Categories

Bluetrait
        Bluetrait
                Bluetrait
                    Coding
                    Geek
                    General
                    Videos
                    Solar
                    Coding
                    Geek
                    General
                    Coding
                        PHP
                        Bluetrait
                        PHP
                        Bluetrait
                        WordPress
                            Plugins
                        PHP
                        Bluetrait (Program)
                    Geek
                        Juniper
                        Cisco
                        IBM N2200 8363
                        PCs
                        Spam
                        IPv6
                        Apple
                        NetScreen
                        Internet
                    General
                        Uni

Thu, 21 Feb 2008 12:09 PM

Cisco ASA 5505 vs Juniper SSG 5

Michael Dale

I thought it was about time I did proper review of the Cisco ASA 5505 and the Juniper SSG 5.

Both devices are at the low end of firewall security devices offered by Cisco and Juniper.

The ASA 5505 is part of Cisco's new range of Adaptive Security Appliances (ASA) the replacement for the PIX. The 5505 replaces the old PIX 501 and 506e.

The SSG 5 is Juniper's lowest end Secure Services Gateway (SSG). The SSG 5 replaces the old Netscreen 5GT.

There are many models of the SSG 5 and ASA 5505 available, for this review I will be looking at the non wireless SSG 5 256mb version and the unlimited user ASA 5505 K9 version.

Before we get started I should make it clear that I work with the Juniper range of hardware every day; so I may be bias.

Overview

The first thing I'll do is compare the two devices "on paper".

  Cisco ASA 5505 Juniper SSG 5
Model ASA5505-UL-BUN-K9 SSG-5-SH SSG5 RS-232 256MB
RRP* $AU1,681.90 inc GST $AU1,125.00 inc GST
Firewall Throughput 150 Mbps 160 Mbps or 90 Mbps of IMIX** traffic
VPN Throughput 100 Mbps 40 Mbps
Sessions 10,000 8,000
Connections/Second  4,000  2,800
Packets Per Second (64 byte) 85,000 30,000
IPSec Tunnels  10 25
SSL Tunnels 2 N/A
Memory 256 MB (upgradable) 256 MB
Flash 128 MB (upgradable) 64 MB (fixed)
Ethernet Ports 8x100 Mbps (2 of which are PoE) 7x100 Mbps
USB 3xUSB 2.0 1xUSB 1.1
VLANs 3 (trunking disabled, DMZ Restricted) 10
OS ASA 8.0(2) - ASDM 6.0(2) ScreenOS 6.1.0r1
Users Unlimited Unlimited
Routing Protocols RIP v1/v2, OSPF, EIGRP RIP v1/v2, BGP, OSPF
Anti-Virus No (possible future) Yes (paid for subscription)
Deep Inspection Yes Yes
Anti-Spam No (possible future) Yes (paid for subscription)
Console RJ45 RJ45
Dialup Modem No No (external modem can
be connected via the AUX port)
IPv6 Yes Yes

* RRP based on Ingram Micro's pricing
** IMIX traffic is more demanding than a single packet size performance test and as such is more representative of real-world customer network traffic.
The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

So on paper the ASA 5505 has much better throughput and general hardware specifications, yet the SSG 5 supports more VPN tunnels, VLANS and has full UTM (Unified Threat Management).

The ASA 5505 is also about 50% more expensive (based on the retail prices), saying this wholesale prices of the two devices only differ by about $250 ext GST.

Cisco ASA 5505 Front and Juniper SSG 5 Front

Cisco ASA 5505 Back and Juniper SSG 5 Back

Cisco ASA 5505 out of the box

The ASA 5505 comes with the following:

  • ASA 5505
  • Power Supply
  • Getting Started Guide (Software Version 7.2)
  • Rollover console cable
  • 90-Day Hardware Warranty
  • Software and Documentation CD (Software Version 7.2)
  • Regulatory Compliance and Safety Information Booklet
  • 2 Ethernet Cables

Juniper SSG 5 out of the box

The SSG 5 comes with the following:

  • SSG 5
  • Power Supply
  • Serial to RJ45 connector
  • 1-Year Hardware Warranty
  • 90-Day Software Warranty (from the date of shipment)
  • Free download of the latest ScreenOS for the first 90-Days
  • Software and Documentation CD
  • 1 Ethernet Cable
  • Desk Stand (allows the SSG 5 to stand upright)

The 90-Day software download for the Juniper device means that you can have to the latest software when you first purchase the device. Unfortunately this time period starts from when the device leaves Juniper. So if you purchase the device from a reseller the software update period may have already expired. This is still better than Cisco that requires you to purchase a SmartNet agreement before you can download anything.

