[j-nsp] Opinion about stateful firewall : SSG or ASM

Affan Basalamah affanzbasalamah at gmail.com
Mon Sep 3 05:17:55 EDT 2007


On 9/3/07, Peter E. Fry <pfry-lists at redsword.com> wrote:
> On 2 Sep 2007 at 0:57, Affan Basalamah wrote:
> [...]
> > I want to look for Juniper solutions in order to do IP routing,
> > together with stateful firewall devices.
> [...]
>
>   Establishing interface requirements... Sounds like Ethernet only...
>   It's an interesting problem.  Adding to what you've already
> mentioned:
>
> - The M-series has a much wider interface selection than the J-
> series.  I don't know if this would be an issue for you, given that
> you're currently using a PC.
>
> - The M7i will generally be performance-bound by the ASM, but
> creative configuration (using the ASM only when necessary) can
> stretch this considerably.  Given your stated environment this
> wouldn't seem to be an issue at this time.
>
> - The two different management interfaces of the J (JunOS) plus SSG
> (ScreenOS) may be an issue for you.
>
> - The SSG has more firewall features than the M-(or J-)series.  If
> the features are potentially useful to you, you have a few other
> elements to consider:
>  - Potential savings from using a J4350 router instead of the larger
> J6350, as you'll generally be performance-bound by the SSG 550
> firewall.  The J4350 lacks redundant power options, though.  It's
> also not a direct replacement for the SSG 550, whereas the J6350 is,
> if that would affect any sparing strategy you might have.
>  - Additional recurring cost of firewall feature licenses -- they can
> add up.
>
>   Your choices seem to offer, at face value, more performance than
> you'll need.  Good!  You can never have too much performance -- you
> can only overrun your budget.
>   Speaking of budget, if you're coming from an open source, do-it-
> yourself situation, be sure to factor in (recurring!) support and
> licensing costs.
>   I don't know about anyone else here, but I always find bench-racing
> networks (or nearly anything else) to be an endless source of
> entertainment.
>
> Peter E. Fry

Hi all,

Thank you for your response,

Based on all of your suggestions, I think the best solution would be
managing separate platforms for routing and firewall: JunOS (whether
it is M-series or J-series) and Netscreen (in bridging mode).

I'm sorry that I forgot to mention another constraint for this
design, to those suggesting the J-series solution. Currently our campus
is connected to REN and there are times that we need to run an IPv6
multicast stream and a DVTS stream. The IPv6 multicast stream usually
runs as a 2 Mbps UDP stream, and the DVTS stream consists of a two-way
30 Mbps UDP stream. Now I wonder whether the J-series can cope with that
challenge. That's why I like the M-series, because of the confidence of
accepting the challenge :) Not to mention if there is a bandwidth
upgrade to STM-1 in one/two years, and I want this solution to last
more than five years.

Thank you for all your help,

Regards,

-affan

