Cisco Meets its Match
Recently I was looking to upgrade the appliance I use for Parallel42.ca. I looked at numerous products but kept coming back to Cisco; although the Juniper products looked very appealing, I had a price point in mind and Cisco was favourable. I also was shying away from UTMs, so even the ASA was not really fitting the bill. I started looking at the Integrated Services Routers, finally deciding on the 851. The Cisco 851 is not your traditional router: it has a built-in 4-port 10/100 switch and a WAN interface, and with the IOS Firewall feature set it is closer to a small firewall appliance than to a classic router. That's the good news.
Things got a bit ugly after I got it installed. Although Cisco touts its easy-to-set-up IOS web tools, the SDM is so poorly written that it sends bogus IOS commands to the router and results in unusable configs. If you think that is frustrating, a trip to the Cisco support forums results in typical CCNA elitist comments like "any real professional uses the CLI". Get real: how about a real company coming up with a decent GUI tool that doesn't practically brick its appliances? I had the CLI open on a notebook, the SDM going from my desktop and a third web GUI open to try to get this thing passing packets. Eventually I downloaded the Cisco Network Assistant to give that tool a chance to turn around the rapidly unfolding debacle. While the CNA was more polished and obviously would be of great use in large Cisco deployments, it still did not get the job done. I could not afford any more downtime, so I reconnected my old gear and started thinking about alternatives.
Enter pfSense, the FreeBSD-based firewall distribution that started as a fork of the m0n0wall project. Having used several host-based firewalls like Smoothwall and m0n0wall over the years, I figured I'd give pfSense a shot. I threw together a PIII 550 with 256MB RAM and a pair of Intel NICs and installed pfSense, which ships as a LiveCD that you can then install to disk or a USB drive. The most basic setup is done from a menu-driven console: once the interfaces are assigned and the LAN side has an IP, you can access the web UI. Better yet, it's a web UI that works! From there I was able to configure PPPoE and all the NAT settings I needed in minutes. After that it was just a matter of moving a few cables, and I was switched over with an absolute minimum of downtime.
The feature set of pfSense is rich, easily on par with commercial appliances: IPsec, 1:1 NAT, inbound and outbound load balancing, failover, good logging options, lots of built-in graphing and monitoring, and an excellent UI. It's built on FreeBSD 7.0 and costs you absolutely nothing. The distribution is under constant development, and its current status as per Secunia is zero unpatched vulnerabilities (a count of publicly reported advisories at the time of writing, not a guarantee; check the advisory list and keep the box updated yourself). The pfSense community is active, and the packages and add-ons it develops give the operator many options. The nice thing about such an inexpensive solution is that you can easily afford to build a second box, either to run in failover mode (pfSense supports CARP-based failover) or to keep as a cold spare should your pfSense hardware fail.
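To make the PPPoE, outbound NAT, port-forward and 1:1 NAT settings described above concrete, here is what the equivalent hand-written ruleset looks like for pf on FreeBSD of that era. This is an added example, not the page's or pfSense's own code: pfSense generates its own ruleset from the web UI (it lands in /tmp/rules.debug on the box), so you would never edit this by hand on a pfSense install. The interface names (tun0 for the PPPoE link as created by ppp(8), fxp0 for the LAN NIC), the 192.168.1.0/24 LAN, the internal hosts and the 203.0.113.20 public address are all assumptions; the binat line in particular only works if your ISP routes a static public block to you in addition to the PPPoE address.

```pf
# Assumed interface names and addresses (not from the original post).
ext_if  = "tun0"             # PPPoE link from ppp(8); address is dynamic
int_if  = "fxp0"             # LAN side of the PIII box
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"     # internal host reached through a port forward
dmz_srv = "192.168.1.20"     # internal host given a full 1:1 mapping
dmz_pub = "203.0.113.20"     # assumed static public address routed by the ISP

set skip on lo0
scrub in all                 # normalise fragments before filtering

# --- Translation rules (must precede the filter rules in old pf syntax) ---

# Outbound NAT: hide the LAN behind whatever address PPPoE hands us.
# The parentheses make pf re-read the interface address when it changes.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Inbound NAT (port forward): TCP/80 on the WAN address goes to the web server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# 1:1 NAT: bidirectional mapping of one internal host to one public address.
binat on $ext_if from $dmz_srv to any -> $dmz_pub

# --- Filter rules ---

# Default deny inbound and log it; this is the "firewall" part.
block in log all

# Anything the firewall or the LAN sends out is allowed, with state.
pass out quick on $ext_if keep state
pass in on $int_if from $lan_net to any keep state

# Filter rules see the *translated* destination, so pass to the
# internal addresses, not the public ones. Only TCP/80 and TCP/443 are
# opened; everything else toward those hosts stays blocked.
pass in on $ext_if proto tcp from any to $web_srv port 80  flags S/SA keep state
pass in on $ext_if proto tcp from any to $dmz_srv port 443 flags S/SA keep state
```

Two points worth carrying over to the web UI: after a rdr or binat rule the firewall rule must match the internal (translated) address, which is why pfSense's port-forward screen offers to create the matching filter rule for you; and a 1:1 mapping exposes every port on the internal host that you pass, so keep the filter rule for it as narrow as the rule for the port forward. Check a hand-edited file with `pfctl -nf /etc/pf.conf` before loading it.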
I will likely continue to use pfSense going forward as my main firewall. I guess I will still play with the 851; I can use it to learn more IOS and become a 1337 Cisco zealot like those I so admire.