[Chugalug] OT: Favorite Enterprise Firewalls?

Jason Brown lists at masterforge.com
Wed Apr 17 20:42:47 UTC 2013

On 04/17/2013 10:42 AM, Dave Brockman wrote:
> On 4/17/2013 10:10 AM, Jason Brown wrote:
>> I have to plug pfSense. ("Enterprise" is a bullshit buzzword to me).
> While I agree with your sentiments.....
>> I have never understood the 24/7 parts replacement / repair requirement
>> that IT departments insist on. It is MUCH easier to just have hot
>> redundant hardware than to continually pay for that kind of support.
> There are failover options available on Cisco kit at least.  It's harder
> to buy that second $20k, $40k, $80k unit however.  And often "support"
> with firewalls is not actually support, but subscriptions to their
> Anti-virus signatures, Anti-SPAM signatures, IPS/IDS signatures, botnet
> traffic filter licenses, etc etc etc.  Did you see support in that list?
> Me neither.
Yep, support is in that list, from the linked page: A support 
subscription provides you with 24x7x365 direct access to the pfSense 
team with guaranteed response time for all your firewall,.....
>> No matter how good your support contract, hardware WILL fail, expect it
>> and make failover seamless. It saves me a lot of headache. 4 Hours is
>> way more downtime than I am comfortable with. 4 minutes is way too long
>> for me.  4 seconds I can deal with.
> A much wiser man than myself once told me this:  "I can decrease your
> downtime directly proportional to the size of your wallet, it's up to
> you and your wallet to determine how much downtime you can actually afford."
This is ABSOLUTELY true! But in my opinion the approach to 
infrastructure design is much more important than the vendor / hardware. 
If you are going for more than "three nines" then every part of the 
infrastructure should be redundant. If that means that it costs less for 
one, you can buy two, or four.
>> For those people that want it, pfSense also provides the 24/7 support at
>> a reasonable price. I have not used it personally.
>> https://portal.pfsense.org/index.php/support-subscription
> pfsense (and BSD's IPSec stack) have shortcomings compared to other OS
> offerings.  Specifically, NAT before IPsec is not an option, so
> connecting overlapping subnets via pfsense is not possible.  There are
> also issues with UDP traffic (specifically Microsoft AD traffic from
> workstation to servers) across VPNs.  Not a big deal to make a registry
> change to one remote workstation.  Huge pain in the ass to make the same
> change to 100 remote workstations.
> You have to be aware of a product's limitations as well as its
> capabilities.  And not all carpentry work requires a standard claw
> hammer.  Sometimes you need a utility knife too....
Agreed, sometimes there are shortcomings. I wasn't aware that connecting 
overlapping subnets was possible (reliably) with any product? Perhaps I 
am misunderstanding?
I've typically separated VPN services anyway, not leaving those up to 
the firewall at all (Unless it is site to site).
I'm particularly interested in the UDP AD traffic issue, I have not 
heard of that particular issue.
> Regards,
> dtb
