Question : PIX 535 Vs NetScreen ISG2000

Hello,

We run very highly demanded web and application servers in a server farm.  We're shopping around for a solid firewall solution.  Our vendors have made two recommendations, which are the PIX 535 and the NetScreen ISG2000.  I wanted to know what you folks think is a better fit for our environment.  Please be clear in your recommendation and provide as much reference as possible.

- Our environment receives about 250,000 concurrent sessions.
- Latency is not an option.  The response must be instantaneous.
- Load balanced and fully redundant firewall is a must.
- Site-to-site VPN tunnels need to be terminated on the firewall itself.  There are currently about 25 VPN tunnels (site to site, no user tunnels).

Your input is appreciated.

JM

Answer : PIX 535 Vs NetScreen ISG2000

The PIX 535 may even be a bit overpowered for your requirements. The 525 in a failover pair configuration would be more cost effective:
 The Cisco PIX 525 Unrestricted (PIX 525-UR) model extends the capabilities of the security appliance with support for stateful failover, additional LAN interfaces, and increased VPN throughput via integrated hardware-based VPN acceleration. It includes an integrated VAC or VAC+ hardware VPN accelerator, 256 MB of RAM, two 10/100 Fast Ethernet interfaces, and support for up to six additional 10/100 Fast Ethernet or three Gigabit Ethernet interfaces. The Cisco PIX 525-UR also adds the ability to share state information with a hot-standby Cisco PIX Security Appliance for resilient network protection.

Performance Summary
Cleartext throughput: Up to 330 Mbps
Concurrent connections: 280,000
168-bit 3DES IPSec VPN throughput: Up to 145 Mbps with VAC+ or 72 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 135 Mbps with VAC+
Simultaneous VPN tunnels: 2000

If the Concurrent session limit of 280,000 does not give you enough growth headroom, then the 535 is the way to go, and you can put two of them into an auto failover pair:
Performance Summary
Cleartext throughput: Up to 1.7 Gbps
Concurrent connections: 500,000
168-bit 3DES IPSec VPN throughput: Up to 425 Mbps with VAC+ or 100 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 495 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 425 Mbps with VAC+
Simultaneous VPN tunnels: 2000

A failover pair of PIXs doesn't load-balance. One is fully operational and the other is in "standby" mode at any one time.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

The only thing I have against the NetScreen is that it has been bought out by Juniper Networks. Can you depend on the support for the next 5 years with a new parent? I have problems with companies that force you to register with them to even see their product whitepapers:
    http://www.juniper.net/products/integrated/   (see the "What's New" column for ISG2000 doc)

However, a side-by-side comparison of performance features blows the PIX 535 out of the water...
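The active/standby pair described in the answer is configured on the PIX with LAN-based failover plus a dedicated stateful link. The following is an added configuration example in PIX 6.3 syntax; it is not from the original post or from Cisco's documentation, and the interface names, addresses and the shared key are assumptions chosen for illustration:

```cisco
! Primary unit. Interface names and RFC 1918 / documentation addresses are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 lanfail security10
nameif ethernet3 stateful security20
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address lanfail 10.255.0.1 255.255.255.252
ip address stateful 10.255.1.1 255.255.255.252

! Standby addresses: whichever unit is active always answers on the primary addresses above,
! so the server farm and the 25 remote VPN peers never see the address change on failover.
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address lanfail 10.255.0.2
failover ip address stateful 10.255.1.2
failover poll 3

! LAN-based failover on a dedicated interface, authenticated with a shared key so a
! rogue host on that segment cannot inject failover messages.
failover lan unit primary
failover lan interface lanfail
failover lan key <shared-secret>
failover lan enable

! Dedicated stateful link: replicates the connection table to the standby so existing
! sessions survive a failover. HTTP sessions are not replicated unless explicitly enabled,
! which matters for a web farm.
failover link stateful
failover replicate http
```

Verify with `show failover` on both units (the standby should show "Standby" and the stateful link "up") and, before going live, pull the primary's power and confirm existing TCP sessions continue. Also check the release notes for the software version being deployed as to whether IPsec SAs are replicated: if they are not, the 25 site-to-site tunnels renegotiate on failover, and the remote peers must tolerate that.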
