Ammunition against Cisco firewall/appliance
-
Hi Mark,
the main problem with "external consultants" is that they are regarded as "gurus" by the non-technical persons (including management) and sometimes even by members of the technical staff. I mean, they wear suits and cost 10 times the money as a regular employee, so they must be good, right?
In a very few select cases, a consultant actually is worthy of the title "guru". However, these excellent consultants are usually only recognized by staff members with similar technical background. And since they dilute their presentations with unpleasant topics like "reality", "critical approaches", explanations of downsides of certain solutions and identification of risks, they are much less popular with management guys than the "sales person consultant", who can only deliver an undiluted sales pitch.
So even getting a second opinion from another external consultant, who actually analyzes demands and solutions without the primary goal of filling his own pockets (which could be a friend of yours whom you stuck into a suit) isn't a surefire way to address this problem. Whatever, you should point out the need for an independent consultant who doesn't make money by selling Cisco (either directly or by selling you "Cisco consulting" for the rest of his life).
Yup, right, I am a consultant myself. I prefer pfSense over Cisco routers. But so far I've failed to convince any Cisco devotee that m0n0wall/pfSense is actually a better alternative! If new features were required, their solution was always to upgrade their Cisco hard-/software for a really obscene amount of money.
Some points to remember:
- Cheap solutions are regarded as "cheap". "Cisco must be good, or why would people pay so much for it?"
- "You can find Cisco consultants at every corner if something goes wrong, but no one has ever heard of pfSense."
- "Cisco is the industry standard. There must be a reason why everyone uses it."
Yup, millions of flies can't be wrong.
http://en.wikipedia.org/wiki/Argumentum_ad_populum
Okay, let me get to your original question, "ammo against Cisco routers".
I feel that Cisco often makes administration unnecessarily complex and complicated. That is, of course, the technical point of view. From a marketing point of view, the added complexity and complications serve the purpose of making Cisco look like a "big solution".
pfSense, on the other hand, can be administered by newbies. Not because pfSense is more feature-restricted (which it definitely isn't), but because the design goal was to provide a user interface which reduces or even eliminates the likeliness of human errors.
This also adds to the reliability of a pfSense installation. You're less likely to have to drive out to the site if something goes wrong, you might be able to talk a "dumb user" through the troubleshooting process via phone. So far, I had two pfSense/m0n0wall incidents at customer sites which I was able to solve with a "dumb user" via the phone.
Okay, the first issue wasn't a pfSense issue in the strict sense, someone had unplugged a cable. Whatever: I was able to guide the user through the diagnosis via phone.
The second issue was a lightning strike. Since the m0n0wall installation runs on standard hardware, I was able to guide the user, so he could replace the fried power supply (we found that an external harddisk enclosure had a suitable power supply, which we then used as a replacement).
I like these stories much more than the "When I arrived at the site, I found that I had forgotten/lost the special Cisco serial cable, so I was really ****ed" line.
-
Start looking for another job. It sounds like they do not listen to you as is now, nor will they be happy if you can make a case that using pfSense is a superior alternative to using Cisco, instead they will be resentful that you made them look bad. Sometimes the writing is on the wall, and it is just better to move on.
-
Luckily, "selling pfSense" has never been my job. But I've seen a few brilliant people try to convince their customer to use m0n0wall/pfSense instead of Cisco or even ISA Server (now known as "Microsoft Forefront Threat Management Gateway", what a piece of bull) - and fail. Even though the customer had significant, sometimes even business-crippling troubles with their existing Cisco/ISA installations.
The few instances where I deployed m0n0wall/pfSense were customers who trust me blindly. I make very little money with this kind of work, I do it mainly for fun. My "real" job is with applications, not appliances ;). And as I am no "system integrator" or "network admin", I do not like to spend my time with overly complex, complicated or faulty infrastructures, I prefer the ones which simply and reliably work. I do not need to artificially increase the likelihood of problems while simultaneously making sure that only a "special expert" (me) can keep the system running, requiring my customer to pay me 8 hours a day just to be on-site to keep the business going.
And I am also no sales guy. If I had a sales job, I would definitely have to get another job ;)
- Klaus
-
http://dc541.4shared.com/img/kOsMiaus/s7/721px-Pfs-logo-vector_svg.png
Have the link above made into a decal sticker you can apply to your box. Paint the box up so it looks pretty and not like a desktop doing the job of a "real firewall". I say that sarcastically because you know the sales people- (I mean consultants) will use that bs line to your bosses.
Your management sounds like someone who puts value in all the wrong places. You could stoop to their lower level and feed all those "wrong places" with irrelevant crap much like a sales person.
I've been reading all the "pfSense on WatchGuard" posts I can lately as I have one here. One of the funniest posts I've run into is one where one of the members here put an old drive into the firewall box and booted it into Windows 2000 that he forgot was on the drive. While that probably seems very logical to probably everyone who reads these forums, it probably would be unbelievable to a majority of WatchGuard customers out there. edit- found it. By stephenw10- http://forum.pfsense.org/index.php/topic,20095.msg223019/topicseen.html#msg223019
Then there's this- Friend of mine works for a larger contract I.T. company. They sell WatchGuard and SonicWall yet he had me help set him up a pfSense box for his lab that handles a Comcast 50mbps connection. Yeah… ::)
Good Luck!
-
Have the link above made into a decal sticker you can apply to your box. Paint the box up so it looks pretty and not like a desktop doing the job of a "real firewall".
Yes, that's an important point. Many people have an irrational belief in "hardware firewalls". A desktop PC with two network cards, standing around in some corner with a "do not turn off!" sticker on it doesn't look like a clean solution, but more of a problem. The same hardware in a 19" rack-mount enclosure looks like an industrial-strength solution, made by professionals, for professionals.
Make sure to have a sticker with some random serial numbers, hardware version, firmware data, bar codes, model number, serial number and service tags on the rear. This makes it more "authentic".
And here's some article which stresses the reliability of pfSense:
http://www.techrepublic.com/blog/opensource/diy-pfsense-firewall-system-beats-others-for-features-reliability-and-security/1110
Unfortunately, the author only compares pfSense to low-end models, like from "D-Link" or "Linksys by Cisco". It might however provide a few quotes if you need some to back up your arguments from other sources. Just make sure to omit words like "DIY"; these would be suicide.
You also haven't elaborated about your requirements yet. How much bandwidth? Do you need traffic shaping, Layer7 filtering, OS fingerprinting? Strikeback? I guess you won't need Strikeback capabilities. But if you did, it would be nice, since only two routers boast this feature. One is the Bincontrol Sidewinder. Unfortunately, I've experienced an exceptionally severe lack of reliability with Bincontrol products. The other one is pfSense. Scalable. Reliable. Excellent support. An extremely secure router OS platform (probably even the most secure).
Just for kicks: there's no tutorial on how to do things like "Obtain a Stack Trace from ROM Monitor" for pfSense. I've never experienced a "hang" condition with pfSense. The only uptime limit comes from the need to reboot pfSense after a firmware update.
http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a0080106fd7.shtml
-
there's no tutorial on how to do things like "Obtain a Stack Trace from ROM Monitor" for pfSense.
http://doc.pfsense.org/index.php/Obtaining_Panic_Information_for_Developers
Steve
-
Right.
For me, the difference is that a pfSense kernel panic can be analyzed "the usual way" - I mean, it's just standard FreeBSD underneath. Nothing proprietary, like in the Cisco case. While some sales persons might say that "Cisco is an industry standard", I perceive that Cisco actually tries to avoid adherence to actual industry standards wherever possible.
I am also lucky enough to never have had a kernel panic (or any other show-stopper) in a production system. I know kernel panics only from test installations when I wanted to check if a certain hardware configuration is suitable for pfSense ("old junk boxes", which I like to have around as cold spares). "My" kernel panics were all caused by hardware issues. For production systems I use modern hardware which is designed for 24/7 operation. While the use of modern hardware increases the cost of a simple pfSense system by 150..250EUR, the improved energy efficiency and hardware reliability are well worth it.
Also, these boxes do not look "like a desktop doing the job of a 'real firewall'." ;)
-
For the price of a mid-tier Cisco router I can buy two pfSense boxes–one for production and one as a warm spare. Heck run them concurrently for hardware redundancy.
That's a good "oh you can do that" moment for most decision makers. For $800-$1,000 you can run two enterprise class routers in a load-balancing / fault tolerant / hardware redundant configuration. It only takes about an hour to set up (with testing). And if you get really, really crazy you can spend $1,200-$1,500 and keep a warm spare onsite if both devices get hit with severe hardware failures (water balloon fight in the data center).
Price that SLA with Cisco. Go ahead, I dare ya'!
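For readers wondering what the "fault tolerant / hardware redundant configuration" above consists of: on the FreeBSD base that pfSense runs on, it is CARP (a shared virtual IP that moves to the surviving box) plus pfsync (state-table replication, so established connections survive the failover). The files below are an added illustration, not configuration from this thread or from the pfSense project; the interface names, the RFC 5737 / RFC 1918 addresses and the CARP password are constructed placeholders, and pfSense sets the same knobs from its web GUI instead of these files.

```conf
# --- /etc/rc.conf on the PRIMARY node (constructed example) ---
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"      # dedicated back-to-back link used only for state sync

# Real per-node address on the WAN side, plus the shared CARP virtual IP.
# vhid must match on both nodes; advskew 0 makes this node the preferred master.
ifconfig_em0="inet 192.0.2.2/24"
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CHANGE_ME alias 192.0.2.1/32"

# Same pattern on the LAN side (vhid 2): clients use 10.0.0.1 as their gateway.
ifconfig_em1="inet 10.0.0.2/24"
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass CHANGE_ME alias 10.0.0.1/32"

# Sync link: private /30 that is never reachable from outside.
ifconfig_em2="inet 172.16.0.1/30"

# --- /etc/rc.conf on the BACKUP node: identical except for these lines ---
#   ifconfig_em0="inet 192.0.2.3/24"
#   ifconfig_em0_alias0="inet vhid 1 advskew 100 pass CHANGE_ME alias 192.0.2.1/32"
#   ifconfig_em1="inet 10.0.0.3/24"
#   ifconfig_em1_alias0="inet vhid 2 advskew 100 pass CHANGE_ME alias 10.0.0.1/32"
#   ifconfig_em2="inet 172.16.0.2/30"

# --- /etc/sysctl.conf on both nodes ---
# preempt=1: if any CARP interface on the master goes down, the node demotes
# itself on all of them, so WAN and LAN fail over together rather than splitting.
net.inet.carp.preempt=1

# --- /etc/pf.conf on both nodes (only the rules relevant to the pair) ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
wan_vip = "192.0.2.1"

set skip on lo0

# NAT to the CARP address, not the per-node one, so translated sessions are
# still valid on the peer after a failover.
nat on $ext_if inet from $int_if:network to any -> $wan_vip

block in log all

# pfsync carries the state table unencrypted: allow it only on the sync link,
# and do not replicate the replication traffic itself.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements (IP protocol 112, multicast 224.0.0.18) on both sides.
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# Ordinary rules keep state, and those states are replicated to the peer.
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $ext_if inet from $int_if:network to any keep state
```

The failover check is to pull the primary's WAN cable and confirm on the backup that `ifconfig em0` reports the vhid as MASTER while an existing LAN download keeps running.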
-
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
Thank you very much, I don't know what to think oO
-
You get more performance/speed per dollar when going with pfSense.
Like the article says, every firewall is software based. There are layers of software languages. You can go to the top, which is something similar to Java, which reads almost like English. Or you can go to the very bottom, which is machine code. If you were to say 1 is machine language and 10 is the high level, I would say pfSense sits around 4-5. A developer would be able to speak more accurately than I, but I would safely assume pfSense is very close to the level modern firewalls operate at.
@S(y)nack:
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
Thank you very much, I don't know what to think oO
-
I understand this point, but I thought Cisco equipment worked at a hardware level. As if you modified the hardware layout when you entered commands. See what I mean?
Enter ACL –> modifies some "switches" in the chips.
So what I was thinking was pfSense is analysing traffic in the 7th layer of the OSI model, and Cisco equipment in layer 3.
-
@S(y)nack:
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
Thank you very much, I don't know what to think oO
Actually no, Cisco boxes are Intel-based "hardware" running the IOS "software" and until quite recently with the ASA -X series, Cisco PIX/ASA boxes were relatively underpowered (imho).
Check
http://en.wikipedia.org/wiki/Cisco_PIX#Specifications_of_latest_and_older_models
http://en.wikipedia.org/wiki/Cisco_IOS
Some boxes however had VPN acceleration hardware, which improved IPsec performance.
-
You're thinking of physical modifications to achieve switch/router functionality. In your mind, pfSense is an ignitor chip and Cisco switches are distributors. One uses programming embedded on a chip to handle the spark plugs while the other requires a revolving motor sync'd up with the cams to ignite the spark plugs. Even your motherboard is driven by CMOS which is by definition software. The only pure hardware is your processor that executes raw code as data/current flows over transistors that are 1 or 0.
The chips inside the switches are simply there to process data based on the software. The physical size of a switch if purely hardware would be monstrous. Unless you stick a really high price tag on it using the newer 22nm architecture for transistors.
@S(y)nack:
I understand this point, but I thought Cisco equipment worked at a hardware level. As if you modified the hardware layout when you entered commands. See what I mean?
Enter ACL –> modifies some "switches" in the chips.
So what I was thinking was pfSense is analysing traffic in the 7th layer of the OSI model, and Cisco equipment in layer 3.
-
When you get up to very high bandwidth equipment things begin to differ. The boundaries between hardware and software start to blur. You can't get commodity hardware that will push packets fast enough so you go over FPGAs and such.
However, as pointed out, standard commercial firewalls are just computers running software.
Steve
-
@S(y)nack:
The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
Is it possible to firewall gigabit links with pfSense?
You'll probably need an Intel Core i3 level CPU for that. My lowly Atom D2700 shows CPU peaks of 20% at 100Mbps (with Intel NICs), with traffic shaping (HFSC) enabled, running pfSense 2.0.2. So I guess that an Atom D2700 might perhaps do 0.5Gbit routing. Well - not too shabby for a fanless system!
@heavy1metal:
The chips inside the switches are simply there to process data based on the software.
The Intel NICs do actually provide offloading, so some of the "TCP/IP work" is actually performed in hardware. pfSense supports offloading. In theory, the Intel NICs also support dynamic reduction of the interrupt rate under heavy load conditions in order to reduce CPU load. However, I do not know if the FreeBSD drivers do actually support this feature. However, pfSense can be configured to use device polling, which also limits the interrupt rate.
Some boxes however had VPN acceleration hardware, which improved IPsec performance.
Yup, and you can use them to speed up VPNs in pfSense as well: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
However, it appears that the Atom D2700 can do IPSEC faster in software than Cryptodev in hardware…but I have no definite data there.
-
When you get up to very high bandwidth equipment things begin to differ. The boundaries between hardware and software start to blur. You can't get commodity hardware that will push packets fast enough so you go over FPGAs and such.
Apparently new networking frameworks for Linux and FreeBSD are capable of saturating 10Gbps links without the need of special hardware:
netmap http://info.iet.unipi.it/~luigi/netmap/
pf_ring http://www.ntop.org/products/pf_ring/hardware-packet-filtering/
ipfw meets netmap
A userspace version of ipfw and dummynet is now available, using netmap for packet I/O. On an i7-3400, this version is able to process over 6 million packets per second (Mpps) with simple rulesets, and over 2.2 Mpps through dummynet pipes, 5..10 times faster than the in-kernel equivalent.
-
Yep, commodity hardware gets faster and faster. Equally the definition of 'very high bandwidth' gets higher and higher. ;)
This is way outside my experience but I would guess a 100Gbps router is using dedicated hardware.
Also I missed the question earlier:
Is it possible to firewall gigabit links with pfSense?
Yes and these days you don't even need anything particularly exotic. A Celeron 530 will firewall/NAT >1Gbps.
For example: http://forum.pfsense.org/index.php/topic,45439.0.html
Steve
-
Apparently new networking frameworks for Linux and FreeBSD are capable of saturating 10Gbps links without the need of special hardware:
Routing means that you'll need twice the bandwidth. AFAIK, PCI-E 2.x with 32 lanes will max out at 16Gbps. Well, PCI-E is full-duplex, so 10Gbps in transmit and 10Gbps in receive direction will add up nicely to 20Gbps. However, full-duplex traffic on both NICs will be limited. Note that some datasheets specify the encoded (gross) PCI-E transfer rate, the usable rate is lower: http://www.intel.com/Assets/PDF/prodbrief/Intel_10_Gig_AFDA_Dual_Port_prodbrief.pdf
I suspect that PCI 3.0 NICs still qualify as "special hardware". Actually, I haven't yet heard of any…
Whatever. Very interesting discussion, at least for nerds like us ;), but let's not forget the distress of the original poster.
One argument for Cisco routers is that "most, if not all Fortune 500 companies use Cisco equipment". This marketing line makes the connection between successful business and Cisco stuff. http://forums.whirlpool.net.au/archive/1974081
You can still raise the question if the use of Cisco routers was responsible for the success, or if it was just that the companies had earned enough money so they could spend it on Cisco equipment…and on network administration staff. Yup, there are companies which can not only afford to buy Cisco for every aspect of their networking and communication needs, they can also afford that more than 10% of their employees are just there to keep the IT infrastructure alive (that does NOT include programmers or application support…and no external consultants either).
However, take extreme care when delivering such arguments. Many, if not most management persons suffer from strong delusions. The argument might backfire.
-
One argument for Cisco routers is that "most, if not all Fortune 500 companies use Cisco equipment". This marketing line makes the connection between successful business and Cisco stuff. http://forums.whirlpool.net.au/archive/1974081
Apparently not all Fortune 500 companies use Cisco & MS Windows – according to this post by M:Tier Ltd, at least some Fortune 500 companies use ... OpenBSD, for practically everything: routers/firewalls, servers and even (thin) clients !
http://www.undeadly.org/cgi?action=article&sid=20110420080633
_As a company we are very dedicated to what we do because we are "forced" to use our operating system of choice and we want our customers to be as happy as we are at using it :-)
So our paid job is hacking on and deploying, maintaining, supporting… OpenBSD installations. We are also required to hack on things that can be merged back into OpenBSD itself and when it's not possible, then we change what we did so that it can be. Of course some developments are very specific to what we do and have no place in the project's CVS tree.
So, amongst other services, we set up and maintain several 100% OpenBSD-based infrastructures (going from the entry site firewall to the secretary's workstation) and this is what I'm going to talk about here.
As a side note, it is important to know that we are working exclusively for Fortune 500 companies (each operating in totally different and unrelated sectors).
What it means is that:
We are not setting up systems for small geek-friendly-only companies but for huge ones with a long IT history (some of them are present in >100 countries worldwide). While I cannot reveal any names, it is important to know that OpenBSD can fit in the Big Ones.
We have to comply to very large and complex technical and legal specifications.
While most people will see it as a useless effort, we think it is very interesting to make a non-mainstream operating system comply with the corporate rules.
The Big Picture
We are currently managing over 600 users in several locations around the world (expecting a large increase before the end of the year).
All these locations are fully running under OpenBSD, that is:
- the firewalls: PF, IPSEC, CARP…
- the infrastructure servers: DNS, DHCP, TFTP, FTP, HTTP, NFS, LDAP, puppetmaster, Kerberos, proxy, print server…
- the desktops (workstations and laptops): The GNOME Desktop and plethora of graphical applications._
-
Just a quick (and hopefully final) note on systems for 10Gb+. The problem is how commodity hardware is designed: interface->chipset (subsystem)->CPU, and then back out in some cases. Hardware designed for mad throughput is designed to hit the interface and handle a lot of the traffic with less and less going to the subsystem if one even exists. Hardware layers are fewer. Why? Latency. If it all has to flow up and down it'll get congested and create latency; hence the custom and absurdly priced hardware. It's an engineering marvel compared to commodity hardware (which is a marvel, but a different kind).