We review the SSG 5, a UTM security appliance from Juniper Networks.
Juniper has always offered a fine range of UTM security appliances for branch offices, but above-average prices have made them an expensive choice for SMBs. The latest SSG (secure services gateway) appliances aim to remedy this oversight, and in this exclusive review we look at the entry-level SSG 5.
Usefully, the SSG 5 can be customised, with the base product offering an SPI/NAT firewall and support for site-to-site and mobile client IPsec VPNs. All other features are licensed separately: antivirus, antispyware and antiphishing scanning courtesy of Kaspersky, antispam by Symantec’s Brightmail, the SurfControl URL-filtering service, and Juniper’s own intrusion detection and prevention. Juniper also offers deep inspection functions with its protocol anomaly detection and stateful signature inspection. These come from its IDP platforms: the former checks protocol traffic against the relevant RFC to ensure it conforms, and the latter looks for known attacks in each packet.
The model on review comes with support for 802.11a/b/g wireless and an integral ISDN TA for backup duties, although Juniper also offers V.92 modem and RS-232 serial port options. If you want the UTM functions, you’ll need the extended version with 256MB of memory, although the memory module is accessible from a panel below the unit.
Installation is quick, aided admirably by plenty of wizards, and the appliance uses zones to bind interfaces together. We opted to place one port in a trusted zone for our LAN users, another exposed to the internet in an untrusted zone and a third for wireless access. Policies control traffic between zones, and for each one you decide which security functions are enabled. It’s worth getting your objects defined first, as these define single IP addresses or ranges, a service, a local username and password or a time schedule. The wireless AP supports up to 16 SSIDs and with WPA in force, up to four can be active simultaneously. Drop down to WEP and only one can be active.
The antispam function supports SMTP, so it will only scan email being sent to an internal server. It’s designed to support existing antispam services and uses Symantec’s IP-based blocking lists and custom black and white lists. If a suspect message is detected, you have options to drop it or tag the header or subject.
Profiles control the content filtering and antivirus scanner, so you can use different actions across your policies. Both Kaspersky and SurfControl worked well during testing, and the former can be applied separately to FTP, HTTP, IMAP, SMTP and POP3 traffic and used to limit file download and attachment sizes. However, the warning web page sent to users contains only a simple text message, and can’t be customised with company logos or advisories on AUPs in force. Reporting is also limited, as the appliance provides basic system logs, interface counters and details of the wireless interfaces. To manage multiple appliances and for more detailed reports, you’ll need Juniper’s optional NetScreen-Security Manager software.
The SSG 5 offers good value, especially as the user licence is unrestricted. Although antispam and reporting are weaknesses, it delivers a fine range of security services and is particularly versatile.
Source: Copyright © PC Pro, Dennis Publishing