[c-nsp] Cisco FWSM vs Juniper NetScreen 5400

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 9 05:07:48 EDT 2007


On Thu, 2007-08-09 at 18:43 +1000, Dale Shaw wrote:
> Hi all,
> 
> I'm about to embark on a not-really-proper evaluation of the FWSM and
> the NetScreen 5x00 firewalls. I say "not-really-proper" because it's
> not really practical to tee up and run a full blown eval. I'm working
> from data sheets and anecdotes.
> 
> I'm an old PIX guy from way back. I guess I've accepted the platform's
> idiosyncrasies and I'm quite comfortable working with them. In the
> past few years, I've had less hands-on with ASAs and zero with FWSM,
> but I'm sure it would only take a little while to familiarise myself
> with the changes. I have never touched a NetScreen.
> 
> So what I'm asking for is for people with strong views for and against
> both products to spill their guts. I want to know what the data sheets
> don't tell me. I need a high throughput firewall solution for campus
> segmentation.

The 5400s (and the netscreen product line in general) are excellent
products, and though I'm not a PIX expert, what little I've seen of them
means I would rather drink boiling oil than swap my netscreens for
PIXen.

> 
> It'll be pretty standard packet filtering - no intrusion prevention,
> VPN or any other common "value add" type features. I need to be able
> to feed traffic to the firewall at up to 10Gbps (Ethernet) and not

Yep, they'll do that level without any trouble.

> have it vomit. It should support multicast but it's not essential. It

Yep, PIM-SM supported, works fine. I have had some problems doing PIM
between virtual routers, but that's a pretty specialised use-case.

> needs to be stable and have multi-chassis failover support.

This works, though NSRP can be a bit complex. You need to put interfaces
into VSDs (virtual security devices) and a VSD can only be active on one
device. Both the input and output interfaces For many topologies this
means running the firewalls in active-standby mode.

There are other solutions to this problem, using routing tricks to
ensure symmetry and pushing the traffic through both firewalls, then
disabling the "1st packet seen must have SYN bit" check to allow a TCP
session already in progress. We used that successfully for quite some
time, until the routing tricks became a maintenance overhead.

> 
> Alas, the routing protocol is EIGRP. This shouldn't pose too much of a
> problem though as I only need to segment about 20 VLANs.

The netscreens do not (of course) support EIGRP. Their OSPF and BGP
support is pretty good though, including reasonably good filtering and
route-map support.
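A toy model of the SYN-check trade-off Phil describes, added here as illustration and not taken from the thread or from any ScreenOS code: with asymmetric routing, each firewall sees only one direction of a flow, so the one that never sees the SYN drops the session while the check is on; turning the check off lets the in-progress session through, but also lets a bare ACK from an unknown host open a session. Addresses, ports and packets are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S", "SA", "A", "FA", "R"


@dataclass
class StatefulFirewall:
    syn_check: bool = True            # "first packet seen must have SYN bit"
    sessions: set = field(default_factory=set)

    def _key(self, p):
        # Direction-independent 5-tuple so both halves of a flow hit one entry
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def forward(self, p):
        key = self._key(p)
        if key in self.sessions:
            if "F" in p.flags or "R" in p.flags:
                self.sessions.discard(key)  # best-effort teardown
            return True
        if "S" in p.flags and "A" not in p.flags:
            self.sessions.add(key)          # proper handshake start
            return True
        if not self.syn_check:
            self.sessions.add(key)          # pick up a session already in progress
            return True
        return False                        # non-SYN first packet: dropped


def simulate_asymmetric(syn_check):
    """Client->server packets cross fw_a, server->client packets cross fw_b (constructed)."""
    fw_a, fw_b = StatefulFirewall(syn_check), StatefulFirewall(syn_check)

    def c2s(flags):
        return Packet("10.0.0.5", 40000, "192.0.2.10", 443, flags)

    def s2c(flags):
        return Packet("192.0.2.10", 443, "10.0.0.5", 40000, flags)

    return [fw_a.forward(c2s("S")),   # SYN, seen by fw_a only
            fw_b.forward(s2c("SA")),  # SYN-ACK is the first packet fw_b sees
            fw_a.forward(c2s("A")),   # handshake ACK, matches fw_a's entry
            fw_b.forward(s2c("A"))]   # server data toward client


def unsolicited_ack_accepted(syn_check):
    """The cost of relaxing the check: a stray ACK with no prior SYN (constructed)."""
    fw = StatefulFirewall(syn_check)
    return fw.forward(Packet("203.0.113.7", 55555, "192.0.2.10", 22, "A"))
```

With the check on, the return path is dropped at fw_b; with it off, the whole flow passes, and so does the unsolicited ACK.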