Not to seem repetitive, but if you are making a real business case to your management (which I have been called upon to do several times as a network security consultant):

1. The initial capital cost of pfSense on off-the-shelf hardware is far lower than for commercial products.
2. Operational costs are lower due to reduced complexity.
3. Minimal specialized training is required. If the support staff that manages the firewalls is the same as those who manage UNIX-based servers, there will be no cost of training.
4. I have found that it is most palatable to management and corporate culture when pfSense is recommended in support of a heterogeneous security platform environment generally at the perimeter. More complex business rules are applied using other firewall products/technologies internally.

Myths:

- Support is better if you are paying for it. If you articulate your problem with an open-source product in the right forums, the community with experience with the product, including most developers, will make a serious effort to help you. They are significantly invested in the products, as I am.
- Threatening vendors like Cisco or Checkpoint to dump their product will make them come around to giving you the level of support you require. I watched one of my clients spend $80K to install competitor products in view of Nokia & Checkpoint to get them to resolve a VRRP problem. Needless to say, the vendors were unimpressed.

Suggestions:

Make a business case using the above information and any other you can come up with. Then, propose a trial on a limited portion of the network with minimal risk to deploy pfSense on appropriate hardware. Be sure to be prepared for operations, monitoring, incident response and maintenance. Provide weekly reports on performance for the trial period. Your management may prefer that you conduct some testing in a lab environment for interoperability and performance before deploying. This is something that I have recently started doing for my clients.

Interesting:

I have been able to pass 400Mb (TCP @ 16KB packets) on a GigE interface on a 2.4Ghz P4 with 1GB RAM.  I believe that with a $6000 Dual Xeon, I will achieve 2 Gb/s but have not had time to get back in the lab. IPSEC tunnels from pfSense box to Nokia/Checkpoint NG work fine. Required 3 minutes on pfSense side and nearly 10 min in CheckPoint.

Good Luck.

Park

On May 14, 2006, at 4:17 PM, Wesley K. Joyce wrote:

What are the general business and technical cases to go with pfsense over turn key appliances like Cisco or Sonicwall etc?
 
Thanks
