Ammunition against Cisco firewall/appliance



  • Folks -

    We have been using pfsense at the library I work at for quite some time now and it works great. However, the management is toying with the idea of hiring a "consulting" company to help us do our jobs better, even though things have never ran better. Go figure.

    The company that they chose really likes to push Cisco and Microsoft wherever they can. I can't see any reason to change our firewall, but I know that the consultant will try to push their crap on us, as they sell it, too. Even worse, they would over time like to displace the local talent (me) with one of their guys contracted out, but that's a conversation for another day.

    If you folks have the time, can we start up a conversation on why pfsense beats cisco? I really think that our management is susceptible to fast-talking sales engineers. I would like to keep them from making a mistake.

    Thanks -

    Library Mark


  • Netgate Administrator



  • Off the top of my head, all I could come up with is cost of deployment mainly because this goes way beyond the firewall…

    If this is a public library, which receives public funding from the state and local funds, they could have more than just cost to be concerned with here.
    They could have to meet some "industry standards" in order to keep part or all of their funding, and an audit showed that the current system doesn't meet those standards.
    They could be looking to offset some of their internal costs, with payout to a company, which can be beneficial come tax time, and be a nice PR stunt (We support local businesses).
    They could be looking to update/upgrade equipment and such, and some IT consulting companies will help offset that cost over the life of the contract, rather than pay it all upfront.

    If it was a cold sell (the consultants called them to ask if they can come in and give them a proposal), then as an internal IT guy, you need to do some sales yourself. Get your hands on that proposal, and show them how you can beat it, better cost, better support, better hardware. Also realize that many cold sell proposals like this are considered yet never pan out. I would also prepare a resume and have it ready just in case, if they sign the contract, start looking before you are cut, because once unemployed it's harder to find work.

    Without reading the proposal vs what you have now, there is little to no way that anyone can really comment that what you have is better than what they proposed.
    Cisco does make some great, reliable hardware once you leave the SOHO crap on the shelf, and go for their professional line.
    Although I do agree that a competent internal IT person and the occasional call to professional support for PFSense could be a more cost friendly solution, they could be getting a very good deal from the firm they are looking into using because it is a public library, again for PR stuff.



  • Well, choice of router/firewall should (but often doesn't) depend on what the current and projected needs are. For most actual deployments the functionality (e.g. in terms of routing/nat-ing/firewalling/etc) of pfsense is directly comparable with a Cisco ASA.

    There are scenarios where pfSense would be preferred, e.g. if you want to run virtualised, or want to support OpenVPN, or need a captive portal, or need a multiWAN but without all the complexity and additional costs of BGP etc (it's a long list).

    There are scenarios where a Cisco router would be a better fit, e.g. if one needs features like DMVPN.

    In real life however, it usually boils down to cover-your-ass and "nobody got fired for buying xyz" … and concerns regarding support etc.



  • Hi Mark,

    the main problem with "external consultants" is that they are regarded as "gurus" by the non-technical persons (including management) and sometimes even by members of the technical staff. I mean, they wear suits and cost 10 times the money as a regular employee, so they must be good, right?

    In a very few select cases, a consultant actually is worthy of the title "guru". However, these excellent consultants are usually only recognized by staff members with similar technical background. And since they dilute their presentations with unpleasant topics like "reality", "critical approaches", explanations of downsides of certain solutions and identification of risks, they are much less popular with management guys than the "sales person consultant", who can only deliver an undiluted sales pitch.

    So even getting a second opinion from another external consultant, who actually analyzes demands and solutions without the primary goal of filling his own pockets (which could be a friend of yours whom you stuck into a suit) isn't a surefire way to address this problem. Whatever, you should point out the need for an independent consultant who doesn't make money by selling Cisco (either directly or by selling you "Cisco consulting" for the rest of his life).

    Yup, right, I am a consultant myself. I prefer pfSense over Cisco routers. But so far I've failed to convince any Cisco devotee that m0n0wall/pfSense is actually a better alternative! If new features were required, their solution was always to upgrade their Cisco hard-/software for a really obscene amount of money.

    Some points to remember:

    • Cheap solutions are regarded as "cheap". "Cisco must be good, or why would people pay so much for it?"
    • "You can find Cisco consultants at every corner if something goes wrong, but no one has ever heard of pfSense."
    • "Cisco is the industry standard. There must be a reason why everyone uses it."

    Yup, millions of flies can't be wrong.
    http://en.wikipedia.org/wiki/Argumentum_ad_populum

    Okay, let me get to your original question, "ammo against Cisco routers".

    I feel that Cisco often makes administration unnecessarily complex and complicated. That is, of course, the technical point of view. From a marketing point of view, the added complexity and complications serve the purpose of making Cisco look like a "big solution".

    pfSense, on the other hand, can be administered by newbies. Not because pfSense is more feature-restricted (which it definitely isn't), but because the design goal was to provide a user interface which reduces or even eliminates the likeliness of human errors.

    This also adds to the reliability of a pfSense installation. You're less likely to have to drive out to the site if something goes wrong, you might be able to talk a "dumb user" through the troubleshooting process via phone. So far, I had two pfSense/m0n0wall incidents at customer sites which I was able to solve with a "dumb user" via the phone.

    Okay, the first issue wasn't a pfSense issue in the strict sense, someone had unplugged a cable. Whatever: I was able to guide the user through the diagnosis via phone.

    The second issue was a lightning strike. Since the m0n0wall installation runs on standard hardware, I was able to guide the user, so he could replace the fried power supply (we found that an external harddisk enclosure had a suitable power supply, which we then used as a replacement).

    I like these stories much more than the "When I arrived at the site, i found that I had forgotten/lost the special Cisco serial cable, so I was really ****ed" line.



  • Start looking for another job. It sounds like they do not listen to you as is now, nor will they be happy if you can make a case that using pfsense is superior alternative to using Cisco, instead they will be resentful that you made them look bad. Sometimes the writing is on the wall, and is just better to move on.



    Luckily, "selling pfSense" has never been my job. But I've seen a few brilliant people try to convince their customer to use m0n0wall/pfSense instead of Cisco or even ISA Server (now known as "Microsoft Forefront Threat Management Gateway", what a piece of bull) - and fail. Even though the customer had significant, sometimes even business-crippling troubles with their existing Cisco/ISA installations.

    The few instances where I deployed m0n0wall/pfSense were customers which trust me blindly. I make very little money with this kind of work, I do it mainly for fun. My "real" job is with applications, not appliances ;). And as I am no "system integration" or "network admin", I do not like to spend my time with overly complex, complicated or faulty infrastructures, I prefer the ones which simply and reliably work. I do not need to artificially increase the likelihood of problems while simultaneously making sure that only a "special expert" (me) can keep the system running, requiring my customer to pay me 8 hours a day just to be on-site to keep the business going.

    And I am also no sales guy. If I had a sales job, I would definitely have to get another job ;)

    • Klaus


  • http://dc541.4shared.com/img/kOsMiaus/s7/721px-Pfs-logo-vector_svg.png

    Have the link above made into a decal sticker you can apply to your box.  Paint the box up so it looks pretty and not like a desktop doing the job of a "real firewall". I say that sarcastically because you know the sales people- (I mean consultants) will use that bs line to your bosses.

    Your management sounds like someone who puts value in all the wrong places. You could stoop to their lower level and feed all those "wrong places" with irrelevant crap much like a sales person.

    I've been reading all the "pfSense on WatchGuard" posts I can lately as I have one here. One of the funniest posts I've run into is one where one of the members here put an old drive into the firewall box and booted it into Windows 2000 that he forgot was on the drive. While that probably seems very logical to probably everyone who reads these forums, it probably would be unbelievable to a majority of WatchGuard customers out there.  edit- found it. By stephenw10- http://forum.pfsense.org/index.php/topic,20095.msg223019/topicseen.html#msg223019

    Then there's this-   Friend of mine works for a larger contract I.T. company.  They sell WatchGuard and Sonicwall yet he had me help set him up a pfSense box for his lab that handles a Comcast 50mbps connection.   Yeah…  ::)

    Good Luck!



  • @chpalmer:

    Have the link above made into a decal sticker you can apply to your box.  Paint the box up so it looks pretty and not like a desktop doing the job of a "real firewall".

    Yes, that's an important point. Many people have an irrational belief in "hardware firewalls". A desktop PC with two network cards, standing around in some corner with a "do not turn off!" sticker on it doesn't look like a clean solution, but more of a problem. The same hardware in a 19" rack-mount enclosure looks like an industrial-strength solution, made by professionals, for professionals.

    Make sure to have a sticker with some random serial numbers, hardware version, firmware data, bar codes, model number, serial number and service tags on the rear. This makes it more "authentic".

    And here's some article which stresses the reliability of pfSense:
    http://www.techrepublic.com/blog/opensource/diy-pfsense-firewall-system-beats-others-for-features-reliability-and-security/1110
    Unfortunately, the author only compares pfSense to low-end model, like from "D-Link" or "Linksys by Cisco". It might however provide a few quotes if you need some to back up your arguments from other sources. Just make sure to omit words like "DIY"; these would be suicide.

    You also haven't elaborated about your requirements yet. How much bandwidth? Do you need traffic shaping, Layer7 filtering, OS fingerprinting? Strikeback? I guess you won't need Strikeback capabilities. But if you did, it would be nice, since only two routers boast this feature. One is the Bincontrol Sidewinder. Unfortunately, I've experienced an exceptionally severe lack of reliability with Bincontrol products. The other one is pfSense. Scalable. Reliable. Excellent support. An extremely secure router OS platform (probably even the most secure).

    Just for kicks: there's no tutorial on how to do things like "Obtain a Stack Trace from ROM Monitor" for pfSense. I've never experienced a "hang" condition with pfSense. The only uptime limit comes from the need to reboot pfSense after a firmware update.
    http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a0080106fd7.shtml


  • Netgate Administrator

    @Klaws:

    there's no tutorial on how to do things like "Obtain a Stack Trace from ROM Monitor" for pfSense.

    http://doc.pfsense.org/index.php/Obtaining_Panic_Information_for_Developers

    Steve



  • Right.

    For me, the difference is that a pfSense kernel panic can be analyzed "the usual way" - I mean, it's just standard FreeBSD underneath, nothing proprietary, like in the Cisco case. While some sales persons might say that "Cisco is an industry standard", I perceive that Cisco actually tries to avoid adherence to actual industry standards wherever possible.

    I am also lucky enough to never have had a kernel panic (or any other show-stopper) in a production system. I know kernel panics only from test installations when I wanted to check if a certain hardware configuration is suitable for pfSense ("old junk boxes", which I like to have around as cold spares). "My" kernel panics were all caused by hardware issues. For production systems I use modern hardware which is designed for 24/7 operation. While the use of modern hardware increases the cost of a simple pfSense system by 150..250EUR, the improved energy efficiency and hardware reliability are well worth it.

    Also, these boxes do not look "like a desktop doing the job of a 'real firewall'." ;)



  • For the price of a mid-tier Cisco router I can buy two pfSense boxes–one for production and one as a warm spare.  Heck run them concurrently for hardware redundancy.

    That's a good "oh you can do that" moment for most decision makers.  For $800-$1,000 you can run two enterprise class routers in a load-balancing / fault tolerant / hardware redundant configuration.  It only takes about an hour to set up (with testing).  And if you get really, really crazy you can spend $1,200-$1,500 and keep a warm spare onsite if both devices get hit with severe hardware failures (water balloon fight in the data center).

    Price that SLA with Cisco. Go ahead, I dare ya'!



  • I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)

    I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
    I mean, i thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
    Isn't that right ?

    The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
    Is it possible to firewall gigabit links with pfSense ?

    Thank you very much, I don't know what to think oO



  • You get more performance/speed per dollar when going with pfSense.

    Like the article says, every firewall is software based. There are layers of software languages. You can go to the top which is something similar to Java which reads almost like english. Or you can go to the very bottom which is machine code. If you were to say 1 is machine language and 10 being the high level, I would say pfsense sits around 4-5. A developer would be able to speak more accurately than I, but I would safely assume pfense is very close to the level modern firewalls operate at.

    @S(y)nack:

    I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)

    I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
    I mean, i thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
    Isn't that right ?

    The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
    Is it possible to firewall gigabit links with pfSense ?

    Thank you very much, I don't know what to think oO



    I understand this point, but I thought Cisco equipment worked at a hardware level. As if you modified the hardware layout when you entered commands. See what I mean ?
    Enter ACL –> modifies some "switches" in the chips.

    So what I was thinking was pfSense is analysing traffic in the 7th layer of the OSI model, and Cisco equipment in layer 3.



  • @S(y)nack:

    I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)

    I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
    I mean, i thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
    Isn't that right ?

    The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
    Is it possible to firewall gigabit links with pfSense ?

    Thank you very much, I don't know what to think oO

    Actually no, Cisco boxes are Intel-based "hardware" running the IOS "software" and until quite recently with the ASA -X series, Cisco PIX/ASA boxes were relatively underpowered (imho).

    Check
    http://en.wikipedia.org/wiki/Cisco_PIX#Specifications_of_latest_and_older_models
    http://en.wikipedia.org/wiki/Cisco_IOS

    Some boxes however had VPN acceleration hardware, which improved IPsec performance.



  • You're thinking of physical modifications to achieve switch/router functionality. In your mind, pfSense is an ignitor chip and cisco switches are distributors. One uses programming embedded on a chip to handle the spark plugs while one requires a revolving motor sync'd up with the cams to ignite the spark plugs. Even your motherboard is driven by CMOS which is by definition software. The only pure hardware is your processor that executes raw code as data/current flows over transistors that are 1 or 0.

    The chips inside the switches are simply there to process data based on the software. The physical size of a switch if purely hardware would be monstrous. Unless you stick a really high price tag on it using the newer 22nm architecture for transistors.

    @S(y)nack:

    I understand this point, but I thought Cisco equipment worked at a hardware level. As if you modified the hardware layout when you entered commands. See what I mean ?
    Enter ACL –> modifies some "switches" in the chips.

    So what I was thinking was pfSense is analysing traffic in the 7th layer of the OSI model, and Cisco equipment in layer 3.


  • Netgate Administrator

    When you get up to very high bandwidth equipment things begin to differ. The boundaries between hardware and software start to blur. You can't get commodity hardware that will push packets fast enough so you go over FPGAs and such.

    However, as pointed out, standard commercial firewalls are just computers running software.

    Steve



  • @S(y)nack:

    The "hardware firewall myth" is scaring me, since I've always thought pfSense would be much slower than a Cisco ASA.
    Is it possible to firewall gigabit links with pfSense ?

    You'll probably need an Intel Core i3 level CPU for that. My lowly Atom D2700 shows CPU peaks of 20% at 100Mbps (with Intel NICs), with traffic shaping (HFSC) enabled, running pfSense 2.0.2. So I guess that an Atom D2700 might perhaps do 0.5Gbit routing. Well - not too shabby for a fanless system!

    @heavy1metal:

    The chips inside the switches are simply there to process data based on the software.

    The Intel NICs do actually provide offloading, so some of the "TCP/IP work" is actually performed in hardware. pfSense supports offloading. In theory, the Intel NICs also support dynamic reduction of the interrupt rate under heavy load conditions in order to reduce CPU load. However, I do not know if the FreeBSD drivers do actually support this feature. However, pfSense can be configured to use device polling, which also limits the interrupt rate.

    @dhatz:

    Some boxes however had VPN acceleration hardware, which improved IPsec performance.

    Yup, and you can use them to speed up VPNs in pfSense as well: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

    However, it appears that the Atom D2700 can do IPSEC faster in software than Cryptodev in hardware…but I have no definite data there.



  • @stephenw10:

    When you get up to very high bandwidth equipment things begin to differ. The boundaries between hardware and software start to blur. You can't get commodity hardware that will push packets fast enough so you go over FPGAs and such.

    Apparently new networking frameworks for Linux and FreeBSD are capable of saturating 10Gbps links without the need of special hardware:

    netmap http://info.iet.unipi.it/~luigi/netmap/
    pf_ring http://www.ntop.org/products/pf_ring/hardware-packet-filtering/

    ipfw meets netmap
    A userspace version of ipfw and dummynet is now available, using netmap for packet I/O. On an i7-3400, this version is able to process over 6 million packets per second (Mpps) with simple rulesets, and over 2.2 Mpps through dummynet pipes, 5..10 times faster than the in-kernel equivalent.


  • Netgate Administrator

    Yep, commodity hardware gets faster and faster. Equally the definition of 'very high bandwidth' gets higher and higher.  ;)
    This is way outside my experience but I would guess a 100Gbps router is using dedicated hardware.

    Also I missed the question earlier:

    Is it possible to firewall gigabit links with pfSense?

    Yes and these days you don't even need anything particularly exotic. A Celeron 530 will firewall/NAT >1Gbps.
    For example: http://forum.pfsense.org/index.php/topic,45439.0.html

    Steve



  • @dhatz:

    Apparently new networking frameworks for Linux and FreeBSD are capable of saturating 10Gbps links without the need of special hardware:

    Routing means that you'll need twice the bandwidth. AFAIK, PCI-E 2.x with 32 lanes will max out at 16Gbps. Well, PCI-E is full-duplex, so 10Gbps in transmit and 10Gbps in receive direction will add up nicely to 20Gbps. However, full full-duplex traffic on both NICs will be limited. Note that some datasheets specify the encoded (gross) PCI-E transfer rate, the usable rate is lower: http://www.intel.com/Assets/PDF/prodbrief/Intel_10_Gig_AFDA_Dual_Port_prodbrief.pdf

    I suspect that PCI 3.0 NICs still qualify as "special hardware". Actually, I haven't yet heard of any…

    Whatever. Very interesting discussion, at least for nerds like us ;), but let's not forget the distress of the original poster.

    One argument for Cisco routers is that "most, if not all Fortune 500 companies use Cisco equipment". This marketing line makes the connection between successful business and Cisco stuff. http://forums.whirlpool.net.au/archive/1974081

    You can still raise the question if the use of Cisco routers was responsible for the success, or if it was just that the companies had earned enough money so they could spend it on Cisco equipment…and on network administration staff. Yup, there are companies which cannot only afford to buy Cisco for every aspect of their networking and communication needs, they can also afford that more than 10% of their employees are just there to keep the IT infrastructure alive (that does NOT include programmers or application support…and no external consultants as well).

    However, take extreme care when delivering such arguments. Many, if not most management persons suffer from strong delusions. The argument might backfire.



  • @Klaws:

    One argument for Cisco routers is that "most, if not all Fortune 500 companies use Cisco equipment". This marketing line makes the connection between successful business and Cisco stuff. http://forums.whirlpool.net.au/archive/1974081

    Apparently not all Fortune 500 companies use Cisco & MS Windows – according to this post by M:Tier Ltd, at least some Fortune 500 companies use ... OpenBSD, for practically everything: routers/firewalls, servers and even (thin) clients !

    http://www.undeadly.org/cgi?action=article&sid=20110420080633

    _As a company we are very dedicated to what we do because we are "forced" to use our operating system of choice and we want our customers to be as happy as we are at using it :-)

    So our paid job is hacking on and deploying, maintaining, supporting… OpenBSD installations. We are also required to hack on things that can be merged back into OpenBSD itself and when it's not possible, then we change what we did so that it can be. Of course some developments are very specific to what we do and have no place in the project's CVS tree.

    So, amongst other services, we set up and maintain several 100% OpenBSD-based infrastructures (going from the entry site firewall to the secretary's workstation) and this is what I'm going to talk about here.

    As a side note, it is important to know that we are working exclusively for Fortune 500 companies (each operating in totally different and unrelated sectors).

    What it means is that:

    We are not setting up systems for small geek-friendly-only companies but for huge ones with a long IT history (some of them are present in >100 countries worldwide). While I cannot reveal any names, it is important to know that OpenBSD can fit in the Big Ones.
    We have to comply to very large and complex technical and legal specifications.
    While most people will see it as a useless effort, we think it is very interesting to make a non-mainstream operating system comply with the corporate rules.

    The Big Picture

    We are currently managing over 600 users in several locations around the world (expecting a large increase before the end of the year).

    All these locations are fully running under OpenBSD, that is:

    • the firewalls: PF, IPSEC, CARP…

    • the infrastructure servers: DNS, DHCP, TFTP, FTP, HTTP, NFS, LDAP, puppetmaster, Kerberos, proxy, print server…

    • the desktops (workstations and laptops): The GNOME Desktop and plethora of graphical applications._



  • Just a quick (and hopefully final) note on systems for 10Gb+.  The problem is how commodity hardware is designed:  interface->chipset (subsystem)->CPU, and then back out in some cases.  Hardware designed for mad throughput is designed to hit the interface and handle a lot of the traffic with less and less going to the subsystem if one even exists.  Hardware layers are fewer.  Why?  Latency.  If it all has to flow up and down it'll get congested and create latency; hence the custom and absurdly priced hardware.  It's an engineering marvel compared to commodity hardware (which is a marvel, but a different kind).



  • @dhatz:

    Apparently not all Fortune 500 companies use Cisco & MS Windows – according to this post by M:Tier Ltd, at least some Fortune 500 companies use ... OpenBSD, for practically everything: routers/firewalls, servers and even (thin) clients !

    Of course, if a company uses Cisco, it doesn't automatically mean that they use Cisco only. I've been on a site of one of the top Fortune 500 companies, and saw two disconnected Cisco routers, replaced with a cheap piece of plastic for home use.

    pfSense is based on FreeBSD (but uses pf from OpenBSD, of course). FreeBSD is said to be the most reliable OS on the Internet:
    http://news.netcraft.com/archives/2011/07/08/most-reliable-hosting-company-sites-in-june-2011.html



  • Just stumbled across an article "FreeBSD – der unbekannte Riese" ("FreeBSD - the unknown giant"), which mentions that "FreeBSD ist heute noch ebenso gesund wie früher und ist genau dort zu finden, wo man auch Linux vermuten würde: als preiswertes, sicheres und stabiles System auf Commodity-Hardware oder verborgen in Netzwerkgeräten von Cisco, Juniper, Force10 und NetApp.".

    In English: "Today, FreeBSD is still as healthy as it was in the past and it can be found exactly where you'd also expect Linux: as a cost-effective, secure and stable system on commodity hardware or hidden in network devices from Cisco, Juniper, Force10 and NetApp.".

    Source: http://www.heise.de/open/artikel/FreeBSD-der-unbekannte-Riese-935746.html

    Other sources confirm that Cisco IOS is "based on BSD".

    So much for "hardware firewalls" :)



  • @S(y)nack:

    I would like to ask a question about the "hardware firewall myth" (http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives)

    I've always thought that Cisco equipment was programming hardware directly from the rules you entered.
    I mean, i thought the configuration was "translated" to electronics so the firewall could handle firewall rules at link speed, without having to call software.
    Isn't that right ?

    No. ASAs run on x86 hardware. You get vastly more scalability for the buck with pfSense than with an ASA. You can reach the same performance specifications as everything but the most expensive ASA 5585 (which costs in the neighborhood of $250K USD give or take a few new cars worth of price depending on what licenses you buy too).

    The place where we really win vs. virtually every commercial firewall is amount of money to handle large numbers of states (1-2+ million). You're spending tens of thousands USD minimum for what you can do for the cost of 2 GB RAM with pfSense (2 million states). This is a big deal in colocation datacenters, where we have a very significant presence. We've replaced countless Cisco PIX and ASAs in production because they couldn't scale adequately to handle the customer's traffic. Achieved the same functionality and performance as a much higher end Cisco, and saved tens of thousands and at times hundreds of thousands vs. Cisco. Also our HA functionality is a big attraction to that market, as the savings are twice as much when you need two boxes.

    Lots of very serious networks, where downtime costs significant money, trust pfSense and derived products.

    As to what's best for any one particular network, that will vary. It depends on your specific requirements. Maybe there's a feature only Cisco has that you need in your network. Or maybe you need one of the many functions we have that Cisco doesn't, it very much goes both ways. You can replace Cisco there with any commercial vendor or competitive professional-grade open source solution, this will hold true regardless of which products you're evaluating.

    So if they're recommending switching to Cisco, tell us what their arguments are as to why. We can probably prove each one wrong. Or maybe they're right in some aspect, I'm fine to admit if that's the case.
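    The thread keeps returning to two technical points: every firewall, pfSense and ASA alike, is software walking a rule list and a state table, and the state table is what costs memory (the post above puts 2 million states in about 2 GB of RAM). The following Python model, added here as an educational illustration and not code from pfSense, pf or any vendor, shows both: a first-match rule list (pfSense rules are "quick", so the first matching rule decides), a state table keyed on the 5-tuple so that reply traffic is passed by state rather than by rule, and a rough sizing helper using the per-state budget implied by the figures in the post. The packets, rule set, addresses and the `StatefulFilter`/`state_table_budget` names are all constructed for the example.

```python
"""Toy stateful packet filter: first-match rules plus a 5-tuple state table.

Educational model only (constructed for this thread); it is NOT pf's
implementation, but it shows the mechanics every software firewall shares.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    direction: str        # "in" (from WAN) or "out" (from LAN)
    dst: str = "any"      # destination address, or "any"
    dport: int = 0        # destination port, 0 means any
    proto: str = "any"

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and self.proto in ("any", pkt.proto)
                and self.dst in ("any", pkt.dst)
                and self.dport in (0, pkt.dport))


Key = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Dict[Key, str] = {}   # 5-tuple -> direction that opened it

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        # A reply swaps source and destination, so look the state up backwards.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, pkt: Packet, direction: str) -> str:
        # 1. State table first: traffic belonging to an open state is passed
        #    without touching the rule list at all.
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass (state)"
        # 2. First-match rule evaluation; a matching "pass" creates a state.
        for rule in self.rules:
            if rule.matches(pkt, direction):
                if rule.action == "pass":
                    self.states[self._key(pkt)] = direction
                    return "pass (rule)"
                return "block (rule)"
        # 3. Nothing matched: default deny.
        return "block (default)"


def state_table_budget(ram_bytes: int, bytes_per_state: int) -> int:
    """How many states fit in a given amount of RAM.

    The post's figure of ~2 million states in 2 GB implies roughly 1 KiB per
    state including overhead; that is a rule of thumb, not pf's exact size.
    """
    return ram_bytes // bytes_per_state


def demo() -> Tuple[List[str], int]:
    """Run constructed traffic through the model; returns (decisions, states)."""
    rules = [
        Rule("pass", "in", dst="10.0.0.80", dport=80, proto="tcp"),  # web server
        Rule("pass", "out"),                                          # LAN may go out
    ]
    fw = StatefulFilter(rules)
    traffic = [
        (Packet("10.0.0.5", "198.51.100.10", 40000, 443), "out"),   # LAN client opens HTTPS
        (Packet("198.51.100.10", "10.0.0.5", 443, 40000), "in"),    # server reply: by state
        (Packet("203.0.113.7", "10.0.0.5", 55555, 22), "in"),       # unsolicited SSH: denied
        (Packet("203.0.113.7", "10.0.0.80", 51000, 80), "in"),      # visitor to web server
        (Packet("10.0.0.80", "203.0.113.7", 80, 51000), "out"),     # web server reply: by state
        (Packet("203.0.113.7", "10.0.0.5", 443, 40000), "in"),      # wrong peer for that state
    ]
    decisions = [fw.filter(pkt, direction) for pkt, direction in traffic]
    return decisions, len(fw.states)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print("states held:", demo()[1])
    print("states per 2 GiB at 1 KiB each:", state_table_budget(2 * 1024**3, 1024))
```

    Only two states exist after six packets because the two replies ride on states already opened by the two passed connections, and neither unsolicited packet ever created one; the memory the thread talks about is spent on exactly those entries, not on the rule list.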


  • Netgate Administrator

    People like to just throw money at Cisco and it seems Cisco are quite happy to take it.  ::)
    http://arstechnica.com/tech-policy/2013/02/why-a-one-room-west-virginia-library-runs-a-20000-cisco-router/

    Steve



  • That's the best argument so far. Point out the article to the management and ask them if they want to receive their own newspaper story as well ;)

    The article also confirms that Cisco routers support many potentially useful features, which, should you actually want to use them, require a costly upgrade first.



  • Folks -

    I am just now looking over all the posts and I thank you all for the valuable information. It's not likely that I will lose my job over this, as we have been shrinking through attrition for years now and all it takes is for two people to call in sick to make it hard to staff the library desks, so I am needed if for no other reason than to provide a warm body to answer patron questions like "where's the books on butterflies?" and such. If the library wants to pay me to sit and answer dumb questions, then hey - it's their dime. Customer service is important, too.

    The ease of which pfsense is installed and managed should be a great selling point to my supervisor when she realizes that she won't be able to make a cisco configuration change by pointing and clicking a mouse on a web page, but rather has to call up the firm that installed the Ci$co firewall to do it, then charge us for the change.

    Since the starting of this topic, the director of the library has seen the report on the state of our network that the consultants have concocted. He has (correctly) come to the realization that it's a sales tool first and foremost, and that we, my boss and I, get to decide what proposals we feel will work for our organization, not the consultants. That's a relief.

    We are doing battle with another outside firm right now over a web tool they wrote for us that is failing miserably, so it might leave management with a bad taste in its mouth for contractors.

    Again - thanks to all who contributed to this conversation. It will be useful to me.

    LibraryMark

