PfSense Vs. Commercial Solutions
I've been tasked with replacing our current firewall, a Sonicwall NSA 240. We have about 40 users and will (in 2 months) have ~3 public facing servers. We'll have a 100mb leased line as of this Friday and we have an ADSL backup line we will configure to be used as failover.
Now I LOVE pfSense and have managed to do all I wish to do with it at previous sites (much smaller companies) and at home and have never had anything go wrong or come back and bite me. Given the current site I am to sort, I am asking: what are the pros of going with a commercial solution over pfSense?
Cons of going with pfSense built by myself:
- If there is a hardware failure the responsibility falls on me to fix.
- The config will be down to me (but I could always purchase support time)
- Bugfix delay over commercial options (possibly?)
The only other problem would be getting fixes to any services that are discovered to be vulnerable to failure or vulnerable security wise. However if I only intend to use this to provide failover onto a backup ADSL connection and for general NAT and QoS there shouldn't be any services exposed to be able to exploit (coming from a security POV) so this should not be a problem, right?
Again all we require is firewall, NAT, failover and QoS.
We are likely to set up an FTP server too actually but the tutorials I found in the forums quickly made that setup much easier.
I'm very tempted to stick with pfSense because it's familiar too, however I have to justify my choice to the powers that be and would like to be as informed as possible.
Can anyone offer some reasoning I may have missed?
If you're only using the firewall as a firewall/multi-wan router, then you're right there wouldn't be much to worry about security-wise on the firewall device itself.
That said we are pretty fast about pushing out fixes for relevant security issues. Often there may be an issue in the underlying software that we need to patch/fix but in the case of things like the OS we are based on, FreeBSD, many of their advisories are not relevant to pfSense because we either don't include the components that are in the notice (happens a lot with BIND, which we don't use) or it isn't relevant to how pfSense is used. If something is relevant and critical, we'll push out a fix as soon as possible.
The hardware failure part can be worked around by setting up a CARP cluster, or keeping a hot/cold spare - any critical piece of equipment should at least have a spare on hand, but CARP would be best if possible, then it would be redundant so a single unit dying wouldn't take you down.
The config for your type of scenario should be fairly straightforward, though we'd be more than happy to assist with that via commercial support. The doc wiki/book may also be helpful for some things should others need to help maintain the firewall. If you use aliases and document the rules as you go, it should be easy for someone else to pick up on what you've done.
For commercial support subscribers we are quite fast with bug fixes in most cases (the ones that really end up being bugs and not misconfigurations :-), since we are not only the commercial support providers but also the primary developers. New features can be added/funded by commercial development as well but in some cases those can take a little longer depending on the complexity, current workload, etc. We often work with customers to apply fixes/patches directly to systems in these cases when needed, or if the fixes are more complex or can't be backported, a firmware update may be needed.
We tend to be fairly fast on the Open Source side as well, again depending on the severity, complexity, and workload of the developers.
You might also consider going with a pfSense unit sold by a company such as Netgate or Hacom - then you can also get a little more support for the hardware since they sell units preloaded with pfSense so you don't have to worry so much about compatibility or tracking down/sending back individual parts.
Consider this case:
You find some super obscure bug that applies to your specific situation. It's not critical but is really annoying you. Since pfSense is open source you always have the option of providing your own bug fix and submitting it. Try doing that with some large commercial vendor! :)
For most people making this decision it comes down to the need to be able to pick up the phone and call in the cavalry (some commercial support option) when things really go wrong. Many open source projects cannot offer this sort of backup but pfSense can.
… For most people making this decision it comes down to the need to be able to pick up the phone and call in the cavalry (some commercial support option) when things really go wrong. Many open source projects cannot offer this sort of backup but pfSense can.
To add to this, also do some research on any local consultancy groups that can support pfSense well, there are a lot and there may be some geographically near you. This can help to reduce management fears of them being "screwed" if you left the company.
Thanks for your replies guys, really helpful.
Jimp, I appreciate the company names and I appreciate the expansion into the security/update side of things, thanks.
As far as CARP goes I'm not sure how I could utilize it, and granted I have not built a CARP setup before. Our setup will go:
Fiber in --> What appears to be a media converter (Provided by ISP), ethernet out --> Cisco Router (Provided by ISP) single ethernet out --> Our current/replacement pfSense firewall. I can whack a diagram together tomorrow if that makes it clearer but because the Cisco router (which acts transparently as far as I can imagine; we have the public IP presented to the WAN interface on our current firewall and only need to NAT on that existing firewall and nothing above. I don't know how they set it up I'm just making educated guesses. I'll ask the person that comes out to program the Cisco router. We're with BT by the way unless anyone knows) only has a single ethernet port coming out of it I don't know what I could do in terms of failover from there apart from having a warm spare (with an interface on both for pfsync if that's how it works? I'll look through the wiki/docs/forums/book) and physically change the cable over in the case of a firewall outage?
I do also like the idea of the support being provided by people who are also the developers. It would also be nice to put some decent contributions in and fund new features. On which note I'm glad to see there's processing for credit cards, as much as I love pfSense I couldn't help feeling the uninformed I may have to pitch my choice to may not value a solution that could only process PayPal, so I'm chuffed!
Anyone got any UK based companies they could suggest? I'll be doing the usual Google reccy too. It is likely however that I'll reutilise some soon to be old servers and build the box myself, all the servers are the same model which will make any possible replacements much easier.