On Fri, 2007-06-15 at 12:00 -0600, Steven Alligood wrote:
> I guess it depends on what you term "firewall".

I'm currently defining it as a Layer 3 firewall, which seems to be exactly what the original poster was talking about. pfSense appears to be a very good piece of software for implementing a Layer 3 firewall on a piece of hardware.

> If you are running a basic packet inspection firewall (i.e., iptables) and
> all you care about is which port can get where and from which IP, but
> you don't want to do stateful inspection or any kind of guarantee that
> someone isn't just tunneling whatever they want on your HTTP port, then
> current PC hardware with open source software should do you (assuming
> that you can push the 4 GB through the PC, hardware-wise). And yes, the
> PIX falls into that category.

Typically, commercial "hardware" packet filters run up to $10,000. When we went to replace our NetScreen, we found the basic model that would handle sub-100 Mb/s would run us about $10,000. We settled on a Cisco PIX for about $5000-$6000, mainly for political reasons (see my comments on this below). A Linux firewall in fact worked far better than the PIX.

I have yet to see evidence that a Layer 7 firewall is that effective. From my limited experience, I have found it's better to implement solutions at the application level itself. For example, an outgoing proxy server rather than a Layer 7 firewall. Now that Layer 7 firewalls are more popular and known, people tend to fall into a false sense of security and forget that firewalls were never intended to protect oneself from flaws in the very applications (HTTP for one) that you are trying to serve. As far as countering HTTP tunneling goes, a transparent proxy (or blocking port 80 entirely and requiring the use of a corporate proxy) is a far better way of dealing with things. BYU has a Layer 7 firewall and it causes no end of difficulties, and you can bet they've bought the most expensive system Cisco makes.

> And yes, high-end firewalls are often on the same type of hardware.
> What you pay for is the software.

Which is not worth it, as far as I'm concerned. IOS is really good, but let's be honest. IOS in the PIX is not worth the $6000 it costs.

> An example. There are a lot of really good spam block packages out
> there for open source. They do a really good job of stopping spam. But
> they overload and become almost worthless for really large amounts of
> spam (say, 500,000 messages a day) (and please don't everyone flame me on
> this stat. I know it can vary greatly depending on how aggressive you
> want to block spam - I am attempting to compare apples to apples on what
> the commercial products will do). Step up to Ironport and their
> competitors. They can handle over 600,000 per hour. They still stop
> the spam, in many of the same ways that the open source ones do, and on
> very similar hardware.

I've seen expensive commercial products choke just as easily as an open source solution. I've also seen commercial products blast through amazing amounts of traffic. However, for this specific example, I think what you say really drives the point home. If I can implement a cheap Linux-based solution that can handle 100,000 a day for a fraction of the price of the Ironport, I can scale that solution up to Ironport levels at still less cost than the Ironport. It's PHB thinking (the culture) that drives Ironport's sales. The perception of the value of service (perception is reality, so one should do whatever one perceives brings the most value).

> There are many reasons people buy commercial products, and they are not
> all just for support or to use up a budget. Some of the commercial
> products are really good.
>
> All I am trying to say is that on an enterprise or even carrier-grade
> level, often the commercial product will blow the open source ones out
> of the water. It's how they make money.

I disagree to a certain point. Commercial products make money primarily based on a culture. They also make money based on spec sheets that are designed to impress PHBs.

In short, it's about marketing. I've rarely seen any enterprise decision based on merit. You can't get fired for buying IBM, Sun, and Cisco. Sure, products should and often do compete on their own merits. But in the vast majority of the enterprises, it's all about culture, brand, etc. It's not about merit, features, or components, really. (Witness the wild success of Microsoft's products.)

> Having said that, if you can get the free ones to do what you need, go
> for it. I run a lot of open source software, with some of it being
> hands down better than the commercial versions (DNS, anyone?)
>
> -Steve
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
