JUNIPER NETWORKS CONFIDENTIAL—DO NOT DISTRIBUTE

Competitive Hot Sheet

Cisco vs. Juniper Networks

Executive Summary
Cisco Systems is a multinational corporation headquartered in San Jose, California, USA, that designs and sells
consumer electronics, networking, voice, and communications technology and services. Founded in 1984, it is a publicly-
traded company (NASDAQ: CSCO) with FY2010 revenues of nearly $40.0B and approximately 71,800 employees.

Competitive Overview and Positioning

Juniper continues to hold the #1 position in high-end firewall and SSL VPN and regained the #2 position in Total Network
Security from the #3 position in 2Q2011 due primarily to strong High-end Firewall revenues (3Q2011 Infonetics report;
Cisco holds #1 position in Total Network Security category). While Cisco sells security products to customers of all sizes,
it still does not offer security products that can scale to very large customers without having to position stacks of boxes. In
the most recent Infonetics report, they specifically stated, “Juniper had a massive quarter in the high-end integrated
appliance business thanks to large service provider customers in the mobile space.”

In late 2010, Cisco introduced the ASA5585-X series in an attempt to directly compete with the Juniper SRX high-end
firewall product line. Cisco’s largest firewall can handle just 40 Gbps large packet whereas SRX can handle over triple that
performance. Any large Enterprise or Service Provider would have to stack at least three of Cisco’s largest chassis to
compete with a single Juniper SRX 5800.

In early 2011, Cisco commissioned an independent testing lab, Miercom, to perform a competitive bake-off. However, the
comparison is misleading. Miercom compared Cisco’s newest highest performing firewall to our mid-range offering, which
was three years old, and demonstrated that Cisco won in some but not all categories, declaring that a win for Cisco. In
this comparison, Cisco has a 10% higher throughput on plain firewall traffic (but Juniper has bigger boxes that can beat
that), can’t match Juniper’s VPN throughput, and each chassis offers services that the other does not (e.g., SSL on the
ASA vs. AppSecure on the SRX).

Bottom Line: Juniper is already three years ahead of Cisco in delivering the performance and scalability required
by large Enterprises and Service Providers. Cisco is still trying to play catch up, whereas Juniper plans to scale
our products even further with a product refresh.

Drive the Agenda

Cisco will try to win new customers based on its strong brand, legacy in networking, and large installed base of
referenceable customers, but Juniper has a stronger offering for high-end security due to our modular architecture,
consistent security services across the product line, and carrier-grade performance of up to 150 Gbps on a single chassis,
currently unmatched by Cisco. Also, SRX is a next-generation firewall based on AppSecure integration for advanced
application identification and classification, delivering greater visibility, enforcement, control, and protection over the
network. Cisco has started some efforts in this direction, but doesn’t provide consistent functionality across the ASA
product line.

Encourage customers to validate Juniper’s superior feature set, performance, and scalability in our vPOC or onsite at
Juniper Networks. Challenge Cisco’s integrated control and data plane-based architecture which results in degraded
performance when any content security service (including Layer 7 application inspection) is turned on or even when traffic
is beyond simple firewalling (includes IPS, etc.). Use the points below as guides for showcasing and leveraging Juniper’s
strengths and Cisco’s weaknesses.

JUNIPER NETWORKS CONFIDENTIAL—DO NOT DISTRIBUTE © Juniper Networks, Inc. 1

 Cisco vs. Juniper Networks Competitive Hot Sheet

Summarized Feature Comparison

Cisco Juniper

High Performance Firewall and IPSec VPN for Data

Center

Highly Scalable Networking

Advanced Routing

Next Generation Firewall (integrated application

security & IPS)

