Competitive Hotsheet Ssg5 Ssg20 v Cisco870

  • Competitive HotSheet: Juniper Networks SSG 5 / SSG 20 VS Cisco 870 Series and 1811 Routers

    Page 1 - Copyright 2006, Juniper Networks, Inc. The information in this document is confidential to Juniper Networks and is intended for Juniper Sales and Channel Partners. Information regarding competitive offerings is derived from public sources, and is subject to change without notice. August, 2006.

    Overview

    The Cisco Integrated Services Router (ISR) is Cisco's family of all-in-one routers that include routing, rudimentary security and now, SSL VPN capabilities. The ISRs are positioned to address WAN speed (broadband) performance requirements typical of the small branch office environment. The SSG 5 and SSG 20 compete with the 871 and the 1811.

    Juniper SSG 5 and SSG 20 Strengths

    Purpose-built platform. SSG is a new security-first platform designed specifically to address the performance requirements dictated by small office security and routing environments.

    Flexible I/O options and supporting protocols. The SSG 20 is the lowest cost platform with I/O modularity.

    Integrated security and routing. The SSG delivers best-in-class security, LAN/WAN interfaces, protocols and encapsulations to deliver the powerful option of consolidating multiple devices (FW, Wireless AP, Router, etc.). ISR is a proven router with rudimentary security bolted on.

    A complete set of Unified Threat Management (UTM) security features. UTM features include Stateful firewall, IPSec VPN, IPS, Antivirus (includes Anti-Spyware, Anti-Adware, Anti-Phishing), Anti-Spam, and Web Filtering.

    Best-in-class UTM partners delivering key technology and support.

    o Kaspersky for AV/AntiPhishing, Antispyware - #1 in catch rate testing

    o SurfControl and Websense for Web filtering - Top vendors in the Web Filtering market

    o Symantec for Anti-Spam - Leading Anti-Spam Vendor

    Proven advanced security features. Security Zones, virtual routers and virtual LANs deliver granular segmentation capabilities to facilitate internal security by dividing the network into secure domains, each with its own security policy.

    o VPN Resiliency. Route-based VPNs leverage dynamic routing and VPN monitoring to deliver secure communications that are resilient to network failures.

    Centralized management. Multiple SSGs, and all security, routing and UTM features, can be managed centrally via NSM.

    Complementary offerings. Best-in-class complementary solutions including: SSL VPN, FW/VPN appliances, application acceleration, and enterprise class routers.

    Cisco Strengths

    A market leader that can be successful based on reputation as opposed to actual capabilities. The adage is, you do not get fired for buying Cisco.

    Strong enterprise presence and not afraid to bring in executives to apply sales pressure.

    Proven router with a wide range of interfaces, protocols and routing capabilities. But also known to have very weak security and performance.

    Only router with integrated SSL VPN

    | Competitive Report Card | SSG 5 Base / Extended** | Cisco 870 Series | SSG 20 Base / Extended** | Cisco 1811 |
    |---|---|---|---|---|
    | Performance & Capacities | | | | |
    | Firewall Throughput (large packets) | 160 Mbps | Not stated | 160 Mbps | 100 Mbps |
    | Firewall Throughput* (IMIX) | 90 Mbps | Not stated | 90 Mbps | Not stated |
    | FW Packets per second (64 byte) | 30,000 PPS | Not stated | 30,000 PPS | Not stated |
    | VPN Throughput (3DES+SHA-1) | 40 Mbps | Not stated | 40 Mbps | 40 Mbps (1400 byte) |
    | Sessions** | 4,000/8,000 | Not stated | 4,000/8,000 | Not stated |
    | Tunnels** | 25/40 | 10 | 25/40 | 50 |
    | Stateful FW/VPN HA | Active/Passive With Ext License | VPN only | Active/Passive With Ext License | VPN only |
    | Security applications | | | | |
    | Stateful FW | Yes | Yes | Yes | Yes |
    | IPS (Deep Inspection FW) | Yes | Yes (IOS IPS) | Yes | Yes (IOS IPS) |
    | Integrated File & Network based Antivirus | Yes | Network based signatures as part of IOS IPS | Yes | Network based signatures as part of IOS IPS |
    | Adware / Spyware / Keylogger protection | Yes (included in AV engine) | Not supported | Yes (included in AV engine) | Not supported |
    | Integrated Web Filtering | Yes | Not supported | Yes | Not supported |
    | Integrated Anti-Spam | Yes | Not supported | Yes | Not supported |
    | Redirect Web Filtering | Yes | Yes | Yes | Yes |
    | SSL VPN | Not supported | Not supported | Not supported | Not supported |
    | Interfaces and Routing | | | | |
    | Fixed I/O | 7 10/100 | 2 10/100 + 4 switched 10/100 | 5 10/100 + 2 I/O expansion slots | 2 10/100 + 8 switched 10/100 |
    | I/O Options | RS-232 Serial/Aux or ISDN BRI S/T or V.92 (Factory configured) | Factory configured - 871 (10/100), 876 (ADSL over ISDN), 877 (ADSL), 878 (G.SHDSL) | Interface modules: ISDN BRI S/T, T1, E1, V.92, ADSL 2+ | Not supported |
    | 802.11 a/b/g option | Yes (factory configured) | 802.11 b/g only (factory configured) | Yes (factory configured) | 802.11 b/g only (factory configured) |
    | LAN/WAN protocols | RIPv1/2, OSPF, BGP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP, HDLC | RIPv1/2, OSPF, BGP, (E)IGRP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP, ATM | RIPv1/2, OSPF, BGP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP, HDLC | RIPv1/2, OSPF, BGP, (E)IGRP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP, ATM |
    | Legacy protocols | Not supported | Not supported | Appletalk, SNA, others | Appletalk, SNA, others |
    | Security Zones | 10 | Not supported | 10 | Not supported |
    | Virtual LANs** | 10/50 | 4 | 10/50 | 8 |
    | Virtual Routers | 3 | Yes | 3 | Yes |
    | VoIP Security (ALGs) | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP | SIP, H.323, MGCP, SCCP |

    * IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network traffic. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

    ** The SSG 5 and SSG 20 have an Extended License key option that increases key capacities as outlined below.

    | Extended License Feature | SSG 5 / SSG 20 |
    |---|---|
    | Sessions | Increases max from 4,000 to 8,000 |
    | VPN Tunnels | Increases max from 25 to 40 |
    | VLANs | Increases max from 10 to 50 |
    | HA | Adds support for full Active/Passive (or HA Lite) |
    | VoIP capacities | Ups max from 32 to 48 (SIP, H.323, MGCP, SCCP) |

    | Key Feature Comparison | SSG 5 / SSG 20 | Cisco 871/1811 | Why it Matters |
    |---|---|---|---|
    | Architecture | Security optimized processing provides more linear throughput when FW, VPN, DI, NAT and routing are enabled. | Routing optimized architecture takes severe performance hit when FW, NAT and VPN are enabled. | Security processing requires performance headroom to spare. |
    | Integrated Stateful FW | ICSA Certified Stateful inspection FW supports over 50 services and is tightly integrated with OS and other security applications. | Firewall is a series of 6 different types of ACLs, one of which (Reflexive ACL) does monitor state information so they can call it Stateful. Each ACL is created for the protocol to be filtered, then applied to the interface - order of lists is critical for both protection and performance. ACLs must have a routing update statement built into them, otherwise, if topology changes, the router will not recognize it. | Managing ACLs is cumbersome, error prone and a drain on performance. |
    | Integrated IPS (Deep Inspection FW) | 3rd generation inline detection and protection against application level attacks across 10 protocols using a combination of Stateful signatures and protocol analysis. | Basic signature-based IPS offering that relies solely on approximately signatures to detect attacks. Pure signature based IPS offerings are prone to high false positive rates. | Pure signature based offerings |
    | Number of attack response mechanisms | (8) Connection, Close Connection, Session, Packet Log, Session Summary, E-mail, Custom, Log | Cisco has 2, perhaps 3 response mechanisms including the IDS holdover of a TCP reset. This limited number of responses will tend to limit the ability to deploy inline prevention due to the lack of comfort administrators will have in removing the human decision making process. | |
    | Number of Attack Notification / Administrative options | (6) Session Packet Log, Session Summary, E-mail, SNMP, Syslog, Webtrends | Unknown | Attack response and administrative notification flexibility is key to maximizing network protection |
    | Integrated Web filtering | Integrated web filtering from SurfControl helps companies enforce appropriate web usage policies. | Integrated web filtering requires addition of an extra cost network module | Adding new security services while maintaining low capital investment and management investments helps extend the return on investment. |
    | Integrated DoS | Stateful protection against over 30 of the most common attacks. | Manage another type of ACL (TCP Intercept list). Protects against the most common type of attack (TCP SYN flood). It is not Stateful and will impact performance. | Managing ACLs is cumbersome, error prone and a drain on performance. |
    | Integrated File-based AV | File-based inspection ensures the highest virus catch rate | Network-based will only catch those viruses with known signatures and is prone to high false positives | File based signatures are known to generate a high number of false positives |
    | Integrated Anti-Spam | Integrated Anti-Spam using Brightmail provides ability to minimize SPAM impact at the gateway. | No Anti-Spam support | Stopping SPAM initially at the gateway can help minimize the amount of worthless emails. |
    | Management | Using any one of 3 mechanisms (CLI, WebUI or NSM), administrators have access to all features and functionality. | Inconsistent management depending upon what features you are trying to control. | Consistent management is critical to maximizing efficiency. |