[Chugalug] OT: Favorite Enterprise Firewalls?

Wed Apr 17 14:42:44 UTC 2013

On 4/17/2013 10:10 AM, Jason Brown wrote:
> I have to plug pfSense. ("Enterprise" is a bullshit buzzword to me).

While I agree with your sentiments.....

> I have never understood the 24/7 parts replacement / repair requirement
> that IT departments insist on. It is MUCH easier to just have hot
> redundant hardware than to continually pay for that kind of support.

There are failover options available on Cisco kit at least.  It's harder
to buy that second $20k, $40k, $80k unit however.  And often "support"
with firewalls is not actually support, but subscriptions to their
Anti-virus signatures, Anti-SPAM signatures, IPS/IDS signatures, botnet
traffic filter licenses, etc etc etc.  Did you see support in that list?
Me neither.

> No matter how good your support contract, hardware WILL fail, expect it
> and make failover seamless. It saves me a lot of headache. 4 Hours is
> way more downtime than I am comfortable with. 4 minutes is way too long
> for me.  4 seconds I can deal with.

A much wiser man than myself once told me this:  "I can decrease your
downtime directly proportional to the size of your wallet, it's up to
you and your wallet to determine how much downtime you can actually afford."

> For those people that want it, pfSense also provides the 24/7 support at
> a reasonable price. I have not used it personally.
> https://portal.pfsense.org/index.php/support-subscription

pfSense (and BSD's IPsec stack) has shortcomings compared to other OS
offerings.  Specifically, NAT before IPsec is not an option, so
connecting overlapping subnets via pfsense is not possible.  There are
also issues with UDP traffic (specifically Microsoft AD traffic from
workstation to servers) across VPNs.  Not a big deal to make a registry
change to one remote workstation.  Huge pain in the ass to make the same
change to 100 remote workstations.

You have to be aware of a product's limitations as well as its
capabilities.  And not all carpentry work requires a standard claw
hammer.  Sometimes you need a utility knife too....
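The overlapping-subnet problem the reply raises (why a tunnel between two sites that both use the same LAN range needs NAT applied before IPsec) is easier to see in a small model. This is an added illustration, not code from the thread or from pfSense; the addresses, translated ranges and the simplified route decision are all constructed assumptions.

```python
import ipaddress

# Constructed scenario: both sites chose the same LAN range.
SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.1.0/24")

# Distinct ranges used only inside the tunnel (assumed values). Each site
# presents itself to the other through its translated range (1:1 "BINAT").
SITE_A_TRANSLATED = ipaddress.ip_network("10.10.1.0/24")
SITE_B_TRANSLATED = ipaddress.ip_network("10.10.2.0/24")


def binat(addr, src_net, dst_net):
    """1:1 translate addr from src_net to the same host offset in dst_net."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def route_without_nat(src, dst):
    """Site A with no NAT: a destination inside the local LAN is delivered
    locally (longest match wins), so a packet meant for the overlapping
    remote LAN never reaches the IPsec policy at all."""
    if ipaddress.ip_address(dst) in SITE_A_LAN:
        return "local"
    return "ipsec"


def route_with_binat(src, dst):
    """Site A with NAT before IPsec: hosts address the remote site by its
    translated range, so the lookup selects the tunnel, and the source is
    rewritten into A's translated range before encapsulation."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in SITE_B_TRANSLATED:
        new_src = binat(ipaddress.ip_address(src), SITE_A_LAN, SITE_A_TRANSLATED)
        return ("ipsec", str(new_src), str(dst_ip))
    return ("local", src, dst)


def site_b_inbound(src, dst):
    """Site B, after decryption, maps the translated destination back to the
    real LAN host; the source stays in A's translated range so replies
    route back into the tunnel instead of onto B's own LAN."""
    real_dst = binat(ipaddress.ip_address(dst), SITE_B_TRANSLATED, SITE_B_LAN)
    return (src, str(real_dst))
```

A firewall that can only apply NAT after the IPsec policy match has no chance to fix this: the route decision is already made against the real, overlapping ranges.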