PfSense or ASA-5520 for datacenter



  • OK - yet another hardware performance question. :D

    Our company's web site is just about to go live (3mos) and we need to decide upon a good firewall solution for our data center build-out.  To date, we have been using ASA-5505s for test/dev work but I fear these won't have enough power to accommodate our site when we go live.

    At this time, our network traffic pattern is unknown - we don't know how much traffic to expect per minute or per day (we are hosting a national real-estate web server farm).  The only thing the firewall will do is perform some static NAT translations (outside to DMZ) as well as "normal" firewall duties.  We may run some squid proxy stuff but definitely will NOT do any VPN or SSL offloads - strictly http traffic.

    That being said, I have been given a large enough budget to get a pair of ASA-5520s ($5K/ea).  However, I don't want to spend that kind of money if I can get a pair of pfSense boxes that will perform equally well for a fraction of the cost.

    I am almost convinced pfSense is the right solution but need some assurance.  I understand ASAs enough to configure them and lean on my Cisco security guy when necessary.  However, I have only played with pfSense in the lab, and I would probably crumble under pressure if something happened during production (not good when your reputation is on the line).

    If I use pfSense in the data center, I would install it on our typical server box - quad-core 2.6GHz Xeon, 4GB RAM, with 4 NICs.  According to the Cisco web site, the ASA-5520 can support 320,000 packets per second (64 byte) and 12,000 max firewall connections/second.  Is it reasonable to expect my standard server box will perform as well as the ASA-5520?

    Sorry for the lengthy post.  I want to save money but don't want to sacrifice reliability or manageability.

    -Ron



  • Without knowing your traffic needs, it's quite difficult to answer (in a serious way).

    The Cisco might be OK, the "standard server" too.
    But they also might be 3000% too big/expensive for your needs.

    IIRC, wire-speed filtering can be done on simple ALIX boards (that's 100 Mbps).
    http://forum.pfsense.org/index.php/topic,6911.0.html

    ASA will certainly be better on the packets per second but standard web application is not that high on them (opposite to game servers for example).


  • I run pfSense 1.2.3.rc1 in a production environment on IBM xSeries 345 with dual Xeon 3GHz and 4GB RAM. They run on SCSI 73GB disks in RAID1. They were upgraded from xSeries 335's due to the lack of space for new NICs and because 345's don't need breakout cables.

    They run flawlessly and can easily handle 100 Mbit throughput both ways with an average of 700 bytes per packet, which equals 18700 PPS.  And they are nowhere near their limit regarding throughput. And you can buy them for around $100 on eBay.
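The two replies above and the original post all reason about the same thing: whether a box's rated packets per second (the 320,000 pps at 64-byte frames quoted from the Cisco datasheet) is enough for the packet rate a given link and traffic mix will actually produce (100 Mbit at roughly 700 bytes per packet in the reply above). The following is an added capacity-planning helper, not code from this thread or from the pfSense project, that makes that comparison explicit. It assumes standard Ethernet on-wire overhead (8 bytes of preamble and SFD plus a 12-byte inter-frame gap per frame, with the FCS already inside the quoted frame size), treats the datasheet pps figure as a hard ceiling, and deliberately does not model rule-set complexity, NAT state-table size or connection rate, which also bound a real firewall.

```python
"""Firewall sizing helper: compare a device's rated packets-per-second with the
packet rate a link or a measured traffic mix produces.

Assumptions (not from the thread): Ethernet overhead of 8 bytes preamble+SFD and
12 bytes inter-frame gap per frame; the FCS is already counted in the quoted frame
size, as it is in the usual "64-byte frame" figure.
"""
import math
from dataclasses import dataclass

PREAMBLE_SFD_BYTES = 8      # assumption: IEEE 802.3 preamble + start-of-frame delimiter
INTERFRAME_GAP_BYTES = 12   # assumption: minimum inter-frame gap (96 bit times)
MIN_FRAME_BYTES = 64        # minimum Ethernet frame size including FCS
BITS_PER_BYTE = 8
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + INTERFRAME_GAP_BYTES


def wire_bits_per_frame(frame_bytes: int) -> int:
    """Bits one frame consumes on the wire, including preamble and gap."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("Ethernet frames are at least 64 bytes")
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * BITS_PER_BYTE


def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Highest frame rate a link of link_bps can carry at a fixed frame size.

    Used two ways: with the link speed it gives the wire-rate worst case a
    firewall must sustain; with a measured throughput and average packet size it
    gives the packet rate that traffic actually generates.
    """
    return link_bps / wire_bits_per_frame(frame_bytes)


def goodput_at_pps(pps: float, frame_bytes: int) -> float:
    """Frame-level throughput (bits/s) a device forwards at a given pps and frame size."""
    return pps * frame_bytes * BITS_PER_BYTE


def min_frame_for_wire_speed(device_pps: float, link_bps: float) -> int:
    """Smallest average frame size at which the device still keeps up with a
    saturated link. Below this size the pps ceiling, not the link, is the limit.

    Solves link_bps / ((f + overhead) * 8) <= device_pps for f and clamps to the
    Ethernet minimum.
    """
    f = link_bps / (BITS_PER_BYTE * device_pps) - WIRE_OVERHEAD_BYTES
    return max(MIN_FRAME_BYTES, math.ceil(f))


@dataclass
class SizingReport:
    required_pps: float   # packet rate the traffic mix produces
    device_pps: float     # datasheet / measured ceiling of the firewall
    headroom: float       # device_pps / required_pps

    def fits(self, safety_factor: float = 2.0) -> bool:
        """True when the device has at least safety_factor times the required rate.

        A factor of 2 is a planning convention assumed here, not a datasheet value:
        it leaves room for bursts and for traffic growth after go-live.
        """
        return self.headroom >= safety_factor


def size_firewall(device_pps: float, traffic_bps: float, avg_frame_bytes: int) -> SizingReport:
    """Compare a device's pps ceiling against the pps of a measured traffic mix."""
    required = max_pps(traffic_bps, avg_frame_bytes)
    return SizingReport(required_pps=required, device_pps=device_pps,
                        headroom=device_pps / required)


if __name__ == "__main__":
    # Figures quoted in the thread: ASA-5520 datasheet pps at 64-byte frames, and a
    # measured 100 Mbit load with ~700-byte average packets.
    asa_pps = 320_000
    print(f"100 Mbps wire rate at 64-byte frames: {max_pps(100e6, 64):,.0f} pps")
    print(f"1 Gbps wire rate at 64-byte frames:   {max_pps(1e9, 64):,.0f} pps")
    print(f"ASA-5520 goodput at its 64-byte pps ceiling: {goodput_at_pps(asa_pps, 64)/1e6:.1f} Mbps")
    print(f"Smallest avg frame for wire speed on 1 Gbps: {min_frame_for_wire_speed(asa_pps, 1e9)} bytes")
    report = size_firewall(asa_pps, 100e6, 700)
    print(f"100 Mbit at 700-byte packets needs {report.required_pps:,.0f} pps; "
          f"headroom {report.headroom:.1f}x, fits={report.fits()}")
```

The useful output is the contrast between the two worst cases: a 100 Mbps link cannot exceed about 149,000 pps even with minimum-size frames, so a box rated at 320,000 pps is wire-speed there regardless of traffic mix, whereas a saturated gigabit link at 64-byte frames is about 1.49 million pps, well above that ceiling; the same device only reaches gigabit wire speed once the average frame is roughly 371 bytes or larger. For a plain HTTP mix like the 700-byte average measured above, the required rate is around 17,000 pps, which is why the reply can say the hardware is nowhere near its limit.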



  • You could always use some of the large amount you are saving on a support contract, so you are covered in case anything goes wrong.



  • Thanks for the replies.  In fact, I have opted to install a pfSense server in our deployment and purchased a support contract with the pfSense folks.  So far, so good.  No major issues or hiccups using pfSense, and we saved a ton of $$$ for this particular install.

    Many thanks to the pfSense team for making such a great (free) product!

    -Ron

