PIX 535 vs NetScreen ISG2000

Posted on 2004-11-09
Last Modified: 2007-12-19

We run very highly demanded web and application servers in a server farm.  We're shopping around for a solid firewall solution.  Our vendors have made two recommendations, which are PIX 535 and NetScreen ISG2000.  I wanted to know what you folks think is a better fit for our environment.  Please be clear in your recommendation and provide as much reference as possible.

- Our environment receives about 250,000 concurrent sessions.
- Latency is not an option.  The response must be instantaneous.
- Load balanced and fully redundant firewall is a must.
- Site-to-site VPNs need to be terminated on the firewall itself.  There are currently about 25 VPN tunnels (site to site, no user tunnels).

Your input is appreciated.

Question by: jmelika
    LVL 79

    Accepted Solution

    The PIX 535 may even be a bit overpowered for your requirements. The 525 in a failover pair configuration would be more cost effective:
     The Cisco PIX 525 Unrestricted (PIX 525-UR) model extends the capabilities of the security appliance with support for stateful failover, additional LAN interfaces, and increased VPN throughput via integrated hardware-based VPN acceleration. It includes an integrated VAC or VAC+ hardware VPN accelerator, 256 MB of RAM, two 10/100 Fast Ethernet interfaces, and support for up to six additional 10/100 Fast Ethernet or three Gigabit Ethernet interfaces. The Cisco PIX 525-UR also adds the ability to share state information with a hot-standby Cisco PIX Security Appliance for resilient network protection.

    Performance Summary
    Cleartext throughput: Up to 330 Mbps
    Concurrent connections: 280,000
    168-bit 3DES IPSec VPN throughput: Up to 145 Mbps with VAC+ or 72 Mbps with VAC
    128-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
    256-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
    Simultaneous VPN tunnels: 2000

    If the Concurrent session limit of 280,000 does not give you enough growth headroom, then the 535 is the way to go, and you can put two of them into an auto failover pair:
    Performance Summary
    Cleartext throughput: Up to 1.7 Gbps
    Concurrent connections: 500,000
    168-bit 3DES IPSec VPN throughput: Up to 425 Mbps with VAC+ or 100 Mbps with VAC
    128-bit AES IPSec VPN throughput: Up to 495 Mbps with VAC+
    256-bit AES IPSec VPN throughput: Up to 425 Mbps with VAC+
    Simultaneous VPN tunnels: 2000

    The failover pair of PIXes doesn't load-balance. One is fully operational and the other is in "standby" mode at any one time.

    The only thing I have against the NetScreen is that it has been bought out by Juniper Networks. Can you depend on the support for the next 5 years with a new parent? I have problems with companies that force you to register with them to even see their product whitepapers:   (see the "What's New" column for ISG2000 doc)

    However, a side-by-side comparison of performance features blows the PIX 535 out of the water...
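    For readers wanting to see what the "auto failover pair" in the answer above actually looks like in configuration, here is an added example of a PIX 6.x LAN-based stateful failover setup for the primary unit. It is not part of the original answer or of any Cisco documentation quoted on this page; the interface names, addresses (taken from documentation ranges) and shared key are constructed for illustration and would have to be replaced with real values.

```cisco
! Primary PIX (6.2 or later), LAN-based failover with a dedicated stateful link.
! Interface names and all addresses below are constructed for this example.
nameif ethernet0 outside  security0
nameif ethernet1 inside   security100
nameif ethernet2 failover security20
nameif ethernet3 stateful security30

! Active-unit addresses on each interface
ip address outside  203.0.113.2 255.255.255.0
ip address inside   10.0.0.1    255.255.255.0
ip address failover 172.16.1.1  255.255.255.252
ip address stateful 172.16.2.1  255.255.255.252

! Standby-unit addresses; the secondary takes these until it becomes active
failover ip address outside  203.0.113.3
failover ip address inside   10.0.0.2
failover ip address failover 172.16.1.2
failover ip address stateful 172.16.2.2

! LAN-based failover control link (hello/keepalive and config replication)
failover lan interface failover
failover lan unit primary
! Assumed shared secret; it authenticates and encrypts failover messages
failover lan key EXAMPLE-FAILOVER-KEY
failover lan enable

! Dedicated link over which connection state is replicated to the standby
failover link stateful
! Replicate HTTP sessions too (off by default, but relevant for a web farm)
failover replication http

! Hello interval in seconds (3 to 15 on PIX 6.x)
failover poll 3

! Enable failover last, once the links and addresses are in place
failover
```

    On the secondary unit only the failover interface, its address, `failover lan unit secondary`, the same `failover lan key`, `failover lan enable` and `failover` are needed; the rest of the configuration is replicated from the primary. `show failover` on either unit confirms which one is active and whether the stateful link is passing updates. Two points worth checking against the requirements in the question: this is active/standby, so only one unit forwards traffic at a time, and without `failover replication http` the existing web sessions are dropped on a failover even though the other TCP state is carried over.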

    LVL 9

    Author Comment

    Thanks for the clarification.

    One last question.  Are you saying that you would prefer the NetScreen over PIX 535 for its performance but you are skeptical about it being a new stepchild to Juniper?  In other words.. :)

    LVL 79

    Expert Comment

    I have much direct experience with Cisco PIX - I've put over 100 into operation for various clients. It is the firewall of choice for the US Government. They are rock solid performers, have been around for years, and Cisco is not going anywhere.

    Our own IT department uses Netscreen (our company has over 5000 employees worldwide) and is looking for a replacement (we have an older model) and are trying to move away from the Netscreen. The performance statistics look compelling, but there are other considerations. If I was betting my budget and my business, I'd go with the Cisco PIX.

    LVL 9

    Author Comment

    Thanks for the clarification!
