Thursday, March 22, 2018

Combine or separate edge and main router and firewall?

Historically we've had a router that both connected us to the upstream network and was the "main" router for some of our subnets. It also was our edge firewall. Over time it's been migrated to VyOS, a seemingly dead fork of Vyatta before it went closed source. So obviously, due to lack of security updates and the like, we need to migrate to something new.

We'd like to stay FLOSS, though maybe with commercial support or available consultants for backup. The reason is mostly financial - we're also looking to add more internal firewalls between subnets, and would like consistency on the firewall side. We don't really have a budget for this (of course)...

So we tried using pfSense, and failed pretty badly, mostly due to it not supporting outgoing rules, and the assumptions built into it that you have an "inside" and "outside" network, as it's primarily a firewall. But we have 4 interfaces, of which 3 are "inside", on which there (currently) should be no rules applied, and 1 "outside" which needed 2-way rules, i.e. block most coming in, but also block some going out from any of the 3 inside networks. This proved tricky to implement due to manual duplication of rules and the like. It didn't seem a good way to try and keep them in sync over time either.

Anyway, this background got me to thinking - "Is it actually a good idea to combine the firewall and router here?". The local pros are:

1. FLOSS "transparent" firewalls don't work well (don't know if this is true currently)

2. "Extra" hardware and configuration

3. We've always done it combined (and I'm generally familiar with it combined, albeit with the more home Linksys-style combinations, which again pfSense seems to be targeting also)

But really - this means your appliance or software combination or whatever has to both be a router and a firewall and the UI has to understand both and your configs are even more complicated (maybe)... I'm sure that pfSense would have been fine if it was ONE connection with WAN on one side and LAN on the other.

I'm thinking about comparing Untangle and Shorewall next, but I wonder if they'll have the same issues around the UI, and I don't want to consider straight iptables or pf, even though they both support outgoing and incoming rules.

So - before I go further down a potential "garden path" - is it reasonable to combine the functions? Do "transparent" FLOSS firewalls work well? Am I missing a smart option (that isn't Fortinet cost, i.e. close to $0)? Am I being silly to try and keep firewalls consistent (I have options for edge firewalls that are "rented" from upstream, but could not use those internally, and host firewalls will generally be different anyway, a la Windows Firewall)...
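Added example, not part of the post: the 3-inside-plus-1-outside policy described above expressed as a single nftables ruleset on a combined router/firewall, with the inside interfaces declared once so the outbound restrictions are not copied per network. Interface names, the published host and the blocked destination are assumptions (addresses taken from the RFC 5737 documentation ranges).

```nft
#!/usr/sbin/nft -f
# Added example, not the post's configuration. Interface names and
# addresses are assumptions (RFC 5737 documentation ranges).
flush ruleset

define outside = eth0
define inside  = { eth1, eth2, eth3 }   # declared once, reused below

table inet edge {
    # Destinations that no inside network may reach (constructed placeholder)
    set blocked_out {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # management of the router itself only from the inside networks
        iifname $inside accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # inside <-> inside: plain routing, no filtering
        iifname $inside oifname $inside accept

        # inside -> outside: drop (and log) a few destinations and ports, allow the rest
        iifname $inside oifname $outside ip daddr @blocked_out log prefix "egress-block " drop
        iifname $inside oifname $outside tcp dport { 25, 445 } log prefix "egress-block " drop
        iifname $inside oifname $outside accept

        # outside -> inside: only explicitly published services; the chain
        # policy already drops everything else arriving on the outside interface
        iifname $outside oifname $inside ip daddr 203.0.113.10 tcp dport { 80, 443 } accept
    }
}
```

Validate the file with `nft -c -f edge.nft` before loading it; the "egress-block" log prefix gives the SOC a single string to alert on for inside hosts trying to reach blocked destinations.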