Unified Threat Management

Top 10 Winning Juniper Customer Value Propositions

• Integrated Security, Routing, and Switching Solution. Juniper has a unified OS for routing, switching, and
security (FW, VPN, and IPS). Cisco has limited route/switch capability, with multiple OS’s in single box for the
ASA 5500, ASA 5585-X and ASA SM offerings.
• Superior Design. Juniper’s modular architecture enables IT teams to configure SRX devices to expanding
company networking and security needs. Distributed data plane architecture leverages multiple processors to
distribute load, support scalability, and achieve higher performance. By contrast, ASA 5500 and 5585-X series
don’t have a distributed architecture, and, instead, integrate the control and data plane without using separate
components to ensure that the platform is protected.
• Device Management Available when Under Attack. Junos architecture, based on distributed control and data
planes helps ensure that SRX devices are always manageable and accessible even when under a DoS attack. By
contrast, lack of distributed control and data planes make the Cisco platform more vulnerable and less reliable in
the event of a DoS attack.
• Advanced Networking. Juniper offers carrier-grade networking performance and a robust feature set for routing,
multicast, NAT, VPN, QoS, and HA, and Branch SRX includes spanning tree, wireless backup, and many types
of WAN interfaces. Cisco has limited routing flexibility, no BGP support, no virtual router support and also the
Spanning Tree Protocol is not supported on the 5505 box.
• Market Leader with Proven High End Firewall. Juniper is a proven solution in Top 130 SPs and nearly all
Fortune 500 with 50.04% market share in high-end firewalls (3Q11 Infonetics Research). Cisco to date has not
been a leader in high-end firewall for at least the last 8 quarters (through 3Q2011).
• Application-aware Security. Cisco lacks a critical component of a next-gen firewall: application visibility and
control. Juniper AppSecure provides a deep understanding of application behaviors and weaknesses to prevent
application borne threats that are difficult to detect and stop.
• High-Performance Security. Juniper supports up to 150 Gbps FW throughput on its highest end box (SRX
5580), whereas Cisco can only achieve 40 Gbps on its highest end box (ASA 5585-X with SSP 60). More boxes
have to be installed in order to achieve similar performance as Juniper. Furthermore, Juniper is going to scale to

JUNIPER NETWORKS CONFIDENTIAL—DO NOT DISTRIBUTE © Juniper Networks, Inc. 2

 Cisco vs. Juniper Networks Competitive Hot Sheet

even higher performance through a forthcoming hardware refresh. Cisco is clearly lagging in performance for
high-end security.
• Consistent Security Services across Product Line. The Junos OS is common across SRX product line - FW,
VPN and IPS features available on all SRX products, unlike Cisco’s ASA products. ASA software has no real
integration between components and provides little consistency of services between the various available models.
• Investment Protection. Juniper offers reusable and expandable HW platforms, with multiple options to add
performance and reuse hardware (line cards, advanced HA capabilities, upgrade Junos OS). By contrast, Cisco
ASA 5500 & 5585-X series require customers who want to upgrade from a particular model (e.g. 5585-X with SSP
10) to purchase the next higher model rather than just add service processing cards to increase the performance
of the existing box, unlike Juniper. Also, none of the firewall or IPS modules can be upgraded to increase
throughput – they all have to be removed and a larger module purchased.
• Best Value. Juniper delivers the best value, combining modular platform offerings, performance, and a
comprehensive feature set, providing customer confidence in an overall networking and security solution. Cisco
lacks comprehensive protection against new threats (e.g., no application protection) and advanced routing
features required by Enterprises & Service Providers.

Cisco vs. Juniper Networks SWOT

Cisco Strengths
• Strong brand recognition and large customer installed
base of networking and network security products
• More intuitive management of FW, VPN and other
security services through ASDM (Web based mgmt.
interface)
Juniper Opportunities
• Common platform (OS) for security and networking
services (routing and switching)
• Next-gen firewall features including application
visibility and control (AppSecure) across SRX product
line (Branch SRX in 11.4)
• Integrated cloud security (vGW integration with SRX)
deliver best-of-breed security to the data center and
uniquely preserves and extends customers’ security
investment
• Better price-performance (SRX vs. ASA); Review
Price Analysis section for examples
• Modular architecture for easy performance upgrades
through additional NPCs/SPCs/ cards
Cisco Weaknesses
• Disparate OS’s across product line (e.g., separate
OS for FW and IPS)
• Non-distributed control and data plane
architecture
• Lacks advanced routing features and limited
routing protocol support
Threats to Juniper
• Customers with strict requirement of VPN client
support for High-end (Enterprise) deployments
• Customers with strict integrated SSL VPN
requirements/single box FW/SSL VPN solution
• Customers with strict DMVPN requirement
• Poor management