The 90-Day Cisco hardware warranty is also a bit rude.

Cisco ASA 5505 Starting it up

Out of the box the ASA is setup with Ethernet0/0 being the WAN side while the rest of ports are setup as the LAN side. The default IP address of the box is 192.168.1.1.

If you're running an internet connection where an ip address is handed out via DHCP then the ASA will give you basic internet access straight off, although most of the time you'll want to configure PPPoE or something.

For users who have not used Cisco gear before then the easiest way is through ASDM (Adaptive Security Device Manager), cisco's GUI setup interface. To access this browse to https://192.168.1.1/ and download the ASDM.

Once started you are greeted with some statistics of the ASA.

Cisco ASDM Interface

ASDM is up to version 6 and is it now fairly comprehensive; if you don't like the command line then most of the configuration can be done here.

By default the ASA blocks and filters certain traffic for example ICMP is blocked.

Juniper SSG 5 Starting it up

Out of the box the SSG 5 is setup with Eth0/0 being the WAN side, Eth0/1 being the DMZ and the rest of the ports being the LAN side. The default IP address of the box is 192.168.1.1.

The SSG 5 uses zones.

"A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via policies. Security zones are logical entities to which one or more interfaces are bound."

So what Cisco call VLANs (or Security Levels) are basically what Juniper call Zones.

The SSG is managed through a web interface this can be found at http://192.168.1.1 (default username and password: netscreen).

Once you've logged in you are greated a general overview of the device.

Netscreen WebUI

Like the cisco device the SSG also allows configuration via the command line; although the WebUI is much more complete than the Cisco ASDM.

Personally I do most of my configuration in the WebUI.

By default all outbound traffic is allowed and the WAN interface (or Untrust as Juniper call it) is set in NAT mode. The Untrust interface isn't setup to receive an address via DHCP by default.

Cisco ASA 5505 The Hardware

The physical construction of the 5505 is very good. The outside casing is mostly plastic, while the base of the system is metal. The only point of concern is the power connector; it seems a bit flimsy and could be easily broken.

If you open up the 5505 you can see that both the flash and ram is upgradable. The flash is just a standard compact flash card, while the ram is PC3200 DDR UB NON-ECC CL3 DIMM 2.5v or 2.6v. It looks like the ASA 5505 can support up to 512mb of Ram.

The primary CPU is based on an AMD Geode chip, plus there is a hardware acceleration chip too (for VPN encryption etc).

The 5505 also has a Security Services Card slot allowing extra functionality to be added on. Although there are not any cards at this stage.

There are 2 USB 2.0 ports on the back and 1 on the front. Seems like a lot for a firewall! At this stage they don't do anything.

The inclusion of two Power over Ethernet ports is a great idea as it allows you to simply plug an IP phone in without the need for an extra power brick.

There is an internal battery that can be replaced if required.

Overall the ASA 5505 feel like it was built to last.

Juniper SSG 5 The Hardware

The physical construction of the SSG 5 is good, but it isn't has good as the 5505. My main point of concern is the single USB port on the back. It isn't attached to the outside casing and just feels a bit flimsy.

The SSG 5 allows for the memory to be upgraded, although 256mb is the max. I tried a 512mb DDR2 SODIMM in the device but it didn't boot. It is possible that I was using the wrong type of ram (on second look it may need DDR1). The flash memory is soldered onto the board and cannot be replaced.

The SSG 5 uses an Intel IXP455 chip running at 533MHz.

There is a single USB 1.1 port on the back of the device that can be used for storing log files or other firmware.

Cisco ASA 5505 The Software

At the time of writing software version 8.0(3) is currently the latest version for the ASA. Unfortunately I currently only have 8.0(2), saying this the differences should only be bug fixes.

The ASA software is simply a continuation of the PIX software. The configuration is stored in a single text file. With each version of the ASA/PIX software the command line configuration is slowly becoming more and more like Cisco IOS which is not a bad thing.

The ASA has a stack of features for a device so small and cheap. It does everything that the PIX 506e does (IPsec VPN, SPI firewall etc) plus more (SSL VPN, EIGMP). The inclusion of SSL VPN means that this device can easily support teleworkers that may not have access to an unrestricted internet connection. SSL VPN gives the end user an option of a client based connection (similar to an IPsec VPN) or a clientless connection (a web portal to published files and services).

