pfSense: open source firewall

As everyone now knows, securing a network is important.  Companies of every size and consumers alike have options for doing so, but for a long time securing a network was only an option for those that had significant resources to invest in such things.  As technologies have progressed decent security settings have become a standard set of features for every router and computer, but for small businesses this can seem like the limit of their budget.  Setting up robust firewalls or using monitoring services still requires a significant investment, and so most small businesses rely on the built-in firewalls and password options that come with their devices.  There are open source solutions like pfSense and commercial solutions like the ones offered by Sonic Wall and Zyxel.  So, which one should you choose?

First, it’s important to understand what open source really means.  In a standard business model companies make software and hardware, which costs money, with the end goal of making more money than they spent, i.e. profit.  That profit can end up in any number of places, but one that is important to the continued success of any company is to maintain the product through customer service, technical support, and maintenance and development.  This is the benefit of commercial solutions.  However, companies must protect their intellectual property, and so are not always willing to let others see some or all of the source code behind their software.  This can lead to slow development of features and patches, and with only so many developers working on a product detection of bugs and security flaws can be lacking.  Open source software is freely distributed, usually donations are accepted to help maintain the project, and anyone that wants to volunteer to work on something for that project can.  The benefits to open source are the reverse of commercial solutions, with faster updates and patching at the expense of little or no unified tech support.  There are usually message boards devoted to a project like an open source firewall, but this is not direct and dedicated tech support.

pfSense sports a robust feature set and can be configured simultaneously for DNS, DHCP, Routing, Firewall, VPN, High Availability, Load Balancing, Traffic Shaping, Captive Portal, UTM server, Intrusion Detection, Intrusion Prevention, Proxy server, and Web Content Filtering.  This means that anyone can have large network security only for the cost of the hardware it runs on.  Second, the hardware requirements are quite low.  A pfSense server can be created from one of the old computers a small business usually has sitting in the closet.  A few low-cost upgrades might be in order such as RAM or dedicated network cards, but otherwise that old computer is ready to go as-is.  Being open source router pfSense might seem like a great option but for the lack of tech support, but Netgate has closed the gap with their pfSense Gold package.  For $99 a year you can have tech support, access to ongoing resources and training videos, an actual manual, and a backup service for your pfSense instance(s).  That’s not a bad deal at all, and is well worth it for novices and experts alike.

Digging into the nuts and bolts, the configuration options are extensive.  The open source firewall options on pfSense can be configured for granular access control, and the VPN offers IPSEC or L2TP security and will even integrate with Windows Active Directory.  The intrusion detection and prevention offers standards like IP blacklisting and Snort-based packet analysis, and there is an emerging threats database that can be enabled.  The only drawback to the IDS/IPS is that these are free addon packages, but if you want the most current updates on-the-fly you will have to subscribe and pay for them.  The list of addon packages for pfSense is lengthy as well.  Catagories include security, network management, monitoring, services, system, routing, and miscellaneous.  Most of these are self-explanatory but services refers to adding functions that are not necessarily for networking, such as data backups or cron scheduling.  Miscellaneous packages are just that, and out of this category the Notes and Sarg packages are the most notable.

Since Netgate’s acquisition of the pfSense project, they have also started designing and selling their own hardware appliances with pfSense integrated on-chip.  Instead of buying a computer and having to deal with hardware maintenance and upgrades, you can buy whichever model suits your company’s needs and still get all of the features pfSense offers.  Also, included with the purchase of any model is a 1 year membership to pfSense Gold.  With prices starting at $150 for a passthrough box, this is a great option if you are implementing a new network or segment.  Some may find the lack of control over the hardware to be a drawback, while others will find these appliances to be a cheaper and easier way to implement routing and security.

On the commercial side of firewalls (pun intended), Sonicwall, Zyxel, and Cisco all offer reasonably prices solutions for small businesses.  The Cisco ASA line has long been a standard for VPN and firewall routing, and the others offer much the same in terms of features.  You get the same basic features in any of these products:  firewall, VPN, routing (in some), and usually some basic logging functions.  The main issue is that while these products do a pretty good job of securing a network (if configured properly), they don’t usually offer the extensive configuration options or robust logging without spending a lot of money.  Prices for what a small business would need will range from $150-$500, which isn’t too bad.  Still, the Netgate products are just a better sell of price vs. features, and from a tech perspective having the more robust intrusion prevention and detection that pfSense offers is a must.  Most small businesses shouldn’t and won’t spend what it takes to get that from a commercial solution.

Having an open source option that has also been reasonably commercialized puts network security squarely in the hands of everyone.  Now there’s no reason that any small business should ever be able to use high costs or a lack of available options to excuse a lack of security.  And, if you still feel that open source firewall isn’t the way to go there are reasonably priced commercial solutions that will get the job done too.