
PIX 535 Vs NetScreen ISG2000

Hello,

We run very highly demanded web and application servers in a server farm.  We're shopping around for a solid firewall solution.  Our vendors have made two recommendations, which are the PIX 535 and the NetScreen ISG2000.  I wanted to know what you folks think is a better fit for our environment.  Please be clear in your recommendation and provide as much reference as possible.

- Our environment receives about 250,000 concurrent sessions.
- Latency is not an option.  The response must be instantaneous.
- A load-balanced and fully redundant firewall is a must.
- Site-to-site VPN tunnels need to be terminated on the firewall itself.  There are currently about 25 VPN tunnels (site to site, no user tunnels).

Your input is appreciated.

JM
Asked by: jmelika
 
lrmoore commented:
The PIX 535 may even be a bit overpowered for your requirements. The 525 in a failover pair configuration would be more cost effective:
 The Cisco PIX 525 Unrestricted (PIX 525-UR) model extends the capabilities of the security appliance with support for stateful failover, additional LAN interfaces, and increased VPN throughput via integrated hardware-based VPN acceleration. It includes an integrated VAC or VAC+ hardware VPN accelerator, 256 MB of RAM, two 10/100 Fast Ethernet interfaces, and support for up to six additional 10/100 Fast Ethernet or three Gigabit Ethernet interfaces. The Cisco PIX 525-UR also adds the ability to share state information with a hot-standby Cisco PIX Security Appliance for resilient network protection.

Performance Summary
Cleartext throughput: Up to 330 Mbps
Concurrent connections: 280,000
168-bit 3DES IPSec VPN throughput: Up to 145 Mbps with VAC+ or 72 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
Simultaneous VPN tunnels: 2000

If the Concurrent session limit of 280,000 does not give you enough growth headroom, then the 535 is the way to go, and you can put two of them into an auto failover pair:
Performance Summary
Cleartext throughput: Up to 1.7 Gbps
Concurrent connections: 500,000
168-bit 3DES IPSec VPN throughput: Up to 425 Mbps with VAC+ or 100 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 495 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 425 Mbps with VAC+
Simultaneous VPN tunnels: 2000

A failover pair of PIXes doesn't load-balance. One is fully operational and the other is in "standby" mode at any one time.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

The only thing I have against the NetScreen is that it has been bought out by Juniper Networks. Can you depend on the support for the next 5 years with a new parent? I have problems with companies that force you to register with them to even see their product whitepapers:
    http://www.juniper.net/products/integrated/   (see the "What's New" column for ISG2000 doc)

However, a side-by-side comparison of performance features blows the PIX 535 out of the water...

 
jmelika (Author) commented:
Thanks for the clarification.

One last question.  Are you saying that you would prefer the NetScreen over PIX 535 for its performance but you are skeptical about it being a new stepchild to Juniper?  In other words.. :)

JM
 
lrmoore commented:
I have much direct experience with Cisco PIX - I've put over 100 into operation for various clients. It is the firewall of choice for the US Government. They are rock solid performers, have been around for years, and Cisco is not going anywhere.

Our own IT department uses Netscreen (our company has over 5000 employees worldwide) and is looking for a replacement (we have an older model) and are trying to move away from the Netscreen. The performance statistics look compelling, but there are other considerations. If I was betting my budget and my business, I'd go with the Cisco PIX.
 
jmelika (Author) commented:
Thanks for the clarification!

JM
