SRX Services Gateway
Distinguished Expert
Posts: 979
Registered: ‎09-10-2009

Re: what to replace my SRX with?

While it's no secret that I'm not the world's foremost fan of the SRX, I think we have to be fair...


1) The SRX doesn't support IPSec VPNs to sites with dynamic IP addresses. 


Sure it does.  Configure the VPN in aggressive mode.


2) The SRX doesn't support IPv6 DHCP Prefix Delegation, making it completely unusable for IPv6. 


I believe it does, actually.  It may be a more recent feature (perhaps in 11.X code?).

 

Example: Configuring DHCPv6 Server Options


3) The web interface is awful (it isn't easy to change firewall rules) and slow. 


Yeah, it certainly could be better.  I really think J-Web could have been better executed.  There's no reason for it to be as slow as it is.  The navigation and feature design leave a lot to be desired.  It's clunky, at best.  Other vendors really make the SRX look bad when it comes to the Web UI.


4) The SRX is slow to boot and I've seen it fail to boot if the power is pulled out of it (the boot up issue is mostly fixed). 


They do take an eternity to boot -- yes.  I'm not entirely sure why the SRX is so bloody slow to boot up.  I have also seen bootups fail after a power loss -- but I don't know if that's been fixed or in what version.


5) It takes much longer to upgrade than the SSG. 


Yup -- you're right on that too.  They're not *THAT* bad, but they do take a rather long time to do the upgrade.  There's a lot to the upgrade process on Junos though, it's more involved than ScreenOS where the firmware is just flashed and you boot from the new one.  Junos is a vastly more complex operating system.  It's almost like the difference between upgrading the firmware on your cell phone vs. upgrading a Linux workstation to a new distribution.  I've seen devices take longer to do upgrades (*cough* Cisco 2960?  sheeesh!), but the SRX is certainly not speedy.


Juniper also sucks for not continuing to upgrade ScreenOS. I have clients who purchased ASA 5505s and SSG 5s at around the same time. The ASA still gets feature upgrades; the SSG has basically been left for dead with only very minor bug fixes done.


Juniper wanted to move everything to Junos, and thus the SRX was born.  I think the mistake they made was trying to make something like the SSG but on Junos.  I'd much rather have seen an entirely new product design/concept, something akin to what Palo Alto has done, and even SonicWall to a degree.  Trying to take ScreenOS and port it to Junos wasted years of R&D that they *could* have been working on a truly next-gen product.  Instead they sunk their efforts into reinventing yesterday's technology -- a layer 4 stateful firewall -- and fell years behind the curve of what the technology trend was dictating.  I'm not the CTO or product manager at Juniper, but I think they made a HUGE mistake choosing that direction.  They should have let the SSG live on for what it was, and put their R&D efforts and money into a new platform and new technology.  I think a SIGNIFICANT amount of the problems they've had with the SRX are because they're trying to duplicate the SSG's functionality, and to me, that's just a waste of time, money, and effort.

 

To me, the SRX offers very little beyond ScreenOS (and in a few key areas, 4 years into its life, it still can't even match the "old dog").  Ok, so it has a slightly better IDP engine, but, news flash Juniper, the IDP system still considerably sucks compared to the competition.  Sorry to rain on your parade.  They then took the IDP engine and bolted AppSecure on top of it -- which is, again in my opinion, the absolute wrong way to have approached that.  So now you've got a mediocre App ID/FW subsystem built on top of a mediocre IDP subsystem.  OOF -- Juniper, you're not doing yourselves any favors here.  And yes -- the SRX is Junos so it has enterprise routing that ScreenOS doesn't do... but I bought the SRX as a firewall, not a MPLS router.

 

Juniper is likely going to spend the next 3-5 years trying to make the SRX as stable / usable as the SSG, and at the end of it they'll have the pride and joy of a product that they reinvented when they had no real need to, meanwhile the parade will have completely passed them by.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?

I wouldn't recommend setting up IPSec VPNs in aggressive mode. That's highly insecure and can very easily be hacked. Not good advice. But still, to be fair, aggressive mode is the only available option for IPSec VPNs with dynamic IPs with any other vendor too. It's a technical limitation, not a "brand limitation".
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 206
Registered: ‎03-11-2008

Re: what to replace my SRX with?

[ Edited ]

1) I should have been more clear. It doesn't support dynamic hostname lookups for main mode authentication. I have a number of netgear modems that run on dynamic ip addresses and they only support main mode IPSec VPNs.

 

With the SSG I could set up a dyndns hostname and then it worked sweet. It doesn't work on the SRX.

 

2) I'm not talking about DHCPv6 Server, but Prefix Delegation for client DHCPv6. This is used by a large ISP here in Australia to hand out IPv6 subnets to ADSL users. This doesn't work on the SRX. It works on the SSG. This means that the SRX cannot be used for IPv6, whereas the SSG can.

 

The only thing I can say in favour of the SRX is that the command line interface is better than ScreenOS. But the web interface in ScreenOS was so good that I never needed to use the command line.

 

Every time I load up J-Web I want to shoot myself in the face. At least the newer versions of JunOS don't have a 500k image on the login page (WTF!?!?!).

 

Juniper are epic fail. I've spent days/weeks trying to find a replacement for the SSG but can't. I love my SSG5s and I purchased a couple of SSG140s and they are good too. I used to run a SSG520 cluster, it was awesome. I tried to do that with a pair of SRX240s (back when JunOS was on 9.6) and it just didn't work; we spent thousands on new hardware and they were crap, complete crap.

 

I'd love an SSG5 with Gigabit, iOS VPN Support and better reporting, that is about all I really need.

 

RIP NetScreen, Juniper you completely killed them, good work.

 

/posted from behind an SRX210H (which they have already upgraded to the E model, as they were too cheap to put a good CPU in it the first time) running JunOS 12.1.

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: what to replace my SRX with?

As for Netscreen, the guys who invented these devices in the first place moved on after they saw what Juniper did to the firewalls and founded a new company: Fortinet. They do make awesome firewalls today. Check them out. It's a very nice alternative to SSGs.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Visitor
Posts: 6
Registered: ‎06-05-2011
0 Kudos

Re: what to replace my SRX with?

[ Edited ]

Dear Experts,

 

Any more negative feedback?

 

In a consulting situation in one case, I am strongly speaking against the SRX and suggesting to my loyal customer that they not go for it and not even think of changing their Netscreen 5400 (many boxes and a complex setup) to the SRX.

 

Any feedback will help me to further convince the customer not to go for the SRX.

 

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0 Kudos

Re: what to replace my SRX with?

The SRX is now finally a stable platform. There are some features missing that the SSG devices support, but if you are aware of the limitations then the SRX isn't a bad platform.

 

I still think there is a good 5 years worth of features needed and the WebUI needs to be rewritten. The CLI in the SRX is awesome and much better than ScreenOS.

 

I purchased a Fortinet device (I think a 60B so a bit old), not to my liking, still prefer the SRX.

 

Things I want:

  • PPPoE IPv6 Prefix Delegation.
  • SSL VPN Support and/or iOS VPN Support.
  • DNS for hostnames in VPN.
  • Better WebUI (not a major issue as the CLI is good)
  • More gig ports on low end devices. I got an Edgemax Lite device with 3 gig ports for $100.

The list is getting smaller which is good.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?

I agree that the SRX has become a better platform, but there are still too many problems that would make me think twice before buying. For example, you still can't do a software upgrade on a branch series cluster without network interruption. And although Junos Space is quickly becoming better and better, the recommended management platform is still NSM, and NSM is just a no go.

Before making a decision, you should figure out what you need. The SRX is a good choice in some situations, in others it's not.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 146
Registered: ‎02-08-2008
0 Kudos

Re: what to replace my SRX with?


cryptochrome wrote:
I wouldn't recommend to set up IPSec VPNs in aggressive mode. That's highly insecure and can very easily be hacked.

 

I'd like you to back up your statement that an aggressive mode VPN is "highly insecure", with details on how to "easily" hack one, please. It takes far more than an ID being sent in plain text to attack IPSec, and throwing phrases like 'highly insecure' and 'very easily hacked' is irresponsibly flippant if you can't back them up.

 

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?

Spud wrote:
I'd like you to back up your statement that an aggressive mode VPN is "highly insecure", with details on how to "easily" hack one, please. It takes far more than an ID being sent in plain text to attack IPSec, and throwing phrases like 'highly insecure' and 'very easily hacked' is irresponsibly flippant if you can't back them up.

It is actually very easy to do if aggressive mode is mixed with preshared keys. That's because the hash for the preshared key will be transmitted in clear-text, unencrypted. You can easily "crack" this with dictionary based attacks. There is even a tool out there that does it for you (google 'IKECrack').

 

And here is a nice proof of concept:

https://www.ernw.de/download/pskattack.pdf

 

Is that enough back up for you? I don't think that telling the truth is irresponsibly flippant. 

 

By the way: No problems if certificates or IKEv2 are being used.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
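An added configuration example, not taken from any post in this thread, showing the two gateway forms the discussion contrasts on an SRX: IKEv1 aggressive mode for a peer on a dynamic address, which exposes the PSK-derived hash and therefore demands a long random key, and the IKEv2 form, where the peer authenticates inside the encrypted IKE_AUTH exchange. All names, the hostname, the interface and the key are placeholders, and the algorithm choices assume a Junos release that supports them.

```junos
## IKEv1 aggressive mode, the case discussed above. Peer identity and the
## PSK hash travel in the clear, so the key must be long and random.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL-AGGR mode aggressive
set security ike policy IKE-POL-AGGR proposals IKE-PROP
## Placeholder key: replace with a 32+ character random string, never a word
set security ike policy IKE-POL-AGGR pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway BRANCH-V1 ike-policy IKE-POL-AGGR
set security ike gateway BRANCH-V1 dynamic hostname branch.example.com
set security ike gateway BRANCH-V1 external-interface ge-0/0/0.0

## IKEv2 alternative: there is no main/aggressive distinction and the
## authentication payload is sent encrypted, removing the offline
## dictionary exposure. Assumes a release with IKEv2 support.
set security ike policy IKE-POL-V2 proposals IKE-PROP
set security ike policy IKE-POL-V2 pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway BRANCH-V2 ike-policy IKE-POL-V2
set security ike gateway BRANCH-V2 dynamic hostname branch.example.com
set security ike gateway BRANCH-V2 external-interface ge-0/0/0.0
set security ike gateway BRANCH-V2 version v2-only
```

The lines beginning with ## are annotations for the reader, not configuration, and should be dropped before pasting into configure mode.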
Super Contributor
Posts: 146
Registered: ‎02-08-2008
0 Kudos

Re: what to replace my SRX with?

[ Edited ]

cryptochrome wrote:
 

And here is a nice proof of concept:

https://www.ernw.de/download/pskattack.pdf

 

Is that enough back up for you?


 

No. The tool you mentioned is designed to prove a concept, it is not a hack tool. Being able to determine a PSK under a very specific set of contrived conditions is a long, long way away from aggressive mode IKE being 'very easy to hack'.

 

The document you linked demonstrates the concept by cracking a short, dictionary word-based PSK. I haven't seen a professional security engineer use a dictionary word (let alone a 5-letter one) as a PSK outside of testing in my entire career. Bruteforcing a hash of a long PSK with special characters is going to take a LONG time, even on a GPU. By 'long time', I'm talking literally decades for a 20-character PSK containing a mix of alphanumeric and special characters hashed with HMAC-MD5. Even longer if SHA1 is used. As long as sensible precautions have been taken with the PSK, nobody's getting in there any time soon unless they work for a three-letter organisation or have access to a GPU farm.

 

And that's just phase 1. If the endpoint is using Proxy-IDs (or policy-based VPN), you'll need this information to complete phase 2. If the VPN is a client VPN (which most Aggressive-mode VPNs are), chances are X-Auth is being used, and you'll need these credentials to even begin Phase 2 negotiation.

 

In summary, aggressive mode IKE with PSK auth: flawed? Certainly. 'Very easy to hack'? Not with sensible precautions.

 

Contributor
Posts: 18
Registered: ‎10-25-2011
0 Kudos

Re: what to replace my SRX with?

I would exchange the 650s for 550s

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?


Spud wrote:

In summary, agressive mode IKE with PSK auth: flawed? Certainly. 'Very easy to hack'? Not with sensible precautions.


 

Let's just say we disagree. It's hackable, which in my book means unsafe. The perception of "easy" might be different for you and me. I don't consider the need of GPUs or even a GPU-grid to be much of a problem for someone with enough criminal energy (and money). Think big.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?


Matt Richardson wrote:

I would exchange the 650s for 550s


Why? What makes the 550 better (it actually has less throughput)?

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
New User
Posts: 2
Registered: ‎04-01-2009
0 Kudos

Re: what to replace my SRX with?

I stick to CLI.

In the enterprise environment I work in (3k+ devices and up) the CLI is revered.

 

J-Web sucks, and I am even more upset that Juniper does not have a holistic solution for legacy devices and the Junos platform for admin and monitoring:

NSM-Netscreens 

Junosphere - JUNOS 

 

As for performance, I'll stick to the Juniper product lines.

The SRX 5800s are unequalled and we are now testing 40GE upgrades.

 

Stability? We have fewer problems maintaining the datacenter devices than the branch devices.

 

However, Junos is buggy:

 

e.g. mysterious chassis cluster failover failure and traffic blackhole due to some USB electrical interrupt in the 3600 series;

 

5800 traceoptions having littered metadata, etc.

 

As for the other vendors, I won't vouch for FortiGate since the support and cost are appalling.

I will be looking into Palo Alto to gauge viability.

 

 

Cisco: BAH, enuff said.

New User
Posts: 2
Registered: ‎04-01-2009
0 Kudos

Re: what to replace my SRX with?

No negative feedback from me. The SRX is stable for the most part and is taking names.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?


crawlord wrote:
J-Web sucks, and I am even more upset that Juniper does not have a holistic solution for legacy devices and the Junos platform for admin and monitoring:

NSM - NetScreens

Junosphere - Junos

J-Web sucks, agreed. However, you should take a look at Juniper's new management system Junos Space. It has a component called "Security Director" which is about to replace NSM. It's completely web based, runs circles around NSM, much more stable, better usability. It's actually really good. Support for legacy devices (e.g. ScreenOS) has been announced and will come by the end of the year or within Q1/2014.

 

It has many features you would expect from a Check Point Provider-1 installation!

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860