Hardware Versus Software Firewalls
Subject:   OpenBSD vs Cisco PIX vs Junniper vs FW-1 vs Others.
Date:   2007-02-28 21:20:52
From:   JYL
I find the paper interesting for a simple reason: It demonstrate that the like of Linksys and D-Link firewalls have help demystify this protection function. Otherwise, this new found knowledge also introduce an inaccurate understanding of the requirements for "Medium and Large Corporate Network". The analogy is similar to a "Home User" that have installed MS Windows XP once, at home, and have a hard time to understand that the corporate IT services will ask for two months of planning and testing before starting an "Upgrade Program" for a mere 1000 PC. Obviously, the IT specialists will insist that the complexity of both type of installation is not the same but, some people will always think that the IT specialist is trying to find a way to justify it paid.

At this time, most medium (1K to 2K workstation) to large corporate network use a two layers firewalls approach, often with some high availability function. In the world of large corporate security, Cisco PIX (and Junniper Netscreen and FW-1) are the equivalent of Microsoft Windows: you generally find them somewhere on the Network.

Contrarily to popular believed, security specialists are not an uniform breed. Some, so call security specialists are mere “Network security operator” that can't do little outside of a CLICK and DRAG Interface. They generally know one thing and operate it.

In this cases, the security design is often outsourced to either:

  • A Telco or others network specialists: In these cases, you often see a NOKIA FW-1 or CISCO PIX. (Good marketing to Network specialist, Good name, good reputation, good course and a fair amount of trained individual.).

  • or a Security Specialists: Then you see more variety: Obviously, the Cisco PIX and Nokia FW-1 are still potential challenger but Juniper Netscreen and many others such as OpenBSD and Linux might also be found.

When a corporation have more needs, it usually have a Network Specialist and a Security specialist. These networks generally have a two layers firewall with distinct DMZ area, VPN, Internal EMAIL servers with world class SPAM and Computer Virus filtering, Internet WEB servers, etc... Then, you see more variety in the corporate firewall landscape: Of course, you still see a lot of Cisco PIX, NOKIA FW-1 and Junipper Netscreen but you also see OpenBSD, Linux and many others devices that you seldom see in a smaller networks. Generally, what you found in there is related to “Standard”, “Ease of Support”, “High uptime capability”, specific function requirement, separation of duty, etc...

In these large corporate world, especially when high security is required, the Cisco PIX alone is often lacking severely and must be augmented with others security features.

Saving money with OpenBSD compare to a Cisco PIX in a large corporate setup: Maybe, Maybe not. Large corporations with several thousand users rarely run critical firewall function on “cheap hardware”. You use powerful, new and dedicated “SERVER CLASS” hardwares. Consequently, the cost of the equipments is high for any scenario you select: Cisco PIX or OpenBSD. If you merely want to terminate a VPN tunnel in a branch office, a small Cisco PIX or a small Junniper Netscreen is often cheaper than a server class OpenBSD machine.