A comparative study of Palo Alto Networks and Juniper Networks next-generation firewalls for a small enterprise network

University essay from Mälardalens högskola/Akademin för innovation, design och teknik

Abstract: This thesis is a comparative study of two Next-Generation Firewalls (NGFWs) with the aim of concluding which one is the most suitable for a small enterprise network. The network in question is Company A’s Office A [1]. Office A is in the process of upgrading its internal network, and with the upgrade a new NGFW will be implemented. The two NGFW platforms that have been researched at Company A’s request are Juniper Networks’ SRX-series firewalls and Palo Alto Networks’ (PAN) PA-series, with a focus on the SRX1500 and PA-3020 for a fair comparison. To be able to evaluate different platforms and appliances, the concept of an NGFW and what it constitutes has been researched and presented. Both NGFW platforms have been tested and compared in terms of ease of use and cost. The testing focused on the respective web interfaces and shows no significant differences in functionality between the two NGFWs at first glance. However, PAN’s web interface does objectively feel more up to date and provides application visibility natively, whereas Juniper offers it as a separate service that is part of its centralised management platform, which is excessive for Office A’s network. The research and collection of data have been conducted based on Office A’s needs and requirements. Third-party research has been collected from NSS Labs and Gartner and serves as a basis for the evaluation. The future network of Office A introduces new services, and the general usage will mainly consist of office-oriented, application-based traffic. The evaluation of the research on the two NGFWs and of the collected data, in the context of Office A’s network, shows that the PA-3020 would be favoured. The key points are as follows: PAN’s NGFWs are built specifically for application awareness, whereas Juniper is new to the NGFW market and has recently started to add the more advanced application awareness features. PAN offers a one-box solution suited for smaller networks such as Office A, whereas a Juniper implementation would require additional hardware (VMs) to obtain similar features. PAN offers more features in terms of user identification, which is a key factor in enabling a true context-aware security environment that is seamlessly integrated and invisible to the users. There is no major difference in cost if a similar set of features is to be implemented, based on non-rebated list prices (additional hardware not included).

[1] Note: Due to confidentiality, the name and details of the company have been anonymised throughout the report.
