Contributed by dwc on from the graphs schmaphs dept.
Nate writes:
Wondering how the free firewalls compare to proprietary firewall solutions? So were Chris Swartz and Randy Rosel of the O'Reilly Network. Selecting the common Cisco PIX, Smoothwall and stock OpenBSD install firewall solutions, Chris and Randy have made a comparison of the three firewalls from the perspectives of the corporate entity, small business and home user.
Not surprisingly, OpenBSD is praised for its features, while it's faulted for a lack of built-in GUI/graphing. Though the article does not select a definitive winner, it does mark OpenBSD as a solid firewall option, their "runner up" option. Oddly, it looks as though the pair selected the 3.8 release of OpenBSD, rather than 4.0, to test with.
By Anonymous Coward (68.104.220.48) on
Why don't functionality and manageability by themselves determine how a product ranks? If my experience using and managing the product is good, then I give it high marks -- regardless of whether it has a GUI or pretty graphs.
A number of Pix admins I know refuse to use the Pix management GUI and stick to the CLI. Whether or not PDM was around wouldn't impact their assessment. And I know a number of firewall admins who consider the fact that Check Points can't be managed flexibly outside of the GUI a mark against the product.
I realize that it's a matter of personal preference, and that some people are GUI oriented. But that's not everyone. Some people, like me, rate the application higher if there isn't some flashy GUI to have to click through in order to manage something which is intrinsically simple.
PF rocks, plain and simple. I consider the fact that I can manage it using nothing more than my shell and a text editor over SSH more usable than other options.
By Sean (65.174.122.201) on
Because it evaluated the products from three perspectives: Enterprise, Small Business and Home user. In the Enterprise it's often not difficult to find someone who can find a text based interface manageable. In a small business or home situation, however, the odds swing the other way, making a lack of a GUI very unmanageable and foreign. As such, when including areas where a UNIX admin is not usually found, a CLI is generally going to be counted as a failing.
As for graphs, no matter how good you are using a CLI, a graph presents basic information (if properly done) very quickly. A management interface that polls and graphs the results can be checked and understood quickly and left to run on a station where it can be seen by everyone who needs access to that information.
However, it is true this isn't that much of a failing of PF. PF's logging facilities have made it possible for many front ends to be written for it that will graph information in just about any way you need. So while OpenBSD and PF on its own will not draw graphs for you, you can probably find an application that provides you with the information you want, whereas many canned logging and graphing features in some other firewall products may not be as flexible.
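The "front ends written on top of PF's logging" that this comment refers to are, at bottom, parsers of the pflog interface. The script below is an added example, not code from the article or from any of the posters: it reads the text form that `tcpdump -n -e -ttt -r /var/log/pflog` prints (the line shape follows the PF FAQ's logging section; the sample lines, addresses, rule numbers and timestamps are constructed for this illustration), aggregates blocked packets per source address, and renders the kind of plain-text bar chart a graphing front end would draw. The regular expression accepts both the `rule N/(match)` and the older `rule N/0(match):` header forms.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -e -ttt -r /var/log/pflog" output.
# Addresses (RFC 5737 documentation ranges), rule numbers and timestamps
# are made up for this illustration; the line shape follows the PF FAQ.
SAMPLE_PFLOG = """\
Jan 19 07:42:49.388471 rule 3/(match) block in on fxp0: 192.0.2.7.51020 > 198.51.100.5.22: S 1:1(0) win 65535
Jan 19 07:42:50.102233 rule 3/(match) block in on fxp0: 192.0.2.7.51021 > 198.51.100.5.23: S 2:2(0) win 65535
Jan 19 07:42:51.000001 rule 5/(match) pass in on fxp0: 203.0.113.9.40000 > 198.51.100.5.80: S 3:3(0) win 5840
Jan 19 07:42:52.771100 rule 3/(match) block in on fxp0: 192.0.2.7.51022 > 198.51.100.5.445: S 4:4(0) win 65535
Jan 19 07:42:53.001122 rule 3/(match) block in on fxp0: 192.0.2.44.1025 > 198.51.100.5.22: S 5:5(0) win 8192
Jan 19 07:42:54.555555 rule 3/0(match): block in on fxp0: 192.0.2.7 > 198.51.100.5: icmp: echo request
"""

# Header tcpdump prints for a pflog record: rule number (with an optional
# sub-rule number and trailing colon on older releases), action, direction,
# interface, then "src > dst" where each side may carry a ".port" suffix.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?:\d+)?\(match\):? "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?"
)


def parse_pflog(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def blocked_by_source(records):
    """Count blocked packets per source address, most frequent first."""
    counts = Counter(r["src"] for r in records if r["action"] == "block")
    return counts.most_common()


def blocked_ports_for(records, src):
    """Sorted set of destination ports that a given source was blocked on."""
    return sorted({int(r["dport"]) for r in records
                   if r["action"] == "block" and r["src"] == src and r["dport"]})


def text_histogram(pairs, width=40):
    """Render (label, count) pairs as a plain-text bar chart, scaled to width."""
    if not pairs:
        return ""
    top = max(count for _, count in pairs)
    rows = []
    for label, count in pairs:
        bar = "#" * max(1, round(count * width / top))
        rows.append(f"{label:>15} {count:4d} {bar}")
    return "\n".join(rows)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print(text_histogram(blocked_by_source(recs)))
    print("ports probed by 192.0.2.7:", blocked_ports_for(recs, "192.0.2.7"))
```

In practice the input would be piped in from tcpdump or read from a rotated pflog file, and the per-source counts would feed whatever plotting tool is at hand; the parsing and aggregation are the part that every such front end has to get right.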
By Lars Hansson (203.65.245.7) lars@unet.net.ph on
No small or home business is going to buy Cisco PIX and as stated *NO ONE* uses Cisco's graphical UI's in production.
By Dan (80.178.63.111) on
>
> No small or home business is going to buy Cisco PIX and as stated *NO ONE* uses Cisco's graphical UI's in production.
>
>
This is not true.
I have many customers who are using the GUI - ASDM.
The latest release even got a normal log viewer, and supports nested objects without binding them to interfaces.
*I* do not use GUI, as I do not configure the access-lists and debug them.
By ostiguy (24.218.143.153) on www.ostiguy.com
>
> No small or home business is going to buy Cisco PIX and as stated *NO ONE* uses Cisco's graphical UI's in production.
>
>
Crazy talk. Cisco's 10 user licensed PIX 501 is US$400. Their end user VPN client software is pretty nice, and thus the whole package is very reasonable, even with installation time. I have deployed over a half dozen in my moonlighting adventures.
The PDM gui has gotten better. I haven't played with the 7.x version yet as I don't own a device that can run it.
By Anonymous Coward (82.40.182.26) on
The average home user (or even many small business users) want one thing: install and forget protection. The smarter ones might even realise that a firewall on the network gateway only protects them against certain types of attack and does nothing against e.g. opening untrusted email attachments. These users don't need graphs, and marking down OpenBSD for "Just Working" is absurd. It's nearly as absurd as saying OpenBSD needs professional support. The networking and PF FAQs are possibly some of the best written, clear and informative documents I've read.
By Anonymous Coward (66.9.128.66) on
Too bad the docs on making VPNs aren't as nice. I still haven't been able to make a "road warrior" setup work, there don't seem to be any reasonable docs on how this is done. Lots of mailing list posts though, none of which give very clear instructions.
I ended up using OpenVPN; it was much easier.
By Anonymous Coward (74.115.21.120) on
>
I replaced an existing OpenVPN setup with OpenBSD's IPsec because it was so much easier. OpenVPN is a big, complex, ugly to configure pile of crap. Its *only* redeeming quality is the fact that it has a client for Windows that, if you set it up for people, they can typically manage to use.
By Kenny (68.83.79.93) escapenguin@gmail.com on
>
> Too bad the docs on making VPNs aren't as nice. I still haven't been able to make a "road warrior" setup work, there don't seem to be any reasonable docs on how this is done. Lots of mailing list posts though, none of which give very clear instructions.
>
> I ended up using OpenVPN, it was much easier.
>
There's a book written by people who used to contribute to this site (maybe they still do, not sure). It details setting the IPSEC stuff up. It might do you well to check it out.
http://www.awprofessional.com/bookstore/product.asp?isbn=0321193660&rl=1
By Anonymous Coward (58.163.155.171) on
That is bullshit!
By Anonymous Coward (24.84.108.103) on
> actually have it mean something to them (as opposed the average Joe
> Windows home user who is simply impressed by graphs in general) then
> they are smart enough to be able to generate that graph themselves.
An executive who sees a graph of average sustained bandwidth where the trend is rising sharply upwards might think: "Wow, we're going to get a huge bill at the end of the month. We should dig deeper and figure out which customer is causing the traffic." If you're saying that the only people who can make solid business decisions based on graphs are those who can generate them, then your experience must be sorely lacking.
By teemu (teemu) on
>
> Why don't functionality and manageability by themselves determine how a product ranks? If my experience using and managing the product is good, then I give it high marks -- regardless of whether it has a GUI or pretty graphs.
> A number of Pix admins I know refuse to use the Pix management GUI and stick to the CLI. Whether or not PDM was around wouldn't impact their assessment. And I know a number of firewall admins who consider the fact that Check Points can't be managed flexibly outside of the GUI a mark against the product.
word! pf syntax can be read and understood if you're capable of reading and understanding simple English. one reason why checkpoint and others lack this sophisticated grammar, that's why they need GUIs; ever tried to convert checkpoint .c files to something different, readable? welcome to hell if so.
>
> I realize that it's a matter of personal preference, and that some people are GUI oriented. But that's not everyone. Some people, like me, rate the application higher if there isn't some flashy GUI to have to click through in order to manage something which is intrinsically simple.
>
gui constrain me, comfort == shell/vi
> PF rocks, plain and simple. I consider the fact that I can manage it using nothing more than my shell and a text editor over SSH more usable than other options.
By Marc Espie (espie) on
Because there is more to the security business than just functionality.
In most organizations, you will also have to deal with non-informed management types, and most of them insist on getting meaningless graphics that show them that they are in charge (heck, I've even seen one tech-wannabe wanting to register a patent on some basic `manager security dashboard' idea).
In many setups, if you want to have better security, you're much better off if you can get upper management to stop breathing down your neck. Considering that these people have no technical background (or forgot their brains at the entrance when they turned management), you can expect some pretty meaningless AND time wasting requests from them.
Remember, every hour you spend painstakingly putting together a `risk assessment and this month's attack summary' does not cost them ANYTHING, since it's not taken off their work time, and they will be quick to dismiss it, stating that `it's obvious to build, so it's taken five minutes of your time, right?' (for stuff that usually takes half a day or a full day to produce).
Cisco understands this perfectly, and delivers manager-ready firewalls, which ALSO do the technical part reasonably well. It can be misconfigured, and it has holes, but the default configuration is moron-accessible, and you can build reasonable VPNs out of them with very little technical training.
OpenBSD doesn't compete in that market. It's not the project's goal. Any enterprising company CAN grab the OpenBSD base and produce some manager-ready tools out of them. In fact, quite a few companies do. Peered inside an `all-in-one' firewall recently ? Once you scrape the labels, you will find a Linux/FreeBSD/OpenBSD inside (if you're lucky, it will be OpenBSD).
For the time being, it looks like no free software project has this kind of product as a goal, they're all commercial...
By Joachim Schipper (Joachim) on
>
> Because there is more to the security business than just functionality.
>
> In most organizations, you will also have to deal with non-informed management types, and most of them insist on getting meaningless graphics (...)
> For the time being, it looks like no free software project has this kind of product as a goal, they're all commercial...
Wouldn't you consider something like SmoothWall, IPCop, and m0n0wall, for instance, to be open source projects that try to be just such a firewall? Granted, they tend to be geared towards the home user rather than 'the enterprise' - but the difference isn't that big.
On another note, it's a bit strange the article doesn't mention the oodles of add-ons (ports) that can provide graphical reporting, at least. There is no real alternative to vi for building pf.conf, but I'm not sure that is that big of a drawback - visual reports are both useful for management and as a quick overview for the techies, but configuring a firewall is a very technical matter with or without GUI.
Joachim
By Marc Espie (espie) on
> Wouldn't you consider something SmoothWall, IPCop, and m0n0wall, for instance, to be open source projects that try to be just such a firewall? Granted, they tend to be geared towards the home user rather than 'the enterprise' - but the difference isn't that big.
They lack the polish. They won't give the graphs the management types expect.
> On another note, it's a bit strange the article doesn't mention the oodles of add-ons (ports) that can provide graphical reporting, at least. There is no real alternative to vi for building pf.conf, but I'm not sure that is that big of a drawback - visual reports are both useful for management and as a quick overview for the techies, but configuring a firewall is a very technical matter with or without GUI.
Again, because it's not out of the box. Those half-witted technical types who will build firewalls won't look beyond the basic OS.
Well, configuring a firewall is a technical matter, which is why most firewalls out there are misconfigured, you know...
The O'Reilly paper caters to people who need those `tests'. Real knowledgeable people have known about pf for a while (it's not the best kept secret in the universe). Giving them a simple alternative to PIX if they lack the budget is cool. Looking at all the tools that can help with pf is outside the scope of the study (and again, lots of configuration, wow...)
By Lars Hansson (203.65.245.7) lars@unet..net.ph on
On the other hand you can, depending on your position, pretty much make those graphs up using some reasonable guesstimates. It's not like the management types would know the difference. :P
Btw, exactly what graphs is it that management types want? I haven't ever gotten any requests for any graphs from our firewalls and I do work for a pretty big multinational enterprise.
By Anonymous Coward (74.238.123.249) on
>
> On the other hand you can, depending on your position, pretty much make those graphs up using some reasonable guesstimates. It's not like the management types would know the difference. :P
> Btw, exactly what graphs is it that management types want? I haven't ever gotten any requests for any graphs from our firewalls and I do work for a pretty big multinational enterprise.
>
oh come on, Lars! Don't you want to continue this fantasy conversation about mgmt. demanding graphs and wannabe techs and blah blah blah... ?
I mean, why don't we start demanding TPS reports??? Why can't OpenBSD generate TPS reports???
By Anonymous Coward (75.202.242.74) on
By Anonymous Coward (210.1.204.231) on
By Anonymous Coward (216.17.75.74) on
What?
access-list outside_acl remark some filtering rules here
access-list outside_acl ... permit and or deny some stuff
access-list inside_acl remark some filtering rules here
access-list inside_acl ... permit and or deny some stuff
...
access-group outside_acl in interface outside
access-group inside_acl in interface inside
voila, higher security to lower security filtering
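For readers coming from the PF side, here is the same per-interface policy expressed as a pf.conf fragment. This is an added sketch, not configuration from the article or from the poster above: the interface names `fxp0`/`fxp1`, the LAN prefix and the port lists are assumptions chosen for illustration. PF has no notion of interface security levels, so what the PIX gets from "higher security to lower security" defaults has to be written out: a default deny on each interface, followed by explicit pass rules (pf's last-matching-rule-wins evaluation means the pass rules override the blocks above them, and `keep state` lets replies through without a matching rule in the other direction).

```pf
# pf.conf sketch of the two-ACL layout above (added example, assumed names).
ext_if  = "fxp0"            # "outside" interface
int_if  = "fxp1"            # "inside" interface
lan_net = "192.168.1.0/24"  # assumed inside network

set skip on lo

# Default deny on both interfaces; every pass below punches an explicit hole.
# Logging the blocks feeds pflog, which is what reporting front ends read.
block in log on $ext_if
block in log on $int_if

# Equivalent of "access-group outside_acl in interface outside":
# what the outside may reach on the inside (assumed: mail and web servers).
pass in on $ext_if proto tcp from any to $lan_net port { 25, 80 } \
    flags S/SA keep state

# Equivalent of "access-group inside_acl in interface inside":
# what the LAN may reach outside (assumed: ssh, DNS, web, plus ping).
pass in on $int_if proto { tcp, udp } from $lan_net to any \
    port { 22, 53, 80, 443 } keep state
pass in on $int_if proto icmp from $lan_net to any keep state
```

Before loading such a ruleset, `pfctl -nf /etc/pf.conf` parses it without applying it, which is the cheapest check against a typo that would either lock you out or open more than intended.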
By Anonymous Coward (212.202.20.246) on
They should have a look at openbsd.org/products.html and openbsd.org/support.html. You can get professional OpenBSD support and there are professional OpenBSD-based products including all the GUI/Support/Admin/... goo available. At least the GeNUA and .vantronix firewalls are running at big and critical sites as well as in small and medium companies.
Another fact is that OpenBSD firewalls are very successful in replacing existing installations like the Smoothwalls, Watchguards, or even PIXes of this world ;-).
By Anonymous Coward (24.37.236.100) on
By Joachim Schipper (Joachim) on
Presumably, because it offers reasonable protection for a very modest investment of time (learning) and money (can run on most any hardware).
Or was your question 'why do people use Smoothwall instead of (favourite firewall 'distribution' of choice)'?
Joachim
By Anonymous Coward (24.37.236.100) on
>
> Presumably, because it offers reasonable protection for a very modest investment of time (learning) and money (can run on most any hardware).
>
> Or was your question 'why do people use Smoothwall instead of (favourite firewall 'distribution' of choice)'?
>
> Joachim
A bit of both, somewhat of a sarcastic rhetorical question... :-)
Of course there are also m0n0wall, pfSense, etc., which are easy to use and have a nice web interface for those who prefer that.
By Renaud Allard (85.201.63.39) renaud @ llorien.org on
I just noted they said that OpenBSD was the best one if you don't need fancy useless stuff like graphs or GUIs.
By Anonymous Coward (74.238.123.249) on
> I just noted they said that OpenBSD was the best one if you don't need fancy useless stuff like graphs or GUIs.
>
I agree... Comparing 3 firewalls with the depth they covered is like comparing 3 cars... 1 minivan, 1 corvette, and 1 motorcycle... which one is the best for every person out there? How is that possibly a question anyone asks themselves, let alone needs an entire article to find the answer to?
I think a more precise comparison (say, more firewalls, or just one topic about the three like VPN tunneling or transparent bridging capabilities) would go a long way to improving the value of the article... and they probably had the knowledge to write about such things.
By Daniel Ouellet (66.63.10.94) daniel@presscom.net on
Not sure that I like the article so much or that it does represent all of it, but regardless, none are usually very well done. In any case the article does talk about ease of use, GUI, etc. I just got a smile when I looked down the article to the list of references!
Cisco's list is pretty long, even SmoothWall's if you actually go to the site and look at the list there: many PDFs to download, and none that small either.
Compare that to the FAQ 4 pointed out for the OS itself and then the PF section. I don't know about you, but to me just that shows the differences. So, if one really cares to look, they will see which one is the simplest one to use, GUI or not!
So, let the brainless point and click get hacked and the serious ones do it right and simply with full control.
Most people really concerned about security should be able to figure it out if they are serious about it.
The references alone show you the way!
By Anonymous Coward (82.40.182.26) on
Pity for the rest of us that the brainless who point, click and get hacked are the very same who unwittingly generate the tsunami of spam and targeted DDoS attacks that is the daily routine on the internet.
By Anonymous Coward (24.18.237.29) on
what hardware is required for >20kpps?
By Igor Sobrado (sobrado) on
>
> what hardware is required for >20kpps?
It depends on the complexity of the ruleset, its optimization level (even if pf automatically optimizes rulesets, a good ruleset design still helps) and, of course, the mean number of rules required to process each packet. I think that you will need to do some testing yourself.
If in doubt, buy the best hardware (computer and NICs) you can afford.
By Anonymous Coward (199.202.164.35) on
Like for a Cisco PIX, 20 KPPS might be easy or hard to do. If you want to replace a PIX 515E, likely any Pentium 1.5 GHz or better will do the job fine. What is CPU intensive on a firewall like PF or a PIX is not really transferring packets but the number of STATEs (new connections) that must be created every second (how many times per second the ruleset must be interpreted and how long this ruleset is on average).
At 20 KPPS (real and sustained), one of the determining factors is the quality of the Ethernet card. Cheap $15 cards of the 10/100 Mbit/s variety can cause problems, especially with cheap ($50) switches. Otherwise, I have good experience with many Intel and Broadcom chipsets.
XEON 2 GHz -- IPSEC + PF at 6 KPPS (40 Mbits), less than 40% CPU cycles. Now, I believe that IPSEC causes much of the CPU consumption. This server is also doing other tasks.
XEON 2 GHz -- More than 1000 PF rules. The base load of this system is 1 KPPS generated by over 1000 workstations (when nobody is at work). Basically, the system is idle at this load, <1% or 2% CPU. This system experiences sustained peaks of over 35 Kpps. Its CPU cycle consumption is generally less than 20% in steady state. Rules are not optimized for performance, frequently modified or added without any consideration for performance. This server also runs ALTQ queuing, SQUID, SMTP, routing (BGPD and RIPD) and some more.
I have a Pentium II 450 MHz that sustains over 20 KPPS in a specific scenario (4 100 Mbit/s interfaces). However, there are cases where you will see the CPU peak at 100%. I am not even sure that this is related to PF.
Sorry, I have no experience of OpenBSD machines without a ruleset. Even my Pentium 133 at home has a ruleset of over 200 PF rules. Even this machine experiences peaks in excess of 2 KPPS.
> I would love to try openbsd but can users give their examples of usage in regards to packets per second and system utilization? with and without ruleset.
>
> what hardware is required for >20kpps?
By wanking coward (89.59.168.139) on