Hello all,
Do any of you have any experience with both the Cisco 1811/1812 and the Netscreen 5GT(E)? Which one is better/faster/has more features/is more user friendly, in your opinion?
What I need is a router/firewall/IPS appliance that will allow me to set up some DMZ and two LANs and that will serve as a VPN end point for remote offices.
Which device has better IPS and packet/application protocol inspection?
I heard that Cisco devices (like the PIX and 1800 series) are PC-like, with Cisco IOS running as an application on them (so it is more a software firewall than a real hardware firewall), and that Netscreen devices are real hardware firewalls, with specialized hardware and an OS running as firmware (based on some ASIC?). Is it true or not?
What is the performance of these devices in "real world environment" (not with test packets of 1400-1500 bytes)?
Thank you in advance, I hope your answers will help me choose between the two devices.
Regards
Maciej Sandecki
Asked: July 19, 2005 3:13 AM
Updated: July 26, 2005 8:49 AM
hi,
If you really want a firewall/IDS from Cisco, look at the ASA 5500 series.
It is the newest piece out there.
If you need a router with performance that does IDS/FW/routing, look at the 2800 series.
The 1811/12 is limited.
Now, as for the PC running IOS:
Cisco routers/switches/firewalls are all basically a PC, BUT they are purpose-built: no PCI bus, no VGA, etc., just RAM, flash (i.e. a mini hard drive) and ports.
As far as hardware firewalls go, the previous person was right; they just put ASICs etc. in to optimize them.
Check out Miercom; they do independent reviews of a lot of gear.
Later,
J
The previous posters are absolutely right. All I can add is my experiences. EVERY installation I have been involved with over the years has ended up with CISCO, no matter what they started out with. I do mean EVERY. I think there is a very good reason that they are number 1 out there. Yes, there are costs, but what does it cost to do it right? My advice to you, as with anyone else: get the best you can afford that will do the job you want. Don't get pushed into settling if you can avoid it. CISCO IOS can be tricky if you are new to it, but it pays off.
Best,
Paul
I beg to differ with some of my esteemed colleagues, while granting that they make a valid point.
When the terms "hardware firewall" and "software firewall" are used, what is really meant is "Standalone Firewall Appliance" vs. "Host-Based Firewall Application".
Both have their strengths and weaknesses. The major benefit of the "software" (Host-Based) type is its ability to identify the application that's trying to get out (legit or not) and allow the user or administrator to make application-based decisions.
The major benefit of the “hardware” (Appliance) is relative simplicity and centralization of administration and reporting.
They ALL require software, regardless of the chipsets used to accelerate performance. But I still maintain that the terms "hardware" and "software" provide a useful distinction in terms of ease of conversation and description.
My $.02,
Bob
You are right, Bob... oops... shame on me for missing that one too, especially since I have worked with both.
Humbly,
Paul
Mmm... for some contrarian advice: Cisco are No. 1 because they have assumed a 1960s IBM-like mantle: "no one ever got sacked for buying Cisco". They are not the best in all situations.
If you are considering the Netgear, I am assuming you have a small network to protect/route, is this correct? If so, you are also probably the only person supporting it. In which case I wouldn't go near Cisco unless
1. you have used and understand Cisco IOS
2. you've plenty of spare time to learn it and the VPN client, and are prepared to work with disparate suppliers.
If you have these then do buy Cisco; the experience is much more marketable.
However, if you have neither of these, go for an idiot-proof, well-supported 'hardware' platform. SonicWall and WatchGuard are possibly the best of these. Both provide everything you want: firewall, intrusion protection, secure VPN, routing, anti-virus and anti-spyware, DMZ (different network zones), content filtering, etc., all with simple-to-use configuration and first-class support (it's the market both are after).
Peter
CISCO is OK but it is hardly the best. If you are really interested in a firewall system that is user friendly and works on all platforms, why aren't you looking at Firewall-1? I currently have both CISCO and Firewall-1 systems. Firewall-1 is the best, and both GARTNER and GIGA have also said that. I've also had Firewall-1 work on Sun, Microsoft and Nokia boxes over the last 7 years and it has never gone down.
Maciek,
I thought you might want to hear from a Netscreen user. I took a job where a Netscreen 5XT had recently been put in place, and spent a certain amount of time reading up on and configuring it. I noticed you said 5GT; I believe that is the same appliance but limits you to 10 users. The 5XT is one that allows you unlimited users. I am using the firewall to protect a small network of about 50 users. By using mapped IPs I can route traffic from a public IP to an internal IP address, thus putting as many servers in the DMZ as I like while filtering what traffic will be allowed to flow to them. There is the normal permit/deny policy structure that allows you to quite finely tune what traffic you will allow in or out. Netscreen also has VPN support, and I have 3 users working remotely, on both Windows and Macintosh platforms. The Netscreen also has a "deep inspection" feature that looks beyond the protocol into the payload of the packets. This is updated via a subscription service similar to what you would do for anti-virus.
So far I have had very good results. You configure the appliance with a web-based interface, so it is pretty user friendly. You do still need to understand the firewalling concepts, but I found that very straightforward to learn from the documentation. I have never had any throughput issues that led me to the Netscreen as the culprit, so for our network it seems to be fine. I should tell you that we are not doing any web hosting behind the firewall, so there is not a lot of incoming traffic, just email primarily.
I would also caution you to price the appliance carefully. There is an extra charge for the deep inspection service, for telephone support, for OS upgrades, etc. I have been content with the OS upgrades and the deep inspection subscription, and have been able to use their knowledge base to solve any problem so far, with one exception. I recently purchased their Netscreen-Remote client to run on a Wintel PC, and needed tech support to get that configured correctly. Just one of those times when what I thought the doc meant was not it at all.
Finally, this company was bought out by Juniper Networks a year or so ago. So far no problem with that, and they continue to support it well. They added the deep inspection stuff after the buyout, and have continued to upgrade the OS.
If you are trying to protect a small network and are connecting a few VPN users, this is a good solution. I am not sure how it would scale up, but the company does have larger appliances as well.
Regards,
Doug
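Doug's post describes the two things the original question needs from either box: mapped IPs that forward a public address to a DMZ host, and an ordered permit/deny policy list between zones. The toy model below is an example added for this page, not code from any poster and not ScreenOS; the zone names, addresses, MIP table and policies are constructed to match Maciek's layout (two LANs, a DMZ with web and mail, the Internet outside). It shows the two points a practitioner cares about when reading a policy list: translation happens before the lookup, so rules are written against the internal address, and the first matching policy wins, so an early deny shadows a later permit and anything unmatched falls through to the default deny.

```python
"""Toy model of a zone-based firewall with mapped IPs (MIPs).

Added illustration for this page: not ScreenOS code and not from any poster.
Zone names, addresses and the policy list below are constructed examples.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP as seen on the wire (may be a public MIP)
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port, 0 for protocols without one


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str     # CIDR the source must fall in
    dst: str     # CIDR the (post-MIP) destination must fall in
    proto: str   # "any" or a protocol name
    dport: int   # 0 means any port
    action: str  # "permit" or "deny"


# Zones: two internal LANs in "trust", servers in "dmz", everything else "untrust".
ZONES = {
    "trust":   ["192.168.10.0/24", "192.168.20.0/24"],
    "dmz":     ["10.0.0.0/24"],
    "untrust": ["0.0.0.0/0"],
}

# Mapped IPs: public address -> DMZ host (one-to-one static translation).
MIP = {
    "203.0.113.10": "10.0.0.10",   # web server
    "203.0.113.11": "10.0.0.11",   # mail server
}

# Ordered policy list: first match wins, anything unmatched is denied.
POLICIES = [
    # 0: a blocked source range placed first so it shadows the permits below
    Policy("untrust", "dmz", "198.51.100.0/24", "0.0.0.0/0", "any", 0, "deny"),
    # 1-3: what the Internet may reach in the DMZ, per host and port
    Policy("untrust", "dmz", "0.0.0.0/0", "10.0.0.10/32", "tcp", 80, "permit"),
    Policy("untrust", "dmz", "0.0.0.0/0", "10.0.0.10/32", "tcp", 443, "permit"),
    Policy("untrust", "dmz", "0.0.0.0/0", "10.0.0.11/32", "tcp", 25, "permit"),
    # 4: only the first LAN gets unrestricted outbound access
    Policy("trust", "untrust", "192.168.10.0/24", "0.0.0.0/0", "any", 0, "permit"),
    # 5: both LANs may talk to the DMZ
    Policy("trust", "dmz", "192.168.0.0/16", "10.0.0.0/24", "any", 0, "permit"),
    # 6: explicit deny so a compromised DMZ host cannot reach the LANs
    Policy("dmz", "trust", "0.0.0.0/0", "0.0.0.0/0", "any", 0, "deny"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, nets in ZONES.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0] if best else "untrust"   # unknown (e.g. IPv6) treated as outside


def _matches(pol: Policy, from_zone: str, to_zone: str, pkt: Packet, dst: str) -> bool:
    return (pol.from_zone == from_zone and pol.to_zone == to_zone
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(pol.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(pol.dst)
            and pol.proto in ("any", pkt.proto)
            and pol.dport in (0, pkt.dport))


def evaluate(pkt: Packet, policies=POLICIES, mip=MIP):
    """Return (action, translated_dst, index of the matching policy or None)."""
    dst = mip.get(pkt.dst, pkt.dst)          # MIP translation happens before the lookup
    from_zone, to_zone = zone_of(pkt.src), zone_of(dst)
    for i, pol in enumerate(policies):
        if _matches(pol, from_zone, to_zone, pkt, dst):
            return pol.action, dst, i
    return "deny", dst, None                 # nothing matched: default deny


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.99", "203.0.113.10", "tcp", 80),   # Internet -> web server
        Packet("203.0.113.99", "203.0.113.10", "tcp", 22),   # ssh to DMZ: no policy
        Packet("198.51.100.5", "203.0.113.10", "tcp", 80),   # blocked range, shadows permit
        Packet("192.168.20.5", "8.8.8.8", "udp", 53),        # second LAN outbound: no policy
        Packet("10.0.0.10", "192.168.10.5", "tcp", 445),     # DMZ -> LAN: explicit deny
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The returned policy index is the useful part when auditing a real box: a packet you expected to be dropped that reports a permit index tells you which rule is too wide, and a packet you expected through that reports None tells you the rule is missing rather than mis-ordered.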
Hello all once again
First, thank you for all answers and opinions.
I am aware there are no pure hardware firewalls; I understand hardware and software firewalls as you all said. I just wanted to know if Cisco IOS is low-level software (like firmware) running on some specialized hardware, or some higher-level app running over some OS. Sorry for the unclear question.
You are right, PeterBMartin, this is a small network: about 20 PCs, 5 servers (2 in the DMZ: web, ftp and email), and a few branch offices with 2-3 PCs each. My budget is around $2000 (the Netscreen 5GTE is $2200 with support packs and VPN, the Cisco 1812W is $1600). I don't have any experience with Cisco IOS, but they now have SDM and I assume it is much easier to set up than plain IOS. I do have some experience with software firewalls (ipchains, iptables, some firewalls for Windows).
I have searched the web for comparisons, but found none. On Miercom I found a Cisco 1812W performance test, but I'm still looking for some comparisons/opinions from Cisco 1811/1812 and Netscreen 5GT(E) (not Netgear) users. What does one have that the other doesn't; what works better in one and worse in the other?
secGeek: Firewall-1 is too expensive for me and doesn't have IPS, AFAIK.
Douger: thanks for your message. The 5GTE is a more advanced version than the 5XT; it allows unlimited users and 25 VPN connections, and can have Deep Inspection and AntiVirus from MicroTrend. I know the pricing for this model.
I'm looking forward to more input from Cisco 1811/1812 and Netscreen 5 series (mainly 5GT/XT) users. What do you like/dislike about them?
Regards
Maciek
The Cisco PIX software is essentially an OS running on a PC platform; in fact, the earliest PIXes WERE a PC platform.
Bob
Contrary to previous statements, Cisco is not the leader in the firewall arena, and therefore I have little experience with the PIX. However, to assist you, I do have plenty of Netscreen experience. We use 5XT, 5GT, 25, 204 and 208 models throughout our environment and have not had any problems with them. You need to get the right model to scale for your environment and traffic flow. From what I've heard, the 5GTs should be sufficient for your environment; just make sure you don't bog them down too much with VPNs. We haven't done a lot of VPNs directly into the 5GTs (usually just a single tunnel back to Corporate), so I don't know how well they perform with a full load of VPN connections. Might be worth trying out one day...
Very interesting to read.