I guess it depends on what you term "firewall".
If you are running a basic packet inspection firewall (i.e., iptables) and all you care about is which port can get where and from which IP, but you don't want to do stateful inspection or any kind of guarantee that someone isn't just tunneling whatever they want on your HTTP port, then current PC hardware with open source software should do you (assuming that you can push the 4 GB through the PC, hardware wise). And yes, the PIX falls into that category.
And yes, high end firewalls are often on the same type of hardware. What you pay for is the software.
An example. There are a lot of really good spam block packages out there for open source. They do a really good job of stopping spam. But they overload and become almost worthless for really large amounts of spam (say, 500,000 messages a day) (and please don't everyone flame me on this stat. I know it can vary greatly depending on how aggressive you want to block spam - I am attempting to compare apples to apples on what the commercial products will do). Step up to Ironport and their competitors. They can handle over 600,000 per hour. They still stop the spam, in many of the same ways that the open source ones do, and on very similar hardware.
There are many reasons people buy commercial products, and they are not all just for support or to use up a budget. Some of the commercial products are really good.
All I am trying to say is that on an enterprise or even carrier grade level, often the commercial product will blow the open source ones out of the water. It's how they make money.
Having said that, if you can get the free ones to do what you need, go for it. I run a lot of open source software, with some of it being hands down better than the commercial versions (DNS, anyone?).
-Steve

Michael L Torrie wrote:
> On Fri, 2007-06-15 at 09:39 -0600, Steven Alligood wrote:
> > "unlimited funds" and "1-4GB of traffic" being the key words here, I would strongly suggest a commercial product.
> > You can do very well on the lower end traffic scale (a couple hundred MB/sec) with open source and PC hardware, but once you start throwing around some serious traffic, you will find that the commercial products just handle it better, often with very nice reporting tools.
> > I am not saying that you cannot do it with non-commercial stuff, but you will have a lot more headaches dealing with that amount of traffic.
>
> Yeah, I used to believe that too. Until I opened up our so-called professional product. This was a medium-end Cisco PIX. Turned out it had a Celeron processor in it and 3 ordinary, 100 Mb/s on-board NICs. And it's no different (except for a more powerful processor and gigabit NICs) on the higher end PIXes. A PCI bus is a PCI bus. Very few firewalls are anything but ordinary PC hardware. Slap a couple of gigabit, 64-bit cards (or PCI Express) in a beefy machine and you'll more than match the commercial solution. No really. While it is true a router with ASIC hardware to do fabric switching is a far cry from sticking a bunch of NICs in a box, installing Linux, and calling it a router, I have not found the same idea to be true in the realm of over-priced, so-called hardware firewalls. I built a Linux firewall out of a Dell 1U server that handily matched if not beat a $10,000 solution in terms of throughput.
>
> > -Steve
> >
> > Daniel wrote:
> > > It sounds like pfSense is the way to go for the schools, given the responses. Thank you. Now let's say you had to secure about 1-4GBs of traffic and you had unlimited funds; would you still go with pfSense or would you go with a commercial solution like Juniper or Cisco? Does anyone have experience with a Juniper or any other commercial solution and pfSense?
> > > -Daniel
> > >
> > > On 6/15/07, Lars Rasmussen <[EMAIL PROTECTED]> wrote:
> > > > Look no further than pfSense for your firewall.
> > > > I've been using pfSense since the alpha releases - I previously used m0n0wall. Before m0n0wall I was using a floppy disk to boot a Linux based firewall. I've used pfSense at work and at home. pfSense will let you enforce QoS (it even has a wizard for prioritization of VoIP & common applications/traffic types). pfSense allows for failover & multiple WAN connections, and has multiple VPN types as part of the standard feature set. You can add features (packages) if you so desire. One of my Windows buddies still marvels at how he doesn't even think about his pfSense box - it just sits in the closet and runs. I am currently using pfSense at home with Comcast & Vonage; it allows me to coexist with BitTorrent nicely, and the pfSense project seems to have more active development than any of the Linux-based firewall projects. It is straightforward to install pfSense yourself, but you could alternately buy an appliance that contains no moving parts & likely increase your uptimes to years. Here's what the console portion of the pfSense installation looks like: http://www.metacafe.com/watch/584867/install_pfsense_1_2beta1/ Configuration after this point is handled via the web interface.
> > > > -- Lars
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
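An added illustration, not from any of the posts above, of the distinction Steve draws between a port/IP-only filter and stateful inspection. The addresses and the packet trace are constructed; neither filter here does anything about traffic tunneled over an allowed port, which is exactly the gap Steve describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    syn: bool = False
    ack: bool = False


INSIDE = "10.0.0.5"          # constructed: a protected host
WEB = "203.0.113.10"         # constructed: an outside web server
ATTACKER = "198.51.100.7"    # constructed: an outside host with no open flow


def stateless_allow(p: Packet) -> bool:
    """Port/IP-only rules ("which port can get where and from which IP"):
    allow outbound to TCP/80, and allow anything inbound that claims port 80."""
    if p.src == INSIDE and p.dport == 80:
        return True
    return p.dst == INSIDE and p.sport == 80


class StatefulFilter:
    """Connection tracking: inbound packets pass only as part of a flow that
    the inside host opened first (the ESTABLISHED idea behind conntrack)."""

    def __init__(self) -> None:
        self.flows = set()   # (src, sport, dst, dport) of accepted outbound flows

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.src == INSIDE and p.dport == 80 and p.syn and not p.ack:
            self.flows.add(key)          # new outbound connection: record it
            return True
        return key in self.flows or reverse in self.flows


# Constructed trace: a real HTTP handshake, then an inbound packet that only
# looks like a server reply (source port 80) but matches no open flow.
TRACE = [
    Packet(INSIDE, 40000, WEB, 80, syn=True),
    Packet(WEB, 80, INSIDE, 40000, syn=True, ack=True),
    Packet(ATTACKER, 80, INSIDE, 22, ack=True),
]


def run_trace(packets=TRACE) -> list:
    """Return (stateless_verdict, stateful_verdict) for each packet."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]
```

The stateless rules wave the third packet through because it carries source port 80; the stateful filter drops it because no inside host ever opened that flow.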
