Firewall Recommendations


(Mike Hazelwood) #1

Anybody using PFSense appliance based systems? Looking at it versus Fortinet, ASA, UnTangle, Sonic Wall and wondering about any pros/cons people have run into with any of the above. If you have purchased recently and could post or message me what non-profit pricing would look like, it would be greatly appreciated. Thanks in advance for your responses.


(Isaac Johnson) #2

Depends on specifically which features you intend to use. Are you looking for UTM stuff like intrusion detection, AV, spam filtering, protocol filters, yada yada yada, all the bells and whistles, or are you mostly just looking to do a straight-up firewall? I rarely use PFSense outside of a lab or virtual environment, but PFSense can do most everything UTMs can. Having some level of Linux/Unix and associated open-source security project experience helps quite a bit with it if you are going to move beyond just doing a basic firewall into that UTM category; you’ll also need to buy some subscriptions to do effective UTM stuff. Also be sure to pop into their forums for hardware specifics based on how many packets you need to push and what hardware you’ll need, especially if you ever plan to do 10G.

I know quite a few guys who were working with SonicWall and are transitioning away; most of them were managing dozens of them and found them cumbersome. Not sure how that would reflect on a single one, though, just that if you had to work with them a lot they were proving to be a poor choice and technicians tend to hate them. Untangle firewalls are solid and I’ve used them for sensitive work in a country hostile to the faith that has extensive state-sponsored hacking programs, but again, it’s one where some Linux (specifically Ubuntu/Debian) is helpful so you know what’s actually going on in the modules. I’ve worked with Sophos within the last year; they are probably one of the easiest to manage and pretty solid.

All that being said, those UTMs are mostly helpful if you have on-site infrastructure (an on-site mail server or something like that) and a LAN-based security model. I’d actually move away from both of those if you have the means and managerial support to do so. Other means of layering the security stack can be far more effective for use cases where mobility and cloud are used extensively.


(Dave Mackey) #3

I’ve used Cisco ASA, UnTangle, and Ubiquiti Security Gateways.

Cisco ASA is beautiful for its high availability capabilities (e.g. you can run two in tandem) but the price point is significant and it takes a bit to work around the Cisco interface.

I haven’t used UnTangle in perhaps 5-6 years but remember it being quite good at the time…and the price point was nice (open source), though I remember pricing could add up quickly once one began adding on premium modules.

I’ve also been using Ubiquiti Security Gateways, which as far as price point are pretty low and provide failover between multiple WANs, though not an active/active or automatic failover solution between units.

I would probably go for an open source solution if price is a significant consideration unless I am deploying a Ubiquiti network in which case the USG provides some powerful integrations with the rest of the Ubiquiti equipment.

If price isn’t a huge concern, then Cisco ASAs are certainly quite nice.


(Alex Conner) #4

If you are looking for the best available protection, that’s going to come from a UTM. The market leaders in those areas are the likes of Sonicwall, Fortinet, Palo Alto, Sophos, etc. Yes, you can build out some form of UTM using off-the-shelf equipment and software but you’re still going to be paying for your time, the hardware and the data feeds (the free/open source data feeds aren’t as complete as the ones you have to pay for).

On top of that, vendors like Fortinet and Palo Alto have built hardware acceleration into their products to provide cost-effective protection at very high bandwidths. Contrast what an FG-100E can filter vs. what an equivalent whitebox running Squid, SquidClamAV, Snort, Application ID, and the various processes to update those daemons can handle. Also, keep in mind that you’re the one who’s in charge of configuring and supporting all of that.

At the MSP I used to work at, we used PFSense appliances for basic firewalls when I started, and as our customers needed UTM features and QoS, and Internet speeds kept increasing, the cost of the PFSense hardware didn’t make sense when trying to cover the whole realm of needs. And if you start off with just the hardware and no UTM services, you can just turn them on later if you need them.