[j-nsp] Opinion about stateful firewall : SSG or ASM
Peter E. Fry
pfry-lists at redsword.com
Sun Sep 2 13:16:23 EDT 2007
On 2 Sep 2007 at 0:57, Affan Basalamah wrote:
[...]
> I want to look for Juniper solutions in order to do IP routing,
> together with stateful firewall devices.
[...]
Establishing interface requirements... Sounds like Ethernet only...
It's an interesting problem. Adding to what you've already
mentioned:
- The M-series has a much wider interface selection than the J-
series. I don't know if this would be an issue for you, given that
you're currently using a PC.
- The M7i will generally be performance-bound by the ASM, but
creative configuration (using the ASM only when necessary) can
stretch this considerably. Given your stated environment this
wouldn't seem to be an issue at this time.
- The two different management interfaces of the J (JunOS) plus SSG
(ScreenOS) may be an issue for you.
- The SSG has more firewall features than the M-(or J-)series. If
the features are potentially useful to you, you have a few other
elements to consider:
- Potential savings from using a J4350 router instead of the larger
J6350, as you'll generally be performance-bound by the SSG 550
firewall. The J4350 lacks redundant power options, though. It's
also not a direct replacement for the SSG 550, whereas the J6350 is,
if that would affect any sparing strategy you might have.
- Additional recurring cost of firewall feature licenses -- they can
add up.
Your choices seem to offer, at face value, more performance than
you'll need. Good! You can never have too much performance -- you
can only overrun your budget.
Speaking of budget, if you're coming from an open source, do-it-
yourself situation, be sure to factor in (recurring!) support and
licensing costs.
I don't know about anyone else here, but I always find bench-racing
networks (or nearly anything else) to be an endless source of
entertainment.
Peter E. Fry
More information about the juniper-nsp
mailing list