ITPRO

Printed from www.itpro.co.uk


EXCLUSIVE: Juniper Networks SSG 550 UTM appliance review

By Dave Mitchell, 3 Aug 2007


Price as reviewed: £5316 and up, exc VAT

The acquisition of NetScreen in 2004 allowed Juniper Networks to move into the security appliance market with a wide range of products aimed at enterprise and small businesses. It has continued to improve the family, and with the latest SSG (Secure Services Gateway) products Juniper is dropping the NetScreen moniker in an effort to amalgamate these into its product portfolio.

In this exclusive review we take a closer look at the SSG 550, which is aimed at regional branch offices and mid-sized businesses. It offers a complete UTM solution that can be customised easily to suit a wide range of scenarios. At its foundation is a standard SPI/NAT firewall along with support for site-to-site and mobile client IPsec VPNs, but all other security services are optional and can be licensed individually. These comprise anti-virus, anti-spyware and anti-phishing scanning from Kaspersky, the SurfControl URL filtering service, anti-spam by Symantec's BrightMail and Juniper's own intrusion detection and prevention.

Although there's not an open source utility in sight, these security services are pretty much standard across a range of vendors, but Juniper's deep inspection capabilities make the SSG family stand out. The appliance benefits from protocol anomaly detection and signature inspection, both taken from Juniper's IDP platforms. The former compares protocols with their RFC to ensure they conform, whilst the latter looks for known attacks in the relevant parts of each packet. For example, signature inspection will look in the control portions of an email for a potential attack but not in the header or message body.

The SSG 550 offers plenty of expansion options: along with the four fixed network ports, it has six slots that can accept a wide range of LAN and WAN modules. The latter is a feature that clearly differentiates the new SSG products from their elder NetScreen brethren, as they have the ability to terminate WAN connections. Apart from the NetScreen 5GT, the older appliances have to sit behind a separate router, but the new boxes can perform WAN encapsulation. Interface options are impressive: along with E1 and T1, Juniper now includes options for ADSL2/2+ links. It's also worth noting that active-active and active-passive high availability is included in the standard license for the SSG 550.

Installation times will depend on the number and type of ports you're planning to use, but we had no problems slipping the appliance in between our test LAN and the Internet using a couple of the fixed ports. The web management interface isn't the prettiest we've seen, but it's easy enough to use and offers a quick start wizard to help create security policies. The SSG 550 defaults to blocking all traffic, but it only took a minute or so to knock up a basic policy that blocked all unsolicited inbound traffic.

The appliance makes extensive use of objects, so these should be defined first. They can encompass anything from a single IP address to an address range, a service, a local username and password or a time schedule. You can then configure your security policies using security zones plus a combination of objects. Policies comprise interface zone combinations, source and destination addresses, a service, possibly an application and profiles for web filtering and scanning for viruses and spam.

We've always found the SurfControl URL category database to be particularly good, and you have options for using local or remote databases or the remote WebSense service instead. Profiles determine which of the forty categories you want to block or allow, and we found the default profile worked well, blocking all our attempts to access web sites in blocked categories. You can also create custom profiles where you decide which categories are to be blocked or allowed, and you can add URL black and white lists as well. However, the blocking web page sent to clients is merely text based and cannot be customised with company logos or warnings that AUPs are in place.
