Network World has exclusively tested Juniper’s SSG 520, a security and routing platform that is the first new fruit from the company’s purchase of NetScreen two years ago.
Our test results show the SSG 520 has impressive speed — it supports T-3s and there are plans for Gigabit Ethernet WAN ports — at a relatively low price, a package that could more than adequately meet the firewall, security and routing needs of the branch offices for which it is designed.
We tested the SSG 520 in our lab, replacing both a Cisco 3745 WAN router and an existing Juniper (NetScreen-208) firewall on one of our DS-3 connections to the Internet. The SSG 520 includes enterprise-class firewall capabilities, centralized management and deep-packet inspection. Although our tests show that even the low-end SSG 520 can handle a DS-3 with ease, the dynamic routing features of the SSG 520 are still focused on branch offices.
Juniper’s goal for the SSG line is to replace both WAN routers and firewalls at regional and branch offices. The SSG 520 can do that with power to spare. With four Gigabit Ethernet ports built into the base chassis, and LAN-to-LAN throughput of nearly 2Gbps, the SSG 520 can replace a network’s edge router, edge firewall and internal firewall, simplifying topologies, increasing uptime and easing the burden of remote management. Although the hardware looks and performs like a data centre firewall, Juniper’s price targets the midrange.
All of the capabilities common to ScreenOS firewalls are included, such as Web-based and centralized policy control, packet filtering and intrusion prevention (IPS), as well as flexible site-to-site VPN services. What is missing are new features added with versions 5.2 and 5.3, specifically virus scanning. Juniper says it will be adding virus scanning — along with anti-spyware, key logger and adware protection — into the SSG later this year.
What is different about the SSG is the hardware with its WAN interfaces. In this release, Juniper is making available six different cards, including four-port 10/100Mbps Ethernet cards, copper and fibre one-port Gigabit Ethernet cards, two-port serial and T-1/E-1 cards and a DS-3 card.
Although our testing of both BGP and Open Shortest Path First dynamic routing showed that the SSG 520 routing is definitely solid, it lacks manageability and configurability. In previous tests, we did not really explore the ScreenOS’s dynamic routing capabilities. Because of the Juniper connection and new WAN interfaces, we tested these features carefully and held Juniper’s firewalls to a higher standard.
Dynamic routing configuration can be handled through the traditional NetScreen Web-based GUI or NetScreen Security Manager, which were both tested. The routing configuration in both interfaces doesn’t measure up to the ease-of-use level of the rest of the firewall.
Even worse, the routing is essentially unmanageable through the GUI, as you can’t filter displays to just show the information you need. In this case, we turned to the command-line interface (CLI) for management and found a more powerful tool set. However, CLI configuration of routing has its own faults because the ScreenOS configuration CLI is unsophisticated and difficult to use. Network managers with complex dynamic routing or asymmetric traffic won’t find the WAN aspects of the SSG as powerful or manageable as their existing Juniper and Cisco routers.
We tested the performance of the SSG 520 using Spirent Communications’ Avalanche and Reflector to apply a heavy load of HTTP traffic. Our performance numbers exceed Juniper’s official specifications, giving LAN-to-LAN streaming speeds of 1.9Gbps, firewall with IPS (Juniper calls this deep inspection) speeds of 680Mbps, and a connection rate of 13,520 sessions/sec.
Performance-testing the SSG 520 was difficult, because it has a software-enforced limit of 64,000 open connections — adequate for any branch network, but low enough that when we stressed the connection rate, we ran out of connections in a few seconds. The SSG 520 is heavily overpowered for most branch or regional networks and offers ample room for growth, both in LAN-to-WAN or LAN-to-Internet connectivity as well as internal LAN-to-LAN traffic.
When we discussed these numbers with Juniper engineers, they pointed out that they were reserving headroom in their specifications for future features of ScreenOS. Because a built-in IPS and other application-layer controls such as anti-virus and anti-spyware will stress firewalls significantly, the SSG 520 is an excellent investment for environments expecting to increase their perimeter threat-mitigation capabilities.
With a hole in Juniper’s line between the 5GT firewall and the SSG 520, we can expect a slower, lower-priced SSG firewall, perhaps a 1U chassis with fewer interface card slots. At this price and performance level, the SSG 520 is a welcome addition to the Juniper firewall line. Although the SSG 520 and SSG 550 won’t replace all external routers, the speed bump and addition of WAN interfaces give network managers additional options for high bandwidth and high security.
The rise of smarter application-layer security products, such as Juniper’s deep inspection or Cisco’s intrusion prevention system, is coming from a clear need to improve security and perimeter defences. This pull away from a networking-centric world to a security-centric one suggests that Juniper is better positioned to move forward with the security-oriented products that network managers need.
Snyder is a senior partner at Tucson, Ariz.-based consulting firm Opus One. He can be reached at Joel.Snyder@opus1.com.