers, but the dynamic routing code in the SSG models is classic NetScreen code. This means that the SSG 520 is not ready for deployments in which it would see the whole Internet routing table, because the maximum Border Gateway Protocol (BGP) table size it supports is 30,000. The Internet table is 180,000 routes this week.

Although our testing of both BGP and Open Shortest Path First dynamic routing showed that the SSG 520's routing is definitely solid, it lacks manageability and configurability. In previous tests, we did not really explore ScreenOS's dynamic-routing capabilities. Because of the Juniper connection and the new WAN interfaces, we tested these features carefully and held Juniper's firewalls to a higher standard.

Dynamic-routing configuration can be handled through the traditional NetScreen Web-based GUI or NetScreen Security Manager, which were both tested. The routing configuration in both interfaces doesn't measure up to the ease-of-use level of the rest of the firewall.

Even worse, the routing is essentially unmanageable through the GUI, as you can't filter displays to show just the information you need. In this case, we turned to the command-line interface (CLI) for management and found a more powerful tool set. However, CLI configuration of routing has its own faults because the ScreenOS configuration CLI is unsophisticated and difficult to use. Network managers with complex dynamic-routing or asymmetric traffic won't find the WAN aspects of the SSG as powerful or manageable as their existing Juniper and Cisco routers.

We tested the performance of the SSG 520 using Spirent Communications' Avalanche and Reflector to apply a heavy load of HTTP traffic. Our performance numbers exceed Juniper's official specifications, giving LAN-to-LAN streaming speeds of 1.9Gbps, firewall with IPS (Juniper calls this deep inspection) speeds of 680Mbps, and a connection rate of 13,520 sessions/sec.

Performance-testing the SSG 520 was difficult, because it has a software-enforced limit of 64,000 open connections - adequate for any branch network, but low enough that when we stressed the connection rate, we ran out of connections in a few seconds. The SSG 520 is heavily overpowered for most branch or regional networks and offers ample room for growth, both in LAN-to-WAN or LAN-to-Internet connectivity and in internal LAN-to-LAN traffic.

When we discussed these numbers with Juniper engineers, they pointed out that they were reserving headroom in their specifications for future features of ScreenOS. Because a built-in IPS and other application-layer controls, such as anti-virus and anti-spyware, will stress firewalls significantly, the SSG 520 is an excellent investment for environments expecting to increase their perimeter threat-mitigation capabilities.

With a hole in Juniper's line between the 5GT firewall and the SSG 520, we can expect a slower, lower-priced SSG firewall, perhaps a 1U chassis with fewer interface-card slots.

At this price and performance level, the SSG 520 is a welcome addition to the Juniper firewall line. Although the SSG 520 and SSG 550 won't replace all external routers, the speed bump and addition of WAN interfaces give network managers additional options for high bandwidth and high security.