ASA 5505 or SRX210 for home lab?

grahamsaa

n00b
Joined
Aug 31, 2014
Messages
5
Hey all,

I'm interested in getting a 'branch' class firewall / router at home -- these are more expensive than what most people are willing to install at home, but as I'm learning more about enterprise networking I think it would be useful to have a lab environment at home and having a device that offers fine grained control and VPN access to my home server and VMs would be nice.

At this point I think I'm split between getting a Cisco ASA 5505 or a Juniper SRX210. Any advice you guys have to offer would be appreciated.

Pros for the ASA:
* I already use Cisco gear at work so I'm somewhat familiar with their operating system. This also means that having an ASA at home would be a good lab setup in that it will give me additional experience that will be useful at my day job.
* Having some experience with IOS means I should be able to get this up and running quickly.
* There are lots of good resources available on configuring these things, and probably a better 'community' around them than what's available for Juniper's offerings.

Cons for the ASA:
* The 5505 is a bit dated and close to end of life.
* No gigabit ports
* Licensing is pretty bad. The base license only allows for 10 connected devices and 2 VLANs. Licenses to extend this functionality are expensive, and since I'd probably have to buy one of these things used from eBay, I wouldn't have access to software updates.

Pros for the SRX:
* More features for roughly the same cost (used)
* More recent hardware
* 2 gigabit ports
* No artifical limit on number of connected devices or VLANs
* Licensing is slightly better, but still not great (still have to pay for software updates)

Cons for the SRX:
* I have no experience with JunOS, so I'm not sure how steep the learning curve will be.
* I don't currently use JunOS at work, so the experience I gain won't be relevant to my job right now (but could be useful in the future)
* It's hard to even find a decent review of this device, so I doubt it's very widely used (at least compared to the ASA).
* I'm not sure how well the VPN solution will work -- I expect it will work on Windows but I use Windows, Mac and Linux and would want to be certain that dynamic (not site to site) VPN would work for all the platforms I use.

While I've also considered pfSense, which would be a much cheaper option (open source), I'm not interested in using it for a lab setup right now. I've used pfSense quite a bit and I like it a lot, but it's not really used anywhere in enterprise environments. Cisco and Juniper are, which means that getting more experience with either of these platforms would be a good career move.

Thoughts?
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
While both the ASA5505 and SRX platforms are getting a bit long in the tooth, I'd almost say stick with the ASA as that experience is more applicable to your day job. If you switch to a Juniper shop you can repeat this all over again, or as a geek, just get bored with your firewall and try a different product further broadening your experiences.
 

bds1904

Gawd
Joined
Aug 10, 2011
Messages
1,007
Are you planning on buying either new? If you are, consider looking on ebay for a higher end cisco for the same price. Going the ebay route will benefit your at work experience a bit more.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
I honestly don't think that the SRX series will be an issue but it's not the kind of equipment you grab off Amazon/Newegg (usually) so it's probably why you don't see a lot of reviews. Cisco has used the PIX/ASA name for many years so it's probably the reason why you find a lot more. http://en.wikipedia.org/wiki/Cisco_PIX.

Please correct me if I'm wrong
//Danne
 

grahamsaa

n00b
Joined
Aug 31, 2014
Messages
5
Thanks for all your input! I think I've made a decision to go with the SRX210HE2, which I was able to find new on Amazon for under $400. This seems like a very good deal -- not much more than I would pay for a used ASA. I already work with ASAs at work, so I can continue to gain experience with those while also learning JunOS at home.
 

berky

2[H]4U
Joined
Aug 28, 2001
Messages
2,233
I have the same thing at home (srx 210) and have work experience with Juniper and Cisco. Feel free to send me a PM if you have questions on getting started.
 

mi7chy

2[H]4U
Joined
May 22, 2013
Messages
3,985
These SOHO SRX and ASA boxes are simple layer 4 stateful firewalls and are pricey for what little you get. You're better off investing in a layer 7 identify aware firewall like Palo Alto for the experience.
 

grahamsaa

n00b
Joined
Aug 31, 2014
Messages
5
These SOHO SRX and ASA boxes are simple layer 4 stateful firewalls and are pricey for what little you get. You're better off investing in a layer 7 identify aware firewall like Palo Alto for the experience.
I'm not sure if you're being serious. Where can I find a PA firewall for under $500? How widely are they deployed? What advantages would I get by using a PA? What does "identity aware" even mean?

I'm a Linux / Unix systems engineer by day, and I'm increasingly handling networking stuff on the side. It looks like the PA firewalls tend to integrate heavily with AD, which we don't use at all. All of our application stacks (or all the ones that I care about and have to support, secure and maintain) run on Linux or FreeBSD and I don't see myself managing application stacks on Windows in the near (or even medium) term. A PA firewall seems like the wrong device in this case, but I'm genuinely curious and I admit that I may well be wrong. Care to enlighten me?

Edit: I'm watching a video on Palo Alto's solution now, and it's interesting. It's definitely not a good fit for the kind of networking I do at work. We provide software as a service over the web, we deny everything except a few specified ports and we use ACLs pretty heavily. We also have a small group of people that have control of exactly what's running on our servers in our data centers -- we don't have 'rogue' applications running on our servers, and if a 'rogue' application were to try to kill a web server and bind to port 443, we have a pretty robust monitoring and alerting system that would start paging people immediately. We have thousands of employees, but there are only 7 of us with root access to servers, and only 4 of us have administrative access to our network devices.

That said, if I were managing a network for a large office that was largely Windows based, Palo Alto might be a good fit.

Edit #2: Is there a decent, script friendly CLI for Palo Alto's equipment? Pointy clicky is nice, but for some things a shell is far more efficient.
 
Last edited:

berky

2[H]4U
Joined
Aug 28, 2001
Messages
2,233
Edit #2: Is there a decent, script friendly CLI for Palo Alto's equipment? Pointy clicky is nice, but for some things a shell is far more efficient.
I'm not sure on this, but I *think* they support a restful API. the CLI itself is somewhat similar to JunOS, but not exactly alike. I don't know if they have scripting capabilities directly in the shell or not.... I haven't had a whole lot of experience on them yet.
 

cytech

Limp Gawd
Joined
Nov 20, 2007
Messages
284
you can completely administrate them via CLI or rest API, user ID stuff can also be used in non windows environments via captive portal for example. we have a few customers with mac setups and they just authenticate via captive portal.

not sure where you can find a PA for under 500$ =) if you find one let me know, I run one at home in vmware and that's expensive enough.

I have worked with PAs extensively for the last 4 years and they are great firewalls, but as you already stated, it depends on the setup, not every setup needs what PA offers and some of our clients who wanted PAs were pushed to other solutions (sophos, fortigate) as the PA is just not really what they needed and for some setups they don't have certain features which our customers want from a firewall(utm)
 

berky

2[H]4U
Joined
Aug 28, 2001
Messages
2,233
you can completely administrate them via CLI or rest API, user ID stuff can also be used in non windows environments via captive portal for example. we have a few customers with mac setups and they just authenticate via captive portal.

not sure where you can find a PA for under 500$ =) if you find one let me know, I run one at home in vmware and that's expensive enough.

I have worked with PAs extensively for the last 4 years and they are great firewalls, but as you already stated, it depends on the setup, not every setup needs what PA offers and some of our clients who wanted PAs were pushed to other solutions (sophos, fortigate) as the PA is just not really what they needed and for some setups they don't have certain features which our customers want from a firewall(utm)
for example, PA's are very weak in routing features
 
Top