Five Reasons I Love Juniper's SRX Firewall (and am cynical of NGFW)

A fair bit of my job is spent comparing network vendor solutions, and one of those solutions is network firewalls for the cloud tenant edge. While Cisco and other incumbents seem to be busy playing a game of catch-up to market leader Palo Alto, I meanwhile still need solutions that aren't so intently focused on the enterprise.

To be clear, I totally understand the value in an organization wanting a clean way to view a spyglass of information and intelligence gathering, however some of us aren't designing for those features specifically, yet it's where the firewall market seems to be quickly heading.

It's for this reason I find Juniper's SRX nicely blurs the lines between functions by blending features of a traditional firewall and a traditional router in a single piece of metal (or VM). Here are five [opinionated] reasons behind that stance.

1. Has the Heart of Junos OS

A firewall appliance that doesn't compromise on robust routing, VPN, control-plane protection, stateful flow inspection and clustering features? Umm...Yes, please?

Juniper SRX runs the backbone carrier-grade Junos OS and allows me to use all of its wonderful features (sans BGP route reflection). By comparison, Cisco has never implemented an IOS variant in a security appliance. Instead you get a diverged ASA-OS, FX-OS, FTD or some other watered-down variant (not to be mean, but let's be honest). SRX, on the other hand, is rooted in the real thing.

By the way, once you're accustomed to using a network operating system like Junos OS, who's ever come away not loving it?

2. Low Cost

Part of me was a bit reluctant to include cost in this list just because of the number of possible variables. However when it comes to comparable offerings and bang for your buck, let's conduct a bellwether exercise by comparing what's currently available on the AWS marketplace (as snapshotted today):

Marketplace Costs: vSRX vs. Cisco ASAv vs. Cisco CSR vs. Palo Alto VM

ASAv: Starting from $1.589/hr*
PA-VM: Starting from $1.48/hr*
CSR: Starting from $1.466/hr*
vSRX: Starting from $0.85/hr*

Shockingly, Cisco's standalone ASAv (not even w/ firepower services) is the most expensive option, which doesn't make any sense.

*Total hourly cost including the most fully loaded, UTM-enabled software available from each vendor, and compute charges running on current-gen c4.xlarge or m4.xlarge instance types

3. Innovative Performance

Juniper were pioneers in the space of really capitalizing on shipping compact appliances re-architected to use innovative DPDK data-plane packet forwarding versus heavy specialized chipsets, and I honestly don't think they get enough credit for it. Lower form-factor chassis in turn mean lower opex power/cooling costs and higher rack densities.

Ancillary: The SRX 4200 delivers 40Gbps IMIX firewall on a 1RU pizza box...I mean, are you kidding me?? Better yet, being architected around vSRX means you can ditch the chassis and scale up even more freakishly on your own x86 servers, if you felt like it.

4. There's No Pretending

Over the past year the entire firewall market has gone through a re-branding exercise nearly to the tune of "web host" to "cloud".

Go ahead and try to find a relevant player peddling a 'regular' firewall in their brochures. No really, go ahead. I'll wait. (Hint: You won't.)

That's because the only type of firewall for sale these days is of the "Next-Gen" variety. What an NGFW actually is, however, is mostly up to the imagination. Some say it's better user correlation visibility. Others say it's the seamless DPI-IPS integration w/ TLS offload. And while I can't deny that some customers are willing to empty their wallets for those features (you PAN guys can be creepy), what I can say is there's a very real cost attached, and that there's still no such thing as one-size-fits-all in computer networking.

Instead of promising two dozen security functions, the SRX performs stateful, zone-based firewalling, routing and VPN, and does those things quite well. To me, this is perfect for tenant cloud-edge deployments. While I'm sure Juniper likely wants a piece of the enterprise dashboard miracle pie, I don't think many people would agree that, right now, it's the product's sweet spot. Which, by the way, is perfectly OK.

5. No Forced Central Management

While Junos Space is very much a thing, Juniper doesn't try to paint me into a corner by forcing the use of a centralized management system simply to put the device in the network (I'm looking at you, Cisco Firepower). Where niche players with focused development efforts do have superior on-box UIs (Palo Alto, F5, etc.), Juniper's core competency is still in the CLI, which ships with NETCONF programmability allowing a team to manage a fleet of devices as they see fit, NOT as the vendor does. That's an important distinction to make, I think, since trying to predict how an organization like mine will centrally manage and query endpoints is a losing battle from the start. Let us have the management our way.


From reading this you may gather that I'm being endorsed by Juniper or that this is a subliminal advertisement. Not the case. I have good relationships with many vendors, and Juniper is no more perfect or imperfect than any of the others mentioned here. In this instance, though, I really do believe they have a great product which really shines in at least my corner of the networking world. So much so, in fact, that I can't seem to accurately place the SRX within the good-cheap-fast Venn diagram, which is...a strange feeling if not a treasurable one.

Perhaps that's the simpler message here. That for the value prop of a product to really make sense it should perform a few functions really well, not a dozen half-assed (remember UTM?) and all at a reasonable price.
