Can you get real security without sacrificing speed and your wallet? When it comes to networking, the typical answer is no. Once you decide to host a web server yourself, network equipment manufacturers start drooling, ready to take a large bite out of your wallet, knowing you have no choice but to fork out the cash.
The search for the ideal firewall began when we were looking to host our own web server from our own office. Having seen first hand how badly wrecked unprotected servers could be, we needed to know that it was absolutely safe from prying eyes. Firewalls are the first, and arguably the most important, line of defense from getting hacked. The trouble is, they tend to bog down the network with their complicated algorithms and intrusion detection systems.
So it comes back to the age old question of speed vs security. You can have both, of course, but at a price. High end firewall systems cost an arm and a leg. They’re understandably expensive, considering how much responsibility they bear.
I found myself dissatisfied with the answer. Some expensive equipment is truly worth it, but I began to suspect that high end firewall systems were priced to fit the budgets of large corporate IT departments. What’s there for the small business owner who has to work around a budget? It seems the options are to stick to the consumer range of devices and keep your fingers crossed.
With off-the-shelf equipment being out of the question, it seemed like the only way was to build something ourselves. At the end of the day, firewalls are just computers, albeit ones that perform a very specific function.
We looked online and found pfSense. PF stands for packet filter, the rock solid software that BSD operating systems use to analyse network traffic. Built around an operating system so stable Apple decided to base theirs on it, we were pretty confident we had found what we were looking for.
This thing is blazing fast. Most people aren’t aware that routers have little processors inside them, most of them barely half the speed of your modern smartphone. They do pretty alright, mainly because most internet connection speeds haven’t quite maxed them out yet. The average router handles 30 Mbps connections without much complaint, until you bog it down with a few VPN tunnels and you start to notice the strain. But throw a little desktop computing muscle behind your router/firewall and it absolutely flies. Even with its comparatively low powered Intel Atom processor, our pfSense box managed 300 Mbps while fully functioning with its intrusion detection and firewall rules. Throw in a few VPN tunnels and there’s no noticeable strain, even if the throughput numbers go down a little.
But speed is only a part of it. The interface is what really surprised me. After the initial software setup, I entered my login details into the web based graphical interface to find everything amazingly easy to understand. If I wanted to add extra functions to the device, I just installed an additional package and away we go. No reboots, no complaints. If I added a port-forward rule, a corresponding firewall rule would optionally be created and marked out as such. It was all so clear and easy to understand. Instead of staring at cryptic messages on the command line and wondering what each statement actually did, I had cross-referenced firewall rules which clearly marked out what each of them was for. One look and you’d understand what was going on, and at the end of the day, that’s what security is really about. Understanding. Not throwing expensive equipment at a problem and crossing your fingers. Not knowing what security measures you actually have in place is as good as leaving a back door open and hoping that others will be kind to you.
Instead of laboriously trying to interpret what each line of a configuration script meant, afraid of removing permissions for fear of breaking something, I could readily understand what rules were in effect and why they were there. If something wasn’t working right, the log files were simple to understand and had quick shortcuts to allow something it had previously blocked. Instead of obscurity and confusion, you feel like you’re in absolute control with the pfSense interface.
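The pairing described above, a port forward plus the firewall rule it depends on, looks like this when written by hand as a pf ruleset. This is an added illustration, not the post’s own configuration and not what pfSense generates verbatim; the interface names and the server address are assumptions.

```pf
# Added example (not from the original post): a minimal pf ruleset showing
# why a port forward needs a matching pass rule. Interface names and the
# web server address are assumed/constructed values.
ext_if  = "em0"             # WAN interface (assumed name)
lan_if  = "em1"             # LAN interface (assumed name)
web_srv = "192.168.1.10"    # internal web server (constructed address)

# Translation rules come before filter rules in pf.conf.
# NAT: port forward WAN:80 -> web server:80 (the "port forward" entry).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default-deny on the WAN side; anything not listed below is dropped and logged.
block in log on $ext_if all

# NAT: linked firewall rule for the port forward above. Filtering happens
# after translation, so the rule must pass the internal (post-rdr)
# destination; without it the forward is silently blocked.
pass in log quick on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# Let LAN hosts reach the outside; everything else inbound stays blocked.
pass out quick on $ext_if proto { tcp udp icmp } from $lan_if:network to any keep state
```

Checking a ruleset for syntax errors before loading it can be done with `pfctl -nf /etc/pf.conf`, which parses the file without applying it.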
In terms of functionality, pfSense gives you everything you could possibly wish for, which is truly refreshing considering that most router manufacturers leave out key functions in their “small business” line of products, hoping you’ll pony up more for useful functions arbitrarily denied in their cheaper stuff. It comes with every type of VPN option imaginable, full featured intrusion detection, fancy graph charts of historical bandwidth usage and even a graphical breakdown of which hackers are sniffing about your network. It litters its interface with helpful little hints about what you might want to do and what the best practices are, rather than littering it with error messages complaining that you aren’t using Internet Explorer (yes, Cisco, that’s you).
With all this functionality served up to you in a well laid out web interface, there’s little to fault pfSense for, aside from the minor aesthetic issues with its default theme. Even that grows on you. pfSense is good. So good that you find yourself missing it, especially when you next find yourself having to configure a router on the command line and get a headache from furrowing your brow. It’s so good that it ruins its competition for you forever. It’s so good that you find yourself writing haikus into the comments section of firewall rules because you feel so relaxed and in control that you can’t help but wax a little poetical.
Even with the added work of getting the right hardware and the little extra effort of installing the software yourself, the payoff is well worth it. pfSense can make you a router so good it’ll be hard for you to use anything else.
By Victor Huang