We'll I finally got my new Juniper SSG 5 firewall (the replacement model for my old Netscreen 5gt).
I ordered it back in November, originally I was going to get the wireless version but they were still out of stock early this year so I ended up getting the base model (with 256mb of ram).
The main reason for the upgrade was that we'd run out of VPN tunnels (the 5gt did 10). The new version supports 25, plus it upgradeable to 40.
The SSG also has the following advantages over the 5gt (I'm comparing the base model 5gt and SSG 5):
- 4000 sessions, up from 2000
- 25 VPN tunnels, up from 10
- Unlimited users, up from 20 (my 5gt has an upgrade to support 20 users)
- 7 ethernet interfaces, up from 5 (plus they aren't limited in terms of zones like the 5gt).
- DMZ support (we've just got a subnet so this should be useful)
- Support for ScreenOS 6 which should be out this year
- Faster (160mb firewall (from 75mb), 40mb VPN (from 20mb))
- 256mb Ram, up from 128mb
- 64mb Flash, up from 32mb
So the device is pretty much double everything that the 5gt is.
It also cost me double. I got the 5gt off ebay for $320, where as the SSG 5 new cost me $640. I got a really good price on it has Bryn was able to sign up as a Juniper reseller, the SSG 5 is about $1200 retail.
The main limitation of the old Netscreen 5gt was the port modes.
The port mode defines what zone (untrust, trust, dmz etc) each ethernet interface is in. Any time you needed to change this you were required to reset the device and config (see below).
Where as the SSG 5 has something called bridge groups allowing you to easily change what zone each interface is in without resetting the device and/or config.
Much more useful if you're playing round with different network topologies (see below).
I've updated some of the IPSEC benchmarks to include both the SSG 5 and an old Netscreen 100 I picked up.
