Monday, May 05, 2008

Firewall: pfSense exceeds my expectations

We recently upgraded our internet connection; going from a strained half-duplex DSL connection for our rapidly growing business, to a 10Mb full-duplex, SONET-based fiber optic connection. So the question naturally becomes – will the existing firewall support the new internet connection (unfortunately it won't), and what type of firewall should we get.

Like most of you, I’ve had the chance to work with a wide range of firewall products… everything from the typical SMB-fare… like Sonicwall and Snapgear, to products such as the Cisco PIX/ASA, Checkpoint appliances, and others (Microsoft ISA of course). What do I like? Well, it really depends on the situation. In general, I’m a fan of Cyberguard’s Snapgear line for the SMB-segment. In my current situation though, the need was for something that we could get up and running in short order, was very configurable, supported connection failover, had some good built-in graphing and logging… and that wasn’t very expensive. That last requirement is important – no need to burn through budget on overhead when we could be investing in something else that would drive revenue.

So, after looking at the usual suspects we added products from Fortigate, Astaro, and pfSense to the list. Having just been through the evaluation exercise, I really think Astaro has a slick product – but fully configured it’s expensive. pfSense on the other hand is an open-source project (based on FreeBSD) that more closely meets our needs. Specifically, it does everything our existing firewall does – except it does most of it better. It’s free. It has RRD-based graphing, which I’m a fan of (replacing the tapped NTOP-based monitoring solution I had in-place). It also has some nice features that we're already taking advantage of, including the captive portal, traffic shaping, and one-touch add-ons (like IDS - though we're not doing this on the firewall yet).

The initial deployment went off without incident, and I’m in the process of putting together a warm spare - which may end up being a backup for Active-Passive failover. I plan to post more of the learning’s that came out of working with pfSense in my test environment in the near future.

1 comment:

Francois said...

I too fund pfsense to be rather easy to initially setup. I tried IPCop and was turned off by their setup because I couldn't easily distinguish between my different NICs. IPCop would just list chipset and I'd have to guess which NIC that belong to.