The ASA 5505 also provides basic routing and nat functionality, meaning that you can run this device without a separate router. Unfortunately there is no option for an integrated ADSL modem, so a modem will need to be purchased.

The configuration of the ASA can be scary for new users. ASDM is not particularly well laid out. NAT rules are in a different location to access rules and everytime you want to make a change you must save and upload the configuration again. The base license is also restrictive, you are limited to three "zones": untrust, trust and dmz. You cannot create pin holes in the DMZ to allow access the the Trust network either.

The SSL VPN is also very limited as you are only allowed 2 SSL VPN connections. IPsec is a little better with 10 tunnels allowed, but even cheap SOHO routers can do 10 IPsec tunnels.

All of these limits can be removed or increased with more expensive licenses, but they are much much more costly.

It is possible to get the ASA 5505 in 10 and 50 user versions (number of computers using the internet behind the ASA). Why Cisco have this limit is beond me. I've never seen a cheap SOHO router with a user limit.

The reporting options in ASA 5505 are fantastic. If you want to know what is going on it your network then the ASA will tell you. It can display the most used services, sources or destinations in a pie chart (plus a whole stack of other options).

Overall the ASA software is good, but there are far too many limits on the base 5505.

ASA Software Version 8.1 is due soon although I've yet to hear what extra features it will include.

Cisco ASA 5505 Policy Management

Juniper SSG 5 The Software

The SSG 5 came out with ScreenOS 5.4 but since then Juniper have released 6.0 and 6.1 both adding lots of extra functionality. ScreenOS supports just about any routing protocol (BGP, OSPF, RIP etc) and has some really nice features that aren't found on the ASA 5505.

The base SSG 5 license supports unlimited users, 25 VPN tunnels and 10 zones. The extra zones really makes the SSG 5 stand out. For example you can have a Untrust, Trust, DMZ and VPN zone. All VPN tunnels can be bound to the VPN zone, separating it from internet traffic. There are also no limits on how the zones work so the DMZ can talk to the any zone if you so wish. With 10 zones every port on the SSG 5 can be part of a different network. So if I wanted to add a wireless access point I could create a zone that only allows the wireless users to access the internet.

Policy management is also much better than the ASA. Every change made via the web interface is automatically saved. You can quickly disable policies and move them around. You can fine tune each policy. For example you might want to enable NAT on a policy, or add anti-spam scanning on certain incoming SMTP connections. The policy management on the SSG 5 feels much more mature.

Again the SSG 5 like the ASA 5505 can be used as a stand alone device without the need for an extra router. The SSG 5 does have another nice option, you can purchase them with ADSL2+ modems built in (or ISDN or 56k modem). So you don't need to buy an extra modem. Saying this I find it easier and cheaper just to use an external modem as it can be upgraded if a new technology comes out.

ScreenOS 6.0 added Auto Connect VPN which works the same as Cisco's Dynamic Multipoint Virtual Private Network. This basically means that in a hub and spoke vpn setup the spoke sites (remote offices) can automatically establish a VPN tunnel between each other (based on the rules at the hub) to reduce the traffic going through the hub. This can increase bandwidth and decrease latency.

ScreenOS 6.1 added IKEv2 the next version of the Internet Key Exchange protocol which is used in IPsec.

Juniper SSG 5 Policy Management

UPDATE: Power Adapter

Just thought I'd add a quick section on the power adapter.

The Cisco ASA 5505's power adapter is quite large and seems to make a bit of noise (more than the device itself).

Juniper SSG 5 and Cisco ASA 5505 power adapters


Conclusion

Both devices are fantastic yet each have their own strengths and weaknesses. For example the SSG doesn't support SSL VPNs while the ASA doesn't support built in Anti-Virus or Anti-Spam.

I feel that the ASA 5505 is a little let down by its software and licensing limits. The reporting options in the ASA are much better then the SSG, but this doesn't make up for its other short comings. SSL VPN is nice but again far too limited with only 2 connections. The ASA 5505 hardware is clearly better than the SSG 5: PoE ports, USB 2, higher throughput.

On paper the SSG 5 isn't has good as the ASA 5505, yet the device is much less limited. I personally don't feel that the performance of the SSG 5 isn't an issue. These two devices are designed for small businesses and teleworkers, they're never going to see 150mbit/sec of traffic.

