PIX vs Juniper
Results 1 to 8 of 8

Thread: PIX vs Juniper

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    64

    PIX vs Juniper

    Is it possible for me to get as much input as possbile on which firewall solution is better. I tried to get a comparison on the net but couldnt find anything. I would really appreciate some experinced input. At the moment im looking at the features they provide i will look at some of the reviews on the net and vuls found.

    Thanks

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    the pix is made by cisco, which is industry standard. you will find craploads of documentation about it all over, we use a few different pix firewalls at our company (for us and clients) and I have no complaints. they work very well. I havent toyed with the juniper brand at all so i have no imput on those.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I have solutions in place from both vendors. The key to your question (which is missing) is what specific requirements do you have?

    The PIX solution is a stateful packet filtering firewall with a very robust CLI. It's not meant to be managed by a beginner. The flexibility of the device is mind bogling but you must understand some of the proprietary lingo used only by Cisco (i.e. Spanning port for Cisco == mirror port for everyone esle)

    Now, if you like pretty GUIs then Juniper has just the thing for you. Clicky clicky and everything's pretty. Cisco does have a web front-end for the PIX but I have found that it lacks many commands that I use, thus, earning it the crap stamp of approval. Juniper uses Application Specific Integrated Circuits(at least the Netscreen 5200 does). This makes it (according to Juniper) a true hardware firewall. This approach has some people feeling a little uneasy about the product (upgrade concerns about circuits). I've never had a problem though.

    The PIX IOS is pretty buggy. I'm constantly updating IOS builds and on some occasions had to use an engineering build on the production FW farm. This never makes me happy. Juniper has had several minor issues but nothing in the league of the PIX IOS. Juniper does have some interesting things happen when you write rules so be careful. One example is that we found that DNS traffic came through the FW even though we had a deny all rule in there but no specific port 53 rule. You have to be very specific with the Juniper rulesets. The PIX is a little more forgiving but not much. When it comes to perfrormance, we've noticed that the PIX is still a little faster but not to the point where it is significant.

    Both come with a VPN. Juniper's VPN is far superior to the Cisco VPN. Both are IPSEC based but Juniper does a much better job of implementation both in stability and ease of use. Performance also rocks the house on the Juniper box.

    To sum it up, I'd rather have the Juniper box. Overall I feel it's a better product.

    Anyway, this is the best I can do without specifics.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Yeah PIXes do (or used to) have their little quircks and oddities, like no outbound filtering on interfaces, not being able to have packets reenter on the same interface they went out...;
    though alot of that is supposed to have changed in PIX OS 7.0*.
    Speaking of which, has anybody had a chance to play with it yet?
    We'll be installing and testing it this week probably.

    *Just to clear things up, pix os is not related to ios, cisco pix and routers don't run the same software at all, although the CLI is similar (even more so in 7.0 apparently).


    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    dammit horse, now i need to go get me a juniper fw to play with.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Just to clear things up, pix os is not related to ios, cisco pix and routers don't run the same software at all, although the CLI is similar
    Yep, I didn't know that I was unclear about that but indeed, Cisco routers and PIX firewalls do not run the same IOS.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Member
    Join Date
    May 2005
    Posts
    92
    Yeah... we shouldn't even bother discussing the web front end for PIX. That is crap. Not that I would want to use the accesslist builder feature, but you can't access it if you have an access list applied to more than one interface. So to properly use it you have to apply the same access list to each interface as a different name. This is of course if you have any interfaces that are configured for the same types of traffic. If not, you will not experience this... bug.

    Cisco is normally cheaper than Juniper, but Juniper is way more high end out of the box. I noticed that looking at prices on insite.com a while back. Cisco has plug in cards for the higher end 525 and 535 to give you more than the base 330 mbps (clear text) and 1.7 mbps (clear text) respectively default maximum throughput. (FOS 6.3.3)

    Having not programmed or worked with Juniper I do not know how their command line stacks up. But I will say that Cisco syntax is something you have to spend some time learning, but once you do the concepts span all of their devices.

    We will be going to 7 sometime in the next few months. Things happen slowly at my organization. We have a "reactive practice" that I'm trying to change.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  8. #8
    Junior Member
    Join Date
    Aug 2005
    Posts
    1
    some interesting information about firewall solution are here
    http://i.cmpnet.com/nc/1608/graphics/1608f2_file.pdf
    and some more here:
    http://i.cmpnet.com/nc/1608/graphics/1608f1_file.pdf

    actually we like cisco pix but we are strongly considering new fortinet solution.
    GR

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides