Ammunition against Cisco firewall/appliance
-
Folks -
We have been using pfSense at the library I work at for quite some time now and it works great. However, the management is toying with the idea of hiring a "consulting" company to help us do our jobs better, even though things have never run better. Go figure.
The company that they chose really likes to push Cisco and Microsoft wherever they can. I can't see any reason to change our firewall, but I know that the consultant will try to push their crap on us, as they sell it, too. Even worse, they would over time like to displace the local talent (me) with one of their guys contracted out, but that's a conversation for another day.
If you folks have the time, can we start up a conversation on why pfSense beats Cisco? I really think that our management is susceptible to fast-talking sales engineers. I would like to keep them from making a mistake.
Thanks -
Library Mark
-
Have you read this:
http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives
Steve
-
Off the top of my head, all I could come up with is cost of deployment mainly because this goes way beyond the firewall…
If this is a public library, which receives public funding from the state and local funds, they could have more than just cost to be concerned with here.
They could have to meet some "industry standards" in order to keep part or all of their funding, and an audit showed that the current system doesn't meet those standards.
They could be looking to offset some of their internal costs, with payout to a company, which can be beneficial come tax time, and be a nice PR stunt (We support local businesses).
They could be looking to update/upgrade equipment and such, and some IT consulting companies will help offset that cost over the life of the contract, rather than pay it all upfront.
If it was a cold sell (the consultants called them to ask if they can come in and give them a proposal), then as an internal IT guy, you need to do some sales yourself. Get your hands on that proposal, and show them how you can beat it: better cost, better support, better hardware. Also realize that many cold sell proposals like this are considered yet never pan out. I would also prepare a resume and have it ready just in case; if they sign the contract, start looking before you are cut, because once unemployed it's harder to find work.
Without reading the proposal vs. what you have now, there is little to no way that anyone can really comment that what you have is better than what they proposed.
Cisco does make some great, reliable hardware once you leave the SOHO crap on the shelf and go for their professional line.
Although I do agree that a competent internal IT person and the occasional call to professional support for pfSense could be a more cost-friendly solution, they could be getting a very good deal from the firm they are looking into using because it is a public library, again for PR stuff.
-
Well, choice of router/firewall should (but often doesn't) depend on what the current and projected needs are. For most actual deployments the functionality (e.g. in terms of routing/nat-ing/firewalling/etc) of pfsense is directly comparable with a Cisco ASA.
There are scenarios where pfSense would be preferred, e.g. if you want to run virtualised, or want to support OpenVPN, or need a captive portal, or need a multiWAN but without all the complexity and additional costs of BGP etc. (it's a long list).
There are scenarios where a Cisco router would be a better fit, e.g. if one needs features like DMVPN.
In real life however, it usually boils down to cover-your-ass and "nobody got fired for buying xyz" … and concerns regarding support etc.
-
Hi Mark,
the main problem with "external consultants" is that they are regarded as "gurus" by the non-technical persons (including management) and sometimes even by members of the technical staff. I mean, they wear suits and cost 10 times the money of a regular employee, so they must be good, right?
In a very few select cases, a consultant actually is worthy of the title "guru". However, these excellent consultants are usually only recognized by staff members with similar technical background. And since they dilute their presentations with unpleasant topics like "reality", "critical approaches", explanations of downsides of certain solutions and identification of risks, they are much less popular with management guys than the "sales person consultant", who can only give an undiluted sales pitch.
So even getting a second opinion from another external consultant, who actually analyzes demands and solutions without the primary goal of filling his own pockets (which could be a friend of yours whom you stuck into a suit), isn't a surefire way to address this problem. Whatever, you should point out the need for an independent consultant who doesn't make money by selling Cisco (either directly or by selling you "Cisco consulting" for the rest of his life).
Yup, right, I am a consultant myself. I prefer pfSense over Cisco routers. But so far I've failed to convince any Cisco devotee that m0n0wall/pfSense is actually a better alternative! If new features were required, their solution was always to upgrade their Cisco hard-/software for a really obscene amount of money.
Some points to remember:
- Cheap solutions are regarded as "cheap". "Cisco must be good, or why would people pay so much for it?"
- "You can find Cisco consultants at every corner if something goes wrong, but no one has ever heard of pfSense."
- "Cisco is the industry standard. There must be a reason why everyone uses it."
Yup, millions of flies can't be wrong.
http://en.wikipedia.org/wiki/Argumentum_ad_populum
Okay, let me get to your original question, "ammo against Cisco routers".
I feel that Cisco often makes administration unnecessarily complex and complicated. That is, of course, the technical point of view. From a marketing point of view, the added complexity and complications serve the purpose of making Cisco look like a "big solution".
pfSense, on the other hand, can be administered by newbies. Not because pfSense is more feature-restricted (which it definitely isn't), but because the design goal was to provide a user interface which reduces or even eliminates the likelihood of human errors.
This also adds to the reliability of a pfSense installation. You're less likely to have to drive out to the site if something goes wrong; you might be able to talk a "dumb user" through the troubleshooting process via phone. So far, I have had two pfSense/m0n0wall incidents at customer sites which I was able to solve with a "dumb user" via the phone.
Okay, the first issue wasn't a pfSense issue in the strict sense: someone had unplugged a cable. Whatever: I was able to guide the user through the diagnosis via phone.
The second issue was a lightning strike. Since the m0n0wall installation runs on standard hardware, I was able to guide the user so he could replace the fried power supply (we found that an external hard disk enclosure had a suitable power supply, which we then used as a replacement).
I like these stories much more than the "When I arrived at the site, I found that I had forgotten/lost the special Cisco serial cable, so I was really ****ed" line.
-
Start looking for another job. It sounds like they do not listen to you as it is now, nor will they be happy if you can make a case that using pfSense is a superior alternative to using Cisco; instead they will be resentful that you made them look bad. Sometimes the writing is on the wall, and it is just better to move on.
-
Luckily, "selling pfSense" has never been my job. But I've seen a few brilliant people try to convince their customer to use m0n0wall/pfSense instead of Cisco or even ISA Server (now known as "Microsoft Forefront Threat Management Gateway", what a piece of bull) - and fail. Even though the customer had significant, sometimes even business-crippling troubles with their existing Cisco/ISA installations.
The few instances where I deployed m0n0wall/pfSense were customers who trust me blindly. I make very little money with this kind of work; I do it mainly for fun. My "real" job is with applications, not appliances ;). And as I am no "system integrator" or "network admin", I do not like to spend my time with overly complex, complicated or faulty infrastructures; I prefer the ones which simply and reliably work. I do not need to artificially increase the likelihood of problems while simultaneously making sure that only a "special expert" (me) can keep the system running, requiring my customer to pay me 8 hours a day just to be on-site to keep the business going.
And I am also no sales guy. If I had a sales job, I would definitely have to get another job ;)
- Klaus
-
http://dc541.4shared.com/img/kOsMiaus/s7/721px-Pfs-logo-vector_svg.png
Have the link above made into a decal sticker you can apply to your box. Paint the box up so it looks pretty and not like a desktop doing the job of a "real firewall". I say that sarcastically because you know the sales people- (I mean consultants) will use that bs line to your bosses.
Your management sounds like someone who puts value in all the wrong places. You could stoop to their lower level and feed all those "wrong places" with irrelevant crap much like a sales person.
I've been reading all the "pfSense on WatchGuard" posts I can lately as I have one here. One of the funniest posts I've run into is one where one of the members here put an old drive into the firewall box and booted it into Windows 2000 that he forgot was on the drive. While that probably seems very logical to probably everyone who reads these forums, it probably would be unbelievable to a majority of WatchGuard customers out there. edit- found it. By stephenw10: http://forum.pfsense.org/index.php/topic,20095.msg223019/topicseen.html#msg223019
Then there's this: a friend of mine works for a larger contract I.T. company. They sell WatchGuard and SonicWall, yet he had me help set him up a pfSense box for his lab that handles a Comcast 50mbps connection. Yeah… ::)
Good Luck!
-
Have the link above made into a decal sticker you can apply to your box. Paint the box up so it looks pretty and not like a desktop doing the job of a "real firewall".
Yes, that's an important point. Many people have an irrational belief in "hardware firewalls". A desktop PC with two network cards, standing around in some corner with a "do not turn off!" sticker on it doesn't look like a clean solution, but more of a problem. The same hardware in a 19" rack-mount enclosure looks like an industrial-strength solution, made by professionals, for professionals.
Make sure to have a sticker with some random serial numbers, hardware version, firmware data, bar codes, model number, serial number and service tags on the rear. This makes it more "authentic".
And here's an article which stresses the reliability of pfSense:
http://www.techrepublic.com/blog/opensource/diy-pfsense-firewall-system-beats-others-for-features-reliability-and-security/1110
Unfortunately, the author only compares pfSense to low-end models, like those from "D-Link" or "Linksys by Cisco". It might however provide a few quotes if you need some to back up your arguments from other sources. Just make sure to omit words like "DIY"; these would be suicide.
You also haven't elaborated about your requirements yet. How much bandwidth? Do you need traffic shaping, Layer 7 filtering, OS fingerprinting? Strikeback? I guess you won't need Strikeback capabilities. But if you did, it would be nice, since only two routers boast this feature. One is the Bincontrol Sidewinder. Unfortunately, I've experienced an exceptionally severe lack of reliability with Bincontrol products. The other one is pfSense. Scalable. Reliable. Excellent support. An extremely secure router OS platform (probably even the most secure).
Just for kicks: there's no tutorial on how to do things like "Obtain a Stack Trace from ROM Monitor" for pfSense. I've never experienced a "hang" condition with pfSense. The only uptime limit comes from the need to reboot pfSense after a firmware update.
http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a0080106fd7.shtml
-
there's no tutorial on how to do things like "Obtain a Stack Trace from ROM Monitor" for pfSense.
http://doc.pfsense.org/index.php/Obtaining_Panic_Information_for_Developers
Steve
-
Right.
For me, the difference is that a pfSense kernel panic can be analyzed "the usual way" - I mean, it's just standard FreeBSD underneath, nothing proprietary like in the Cisco case. While some sales persons might say that "Cisco is an industry standard", I perceive that Cisco actually tries to avoid adherence to actual industry standards wherever possible.
I am also lucky enough to never have had a kernel panic (or any other show-stopper) in a production system. I know kernel panics only from test installations when I wanted to check if a certain hardware configuration is suitable for pfSense ("old junk boxes", which I like to have around as cold spares). "My" kernel panics were all caused by hardware issues. For production systems I use modern hardware which is designed for 24/7 operation. While the use of modern hardware increases the cost of a simple pfSense system by 150..250 EUR, the improved energy efficiency and hardware reliability are well worth it.
Also, these boxes do not look "like a desktop doing the job of a 'real firewall'." ;)
-
For the price of a mid-tier Cisco router I can buy two pfSense boxes–one for production and one as a warm spare. Heck run them concurrently for hardware redundancy.
That's a good "oh you can do that" moment for most decision makers. For $800-$1,000 you can run two enterprise class routers in a load-balancing / fault tolerant / hardware redundant configuration. It only takes about an hour to set up (with testing). And if you get really, really crazy you can spend $1,200-$1,500 and keep a warm spare onsite if both devices get hit with severe hardware failures (water balloon fight in the data center).
Price that SLA with Cisco. Go ahead, I dare ya'!
-
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
Thank you very much, I don't know what to think oO
-
You get more performance/speed per dollar when going with pfSense.
Like the article says, every firewall is software based. There are layers of software languages. You can go to the top, which is something similar to Java which reads almost like English. Or you can go to the very bottom which is machine code. If you were to say 1 is machine language and 10 being the high level, I would say pfSense sits around 4-5. A developer would be able to speak more accurately than I, but I would safely assume pfSense is very close to the level modern firewalls operate at.
@S(y)nack:
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
Thank you very much, I don't know what to think oO
-
I understand this point, but I thought Cisco equipment worked at a hardware level. As if you modified the hardware layout when you entered commands. See what I mean?
Enter ACL –> modifies some "switches" in the chips.
So what I was thinking was pfSense is analysing traffic in the 7th layer of the OSI model, and Cisco equipment in layer 3.
-
@S(y)nack:
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
Thank you very much, I don't know what to think oO
Actually no, Cisco boxes are Intel-based "hardware" running the IOS "software" and until quite recently with the ASA -X series, Cisco PIX/ASA boxes were relatively underpowered (imho).
Check
http://en.wikipedia.org/wiki/Cisco_PIX#Specifications_of_latest_and_older_models
http://en.wikipedia.org/wiki/Cisco_IOS
Some boxes however had VPN acceleration hardware, which improved IPsec performance.
-
You're thinking of physical modifications to achieve switch/router functionality. In your mind, pfSense is an igniter chip and Cisco switches are distributors. One uses programming embedded on a chip to handle the spark plugs while one requires a revolving motor synced up with the cams to ignite the spark plugs. Even your motherboard is driven by CMOS which is by definition software. The only pure hardware is your processor that executes raw code as data/current flows over transistors that are 1 or 0.
The chips inside the switches are simply there to process data based on the software. The physical size of a switch if purely hardware would be monstrous. Unless you stick a really high price tag on it using the newer 22nm architecture for transistors.
@S(y)nack:
I understand this point, but I thought Cisco equipment worked at a hardware level. As if you modified the hardware layout when you entered commands. See what I mean?
Enter ACL –> modifies some "switches" in the chips.
So what I was thinking was pfSense is analysing traffic in the 7th layer of the OSI model, and Cisco equipment in layer 3.
-
When you get up to very high bandwidth equipment things begin to differ. The boundaries between hardware and software start to blur. You can't get commodity hardware that will push packets fast enough so you go over FPGAs and such.
However, as pointed out, standard commercial firewalls are just computers running software.
Steve
-
@S(y)nack:
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense ?You'll probably need an Intel Core i3 level CPU for that. My lowly Atom D2700 shows CPU peaks of 20% at 100Mbps (with Intel NICs), with traffic shaping (HFSC) enabled, running pfSense 2.0.2. So I guess that an Atom D2700 might perhaps do 0.5Gbit routing. Well - not too shabby for a fanless system!
@heavy1metal:
The chips inside the switches are simply there to process data based on the software.
The Intel NICs do actually provide offloading, so some of the "TCP/IP work" is actually performed in hardware. pfSense supports offloading. In theory, the Intel NICs also support dynamic reduction of the interrupt rate under heavy load conditions in order to reduce CPU load. However, I do not know if the FreeBSD drivers do actually support this feature. However, pfSense can be configured to use device polling, which also limits the interrupt rate.
Some boxes however had VPN acceleration hardware, which improved IPsec performance.
Yup, and you can use them to speed up VPNs in pfSense as well: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
However, it appears that the Atom D2700 can do IPsec faster in software than Cryptodev in hardware… but I have no definite data there.
-
When you get up to very high bandwidth equipment things begin to differ. The boundaries between hardware and software start to blur. You can't get commodity hardware that will push packets fast enough so you go over FPGAs and such.
Apparently new networking frameworks for Linux and FreeBSD are capable of saturating 10Gbps links without the need of special hardware:
netmap http://info.iet.unipi.it/~luigi/netmap/
pf_ring http://www.ntop.org/products/pf_ring/hardware-packet-filtering/
ipfw meets netmap
A userspace version of ipfw and dummynet is now available, using netmap for packet I/O. On an i7-3400, this version is able to process over 6 million packets per second (Mpps) with simple rulesets, and over 2.2 Mpps through dummynet pipes, 5..10 times faster than the in-kernel equivalent.
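The last several posts make the point that a firewall, pfSense's pf and the ipfw build quoted above included, is a program that walks a ruleset for every packet, so throughput is a function of CPU and per-packet work, not of some "hardware" translation of the rules. The following is an added example written for this thread, not pfSense, pf or ipfw code: a minimal stateless evaluator in Python that implements pf's matching semantics (rules are walked top to bottom, the last matching rule wins, and a rule marked `quick` ends the walk) next to the first-match semantics ipfw uses, over a constructed ruleset and constructed packets. The rule grammar is an assumed, simplified subset of pf's syntax; the interface name `em0`, the addresses and the function names are this example's own.

```python
"""Minimal pf-style packet filter, pure Python (added illustration, not pf/ipfw code).

Assumed simplified rule grammar (IPv4 only):
    <pass|block> <in|out> [quick] [on IFACE] [proto tcp|udp|icmp]
        from <any|IP|CIDR> [port N] to <any|IP|CIDR> [port N]
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str
    direction: str          # "in" or "out", relative to iface
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]    # None for icmp
    dst: str
    dport: Optional[int]


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    sport: Optional[int] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse one line of the simplified grammar into a Rule."""
    tok = text.split()
    if len(tok) < 2 or tok[0] not in ("pass", "block") or tok[1] not in ("in", "out"):
        raise ValueError(f"rule must start with pass|block in|out: {text!r}")
    rule = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":
            rule.quick = True
            i += 1
        elif t in ("on", "proto"):
            setattr(rule, "iface" if t == "on" else "proto", tok[i + 1])
            i += 2
        elif t in ("from", "to"):
            # a bare host address becomes a /32 via strict=False
            net = None if tok[i + 1] == "any" else ipaddress.ip_network(tok[i + 1], strict=False)
            i += 2
            port = None
            if i < len(tok) and tok[i] == "port":
                port = int(tok[i + 1])
                i += 2
            if t == "from":
                rule.src, rule.sport = net, port
            else:
                rule.dst, rule.dport = net, port
        else:
            raise ValueError(f"unexpected token {t!r} in rule: {text!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must match; unspecified fields are wildcards."""
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def evaluate_pf(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, Optional[int]]:
    """pf semantics: last matching rule wins, 'quick' stops the walk; nothing matched -> pass."""
    decision, winner = default, None
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, winner = rule.action, n
            if rule.quick:
                break
    return decision, winner


def evaluate_first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, Optional[int]]:
    """ipfw-style semantics: first matching rule wins; ipfw's stock final rule denies."""
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, n
    return default, None


# Constructed sample ruleset for a WAN interface named em0 (not from the thread).
RULESET = [parse_rule(r) for r in (
    "block in on em0 from any to any",                                  # 0: default deny on WAN
    "pass in on em0 proto tcp from any to 192.168.1.10 port 443",       # 1: HTTPS to web server
    "block in quick on em0 from 10.0.0.0/8 to any",                     # 2: private source on WAN, quick
    "pass in on em0 proto tcp from 10.1.2.3 to 192.168.1.10 port 443",  # 3: never reached for 10/8
)]


def evaluations_per_second(rules: List[Rule], pkt: Packet, n: int = 200_000) -> float:
    """Rough single-core rate: the filter is nothing but CPU work per packet."""
    start = time.perf_counter()
    for _ in range(n):
        evaluate_pf(rules, pkt)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    https = Packet("em0", "in", "tcp", "203.0.113.5", 40000, "192.168.1.10", 443)
    spoofed = Packet("em0", "in", "tcp", "10.1.2.3", 40000, "192.168.1.10", 443)
    print("pf  :", evaluate_pf(RULESET, https), evaluate_pf(RULESET, spoofed))
    print("ipfw:", evaluate_first_match(RULESET, https), evaluate_first_match(RULESET, spoofed))
    print(f"~{evaluations_per_second(RULESET, https):,.0f} rule-walks/s on one core (Python)")
```

The two semantics give different answers for the same ruleset: the HTTPS packet is blocked by rule 0 and then passed by rule 1, so pf passes it (last match) while first-match blocks it; the 10.1.2.3 packet is stopped at rule 2 because of `quick`, so rule 3 never gets a say. That is the whole mechanism a "hardware firewall" sticker hides, and it is why rule order and `quick` matter so much in pfSense. On a real pfSense box, `pfctl -sr` prints the loaded ruleset in this form and `pfctl -vsr` adds per-rule evaluation and packet counters, which is the quickest way to see which rule actually decided a flow.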