The SSG 5 comes with many more hardware options, you can even get a version with 802.11a/b/g wireless.

To me the SSG 5 makes a better router than the ASA 5505. While the ASA 5505 makes more sense for a business with teleworkers that require SSL VPN.

The SSG 5 can handle more VPN tunnels (up to 40 with an extended license) and has some technology that makes it better for site to site VPNs, such as running BGP over an IPsec tunnel.

If you're currently running a Cisco network stick to the ASA. Likewise if you're running a Juniper network use the SSG.

For new users you need to decide on what is important to you. Do you plan on using SSL VPN? Then get the ASA 5505. If you're just using IPsec or require some more complex networks/routing get the SSG 5.

Value for money? The SSG 5 is better as there are far less software limits.


Wed, 06 Feb 2008 10:00 AM

IPv6

Michael Dale

I spent a bit of time last night getting more of my network IPv6 ready.

  • My Bind DNS server can now answer queries on IPv6.
  • dalegroup.net now has an IPv6 address
  • I'm in the process of trying to get my name server (ns1.dalegroup.net) to have an IPv6 address.
  • Mail server has an IPv6 address (although nothing is routed to the IPv6 address yet)

EDIT: And now my IPv6 tunnel is completely broken :( I've email aarnet and hopefully it will be working soon!


Thu, 31 Jan 2008 9:22 AM

Setting up a route based site-to-site vpn using aggressive mode

Michael Dale

The following howto guide explains how to setup a route based site-to-site VPN with one site using a firewalled internet connection and a dyanmic ip address.

So the background:
We have a client who is currently uses a Next G wireless connection who requires a link back into head office.

The wireless connection is limited in the follownig ways:

  • No public ip address
  • No static ip address
  • No port forwarding capabilities

So the connection is locked down.

The client required a site-to-site vpn for their business to operate (main application is running in head office).

So the following guide will show you how to set this up.

Network Details:
Head Office

  • Real internet connection with a static IP address
  • 192.168.0.x internal network

Remote Office

  • Internet connection without public ip address and/or port forwards
  • 192.168.6.x internal network

Head Office Setup

  1. Create a new IKE user (Objects->Users->Local)
  2. Create a new Unnumbered Tunnel Interface mapped to the untrust zone (Network->Interfaces (List)) and connected to your untrust Interface
  3. Create a new "Dialup User" VPN Gateway (VPNs->AutoKey Advanced->Gateway),
    1. Dialup user being the one you created in step 1.
    2. Outgoing interface is your untrust port.
    3. Enter a preshared key.
    4. In the advanced settings:
      1. Mode (Initiator) Aggressive
      2. Enable NAT-Traversal
  4. Create a new AutoKey IKE (VPNs->AutoKey IKE).
    1. Security Level: Custom
    2. Remote gateway is the one you setup in step 3
    3. In the advanced settings
      1. Replay Protection
      2. Bind to the Tunnel Interface you created in step 2
      3. VPN Monitor
      4. Rekey
  5. Create Routes (Network->Routing->Routing Entries)
    1. Network (remote network): 192.168.6.0/255.255.255.0
    2. Gateway
    3. Interface: Tunnel Interface you created in step 2
  6. Create polcies:
    1. From Trust to Untrust:
      1. Source: 192.168.0.0/24
      2. Destination: 192.168.6.0/24 
    2. From Untrust to Trust: 
      1. Source: 192.168.6.0/24
      2. Destination: 192.168.0.0/24
          

Remote Office Setup

  1. Create a new Unnumbered Tunnel Interface mapped to the untrust zone (Network->Interfaces (List)) and connected to your untrust Interface
  2. Create a new "Dialup User" VPN Gateway (VPNs->AutoKey Advanced->Gateway),
    1. Local ID being the IKE Identity you created in step 1 on the Head Office setup.
    2. Outgoing interface is your untrust port.
    3. Enter a preshared key (same as Head Office setup).
    4. In the advanced settings:
      1. Mode (Initiator) Aggressive
      2. Enable NAT-Traversal
  3. Create a new AutoKey IKE (VPNs->AutoKey IKE).
    1. Security Level: Custom
    2. Remote gateway is the one you setup in step 2
    3. In the advanced settings
      1. Replay Protection
      2. Bind to the Tunnel Interface you created in step 1
      3. VPN Monitor
      4. Rekey
  4. Create Routes (Network->Routing->Routing Entries)
    1. Network (remote network): 192.168.0.0/255.255.255.0
    2. Gateway
    3. Interface: Tunnel Interface you created in step 1
  5. Create polcies:
    1. From Trust to Untrust:
      1. Source: 192.168.6.0/24
      2. Destination: 192.168.0.0/24 
    2. From Untrust to Trust: 
      1. Source: 192.168.0.0/24
      2. Destination: 192.168.6.0/24

So that should be all you need to do. The Remote Office will be the side that starts the VPN. Make sure the encryption settings are the same for each side.

