How to convince my colleagues…
-
Don't convince them... convince the ones who have to fund your projects =)
-
pfSense has commercial support.
Open source is much more flexible than paid firewalls.
Fortigate was the only firewall appliance that I saw completely hacked and working as a general quarters for bad guys. It was in 2009.
I have some friends that have to use it on their jobs and all say that you need to keep away from updates.
They really do not test it before releasing. Well, you asked for good points in pfSense.
My experience is:
Before pfSense I used to spend a few hours per day on my command line firewall.
After pfSense I have all the great stuff working (NAT, CARP, balancing, failover, rules, IPS, VPN) with a few working hours per week to maintain it and a full little XML backup file. And after all this, I can still build or use as many packages as I need for a complete and custom firewall solution to fit company needs.
The list is endless.
-
How? Make it work. Make it do something they can't. Make it do something that they pay through the nose for, but cheap.
If you can carve out your little space on the network, you can start doing the above. Over time, they will catch on.
On the security front, when they pit closed products against open source code, you should probably just laugh, loudly, for a long time, and with tears. After you are done, you should probably be concerned that you have to work with these people. The record is pretty clear on this issue. Follow the security news (the SecurityNow podcast isn't a horrible place to start) and you'll have story after story to show them.
But don't let yourself become religious on the issue either. The fact is that Cisco does a pretty good job, offers a pretty decent product, and is a fairly "open" company. If you come off as "Open Source is the best no matter what", you won't convince anybody. Ground your opinions in reality and others will come around.
-
You should know what the hardware should realize at the end of the project. Write down all the features your company needs. Then compare the products, and then you can make a decision by the price.
Support for pfSense is available like it is for Cisco, too.
-
Thank you for your answers.
The fact is, I am prevented from deploying pfSense firewalls to customers mainly for the following reasons (keep in mind, they're not my opinions, but questions/concerns I'm facing):
1: Yes, commercial support is available. But it costs money (as it should when the product is free of charge). The cost of hardware makes a pfSense box about the same price as a Cisco ASA 5505, and they're freely supported...
2: Even though there's commercial support available, there are concerns (in my company) about how long pfSense will be around. Commercial support may be closed without notice at any time.
3: Cisco is a company with long and massive experience. It seems more likely they develop products with better security...
I hope it's OK to raise such topics here... I'm simply looking for the best arguments to use pfSense over Cisco or Fortigate. I know exactly how good pfSense is, but they won't let me prove it...
-
1: I wasn't aware that Cisco provided any kind of free support. To even download a copy of an OS from their site, they REQUIRE an active maintenance contract, which is generally pretty expensive. Last time I called Cisco without a contract, they told me that a single incident would cost $500. Compare with pfSense: I had an issue with OpenVPN, and Jim (one of the guys who actually coded pfSense) was awesome about helping me with it, and it took about 1-2 hours (about $200).
Also, the Cisco support is "good" in theory. Last time I dealt with PAID support, the guy was fiddling around on the other end trying to look up how to tftp a recovery firmware onto the device. I ended up fixing the problem with basically no help from the Cisco rep, after wasting 45 minutes watching him fiddle around.
2: pfSense has a book out about it, and you can always use version 1.2.3, which has had ages to stabilize. If pfSense ever "ceases to exist" (which would simply mean "no updates next year"), you could move your firewall off to something else. Additionally, since you are not reliant on one vendor for the hardware, pfSense is more reliable in that sense: as long as you have the ISO, if your hardware fails you can replace it on the cheap, install from CD, copy your config.xml over, and be up and running.
3: I'm not sure what you mean by "better security". None of the pfSense guys are rolling anything custom, security-wise: IPsec, OpenVPN, PPTP, AES, etc. are all simply implemented in pfSense, not recreated from scratch. Most Linux / FreeBSD firewall OSes that you find will take existing, proven security features (like iptables) and integrate them, so if you're worried about security it may make more sense to question NIST (wrt AES) or the FreeBSD folks. I might be wrong here, but my understanding is that a good deal of the pfSense work is simply integration and web code, not rolling security solutions from scratch.
I would also remark that Cisco being a gigantic company has negatives too, including things like "none of the Cisco web GUIs will work without an ancient version of Java", or "everything you do requires an expensive license", or "you're paying thousands of dollars for ancient CPUs with awful performance".
