The best firewall is…

Juniper Networks SSG550M


Juniper's SSG550M is the bigger sibling to the 520. The main differentiators between these are performance and redundancy options. Juniper claims the 550 provides performance of 1Gbps stateful and 500Mbps IPSec, while the 520 is 650Mbps stateful and 300Mbps IPSec. The 550 can also support an optional redundant power supply while the 520 cannot. Both models are available with AC or DC power supplies — good news for the telcos out there.

The SSG550M is housed in a large black 2RU chassis. On the front, the device is dominated by six modular expansion slots — two of these occupied by a double height 16-port 10/100/1000 network module. One expansion slot was also occupied by a single port ADSL line card. Fixed ports on the front also include four additional 10/100/1000 network ports, two USB ports, a console port and an auxiliary port. Power and reset/config switches are recessed, and there are status LEDs for power, alarm, status and high availability. Each network port also features two LEDs showing connectivity, status and activity. The removal of a blue plastic bezel provides access to the ventilation filter; at the rear are more ventilation grilles. Access to the power supply modules is also from the rear, delivered via standard IEC connector power cables.

Juniper's elevator pitch for the 550M is that it offers a mix of high performance, security and LAN/WAN connectivity for regional and branch office deployments. ScreenOS is Juniper's real-time, security-specific operating system. It includes a set of security and management applications, including:

  • Common criteria and ICSA certified stateful inspection firewall
  • ICSA certified IPSec VPN gateway for interoperable and secure communications
  • Deep inspection for application-level attack protection
  • Antivirus protection based on the Kaspersky Lab scanning engine that includes anti-phishing, anti-spyware and anti-adware protection
  • Anti-spam via a partnership with Symantec to block known spammers and phishers
  • Content filtering using SurfControl to block access to known malicious sites or other inappropriate content
  • Network segmentation through its virtualisation capabilities
  • Denial of service (DoS) mitigation capabilities
  • Application layer gateways to inspect common VoIP protocols (H.323, SIP, SCCP and MGCP)

Considering Juniper's networking heritage and impressive array of carrier-grade services equipment, it is no wonder that the company's firewall platform also performs common networking functions, supporting routing protocols such as BGP, OSPF and RIPv2. This integrated functionality provides enterprises with great network redundancy, allowing for multiple services/ISPs. Dynamic routing with path monitoring enables automatic connection failover to an alternate route and/or ISP. Juniper's dynamic routing capability also enables route-based VPNs (the ability to define multiple VPN tunnels and, based on a routing decision, select the best VPN tunnel for the traffic).

The design of the GUI for administration/configuration is now somewhat dated, although functional. For those familiar with the Netscreen/Juniper interface, it will have a traditional look and feel. It also retains a menu-based system that provides multi-level access to the device's operations. Juniper has added an option to toggle from the traditional menu to a much neater Java-enabled menu, in which submenus pop up with a single click. Either way, our engineers found locating the configuration/administration items easy.

The Juniper web GUI (Credit: CBS Interactive)

Juniper (with strong roots in the carrier industry) provides a number of ways to manage these devices — either remotely or locally. These range from its standard web GUI through to a traditional console-based session. Centralised management is also an option and, you'll find, necessary when deploying a number of devices in differing geographies.

Overall, it is a very robust and highly customisable device. Juniper has a history of delivering mission-critical and highly available products. In the Australian corporate and government markets, this category of device would suit medium to large organisations in virtually any scenario.

Warranty is for one year from the date of purchase. Juniper also offers two support/maintenance models for all products:

  • JCARE Support: the Juniper partner or reseller will (in addition to selling you the product) sell a maintenance contract for the device. This is based on return-to-factory, next-day or same-day support models (as per the customer's SLA). All support requests (JTAC, hardware, software etc) are provided direct by Juniper to the end-customer.
  • JNASC Partner enabled: as a Juniper Networks authorised support centre partner, the partner provides level 1 and level 2 support services directly to the end customer. The partner maintains the primary support relationship with the customer while relying on Juniper for escalation support. Juniper assists the JNASC partner with all escalation and level 3 support issues to resolve an end-customer problem.

The price of the 550M we tested is very reasonable at AU$15,487, considering the design, intended application, features and functionality.

The bottom line: If you are in the market for an enterprise-level mission critical network security device then shortlist Juniper's SSG500 series for evaluation.

Vendor: Juniper Networks

Price: AU$15,487

Warranty & support: Juniper warrants that for a period of one year from the date of purchase, the hardware shall be free of defects in material and workmanship under normal authorised use consistent with the product instructions. Juniper currently operates two distinct support models for all products: JCARE Support and JNASC Partner enabled.

The good:

  • Configurable/customisable
  • Feature rich
  • High reliability could be expected

The bad:

  • May be overkill in some environments
  • Densely packed networking ports with limited cable management may confuse and sometimes obscure status indicators
Talkback 6 comments

    No OpenBSD? Anonymous -- 13/06/09

    I'm amazed that you didn't bother to test the platform with the most impressive security track record known to man - OpenBSD.

    It's easy to configure. There are no licensing costs. The rule set for PF is human readable. It supports IPv6.

    TeeHee Mel Sommersberg -- 17/06/09 (in reply to #320143137)

    OpenBSD is one of the most annoying and cantankerous operating systems known to man. I'll agree with you on security - no doubt there at all. I once used OpenBSD to host a name server but now use Windows because whilst security may not be at the same level Windows DNS is much much easier to kick in the guts.

    BIND is BIND Anonymous -- 09/11/09 (in reply to #320143901)

    OpenBSD's DNS is BIND. The same as is common in the Linux world and the other BSDs. Essentially, you just said you need a GUI to do it.

    phion? Anonymous -- 26/06/09

    Hi,

    Do you know anything about http://www.phion.com firewalls? I was for Sonicwall for our company, but that piece of seller promoted phion like hell. Now our managers probably want to buy this sh.., sorry but this company is absolutely unknown to me. I have not found any review about their products.

    Perhaps you know something about them.

    price too high for these Al -- 30/07/09

    I have played with a lot of firewalls, and I can say there are more affordable solutions out there if you look around. I went for ideco enterprise all-in-one solution. I am running on CentOS 5.3 x64. Good stuff.

    Pricing? Anonymous -- 11/12/09

    Not sure where this pricing came from, but it is clearly not accurate. Would be inclined to search it out for myself......
