EXCLUSIVE: Juniper Networks SSG 550 UTM appliance

The acquisition of NetScreen in 2004 allowed Juniper Networks to move into the security appliance market with a wide range of products aimed at enterprise and small businesses. It has continued to improve the family and the latest SSG (Secure Services Gateway) products sees Juniper dropping the NetScreen moniker in an effort to amalgamate these into its product portfolio.

In this exclusive review we take a closer look at the SSG 550 which is aimed at regional branch offices and mid-sized businesses. It offers a complete UTM solution that can be customised easily to suit a wide range of scenarios. At its foundation is a standard SPI/NAT firewall along with support for site-to-site and mobile client IPsec VPNs but all other security services are optional and can be licensed individually. These comprise anti-virus, anti-spyware and anti-phishing scanning from Kaspersky, the SurfControl URL filtering service, anti-spam by Symantec's BrightMail and Juniper's own intrusion detection and prevention.

Although there's not an open source utility in sight these security services are pretty much standard across a range of vendors but Juniper's deep inspection capabilities make the SSG family stand out. The appliance benefits from protocol anomaly detection and signature inspection which have been taken from Juniper's IDP platforms. The former compares protocols with their RFC to ensure they conform whilst the latter looks for known attacks in the relevant parts of each packet. For example, signature inspection will look in the control portions of an email for a potential attack but not in the header or message body.

The SSG 550 offers plenty of expansion options as along with the four fixed network ports it has six slots that can accept a wide range of LAN and WAN modules. The latter is a feature that clearly differentiates the new SSG products from their elder NetScreen brethren as they have the ability to terminate WAN connections. Apart from the NetScreen 5GT, the older appliances have to sit behind a separate router but the new boxes can perform WAN encapsulation and interface options are impressive as along with E1 and T1, Juniper now includes options for ADSL2/2+ links. It's also worth noting that active-active and active-passive high availability is included in the standard license for the SSG 550.

Installation times will depend on the number and type of ports you're planning to use but we had no problems slipping the appliance in between our test LAN and the Internet using a couple of the fixed ports. The web management interface isn't the prettiest we've seen but it's easy enough to use and offers a quick start wizard to help create security policies. The SSG-550 defaults to blocking all traffic but it only took a minute or so to knock up a basic policy that blocked all unsolicited inbound traffic.

The appliance makes extensive use of objects so these should be defined first. They can encompass anything from a single IP address to an address range, a service, a local username and password or a time schedule. Now you can configure your security policies using security zones plus a combination of objects. Policies comprise interface zone combinations, source and destination addresses, a service, possibly an application and profiles for web filtering and scanning for viruses and spam. We've always found the SurfControl URL category database to be particularly good and you have options for using local or remote databases or the remote WebSense service instead. Profiles determine which of the forty categories you want to block or allow and we found the default profile worked well with it blocking all our attempts to access web sites in blocked categories. You can also create custom profiles where you decide which categories are to be blocked or allowed and you can add URL black and white lists as well. However, the blocking web page sent to clients is merely text based and cannot be customised with company logos or warnings that AUPs are in place.

The anti-spam measures are designed to act as a first line of defence in front of an existing anti-spam server. The appliance uses Symantec's BrightMail IP-based black lists and you can apply your own black and white lists as well. It inspects SMTP traffic so will only function with an internal mail server and you can ask for suspect spam messages to be tagged in the subject or header or dropped completely.

For anti-virus measures you can request regular signature updates as often as every ten minutes. There's more to play with here as scanning can be applied to web mail, separate policies can be created for FTP, HTTP, IMAP, SMTP and POP3 traffic and you can limit file download and attachment sizes. We tested the latter function and found that emails with oversized attachments were blocked and an advisory note sent to the recipient. General reporting leaves something to be desired as the system log displays a simple table of events although the search facility will provide handy. Counters in tabular format are provided for each interface, traffic flow and security zone and you can also view alarms by policy.

The SSG 550 offers a solid range of network security measures although some areas have a few rough edges. The level of reporting could be a lot better for the price so if you don't want anti-spam then take a closer look at Check Point's UTM-1 appliances (see IT Pro review of UTM-1 1050) as these offer a superior management and monitoring package courtesy of the bundled SmartCenter software. Multiple Juniper appliances can be centrally managed but you'll need to cough up for the optional NetScreen-Security Manager software. Note also that Check Point includes support for SSL VPNs as well as IPsec VPNs. It's also a shame that the user warning pages for viruses and web content filter actions can't be modified to look a lot more sophisticated. The SSG-550 can handle IM and P2P apps but at present it can only block or allow them but we have been advised that v6.0 of Juniper's ScreenOS will provide a more granular control where you could, for example, allow IM apps to run but block file transfers or video sessions.

Email to a friend

Print this page