Ammunition against Cisco firewall/appliance
-
Yep, commodity hardware gets faster and faster. Equally the definition of 'very high bandwidth' gets higher and higher. ;)
This is way outside my experience but I would guess a 100Gbps router is using dedicated hardware.
Also I missed the question earlier:
Is it possible to firewall gigabit links with pfSense?
Yes and these days you don't even need anything particularly exotic. A Celeron 530 will firewall/NAT >1Gbps.
For example: http://forum.pfsense.org/index.php/topic,45439.0.html
Steve
-
Apparently new networking frameworks for Linux and FreeBSD are capable of saturating 10Gbps links without the need of special hardware:
Routing means that you'll need twice the bandwidth. AFAIK, PCI-E 2.x with 32 lanes will max out at 16Gbps. Well, PCI-E is full-duplex, so 10Gbps in transmit and 10Gbps in receive direction will add up nicely to 20Gbps. However, full-duplex traffic on both NICs will be limited. Note that some datasheets specify the encoded (gross) PCI-E transfer rate; the usable rate is lower: http://www.intel.com/Assets/PDF/prodbrief/Intel_10_Gig_AFDA_Dual_Port_prodbrief.pdf
I suspect that PCI 3.0 NICs still qualify as "special hardware". Actually, I haven't yet heard of any…
Whatever. Very interesting discussion, at least for nerds like us ;), but let's not forget the distress of the original poster.
One argument for Cisco routers is that "most, if not all Fortune 500 companies use Cisco equipment". This marketing line makes the connection between successful business and Cisco stuff. http://forums.whirlpool.net.au/archive/1974081
You can still raise the question if the use of Cisco routers was responsible for the success, or if it was just that the companies had earned enough money so they could spend it on Cisco equipment…and on network administration staff. Yup, there are companies which can not only afford to buy Cisco for every aspect of their networking and communication needs, they can also afford that more than 10% of their employees are just there to keep the IT infrastructure alive (that does NOT include programmers or application support…and no external consultants either).
However, take extreme care when delivering such arguments. Many, if not most, management persons suffer from strong delusions. The argument might backfire.
-
One argument for Cisco routers is that "most, if not all Fortune 500 companies use Cisco equipment". This marketing line makes the connection between successful business and Cisco stuff. http://forums.whirlpool.net.au/archive/1974081
Apparently not all Fortune 500 companies use Cisco & MS Windows – according to this post by M:Tier Ltd, at least some Fortune 500 companies use ... OpenBSD, for practically everything: routers/firewalls, servers and even (thin) clients!
http://www.undeadly.org/cgi?action=article&sid=20110420080633
_As a company we are very dedicated to what we do because we are "forced" to use our operating system of choice and we want our customers to be as happy as we are at using it :-)
So our paid job is hacking on and deploying, maintaining, supporting… OpenBSD installations. We are also required to hack on things that can be merged back into OpenBSD itself and when it's not possible, then we change what we did so that it can be. Of course some developments are very specific to what we do and have no place in the project's CVS tree.
So, amongst other services, we set up and maintain several 100% OpenBSD-based infrastructures (going from the entry site firewall to the secretary's workstation) and this is what I'm going to talk about here.
As a side note, it is important to know that we are working exclusively for Fortune 500 companies (each operating in totally different and unrelated sectors).
What it means is that:
We are not setting up systems for small geek-friendly-only companies but for huge ones with a long IT history (some of them are present in >100 countries worldwide). While I cannot reveal any names, it is important to know that OpenBSD can fit in the Big Ones.
We have to comply to very large and complex technical and legal specifications.
While most people will see it as a useless effort, we think it is very interesting to make a non-mainstream operating system comply with the corporate rules.
The Big Picture
We are currently managing over 600 users in several locations around the world (expecting a large increase before the end of the year).
All these locations are fully running under OpenBSD, that is:
-
the firewalls: PF, IPSEC, CARP…
-
the infrastructure servers: DNS, DHCP, TFTP, FTP, HTTP, NFS, LDAP, puppetmaster, Kerberos, proxy, print server…
-
the desktops (workstations and laptops): The GNOME Desktop and plethora of graphical applications._
-
-
Just a quick (and hopefully final) note on systems for 10Gb+. The problem is how commodity hardware is designed: interface->chipset (subsystem)->CPU, and then back out in some cases. Hardware designed for mad throughput is designed to hit the interface and handle a lot of the traffic with less and less going to the subsystem if one even exists. Hardware layers are fewer. Why? Latency. If it all has to flow up and down it'll get congested and create latency; hence the custom and absurdly priced hardware. It's an engineering marvel compared to commodity hardware (which is a marvel, but a different kind).
