SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  High End SRX vs...... Others

    Posted 01-15-2014 10:19

    Hi Experts, You might have been asked this question many a time in your organization, "SRX vs...... Others", by the company executives. All true Junos and SRX lovers will certainly find many ways to convince their organization's decision makers why SRX should be inducted instead of others. But SRX competitors offer many a thing which SRX does not offer, or SRX is at least a step behind its competitors in certain features. E.g. many high-end firewall vendors offer SSL VPN, which is a certain requirement in any enterprise data centre; High End SRX doesn't offer this feature (branch SRX only offers dynamic VPN for 50 users). L2TP over IPsec is being offered by many a vendor in their high-end firewalls, but SRX doesn't offer it. A few vendors claim that their application sensing and AppSecure features are much better than SRX due to their dedicated designed hardware (e.g. Palo Alto), and that SRX has introduced this feature as an "add on", which reduces its performance. "Gartner Magic Quadrant  http://www.abies.com.cn/wp-content/uploads/2013/03/229302_1.png" is also depicting "Check Point" and "Palo Alto" as leaders in network security and Juniper as a Challenger. Now this situation is worrisome for Junos and SRX lovers, and hopefully Juniper is also aware of the concerns and is making plans to address these discrepancies. Because it is difficult to convince executives to go for SRX, MAG (for SSL VPN), and NetScreen for L2TP over IPsec while other vendors are offering all these features in a single platform.



  • 2.  RE: High End SRX vs...... Others

    Posted 01-15-2014 11:54
    Hi Kashif!

    I hear your concerns, but am a little confused as to your post. Are you looking at different vendors for a firewall solution currently? It just sounds like it's more of a statement than a question.

    Our company went through something like this a few years back, and typically we go through this process every time we're looking at major changes. You will always have people on either side of the fence pulling for their vendor/solution of choice, but you really have to look at what it is the business/customer needs, cost is always a factor, and go from there. That's my 10,000 foot-view perspective, and I know it can be more complicated...but you catch my drift.

    I'd be happy to help in any way that I can if you're looking for advice, experience, etc.


  • 3.  RE: High End SRX vs...... Others

    Posted 01-17-2014 16:13

    Kashif,

    I am sure that the Juniper SRX team is well aware of their "challenger" status in the Gartner world of firewalls.  I too am disappointed that the feature set comparisons with Palo Alto and Check Point don't bring the SRX into the market leader quadrant yet.

    I do see features like SSL VPN as very important to reach leader status and gain feature parity.

    But I don't see performance as an issue for SRX versus Palo Alto or Check Point.  When running full inspection on Palo Alto even with the dedicated hardware, they cannot touch the throughput of the high end SRX.

    All the related layer 4-7 features for next generation firewalls seem to be coming along well for Junos.  I have confidence that these features are near parity with the competition.



  • 4.  RE: High End SRX vs...... Others

    Posted 01-18-2014 06:05

    Steve, thanks a lot for your thought-provoking reply. I agree with you that when speaking in terms of throughput SRX is better than its competitors, and it also offers a lot of flexibility in how you build your platform by choosing the number of SPCs and IOCs etc. Palo Alto offering user-based application firewalling means it can be integrated with a third-party agent using LDAP and then profile users according to application usage. SRX also claims that it can do application firewalling for user groups, but how to get the authenticated application user from an external agent, e.g. MS Domain Controller, perhaps through integration of UAC with SRX and user-based policy enforcement through the Infranet Controller. Please offer your comments and correct me if I am wrong and mixing things up.



  • 5.  RE: High End SRX vs...... Others
    Best Answer

    Posted 01-19-2014 04:02
    Palo Alto offering user-based application firewalling means it can be integrated with a third-party agent using LDAP and then profile users according to application usage.

    SRX also claims that it can do application firewalling for user groups, but how to get the authenticated application user from an external agent, e.g. MS Domain Controller, perhaps through integration of UAC with SRX and user-based policy enforcement through the Infranet Controller.

    Your assessment seems right to me.  With Palo Alto you install an agent that can communicate with MS domain sources of IP address information connected to user login ID.  They have agents for domain controllers, terminal servers and Exchange server, for example.  Thus the firewall gets an IP address to associate with a user or group for the purpose of writing rules.

    The SRX competitor to this seems to be AppSecure, as the marketing overview lists user and group as possible for writing rules.  But in spending 20 minutes in the support portal I can't find any documentation on HOW to use users or groups in rules, much less how to get the user/group information from the domain.  So I don't know how this works in the SRX world.

    So AppSecure is the Palo Alto competitor, we just need to get full information on how the deployment works with AD user and group information.

    The SRX has had other mechanisms.  For FTP or HTTP traffic you can write rules that require a user to log in, and you can direct that login to a MS RADIUS server associated with an AD user group.

    The UAC solution can write user-based rules to AD and do so even on the fly.  But this requires you to deploy 802.1x to achieve this result.