Juniper/NetScreen deal bears fruit

SSG 520 has security, routing features that could give Cisco gear a good run.

Network World's tests Juniper's SSG 520, a security and routing platform available this week that is the first new effort from the company's purchase of NetScreen 21 months ago. Our test results show the device has impressive speed - it supports T-3s and there are plans for Gigabit Ethernet WAN ports - at a relatively low price, a package that could more than adequately meet the firewall, security and routing needs of the branch offices for which it is designed.

Network World has exclusively tested Juniper's SSG 520, a security and routing platform available this week that is the first new fruit from the company's purchase of NetScreen 21 months ago.

Our test results show the device has impressive speed - it supports T-3s and Gigabit Ethernet WAN ports - at a relatively low price, a package that could more than adequately meet the firewall, security and routing needs of the branch offices for which it is designed.


Fast branch-office security

The big C vs. the big J

How we did it

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter


The SSG 520 and its bigger brother, the SSG 550, represent the first serious threat to Cisco's 2000/3000 routers -- the most successful family of products Cisco has ever launched.

We tested the SSG 520 in our lab, replacing both a Cisco 3745 WAN router and an existing Juniper (NetScreen-208) firewall on one of our DS-3 connections to the Internet. The SSG 520 has everything we've come to expect from Juniper's firewall family, including enterprise-class firewall capabilities, centralized management and deep-packet inspection. Although our tests show that even the low-end SSG 520 can handle a DS-3 with ease, the dynamic routing features of the SSG 520 are still focused on branch offices.

SECURE SERVICES GATEWAY 520OVERALL RATING
4.1
Company: Juniper Networks Cost: Basic price with 1GB RAM and four fixed 10/100/1000Mbps interfaces, $6,500. Price as tested, $18,000 (including one DS-3 interface and two extra Gigabit Ethernet interfaces.) Pros: High speed; small form factor; outstanding price/performance; six slots offer good interface flexibility; comfortable ScreenOS interface for firewall and VPN. Cons: Fast enough for the data center, but the routing capabilities don’t fit that environment.
The breakdown  
Firewall features 35%4.5

Hardware performance

and flexibility 25%
4.5
WAN and dynamic routing management 15%3
Scalability and suitability for enterprise deployment15%4
Management integration and manageability10%3.5
TOTAL SCORE 4.1
Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Juniper's goal for the SSG line is to replace both WAN routers and firewalls at regional and branch offices (see an analysis of the SSG positioning). The SSG 520 can do that with power to spare. With four Gigabit Ethernet ports built into the base chassis, and LAN-to-LAN throughput of nearly 2Gbps, the SSG 520 can replace a network's edge router, edge firewall and internal firewall, simplifying topologies, increasing uptime and easing the burden of remote management. Although the hardware looks and performs like a data-center firewall, Juniper's price of $6,500 definitely targets this box at the midrange, updating the aging NetScreen-204 and -208 product lines.

All of the capabilities common to ScreenOS firewalls are included, such as Web-based and centralized policy control, packet filtering and an intrusion-prevention system (IPS), as well as very flexible site-to-site VPN services. What is missing are new features added with versions 5.2 and 5.3, specifically virus scanning. Juniper says it will be adding virus scanning - along with anti-spyware, key-logger and adware protection - into the SSG later this year with the release of Version 5.4 of ScreenOS.

What is different about the SSG is the hardware with its WAN interfaces. In this release, Juniper is making available six cards, including four-port 10/100Mbps Ethernet cards, copper and fiber one-port Gigabit Ethernet cards, two-port serial and T-1/E-1 cards and a DS-3 card. All of the cards are reasonably priced, in the $500 to $1,500 range, except for the DS-3 card, at a stratospheric $8,500.

The SSG series inherits many of the WAN capabilities of Juniper's J-series routers, but the dynamic routing code in the SSG models is classic NetScreen code. This means that the SSG 520 is not ready for deployments in which it would see the whole Internet routing table, because the maximum Border Gateway Protocol (BGP) table size it supports is 30,000. The Internet table is 180,000 routes this week.

Although our testing of both BGP and Open Shortest Path First dynamic routing showed that the SSG 520 routing is definitely solid, it lacks manageability and configurability. In previous tests, we did not really explore the ScreenOS's dynamic-routing capabilities. Because of the Juniper connection and new WAN interfaces, we tested these features carefully and held Juniper's firewalls to a higher standard.

Dynamic-routing configuration can be handled through the traditional NetScreen Web-based GUI or NetScreen Security Manager, which were both tested. The routing configuration in both interfaces doesn't measure up to the ease-of-use level of the rest of the firewall.

Even worse, the routing is essentially unmanageable through the GUI, as you can't filter displays to show just the information you need. In this case, we turned to the command-line interface (CLI) for management and found a more powerful tool set. However, CLI configuration of routing has its own faults because the ScreenOS configuration CLI is unsophisticated and difficult to use. Network managers with complex dynamic-routing or asymmetric traffic won't find the WAN aspects of the SSG as powerful or manageable as their existing Juniper and Cisco routers.

We tested the performance of the SSG 520 using Spirent Communications' Avalanche and Reflector to apply a heavy load of HTTP traffic. Our performance numbers exceed Juniper's official specifications, giving LAN-to-LAN streaming speeds of 1.9Gbps, firewall with IPS (Juniper calls this deep inspection) speeds of 680Mbps, and a connection rate of 13,520 session/sec.

Performance-testing the SSG 520 was difficult, because it has a software-enforced limit of 64,000 open connections - adequate for any branch network, but low enough that when we stressed the connection rate, we ran out of connections in a few seconds. The SSG 520 is heavily overpowered for most branch or regional networks and offers ample room for growth, both in LAN-to-WAN or LAN-to-Internet connectivity as well as internal LAN-to-LAN traffic.

When we discussed these numbers with Juniper engineers, they pointed out that they were reserving headroom in their specifications for future features of ScreenOS. Because a built-in IPS and other application-layer controls, such as anti-virus and anti-spyware, will stress firewalls significantly, the SSG 520 is an excellent investment for environments expecting to increase their perimeter threat-mitigation capabilities.

Juniper SSG 520, security and routing platform

With a hole in Juniper's line between the 5GT firewall and the SSG 520, we can expect a slower, lower-priced SSG firewall, perhaps a 1U chassis with fewer interface-card slots.

At this price and performance level, the SSG 520 is a welcome addition to the Juniper firewall line. Although the SSG 520 and SSG 550 won't replace all external routers, the speed bump and addition of WAN interfaces give network managers additional options for high bandwidth and high security.

Snyder is a senior partner at Opus One, a consulting firm, in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

Tracking performance for the SSG 520

TestFirewall enabled onlyFirewall with IPS enabled
TCP connections/second13,520 in our test (Juniper’s spec is 10,000)5,100 in our test
Steady-state throughput test with Network Address Translation enabled985Mbps in our test (Juniper’s spec is 600Mbps)  680Mbps in our test (Juniper’s spec is 500Mbps)  
Transfer rate1.9Gbps768Mbps in our test (Juniper’s spec is 600Mbps )
We tried to map Juniper’s specifications to ours, and our performance testing shows that the SSG 520 beats Juniper’s own numbers. The SSG 520 has plenty of performance to handle both Internet-bound and LAN-to-LAN traffic for branch and regional office environments.

Learn more about this topic

Cisco, Juniper face unique challenges 01/30/06

Opinion

Security infrastructure: Juniper's NetScreen

02/28/05

NetScreen deal may transform Juniper

02/13/04

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10