[j-nsp] Opinion about stateful firewall : SSG or ASM

Affan Basalamah affanzbasalamah at gmail.com
Sat Sep 1 13:57:16 EDT 2007


Hi all,

I want to ask for your opinion regarding my planned equipment upgrade.

As background, our network is connected to 5 BGP peers to the Internet
and IX, mostly on 2 Mbps links, with one link connected to a 45 Mbps
Research Education link.

Currently we have deployed one single PC router for our border router.
It is running FreeBSD and the Quagga routing daemon, and it also functions
as a stateful firewall using PF. We have quite a good machine: an Opteron
machine, 1GB RAM and dual Broadcom gigabit ethernet.

I want to look for Juniper solutions in order to do IP routing,
together with stateful firewall devices. It needs to have a good
management solution (I know J-Web is good) and logical router
capabilities (which allow me to add routers without adding more machines).
For the IP routing, I think the clear choice would be the M7i; when the
budget doesn't permit that, maybe I will go to the J6350.

The problem comes when I want to pick a firewall solution. I have two choices:

- Use a dedicated firewall, such as the SSG550M, coupled with the J6350 for
a complete solution.
- Use the stateful firewall capabilities of the ASM on the M7i for an integrated
routing-firewall solution

I see the first choice has advantages in full-featured firewall
solutions, the web interface is good, but I don't like to manage
dedicated devices for the firewall function. As for the second choice, I know
that the M7i can be installed with J-Web, but I don't know how J-Web can
manage a stateful firewall with the AS PIC/ASM.

I need your advice/suggestions/experience regarding my proposed
solutions on IP routing and firewall devices.

Your help is appreciated.

Regards,

-affan

