Juniper SSG20 Review

Discussion in 'Networking, Telephony & Internet' started by samus, Oct 8, 2010.

  1. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
    Hi I’m Mario, you may have heard of me from such threads as the Watchguard X750E review and DIY Firewalls.

    Today I’m finally going to post my review/thoughts on the Juniper SSG20, since it has to go back to Juniper today or tomorrow. It sucks when you have to do actual work. Or are sick for a few days.

    As usual, pictures tell the bulk of the story:




    And since this time, I can take the case apart, we have these pictures!

    Note this is the wireless model, with the daughter board for the AP here:




    Also the processor is an Intel IXP455 processor, running at 400MHz, with 265MB RAM.




    The RAM is user upgradeable, via a panel on the base of the unit:




    To have the extra functionality (UTM, DI etc.), the “hi-memory” option must be installed. The reality is you don’t buy a device like this and not have the UTM stuff enabled.




    Note at the back the single USB port and Kensington lock slot. The USB port is for configuration backup only as far as I am aware.

    My unit didn’t come with rack ears, so I don’t know how sturdy they are. The SSG20 has a very basic but functional case; I really like that you can get to it very easily.

    Power supply is a 12 volt, 3.3 amp brick.

    Interfaces:




    Firstly, Juniper has a unique approach to routing compared to anything else I use/have used before. It breaks its rules down like this:

    Virtual routers
    Zones
    Interfaces
    Policy

    It gives you much more flexibility than a “traditional” router, for example routing many networks over the one unit, with complete separation of traffic.

    The easiest way to explain this is by example. Create one virtual router, called “trust-vr”, then 2 zones: “trust” for the cold side (LAN) and “untrust” for the hot side (WAN). Then you can assign interfaces to the zones and then finally set policies for data going from the different zones. You can then expand on this with many zones, for example creating a DMZ zone or an intranet zone, then assigning interfaces to it. The advantage here is, once the zones are created, you can easily change interfaces assigned to the zones, without having to recreate your rules.

    This can be further expanded with the use of multiple virtual routers.

    This model can have up to 4 virtual routers I believe, so you can split up the unit in many ways.

    I’ll stop here for a second. A few important things to know: the SSG series are being phased out; replaced by the SRX series, one of which I have to finish my review of, the SRX210. Just as important, I believe they are phasing out the Screen OS system that runs on the SSG series, and moving everything to their JunOS product/operating system.

    So let’s move on with Screen OS, in its command-line form.

    The way you build commands in Screen OS is a bit like DOS: one command, many arguments. In comparison to IOS or JOS (JunOS), where you have menus to navigate, here you build the command from one “set” statement.

    Example:
    Code:
    SSG20->set interface ethernet0/1 ip 192.168.80.1 255.255.255.0
    Will set the interface 0/1 to the IP address 192.168.80.1, rather than having to navigate to interface with a configure command, then an interface command. I personally don’t like it as it slows you down when you are doing multiple things to the same interface, like setting a DHCP server for example, as you have to type the initial commands first every time.

    The SSG20 also has an “exec” set of commands, to execute different functions:




    And again, you build the commands the same way you do with the “set” commands.

    You can also dump out the config to text and then batch it in.

    On to the web interface!

    Home screen:




    The biggest problem that I have with this unit is right here: the web interface is entirely Java based, and is S-L-O-W. No matter what browser I use, it’s very slow to respond to input.

    Interface main screen:




    This is where you can assign the physical interface to a virtual router and then a zone. In this case the “untrust-vr” is in a down state, so the zone is null.




    There are a few wizards that can help you through the config process of basic NAT and VPN, which is great to get it up and running quickly.




    Web filtering can be done internally, or by a redirect service to another server. SurfControl is pretty easy to set up, and there is a default set of filters in place. My gripe here is that you can choose what category, but not anything more defined than that, other than manual URL block/allow.

    Overall, the router is average. The fact it’s EOL means I wouldn’t recommend you buy one. I don’t like the web interface and the UTM side is lacking granularity. As a router/firewall, performance is really good, and the complexity of the rules you can set up is a standout. Once you get your head around the ScreenOS commands the CLI is a much faster way to configure the router.

    Thanks for reading, and comments are always welcome! I do apologise for the delay/brief nature of this review, by myself at work and sick means no time for routers.
     
    Last edited: Oct 14, 2010
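
The zone model described in the review above, as an added example that is not part of the original post and is not Juniper code: it parses a text config dump in ScreenOS "set" syntax and shows that policies bind to zones, so rebinding a port changes the traffic paths without touching the rule list. The sample config, the DMZ zone, the interface numbering other than ethernet0/1, the policy IDs and all function names are constructed for illustration.

```python
import shlex

# Constructed sample in ScreenOS "set" syntax; not taken from the reviewed unit.
SAMPLE_CONFIG = """\
set zone "DMZ" vrouter "trust-vr"
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/1 zone "Trust"
set interface ethernet0/1 ip 192.168.80.1/24
set interface ethernet0/2 zone "DMZ"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "DMZ" "Any" "Any" "HTTP" permit
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
"""

def parse(config):
    """Return ({interface: zone}, [policy dict, ...]) from 'set' lines."""
    iface_zone, policies = {}, []
    for line in config.splitlines():
        tok = shlex.split(line)  # strips the quotes around zone/service names
        if tok[:2] == ["set", "interface"] and len(tok) >= 5 and tok[3] == "zone":
            iface_zone[tok[2]] = tok[4].lower()
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12:
            policies.append({
                "id": int(tok[3]),
                "from": tok[5].lower(), "to": tok[7].lower(),
                "src": tok[8], "dst": tok[9],
                "service": tok[10], "action": tok[11],
            })
    return iface_zone, policies

def interface_paths(iface_zone, policies):
    """Expand zone-based permit policies into (policy id, in-iface, out-iface)."""
    return sorted(
        (p["id"], i, o)
        for p in policies if p["action"] == "permit"
        for i, zi in iface_zone.items() if zi == p["from"]
        for o, zo in iface_zone.items() if zo == p["to"]
    )

def wide_open_inbound(policies, hot_zone="untrust"):
    """IDs of permit policies from the hot zone that match any/any/any."""
    return [p["id"] for p in policies
            if p["from"] == hot_zone and p["action"] == "permit"
            and (p["src"], p["dst"], p["service"]) == ("Any", "Any", "ANY")]

if __name__ == "__main__":
    zones, rules = parse(SAMPLE_CONFIG)
    print(interface_paths(zones, rules))
    zones["ethernet0/2"] = "trust"  # rebind the port; the policy list is untouched
    print(interface_paths(zones, rules))
    print("policies to review:", wide_open_inbound(rules))
```

The second listing shows the flip side of that flexibility: a port moved into "trust" silently inherits every policy written for that zone, so a zone change deserves the same review as a rule change.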
  2. Agg

    Agg Lord of the Pings

    Joined:
    Jun 16, 2001
    Messages:
    31,555
    Location:
    A Reported Post Near You
    Thanks for the review. :) Will post on the news page soon.
     
  3. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,400
    Location:
    Canberra
    Screen OS isn't going anywhere for quite a while despite what Juniper are saying. ScreenOS is EAL4+; Junos isn't. ScreenOS is used in lots and lots of secure gateways. Unless they want to sell their high profile high paying customers down the river...
     
  4. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    You know you can do all the junos config by 'set' one liners yea?
     
  5. silverfish

    silverfish Member

    Joined:
    Sep 13, 2001
    Messages:
    145
    Location:
    Melbourne
    Yeh SSG are great firewalls. The layers of routers/zones/interfaces allow a great deal of flexibility. Takes a while to get your head around if you are coming from a different background in firewalls.
    SurfControl sucks, had nothing but problems with it previously and it's a subscription service. Time/money would be much better spent on a proper proxy service. Earlier firmware revisions were slightly buggy, but later revisions are solid and will stay up for years happily especially if you stay away from making lots of changes in the GUI.
    I wouldn't recommend them for home use as they are overkill and probably too complex. Great for a small/medium business especially if they have multiple networks/sites that require access control or vpns. A number of large corporations will use these as the firewalls at satellite offices and a larger unit at the head office.
     
  6. OP
    samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
    Cheers Agg and everyone else for the feedback.

    I've been a member for so long and only recently am I really contributing. It's nice.

    I know ScreenOS isn't going anywhere for a while, but the distie I sourced this from said that the SSG/Screen OS is on its way out. I would guess that they are consolidating their line up, and really pushing their switching platform, as the next thing he tried to do was sell me a switch.

    Thanks, Mario.
     
  7. AzzKikr

    AzzKikr Member

    Joined:
    Aug 25, 2002
    Messages:
    1,078
    Location:
    .au
    Is that an SRX210 sitting on top of the SSG in the first picture? :)

    -A.
     
  8. OP
    samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
    Sure is, and it's sitting on my desk now.

    Review will be up shortly!

    Mario.
     
  9. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    I bricked the srx210 in our lab.... playing with the shell is fun.
     
  10. mwd

    mwd Member

    Joined:
    Jul 12, 2002
    Messages:
    257
    Location:
    Sydney
    Nice review Samus,

    I have done a couple myself that you might be interested in:
    http://michaeldale.com.au/archive/2010/01/29/juniper-srx210-review/
    http://michaeldale.com.au/archive/2008/02/21/cisco-asa-5505-vs-juniper-ssg-5/

    And some other random stuff:
    http://michaeldale.com.au/archive/2007/04/02/photos-of-inside-a-juniper-netscreen-ssg-5/
    http://michaeldale.com.au/archive/2009/08/13/jflow-on-srx210/

    I am still not really ready to start selling the SRX to clients. The SSG range is very stable and still has most of the features people require.
     
  11. silverfish

    silverfish Member

    Joined:
    Sep 13, 2001
    Messages:
    145
    Location:
    Melbourne
    FYI just because I happened to be browsing the list and spotted it. JUNOS 10 on j-series and SRX are in the process of EAL3 certification. The netscreen family is listed at EAL4 with screenos 5.0 and 5.4, getting pretty old now :(
     
  12. OP
    samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
    Hey Michael,

    I read all your reviews before I even got the review units mate, didn't realise you were on here as well! Thanks for your feedback. SRX210 review will be up shortly.
     
  13. mwd

    mwd Member

    Joined:
    Jul 12, 2002
    Messages:
    257
    Location:
    Sydney
    Awesome I'm looking forward to your SRX210 review.

    Just make sure you run either JunOS 10.2 or 10.3.

    JunOS 10.2r3 should be out next month which is the firmware that I suspect I would recommend.
     
  14. MrvNDMrtN

    MrvNDMrtN Member

    Joined:
    Dec 24, 2001
    Messages:
    1,355
    Location:
    SW Syd
    ssg hardware can run junos if you install it and behaves like a router.
     
  15. mwd

    mwd Member

    Joined:
    Jul 12, 2002
    Messages:
    257
    Location:
    Sydney
    Only on the SSG320M and higher.

    The SSG 5,20,140,520 (non m),550 (non m) cannot run JunOS.
     
  16. MrvNDMrtN

    MrvNDMrtN Member

    Joined:
    Dec 24, 2001
    Messages:
    1,355
    Location:
    SW Syd
    I should've mentioned the fine print :Pirate:

    Anyone buying Juniper data switches?
     
  17. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    shit in my experience
     
  18. silverfish

    silverfish Member

    Joined:
    Sep 13, 2001
    Messages:
    145
    Location:
    Melbourne
    My experience also has been that they are flakey. That said, I haven't played with the recent releases and they have a pretty busy release schedule. I do like their feature set, and their speed and features vs price is much better than cisco. If only the uptime was better :-/
     
  19. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    If only the clock worked well enough to report the correct uptime......
     
  20. OP
    samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
    Hey guys, I finished the SRX210 review. I'll be away until Monday though, so thanks for reading!

    Mario.
     