Compare for example a Cisco VPN box costing $1000 to a pfSense box costing $1000; I guarantee you the pfSense box will have oodles more performance and features, while the Cisco box will be locked to like 20-50 VPN clients maximum (requiring licenses), and will be very limited in its VPN speed. I had to do such a comparison last year with SonicWall (lol), where to get the 100 Mbit/s VPN traffic I needed was going to require $2k+ SonicWalls. Instead I built 2 boxes using AMD Phenom processors for $500 a piece, and their CPU barely budges with that traffic.
There are places for Cisco, to be sure, but if there are people around who are willing to learn and support something new, pfSense makes a TON of sense.
PS: regarding security, I seem to recall major security bugs (rebinding attacks) that worked on Cisco gear (Linksys routers, but Cisco nonetheless). Brand isn't everything when it comes to a rock solid firewall.
-
I agree 100% with limecat.
Long life to pfSense. 8)
-
2: If Perimeter closed tomorrow, pfSense would still live on. The source code is out there; it is difficult to take it with them. These gardeners have grown this great beautiful tree and made a park which surrounds it. Everyone in the park would like to see the tree keep growing. Eventually people will step into those old gardening boots and the tree will continue growing.
-
1: Yes, commercial support is available. But it costs money (as it should when the product is free of charge). The cost of hardware makes a pfSense box about the same price as a Cisco ASA 5505, and they're freely supported...
Not freely supported; you have to keep renewing your SMARTnet. Comparisons at the low end are less easily justifiable on cost alone if you have a single box: a 5505 is still a bit more expensive than a comparable-performance box with pfSense, but not by enough that the cost difference with adding support is the same. Multiply that by several boxes and then it's cheaper. Get into any higher-end ASA and it's immediately cheaper even with a single box and support.
2: Even though there's commercial support available, there are concerns (in my company) about how long pfSense will be around. Commercial support may be closed without notice at any time.
We've been around for over 7 years and the company side has been in business for 5 years. Ohloh has good analysis of the project.
https://www.ohloh.net/p/pfSense
"Mature, well-established codebase
The first lines of source code were added to pfSense in 2004. This is a relatively long time for an open source project to stay active, and can be a very good sign.
A long source control history like this one shows that the project has enough merit to hold contributors' interest for a long time. It might indicate a mature and relatively bug-free code base, and can be a sign of an organized, dedicated development team."
"Very large, active development team
This is one of the largest open-source teams in the world, and is in the top 2% of all project teams on Ohloh."
On the business side, we're definitely not going anywhere. 8 people rely on the project to make a living. We've been profitable from day one (thanks to thousands of hours of sweat equity), and have no investors unlike our other commercially-backed open source competitors who have to see significant returns to make up their large (8 figures USD) investment (which makes their business survival far riskier). We've built a sustainable business without strings attached (as we're entirely community funded, the community drives where we go), and grown considerably every year and continue to do so.
Obviously we're not going to just close the doors on a fast growing business that's been profitable from day one, much less leave all our colleagues (and friends) we've worked with for years who do great work stuck finding a new job.
3: Cisco is a company with long and massive experience. It seems more likely they develop products with better security...
History proves the opposite is true, from the start of this project through today. Go check their security advisories vs. the number of security advisories we've had in the 7 years the project has existed. We win by a long shot; Cisco has more ASA security advisories each year than we've had in 7 years. And it's not from a lack of looking - the project has been reviewed in numerous professional audits for PCI and other purposes, including some very impressive security testing labs that I can't disclose, unfortunately.
Some people will never be convinced that they shouldn't go with <big name vendor>; the "nobody ever got fired for buying <big name vendor>" type of mentality is difficult to impossible to overcome in some companies. Generally in our marketing we focus on those who have already accepted open source solutions, as people who are already using open source are generally an easy convert to using more open source. Those stuck in the commercial software mentality generally aren't the type we bother pursuing because of that challenge, and the fact that there are plenty of opportunities amongst those who have accepted open source. That, and we don't have a massive marketing budget; we get the best bang for the buck targeting open source users.
-
Thank you all (especially cmb). I will try to present my opinions on pfSense (separating it from the "pros and cons of open source in general") to my company, nice and gently, without becoming a "fanboy" or a fanatic :)