Choosing an Enterprise Firewall

There was once a time when we used all manner of commercial and free firewall systems. Commercial appliances worked, but major flaws prevented us from really embracing them. Once we discovered Open Source firewall solutions, we never turned back.

In the beginning, when we used several commercial firewall products, we noticed that they were quite expensive and carried restrictions on various components, such as VPNs, and on functionality. They worked OK for small networks, but if we needed something that pushed large bandwidth we would have to upgrade to an even more expensive solution that still might not meet all of our needs. This was disappointing.

Later we discovered that we could make our own firewalls using Linux with IPChains and IPTables on commodity hardware. That solution worked well for a while, but we found ourselves working hard to write hundreds of lines of filtering code to secure our perimeter and internal networks. The process was error-prone and tedious. We liked the end results of the process, but with so many lines of code, it was too easy to make a simple mistake and let the hell-hounds in. We found improvements later in the form of software “wrapper” programs like Shorewall (which we still use), but this solution also has its limitations in terms of ease of use.

We had also explored the great firewall code that the BSD world had provided and were duly impressed with its security levels and standards. But having to write many lines of code was equally tedious and error-prone, which kept us from adopting it. Fortunately, we discovered two wonderful projects that took the tedium out of firewall coding: M0n0wall and pfSense.

M0n0wall came first. It took the best of the BSD firewall code and added a nice web-based GUI that simplified firewalls to the point that almost anyone can manage them. We still use M0n0wall in several corporate settings and it does its job perfectly. M0n0wall works perfectly for many types of networks and security needs and runs on commodity solid-state appliances. Its security profile is excellent. It does lack a few of the super-elite features that some commercial offerings have; however, its younger brother pfSense fills that void.

pfSense is the new generation of open source firewalls and has an intuitive GUI, a tight security profile, ample native features, and many add-on packages that make it an excellent enterprise firewall system. When you add these facts to the ability to buy fast and reliable commodity security appliances, you get an outstanding security system for a fraction of the cost of commercial options.

You can read more about M0n0wall and pfSense on our website at http://fortuitous.com/en/services/security/