Open source firewalls and Enterprise

I’m new to the pfSense and OPNsense projects. I was introduced to them by a work colleague who said that if I was looking forward to home projects, I should start by getting rid of my Asus router. Fast forward a year and I’m rocking pfSense at home, with additional deployments at friends’ houses managing various home lab projects for them, as well as network monitoring with Zabbix.

The point of this post is that I do see viability for open source firewalls in a large enterprise, particularly in the fintech space where I currently am. From everyone’s experience, do we find that pfSense, for example, could find a home in a large enterprise that already has Juniper SRXs and Palos? Granted, no one firewall is supreme, but for a lot of our VPN concentrators I see no reason why we couldn’t get rid of an expensive SRX and put a pfSense in its place. Barely a quarter of the price, with support included.
The grand prize would be to replace the Palo Altos. Is there a feature similar to App-ID?
I’m in a position to influence and change design, so feedback is very important. Tell me the pros and cons of deploying a Netgate (or white box). Are there scalability concerns? I noticed a lack of APIs, so I am concerned about the ability to automate.


When you need a stateful firewall with some ability for more in-depth firewall rules, sure, pfSense is great. Any place you need just a router, it’s great. But for a company that needs to pass PCI and SOX at a Fortune 500 level, no way will something that doesn’t have everything Palo et al. offer suffice.

Lots of banks use pfSense; you can tell from what’s in their job postings. But in front of the actual servers, and often between them as well, is going to be a “Next-Gen Firewall” or “Unified Threat Management” firewall.

The issue isn’t the technology. Suricata can do all the detailed inspections you want, and application detection is just applying L7 heuristics. The issue is creating the security and application policy feeds; even if you want to set up a project to make it open source, you’d still have to fund it. Any free feeds you can get are either volunteer run, or a sample taste from a for-profit, closed-source company.

The issue with pfSense as an NGFW competitor is that while you can bolt on Suricata for IPS and ntopng for application detection and traffic flow analysis, they don’t feed into each other. You can’t use the application detection in any security/routing/QoS policies, for example.

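To make the “they don’t feed into each other” point concrete, here is an added example (not code from pfSense, Netgate or the poster) of the glue you would have to write yourself: it reads Suricata EVE JSON events, applies a small policy to the `app_proto` field and alert severity, and emits `pfctl` table updates. The EVE field names (`event_type`, `app_proto`, `src_ip`, `dest_ip`, `alert.severity`) are Suricata’s; the table names `app_block` and `quarantine`, the policy, and the sample events are assumptions constructed for the example. Note what it cannot do: the decision is taken after the flow has already been seen and only at the IP level, which is exactly the gap between bolt-on detection and an inline App-ID style policy.

```python
"""Batch glue: Suricata EVE JSON -> pf table updates (added illustration).

Assumptions: the pf tables named below exist in the ruleset and are referenced
by rules such as "block in quick from <quarantine> to any" and
"block out quick to <app_block>"; nothing here is shipped by pfSense.
"""
import json
from collections import defaultdict

# Constructed sample EVE lines (not a real capture); the last one is malformed on purpose.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.10.5",'
    '"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","app_proto":"tls",'
    '"alert":{"signature_id":2001,"signature":"ET POLICY Example","category":"Potential Corporate Privacy Violation","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.10.6",'
    '"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","app_proto":"http"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.10.5",'
    '"dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP","app_proto":"tls",'
    '"alert":{"signature_id":2001,"signature":"ET POLICY Example","category":"Potential Corporate Privacy Violation","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.10.9",'
    '"dest_ip":"192.0.2.4","dest_port":22,"proto":"TCP","app_proto":"ssh"}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.10.7",'
    '"dest_ip":"192.0.2.9","dest_port":53,"proto":"UDP","app_proto":"dns",'
    '"alert":{"signature_id":2003,"signature":"ET INFO Example","category":"Misc activity","severity":3}}',
    'this line is not JSON and must be skipped',
])

# Hypothetical policy. Suricata severity 1 is the most severe, so "<= 2" means sev 1 or 2.
DEFAULT_POLICY = {
    "block_app_protos": {"ssh"},      # destinations of these app protocols go into block_table
    "block_table": "app_block",
    "quarantine_max_severity": 2,     # alert sources at this severity or worse go into quarantine_table
    "quarantine_table": "quarantine",
}


def parse_eve(text):
    """Parse EVE JSON lines. Returns (events, skipped); malformed lines are counted, not fatal."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(ev, dict) or "event_type" not in ev:
            skipped += 1
            continue
        events.append(ev)
    return events, skipped


def build_tables(events, policy=DEFAULT_POLICY):
    """Map events to {table_name: set(addresses)} according to the policy."""
    tables = defaultdict(set)
    for ev in events:
        # App-layer decision: only the destination address survives into pf; the app label is lost.
        if ev.get("app_proto") in policy["block_app_protos"] and ev.get("dest_ip"):
            tables[policy["block_table"]].add(ev["dest_ip"])
        # IPS decision: quarantine the internal source of a sufficiently severe alert.
        if ev.get("event_type") == "alert":
            sev = ev.get("alert", {}).get("severity")
            if isinstance(sev, int) and sev <= policy["quarantine_max_severity"] and ev.get("src_ip"):
                tables[policy["quarantine_table"]].add(ev["src_ip"])
    return dict(tables)


def render_pfctl(tables):
    """Deterministic pfctl commands; sorted so repeated runs diff cleanly."""
    return [f"pfctl -t {name} -T add {addr}"
            for name in sorted(tables) for addr in sorted(tables[name])]


if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE)
    print(f"# parsed {len(evs)} events, skipped {bad} malformed line(s)")
    for cmd in render_pfctl(build_tables(evs)):
        print(cmd)
```

Run it and it prints two `pfctl -t ... -T add ...` lines. Even this much glue has to be scheduled, has no notion of user or device identity, and reacts only to what Suricata already let through, which is why the post’s comparison with a commercial NGFW holds.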

Makes sense completely. That’s the perspective I was missing. There’s a reason Palos can charge $$$.

Speaking of feeds, I think, in my humble opinion, one of the things that Netgate could do is take ownership of popular apps like pfBlocker (pay the creator) and somehow mix in paid subscriptions there. All in one place, with the option to pay to play for enterprise service.
So that’s one of the pitfalls I see as well, where useful tools are volunteer run. Enterprises expect up-to-date content.

I appreciate your feedback. It’s all about where to place the pfSense. At the edge? Probably not. VPN concentrator or remote office? Probably yes.


As far as “remote office”, it depends on the scale of the business and whether you want to do local internet breakout (traffic from the remote branches to the internet leaves out their local connection) or full tunnel to a central office or datacenter. Most of what I’m seeing is companies moving to local internet breakout, and having firewalls like WatchGuard, Fortinet, or SonicWall at every remote office. This lets them have a consistent NGFW/UTM policy set on all traffic, without the downsides of tunneling everything to a central location. With the move from traditional phone systems (and nowadays a Cisco phone system is “traditional”) to fully cloud-based VoIP like Five9 and Teams Telephony, local internet breakout becomes even more important.


So if I’m understanding you correctly, then it’s most likely better to run an NGFW/UTM device in most areas around the network, in which case there isn’t a place for white box firewalls today. Granted, for corner cases maybe, but if you’ve already got a PA everywhere, why deploy a pfSense?
So am I correct that it’s a good fit for a small/mid environment? Hmmm. Even then, now that I’m writing this, depending on the business area they operate in, they may need to be compliant in some way, in which case you still have to look at the big names.


If a business is publicly traded, they will likely need to run something with more security functionality than pfSense and other stateful firewall systems at every WAN edge. But it doesn’t need to be a big name; Untangle would be a good example of an entry-level enterprise product. Some industries will have additional requirements, such as inspecting outbound traffic for PII and trade secrets.


pfSense is great, but for enterprise use it has the following problems:

  • No central management
  • Not a UTM replacement as of yet. App-ID sucks on pfSense and there is no way to manage it properly via regular rules.

Other than that, a lot of companies use pfSense in their core infrastructure for advanced routing, VPN, etc., as long as the need does not hit any limitations where expensive hardware with ASIC acceleration is needed.

Hi David,
What App-ID-like features are there on pfSense now? I’m new to the platform, so if there’s a package or setting I missed (most likely), please let me know.
Checking out the roadmap, I don’t see application filtering or anything like that as a feature, but again I may have missed a headline on this.

The only App-ID is to install the ntopng package, which will analyze the traffic and show you the results in its own web page. It is purely a reporting tool.

Snort (extra package) has some basic App-ID detection, but what you can do with the detection has some limitations. You should be able to configure some allow/block things based on IPs, etc. However, you won’t be able to automatically allow Facebook to a specific user logging into a certain machine. You will need to statically configure rules.

https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html#application-id-detection-with-openapp-id

That happened to me 25+ years ago with SME. Anyone remember that one?

Would be very interested in Tom’s perspective on this. Is pfSense ready for the enterprise WAN edge?

I hope so… lol. It has been used for years at many datacenters, colos, and by some very large companies. We have done consulting with many enterprise companies using it. We can’t disclose client names, but Netgate has a few customer stories on their site: Customer Stories

Coming back to this. Again, being a total beginner with pfSense, doesn’t Squid Proxy do something similar-ish in terms of applying rules to sites?

Squid Proxy is a headache to manage, as many sites do not like man-in-the-middle.

I think pfSense is great if you are leveraging it for edge connectivity, such as connecting sites via IPsec. I wouldn’t depend on it for layer 7 inspection of traffic, though, so make sure you run a good firewall behind it.

Nothing against what you said, I just find it funny that you have to put a pretty good firewall in front of another firewall. Might as well put the second firewall on the edge then.

No offense taken. We are all here to have a discussion and learn.

Most large enterprises will use edge routers for IPsec and BGP, for which I think pfSense is a good solution. But when it comes to L7 inspection, it is much less desirable.

Many network designs follow a hub-and-spoke setup, so each site will tunnel traffic back through a centralized firewall, which is why I would recommend a paid solution there. This will allow you to minimize your costs and still have solid security.


Most of the enterprises I worked at, and currently work at, are set up similarly: a VPN device on the WAN and another device running BGP.
So, me being very new to the open source firewall world, I am very interested in the pfSense software and really trying to find a place for it within my infrastructure. Maybe replace some SRXs (or any device with IKE gateways). I guess I was hoping it could be a replacement for more of my expensive units and the L7 feature set that a company needs to pay half its profits for.
I’m reaching the conclusion that I should treat it as an inexpensive VPN concentrator that can route at 10 Gbps. Not bad, but I guess deep down I was hoping for that killer feature like “we can do DPI for free and it’s awesome”.
