The Cisco ASA vs. Juniper SRX question was being hotly debated on the Cisco forum. Being a flow analysis company, we always ask about NetFlow or IPFIX support before we purchase a network appliance, especially a firewall. Reporting on data in our organization is paramount, as “he who stays in the know, stays ahead”. When it comes to firewall reporting, we are looking for:
- Traditional flow reporting
- Log reporting
- Other cool flow exports (e.g. usernames)
I think most people reading our blog are familiar with traditional NetFlow, but what about log reporting? Just about all firewalls today export syslogs, and a few export logs inside NetFlow datagrams, which of course falls into our realm of competency. The Cisco ASA and SonicWALL firewalls support both.
Even with all of the Cisco ASA NetFlow problems (most are fixed in the next major release), we can still get some great NetFlow reports on:
- Top Talkers, Applications, Protocols, etc.
- Usernames, which are very helpful in BYOD security monitoring
- Top Violated Access Control Lists
- Network Address Translations
Example Cisco ASA NSEL Report Below:
The Juniper SRX does not export logs, and if you look into the J-Flow configuration (AKA NetFlow) it is basically sampled NetFlow. Who wants to be limited to sampling? It’s sort of like sFlow reporting. From what I read, there is significant overhead associated with J-Flow, whereas on the Cisco ASA we haven’t seen any issues.
Exporting NetFlow is also important if you are looking to start detecting advanced persistent threats. Many NetFlow security solutions feed the flows into a host reputation database to try to detect communications with known C&C hosts and the like. NetFlow sampling would lead to many missed threats.
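As an added example (not code from the original post), here is a small Python sketch of the reputation matching described above and of how much of it survives packet sampling. The flow records, the indicator list (RFC 5737 documentation addresses) and the random 1-in-N packet sampling model are all constructed assumptions for illustration.

```python
"""Flow-based reputation matching and the cost of sampling (added example)."""
import ipaddress

# Constructed reputation list: RFC 5737 documentation addresses standing in
# for real C&C indicators that a reputation feed would supply.
KNOWN_BAD = {
    ipaddress.ip_address("203.0.113.7"),
    ipaddress.ip_address("198.51.100.42"),
}

# Constructed flow records in the shape of an unsampled firewall export:
# (src, dst, dst_port, packets). C&C beacons are tiny; bulk transfers are big.
FLOWS = [
    ("10.1.1.25", "203.0.113.7", 443, 3),     # short beacon to a listed host
    ("10.1.1.25", "198.51.100.42", 80, 4),    # second short beacon
    ("10.1.1.30", "192.0.2.10", 443, 1800),   # benign bulk transfer
    ("10.1.1.31", "192.0.2.11", 53, 2),       # benign DNS lookup
]


def reputation_hits(flows, bad_hosts):
    """Return the flows whose destination address is on the reputation list."""
    return [f for f in flows if ipaddress.ip_address(f[1]) in bad_hosts]


def p_seen(packets, n):
    """Probability that a flow of `packets` packets yields at least one
    sampled packet (and therefore a flow record) under random 1-in-n
    packet sampling."""
    return 1.0 - (1.0 - 1.0 / n) ** packets


def expected_hits_when_sampled(flows, bad_hosts, n):
    """Expected number of reputation hits still visible after 1-in-n sampling."""
    return sum(p_seen(f[3], n) for f in reputation_hits(flows, bad_hosts))


if __name__ == "__main__":
    print(f"unsampled export: {len(reputation_hits(FLOWS, KNOWN_BAD))} hits")
    for n in (100, 1000):
        exp = expected_hits_when_sampled(FLOWS, KNOWN_BAD, n)
        print(f"1:{n} sampling: expected {exp:.3f} hits")
```

With the unsampled export both beacons match; at 1:1000 sampling the expected number of visible hits drops below 0.01, which is the "missed threats" point in numbers.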
NetFlow and Firewalls: The Bottom Line
All major players in the firewall market support a flow technology. The Cisco ASA, Juniper SRX (sampled), SonicWALL, Barracuda, Palo Alto Networks, Check Point and Fortinet (sFlow) all understand this. Contact me if you would like your firewall added to this list, and if you are a firewall company, we’ll give you an NFR copy of our NetFlow and IPFIX analyzer for development purposes.