Question about site-blocking and PfSense

Cool debate, everyone. I will side with both sides. Crypto has really good points, so does Tom. How about what you use is decided by regulations, compliance, company policies, IT policies, and insurance requirements? If you need a UTM, use Palo Alto or Fortinet's stuff. Are you on the core side of things and just need VPN and powerful routing rules? Use pfSense. Problem solved. That will settle the debate on all things.


No. I didn’t say that.

Snort’s paid subscription contains IPS rules that are developed by Cisco’s Talos security group, one of the largest security research operations on the planet. So, that’s actually really good, and is precisely the kind of security intelligence I keep talking about.

BUT:

Snort is just an IPS. It detects malicious or non-standard network activity. That’s a good thing, but as I mentioned earlier, network based attacks are really not a big factor anymore, at least not outside the context of large enterprise networks and datacenters - not something you typically find in small businesses.

So to go back to pfSense, if you use pfSense with the paid Snort subscription, you substantially upped your game, but you still only have an L4 firewall with an IPS.

An IPS will not detect a malicious payload in encrypted traffic. Given that most internet traffic is encrypted, Snort is completely blind here. It does have the SSLPP engine, but that only looks at the metadata of an SSL/TLS session, e.g. which hosts communicate, URLs, the SSL handshake, etc. It can't look inside the actual payload.

In an ideal world, you want some kind of proxy / secure web gateway that decrypts SSL and scans the decrypted traffic based on good security intelligence. Most commercial firewalls can do this, or use separate proxies. In addition, deploy proper endpoint protection (not antivirus, use EDR/XDR with a behavioral analysis engine instead) and also make sure you properly secure your email traffic, e.g. use a secure email gateway that filters out phishing, spam and malicious attachments (again, requiring good security intelligence). This is what I would recommend as a solid security foundation for small businesses.

I would say your security requirements are predominantly decided by the threats you face, first and foremost. Everybody who uses the internet faces the same threats.

Do you buckle up in your car because of compliance and regulations, or do you buckle up to protect yourself from severe damage caused by an accident? :)
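To make the point about TLS metadata versus payload concrete, here is an added example (not code from the thread, Snort, or pfSense) that does what an SSL preprocessor can do without decryption: it parses the cleartext ClientHello record to pull out the SNI hostname and offered cipher suites, and reports an application-data record as nothing more than an opaque byte count. The ClientHello and the "ciphertext" bytes are constructed inline for the demo; a real client sends many more extensions, and the parser only handles the fields needed here.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello with one SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(range(32))                        # client random (fixed for the demo)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                             # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Constructed sample: a TLS application_data record wrapping opaque ciphertext."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def inspect_record(rec: bytes) -> dict:
    """Return what a passive, non-decrypting inspector can see in one TLS record."""
    ctype, _major, _minor, length = struct.unpack("!BBBH", rec[:5])
    payload = rec[5:5 + length]
    if ctype == 23:
        # Application data: after the handshake everything is ciphertext to us.
        return {"type": "application_data", "visible": False, "bytes": len(payload)}
    if ctype != 22 or not payload or payload[0] != 1:
        return {"type": f"record_{ctype}", "visible": False, "bytes": len(payload)}

    hs_len = int.from_bytes(payload[1:4], "big")
    p = payload[4:4 + hs_len]
    off = 2 + 32                                   # skip client_version and random
    sid_len = p[off]
    off += 1 + sid_len
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = p[off]
    off += 1 + comp_len

    sni = None
    if off + 2 <= len(p):
        ext_len = struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            edata = p[off:off + elen]
            off += elen
            if etype == 0 and len(edata) >= 5:
                # server_name list: 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"type": "client_hello", "visible": True, "sni": sni, "cipher_suites": suites}


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    data = build_application_data(b"\x8f\x1c\x00\xa7\x33\xe2\x41\x90")  # made-up bytes
    print(inspect_record(hello))
    print(inspect_record(data))
```

The first record yields the hostname and the cipher-suite list, which is exactly the kind of metadata an SSL preprocessor or SNI-based block list can act on. The second yields only a length, which is why a real content scan needs a decrypting proxy or secure web gateway rather than an IPS on the wire.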

The airbag broke my left orbit causing a rather large problem and a concussion, the seatbelt only made my chest sore for days. (true story)

Also, won't all this man-in-the-middle stuff end very soon as more browsers are programmed to detect when the certificate has been changed or the traffic has passed through a proxy? The same thing that will eventually stop us from filtering sites with block lists or allowing with whitelists? Yes, this is getting out of my knowledge area, which is why I'm asking. The closest I will probably ever get to this level of firewall might be in a Cisco cert course, maybe.

This is a fascinating and worthwhile debate,
but getting to the heart of the original question:
no, pfSense won't do what you need in this case.
Untangle will, as mentioned, because at the heart of a school's requirements is blocking their users from getting to unapproved content.