Firewall Recommendations

(Mike Hazelwood) #1

Anybody using PFSense appliance-based systems? Looking at it versus Fortinet, ASA, UnTangle, and SonicWall and wondering about any pros/cons people have run into with any of the above. If you have purchased recently and could post or message me what non-profit pricing would look like, it would be greatly appreciated. Thanks in advance for your responses.

(Isaac Johnson) #2

Depends specifically on which features you intend to use. Are you looking for UTM stuff like intrusion detection, AV, spam filtering, protocol filters, yada yada yada, all the bells and whistles, or are you mostly just looking to do a straight-up firewall? I rarely use PFSense outside of a lab or virtual environment, but PFSense can do most everything UTMs can. Having some level of Linux/Unix and associated open-source security project experience helps quite a bit with it if you are going to move beyond just doing a basic firewall into that UTM category; you'll also need to buy some subscriptions to do effective UTM stuff. Also be sure to pop into their forums for hardware specifics based on how many packets you need to push and what hardware you'll need, especially if you ever plan to do 10G.

I know quite a few guys who were working with SonicWall and are transitioning away. Most of them were managing dozens of them and found them cumbersome; not sure how that would reflect on a single one, though, just that if you had to work with them a lot they were proving to be a poor choice, and technicians tend to hate them. Untangle firewalls are solid, and I've used them for sensitive work in a country hostile to the faith that has extensive state-sponsored hacking programs, but again, it's one where some Linux experience (specifically Ubuntu/Debian) is helpful so you know what's actually going on in the modules. I've worked with Sophos within the last year; they are probably one of the easiest to manage and pretty solid.

All that being said, those UTMs are mostly helpful if you have on-site infrastructure (an on-site mail server or something like that) and a LAN-based security model. I'd actually move away from both of those if you have the means and managerial support to do so. Other means of layering the security stack can be far more effective for use cases where mobility and cloud are used extensively.

(Dave Mackey) #3

I’ve used Cisco ASA, UnTangle, and Ubiquiti Security Gateways.

Cisco ASA is beautiful for its high-availability capabilities (e.g. you can run two in tandem), but the price point is significant and it takes a bit to work around the Cisco interface.

I haven’t used UnTangle in perhaps 5-6 years but remember it being quite good at the time…and the price point was nice (open source), though I remember pricing could add up quickly once one began adding on premium modules.

I've also been using Ubiquiti Security Gateways, which are pretty low as far as price point goes and provide failover between multiple WANs, though not an active/active or automatic failover solution between units.

I would probably go for an open-source solution if price is a significant consideration, unless I am deploying a Ubiquiti network, in which case the USG provides some powerful integrations with the rest of the Ubiquiti equipment.

If price isn't a huge concern, then Cisco ASAs are certainly quite nice. :)