Thursday, December 16, 2010

Juniper ScreenOS & Fortigate FortiOS revisited 2010

This month, I had the opportunity of installing a Juniper SSG appliance (with ScreenOS) and two Fortigate units (with FortiOS) for three separate clients. These two firewall brands really bring back interesting memories after years of deploying Watchguard which, to date, STILL does not support IPv6 (what does that tell you about Watchguard's development cycles ?).

Check out the list of IPv6-capable security products here: https://www.icsalabs.com/technology-program/ipv6/ipv6-capable-security-products

At first look, it seems not much has changed in ScreenOS; I guess most of Juniper's development effort has been concentrated on JunOS.

This could either be a good or a bad thing. In ScreenOS's case if it ain't broke, why fix it ?

As one of the first Active/Active capable firewalls that I had the opportunity to deploy, ScreenOS's NSRP is still the same reliable protocol it has always been.

Its Active/Active HA works on the principle of two Virtual Security Device (VSD) groups sharing the same cluster ID, with each unit acting as master for one group and backup for the other; every interface gets a Virtual Security Interface (VSI) per VSD group. Furthermore, it fails over PPPoE links too :)

The only downside is that you need one IP address per VSI, i.e. one for each VSD group's interface. In a production Active/Active setup that translates into two IP addresses per HA interface/zone, plus a per-unit manage-ip if you want to reach each box individually.

FortiOS on the other hand builds its cluster (FGCP) around a virtual MAC address shared by the cluster members rather than per-member virtual interfaces. From a first look, it operates as well as, or even better than, ScreenOS (maybe not the debugging bit) and you only need ONE IP address per HA interface. That simple capability saves your precious public IP addresses (and end-user confusion) when doing HA on the public IP segment.
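To make the address-count difference concrete, here is an added example (my own illustration, not configuration from either vendor's documentation or from the deployments above) of the two HA models side by side: an NSRP Active/Active pair on ScreenOS, then an FGCP Active/Active pair on FortiOS. Cluster IDs, interface names, the HA link and all addresses (RFC 5737 ranges) are assumptions; the `#` lines are annotations, not CLI syntax, so drop them before pasting.

```text
# ===== Juniper ScreenOS: NSRP Active/Active, commands for unit A =====
# Unit B is identical except the two VSD priorities are swapped
# (lower number = higher priority) and it gets its own manage-ip.
set interface ethernet0/6 zone ha
set interface ethernet0/0 zone untrust
set interface ethernet0/2 zone trust
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 1 priority 100
set nsrp rto-mirror sync
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/2
# VSD group 0 VSIs carry the physical interface name: first address per zone
set interface ethernet0/0 ip 203.0.113.1/24
set interface ethernet0/2 ip 192.0.2.1/24
# VSD group 1 VSIs are "<interface>:1" and inherit the zone: second address per zone
set interface ethernet0/0:1 ip 203.0.113.2/24
set interface ethernet0/2:1 ip 192.0.2.2/24
# per-unit management address on top of the two VSI addresses
set interface ethernet0/0 manage-ip 203.0.113.3

# ===== Fortigate FortiOS: FGCP Active/Active, same on both units =====
# The interface configuration is synchronised across the cluster, so each
# zone needs a single address; the primary answers for the virtual MAC.
config system interface
    edit "port1"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system ha
    set group-name "cluster1"
    set group-id 1
    set mode a-a
    set password "example-shared-secret"
    set hbdev "port3" 50
    set session-pickup enable
    set monitor "port1" "port2"
    set priority 200
end
```

On the ScreenOS side the untrust zone consumes three addresses (two VSIs plus the manage-ip) for a two-node cluster; on the FortiOS side it consumes one, and if you want to reach each Fortigate individually you reserve a separate interface for that with `set ha-mgmt-status enable` and `set ha-mgmt-interface` under `config system ha` rather than burning a second public address. Set `priority 200` on only one unit (the other keeps the default) so the primary election is deterministic.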

And of course, ScreenOS stubbornly sticks with its trusted PPTP and L2TP as its user-based VPN methods while FortiOS has included all of the above AND SSL-based VPN as well. Mind you this includes SSL tunnel mode (via the FortiClient tunnel client, not OpenVPN) as well as Virtual Desktop functionality (Java applet based). How cool is that ?

Maybe I'll try JunOS sometime and see if it's worth it cost-for-cost against FortiOS :)
