Thursday, August 21, 2008

pfsense and Smoothwall

So here's my dilemma for a project I'm working on.
I need a rather broad solution covering DNS, proxying, firewalling, VPN (both site-to-site and LDAP-integrated user access), DHCP, and support for multiple DMZ servers, along with routing. This will act as the centre point for a 40 person network. Clearly, hardware-wise this will have to be quite a strong system, with load balancing being a possibility and, at minimum, hardware failover.

For the network security class we were asked to take a look at two firewall solutions, so whilst comparing them I also tried to see how well they would fit the above requirements.
The firewalls looked at were pfsense and Smoothwall Express 3.0.

Let's start with pfsense.
  • It is an open source effort, based on FreeBSD. I have little experience with BSD, compared to quite solid knowledge of Red Hat, which Smoothwall is built on top of.
  • Its feature set is huge, and rather all-encompassing.
  • Full firewalling functionality, including stateful inspection and fingerprinting.
  • NAT support, which I may or may not implement at this level within the project mentioned above.
  • pfsense does support hardware failover; however, the backup server normally does nothing and only takes over when the main server fails. It also requires another static public IP, which could be a problem depending on the ADSL package I end up going with.
  • Load balancing is supported, though only with equal weighting. The ADSL lines I will be going with for the project will be balanced using a Billion Biguard 30, so this is only really important for DMZ servers and the like.
  • VPN: this is probably going to be the deal breaker. pfsense supports site-to-site links, along with PPTP-style links including RADIUS server support, which is exactly what I need.
  • DHCP serving is present, along with some proxying abilities.
Now let's have a look at Smoothwall Express 3.0.
  • As this is primarily a firewall, its firewall is quite full-featured, just like pfsense's, including stateful inspection.
  • NAT support is a bit of an unknown and not explicitly mentioned, but this is probably not a huge deal, as I will have the Biguard 30 handle it.
  • Basic DHCP serving is supported, and since it is based on RHEL, this shouldn't be that hard to expand upon.
  • Proxy support is quite limited, but my proxy needs only include basic HTTP proxying.
  • Here's the big problem: VPN support is very limited in the free package. Site-to-site is supported, but there is no included support for PPTP or RADIUS authentication.
  • Multiple DMZ servers are also not supported, so another requirement is not met.
  • No inbuilt hardware failover.
What must be counted among Smoothwall's features is its large library of community-driven upgrade modules. For the project's needs, however, these will almost certainly require more work to set up and configure than the rather all-inclusive pfsense.
At this point, for both the network security class and the project's needs, pfsense seems to be the winner.

3 comments:

Ian Mahuron said...

Limiting yourself to the feature set in each of these products seems unwise. Each is merely an administrative interface on top of native OS facilities and commonly used daemons. Why not spend a few days hacking on OpenBSD and call it good? openbsd+pf+bind+squid should do the trick.

If you are determined to use a bundled solution, pfsense is probably the way to go. pf is _far_ more powerful than stock iptables (or maybe you like patching netfilter and rebuilding the kernel?).

Dan said...

The only extra thing I would put into the evaluation criteria is community support. If you're going to use a 'free' system and rely on community support to help you out when things go pear-shaped, then you really will need this. I've just gone through the process of implementing my own homebuilt firewall and chose Smoothwall over similar competitors for this very reason. There is nothing worse than encountering issues and getting appeals for help ignored on the forums - or worse still, unhelpful replies saying STF!!!! (search the forum) when you've spent the last 24hrs doing just that.

Nick said...

I've been using pfSense for about 6 months now on our production LAN (75ish users). I'd have to agree with Ian - pfSense is a really powerful solution, with an excellent community. Also - if you'd prefer to buy something that's supported, they also have commercial versions that have more or less been re-branded, but come with support. I've worked with both and am using pfSense 1.3-Alpha at home.