-
Apparently not all Fortune 500 companies use Cisco & MS Windows – according to this post by M:Tier Ltd, at least some Fortune 500 companies use ... OpenBSD, for practically everything: routers/firewalls, servers and even (thin) clients!
Of course, if a company uses Cisco, it doesn't automatically mean that they use Cisco only. I've been on a site of one of the top Fortune 500 companies, and saw two disconnected Cisco routers, replaced with a cheap piece of plastic for home use.
pfSense is based on FreeBSD (but uses pf from OpenBSD, of course). FreeBSD is said to be the most reliable OS on the Internet:
http://news.netcraft.com/archives/2011/07/08/most-reliable-hosting-company-sites-in-june-2011.html
-
Just stumbled across an article "FreeBSD – der unbekannte Riese" ("FreeBSD - the unknown giant"), which mentions that "FreeBSD ist heute noch ebenso gesund wie früher und ist genau dort zu finden, wo man auch Linux vermuten würde: als preiswertes, sicheres und stabiles System auf Commodity-Hardware oder verborgen in Netzwerkgeräten von Cisco, Juniper, Force10 und NetApp.".
In English: "Today, FreeBSD is still as healthy as it was in the past and it can be found exactly, where you'd also expect Linux: as a cost-effective, secure and stable system on commodity hardware or hidden in network devices from Cisco, Juniper, Force10 and NetApp.".
Source: http://www.heise.de/open/artikel/FreeBSD-der-unbekannte-Riese-935746.html
Other sources confirm that Cisco IOS is "based on BSD".
So much for "hardware firewalls" :)
-
@S(y)nack:
I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)
I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
I mean, I thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
Isn't that right?
No. ASAs run on x86 hardware. You get vastly more scalability for the buck with pfSense than with an ASA. You can reach the same performance specifications as everything but the most expensive ASA 5585 (which costs in the neighborhood of $250K USD, give or take a few new cars' worth of price depending on what licenses you buy too).
The place where we really win vs. virtually every commercial firewall is amount of money to handle large numbers of states (1-2+ million). You're spending tens of thousands USD minimum for what you can do for the cost of 2 GB RAM with pfSense (2 million states). This is a big deal in colocation datacenters, where we have a very significant presence. We've replaced countless Cisco PIX and ASAs in production because they couldn't scale adequately to handle the customer's traffic. Achieved the same functionality and performance as a much higher end Cisco, and saved tens of thousands and at times hundreds of thousands vs. Cisco. Also our HA functionality is a big attraction to that market, as the savings are twice as much when you need two boxes.
Lots of very serious networks, where downtime costs significant money, trust pfSense and derived products.
As to what's best for any one particular network, that will vary. It depends on your specific requirements. Maybe there's a feature only Cisco has that you need in your network. Or maybe you need one of the many functions we have that Cisco doesn't, it very much goes both ways. You can replace Cisco there with any commercial vendor or competitive professional-grade open source solution, this will hold true regardless of which products you're evaluating.
So if they're recommending switching to Cisco, tell us what their arguments are as to why. We can probably prove each one wrong. Or maybe they're right in some aspect, I'm fine to admit if that's the case.
-
People like to just throw money at Cisco and it seems Cisco are quite happy to take it. ::)
http://arstechnica.com/tech-policy/2013/02/why-a-one-room-west-virginia-library-runs-a-20000-cisco-router/
Steve
-
That's the best argument so far. Point out the article to the management and ask them if they want to receive their own newspaper story as well ;)
The article also confirms that Cisco routers support many potentially useful features, which, should you actually want to use them, require a costly upgrade first.
-
Folks -
I am just now looking over all the posts and I thank you all for the valuable information. It's not likely that I will lose my job over this, as we have been shrinking through attrition for years now and all it takes is for two people to call in sick to make it hard to staff the library desks, so I am needed if for no other reason than to provide a warm body to answer patron questions like "where's the books on butterflies?" and such. If the library wants to pay me to sit and answer dumb questions, then hey - it's their dime. Customer service is important, too.
The ease with which pfSense is installed and managed should be a great selling point to my supervisor when she realizes that she won't be able to make a Cisco configuration change by pointing and clicking a mouse on a web page, but rather has to call up the firm that installed the Ci$co firewall to do it, and then be charged for the change.
Since the starting of this topic, the director of the library has seen the report on the state of our network that the consultants have concocted. He has (correctly) come to the realization that it's a sales tool first and foremost, and that we, my boss and I, get to decide what proposals we feel will work for our organization, not the consultants. That's a relief.
We are doing battle with another outside firm right now over a web tool they wrote for us that is failing miserably, so it might leave management with a bad taste in its mouth for contractors.
Again - thanks to all who contributed to this conversation. It will be useful to me.
LibraryMark