What Cisco Might Say About Juniper Networks

Cisco Says…
No VPN client support on High End SRX
Lacks easy VPN connection for hub-and-spoke VPN
connectivity (Cisco DMVPN with RRI) which is key for
customers with VoIP deployments and desired for
many other branch to branch communications
No support for multiple proxy ID’s
Juniper Response
We don’t support this feature, and there is no near-
term commitment (lower on priority list of features).
Zero-touch Hub (ability to add spokes into a hub-and-
spoke environment without making incremental config
changes to the hub) is planned for 2013.
Dynamic Spoke (ability to create ad-hoc spoke-to-
spoke connections) is not yet committed.
We may support this in future, but it’s not yet
committed.

JUNIPER NETWORKS CONFIDENTIAL—DO NOT DISTRIBUTE © Juniper Networks, Inc. 3

 Cisco vs. Juniper Networks Competitive Hot Sheet

Solution Components
Cisco's portfolio of products and services is focused on three market segments – Enterprise and Service Provider, Small
Business, and Home. In 1994, Cisco introduced the PIX (Private Internet eXchange) firewall. In 1998, the company
acquired the Wheel Group and integrated its intrusion detection & prevention technology into the PIX firewall and IOS
(Internetworking Operating System, the software used on most Cisco routers and current network switches). In May 2005,
Cisco introduced the Adaptive Security Appliance (ASA) line of network security devices, which succeeded and combined
functionality from three product lines:
• Cisco PIX, which provided firewall and network address translation (NAT) functions. Cisco announced end of
sale and end of life for this product line in 2008. Cisco will continue to support Cisco PIX Security Appliance
customers through July 27, 2013.
• Cisco IPS 4200 Series, which worked as intrusion prevention systems (IPS)
• Cisco VPN 3000 Series Concentrators, which provided virtual private networking (VPN)
The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same
software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux
kernel and PIX continuing to use the traditional Finesse/PIX OS combination.

De-positioning Catalyst 6500 ASA Service Module (ASA SM):

In early 2011, Cisco released the Catalyst 6500 ASA Services Module (SM), essentially a replacement for the FWSM
services module. It is important to note that the FWSM could only handle up to 4Gbps of FW throughput at best which
was just a fraction of what Juniper SRX firewalls could achieve, and even the newer ASA SM handles just up to 20 Gbps.
Four such modules can be installed in the Catalyst 6500 chassis, but they would behave as four independent firewalls
rather than a single firewall; traffic must be manually steered to a particular SM. Even then, the performance is lower than
that offered by SRX 5K series offerings. It will be interesting to see whether any future performance enhancements will
keep pace with Juniper’s offerings. Also, the ASA SM is a fixed module which only provides FW services (no VPN and no
IPS); the market is moving away from single-function service modules and toward high-capacity, multifunction security
chassis.

Pricing
Cisco network security appliances such as ASA 5500 series starts at approximately $300 for the smallest box (protection
for up to 10 users) and can be as high as $225,000 for the largest box (excluding costs for add-on hardware components,
UTM and/or IPS software subscription services, and support).

For a high level price comparison of Cisco and Juniper products, please refer to the Cisco Competitive Tech Guide
document.

For additional competitive information, please refer to the Cisco Competitive Advantage Portal.

JUNIPER NETWORKS CONFIDENTIAL—DO NOT DISTRIBUTE © Juniper Networks, Inc. 4