The good thing about this setup is that you don't need to use a service like DynDNS so it should be a bit more reliable.

If I get a chance I'll try and add some screen shots.


Mon, 14 Jan 2008 3:20 PM

.au domains for $21.45 2/year

Michael Dale

Jumba have a special on at the moment; .au domains for $21.45 for two years. Thats cheaper than what I pay for a standard .com!

Anyway I picked up dalegroup.net.au


Wed, 19 Dec 2007 6:32 PM

My Website History

Michael Dale

I've just spent the last half hour restoring some of my old websites (dating back to around 2004).

I thought it would be interesting to see how they'd changed.

I did something like this back in early 2004, and ended up with a PDF document called "Dalegroup Evolved".

This time it is a little more interactive as the websites are live (click on the screen shots to visit the site) :)

So the first on my list:

dalegroup.net - 2004

dalegroup.net 2004

Dalegroup.net was my primary website before I started a blog. This site ran on one of my first CMS' and it is still working on PHP5 :)

I setup GD to generate the news titles into a coloured image that changed for each news item.

blog.dalegroup.net - 2005

blog.dalegroup.net 2005

This site was my first "real" blog and could be found at blog.dalegroup.net (no longer exists). This site ran on a script I called getnews and was simply a basic blog program I wrote during the HSC.

The customised CSS styles still work too!

bluetrait.com - 2007

bluetrait.com 2007

Bluetrait was my first site completely separate from dalegroup. I don't remember where the name came from but the idea behind it was to write a blog script that people could download and use.

So bluetrait ran on Bluetrait 1 which worked pretty well for a few years.

And now we're at the end of 2007. Bluetrait.com is still around and is currently running Bluetrait 2 Alpha-2.

 


Tue, 18 Dec 2007 3:38 PM

Gravatar

Michael Dale

I've added Gravatar support to this site.

A gravatar, or globally recognized avatar, is quite simply an 80×80 pixel avatar image that follows you from weblog to weblog appearing beside your name when you comment on gravatar enabled sites.

Fri, 23 Nov 2007 8:57 PM

Mac Mini

Michael Dale

I got a Mac Mini for my birthday on the 21st. Specs:

Core 2 Duo 1.83GHz
1gb Ram
80gb HDD
Leopard.

It's awesome! I'll post some pictures later.


Mon, 19 Nov 2007 10:15 AM

Creating a VIP in a different subnet

Michael Dale
Recently the company I work for got another subnet to use, let's call it b.b.b.0/24 (and our current one is a.a.a.0/24). We want to use this subnet to create more VIPs (Virtual IPs). So we currently have: a.a.a.2:80 -> 10.0.0.2:80 We wanted to add: b.b.b.2:80 -> 10.0.0.3:80 Unfortunately trying to do this via the standard method fails with this error: VIP error With the help of the juniperforum website a way was worked out. Steps: 1) Make sure the new subnet is routed to your netscreen (in this case to our untrust int) untrust untrust policy 2) Create a new policy from UNTRUST to UNTRUST (yes this is not a mistake) with the following details: Source Address: ANY Destination Address: The external IP address you want to use i.e b.b.b.2 Service: The service you want Under the advanced settings: Enable Destination Translation Translate to IP 10.0.0.3 policyuntrust untrust policy 3) To create more services to the IP address simply add another policy with the "Service" and "Translate to IP" details changed. Note: This method mostly acts like a normal VIP. The only thing to look out for is that requests from the TRUST zone won't be translated. More details can be found in the forum thread here.

Sat, 17 Nov 2007 11:49 AM

Defensio

Michael Dale
Defensio is an anti-spam service very similar to Akismet, except that they provide in depth spam statistics for your website. I've just written a basic Defensio plugin for Bluetrait 2 and am giving it a test. It looks pretty cool!