PIX 535 Vs NetScreen ISG2000


We run very highly demanded web and application servers in a server farm. We're shopping around for a solid firewall solution. Our vendors have made two recommendations, which are PIX 535 and NetScreen ISG2000. I wanted to know what you folks think is a better fit for our environment. Please be clear in your recommendation and provide as much reference as possible.

- Our environment receives about 250,000 concurrent sessions.
- Latency is not an option. The response must be instantaneous.
- Load balanced and fully redundant firewall is a must.
- Site to Site VPN termination needs to be terminated on the firewall itself.  There are currently about 25 VPN tunnels (site to site, no user tunnels).

Your input is appreciated.


The PIX 535 may even be a bit overpowered for your requirements. The 525 in a failover pair configuration would be more cost effective:
The Cisco PIX 525 Unrestricted (PIX 525-UR) model extends the capabilities of the security appliance with support for stateful failover, additional LAN interfaces, and increased VPN throughput via integrated hardware-based VPN acceleration. It includes an integrated VAC or VAC+ hardware VPN accelerator, 256 MB of RAM, two 10/100 Fast Ethernet interfaces, and support for up to six additional 10/100 Fast Ethernet or three Gigabit Ethernet interfaces. The Cisco PIX 525-UR also adds the ability to share state information with a hot-standby Cisco PIX Security Appliance for resilient network protection.

Performance Summary
Cleartext throughput: Up to 330 Mbps
Concurrent connections: 280,000
168-bit 3DES IPSec VPN throughput: Up to 145 Mbps with VAC+ or 72 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
Simultaneous VPN tunnels: 2000

If the concurrent session limit of 280,000 does not give you enough growth headroom, then the 535 is the way to go, and you can put two of them into an auto failover pair:
Performance Summary
Cleartext throughput: Up to 1.7 Gbps
Concurrent connections: 500,000
168-bit 3DES IPSec VPN throughput: Up to 425 Mbps with VAC+ or 100 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 495 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 425 Mbps with VAC+
Simultaneous VPN tunnels: 2000

A failover pair of PIXes doesn't load-balance. One is fully operational and the other is in "standby" mode at any one time.

The only thing I have against the NetScreen is that it has been bought out by Juniper Networks. Can you depend on the support for the next 5 years with a new parent? I have problems with companies that force you to register with them to even see their product whitepapers:
http://www.juniper.net/products/integrated/ (see the "What's New" column for the ISG2000 doc)

However, a side-by-side comparison of performance features blows the PIX 535 out of the water...


jmelika (Author) commented:
Thanks for the clarification.

One last question. Are you saying that you would prefer the NetScreen over the PIX 535 for its performance, but you are skeptical about it being a new stepchild to Juniper? In other words.. :)

I have much direct experience with the Cisco PIX - I've put over 100 into operation for various clients. It is the firewall of choice for the US Government. They are rock-solid performers, have been around for years, and Cisco is not going anywhere.

Our own IT department uses NetScreen (our company has over 5000 employees worldwide), is looking for a replacement (we have an older model), and is trying to move away from the NetScreen. The performance statistics look compelling, but there are other considerations. If I were betting my budget and my business, I'd go with the Cisco PIX.
jmelika (Author) commented:
Thanks for the clarification!
