In this article, we will be comparing two security products – pfSense and the Cisco Adaptive Security Appliance (ASA), to help you in choosing the right firewall for your network. We will take each product individually, looking at their pros and cons, and also discuss what scenario(s) they can be used and recommended.
pfSense and the Cisco ASA can basically be classed as perimeter security devices. At the simplest form of it, a perimeter security device provides protection for trusted devices (internal devices) against untrusted devices (external devices such as those on the Internet).
Let me begin our discussion on pfSense with my personal experience about this product. I was called into a client site to help fix a particular nagging problem on their network – some network users lose Internet access randomly without any seeming reason. They told me they had an “edge device” and I figured they meant a router of sorts. I was taken to the server room and shown a “desktop computer” which they called the edge device. I didn’t understand – how could an organization be using a computer as an edge device? I was given documentation from the contractor that built the network stating that pfSense was installed on this computer. Discovering pfSense was my task for the next couple of days after that visit!
pfSense is an open source routing and firewall software that is based on the FreeBSD distribution. The base software supports a lot of features including:
- Static/default/dynamic routing
- Stateful firewall
- Network Address Translation (NAT)
- Virtual Private Networks (VPN)
- Dynamic Host Configuration Protocol (DHCP)
- Domain Name System (DNS)
- Load balancing and so on.
Also, pfSense supports many add-on packages that can be installed with a single click including:
- Snort (for Intrusion Detection and Prevention)
- FreeSWITCH (Voice over IP)
- Squid (Proxy)
- Darkstat (Network Traffic Monitor)
Because of all these supported features and packages, pfSense may be better classified as a Unified Threat Management (UTM) appliance.
Pros of pfSense
Looking at the feature list above, you can see that pfSense is a very impressive software. In fact, let’s start off our pros list with this fact:
- pfSense is very robust supporting a lot of features and packages as listed above. This means that you can have one device perform all the functions you need at the edge of your network. Of course you can also think of this as a disadvantage – single point of failure. However, pfSense supports High Availability meaning you can group several devices together.
- pfSense is free! This will probably be the biggest benefit. The pfSense software itself is free and you can download the software image off their website here. Of course you need to install the software on some piece of hardware (virtualization is also supported) so it’s not completely free. However, even looking at the recommended hardware requirements, you can get suitable hardware for less than $200.
- The fact that pfSense is a software that can be installed on any hardware makes is quite scalable. You can easily expand the resources on your hardware in the event that your network needs increase.
Cons of pfSense
Having discussed some of the advantages of pfSense, let’s now highlight some of the cons of this product.
- The fact that pfSense is open source can actually be a disadvantage. The same reason many people use Windows/Mac as opposed to Linux for desktop computers is the same reason people will go for closed source routers versus open source ones. It’s a perception thing. The same way I was surprised seeing an organization using “a desktop computer” as an edge device is the same way organizations may not feel comfortable using an open source software as their perimeter device. This does not mean pfSense is in any way inferior to dedicated appliances from closed-source competitors, but it might encounter some resistance in being trusted if compared to other well known vendors
- There is also the question of guaranteed support. If you are not using dedicated hardware provided by pfSense and something goes wrong, would pfSense be able to resolve your problem and not default to the “hardware problem” response? From personal experience, I’ve seen pfSense fail, getting stuck in a boot loop but because I wasn’t using their dedicated appliance, I could not be sure if it was a software bug or hardware issue – so better use good hardware as a starting point.
- Configuration of pfSense is done through a Graphical User Interface (GUI). Actually, the reasoning behind the name pfSense is “making PF make more sense”. PF stands for Packet Filter which is the BSD stateful firewall on which pfSense is based on. So the developers wanted to make pfSense deployment easier by providing a GUI. However, techy people generally don’t like GUI – it’s not complex enough. Why would you need to hire and pay me to come and click “Next”? Does any other person feel this way or just me?
So, would I recommend pfSense to a customer? The answer is that it depends. For a small business that is not willing/able to spend a fortune on a router/firewall, pfSense makes sense (pun intended!) and offers a lot of features in a one-stop-shop solution.
I also reckon that some really technical people, if it was up to them, would be more open to use an open source software like pfSense. Notwithstanding my personal opinion, I know pfSense is being used on all kinds of networks, irrespective of the size.
The ASA is Cisco’s implementation of a firewall. Unlike pfSense, the Cisco ASA is mostly a dedicated firewall appliance although you have options for Intrusion Detection/Prevention System (IDS/IPS), URL filtering and malware protection. There are several models of the Cisco ASA depending on the size of the network and it also offers features like NAT, VPN and High Availability.
Pros of Cisco ASA
To mention a few of the things the Cisco ASA has going for it:
- The Cisco brand is strong in the network industry and there is a general brand loyalty to Cisco among many enterprise users (have you ever heard the joke “nobody gets fired for buying Cisco..”). If you are already using a Cisco router or switch (chances are that you are), then you may not want to look elsewhere when it’s time to buy a firewall – interoperability can be a pain sometimes.
- The fact that the Cisco ASA runs on dedicated hardware (virtualization is also available) means that it has good performance no matter the volume of traffic that needs to be processed (subject to model limits). This also means that not only will you get support for the ASA software, Cisco will also provide support for its hardware.
- One of the things Cisco got right was its certifications. By creating certification exams that can sometimes be very difficult to pass (read CCIE here), Cisco created a strong perception around their products, not to mention skilled engineers able to get their hands dirty. You will probably feel at peace knowing that you have a certified personnel handling your network security.
Cons of Cisco ASA
On the other hand, we can also mention some disadvantages of the Cisco ASA:
- Cost. Cisco is expensive, period. Not only is the hardware expensive (at least $400 for the smallest model), but you may end up drowning in unforeseen license costs. For example, if you are running (free) OpenVPN on pfSense and want to migrate to the Cisco ASA, you will probably need to pay for more AnyConnect licenses than is available by default. You want to add IPS? You pay for it. You want malware protection? More money. In fact, there are licenses to enable “security plus” features, things as basic as advanced encryption algorithms (DES vs. AES).
- As I mentioned before, the Cisco ASA is primarily a firewall. Adding “features” like IDS/IPS is not as easy as installing a package like we have with pfSense.
- Except you are using the Cisco Adaptive Security Virtual Appliance (ASAv), then you are stuck with the particular ASA model hardware that you have. If you need to scale, say your network requirements have increased, you will need to purchase another hardware. Again, money.
For someone who has spent a lot of time gaining knowledge in Cisco and its products, I would probably always recommend a Cisco product (not their access points though) to a customer as long as that customer can afford it.
I have been using the Cisco ASA since it was known as the PIX and I have hardly seen it fail. My personal sentiments aside, many organizations that I’ve worked with use the Cisco ASA as their perimeter device and because the Cisco ASA comes in many models, it can fit into any size of network.
There is something that these two security products have in common – good support. One of the issues people had with pfSense in the past was lack of support. However, this seems to have changed as the company now offers professional support apart from the support available from its community of users. Cisco also has a vibrant and active support community as well as offering professional support through Cisco Technical Assistance Center (TAC).
This brings us to the end of this article where we have compared pfSense and the Cisco ASA. We highlighted some pros and cons of each security product and also discussed where they are best suited for.
We concluded that pfSense may be best suited for a home office or small business network, not looking to spend a lot on an edge device. The fact that you can get a lot of features (like DHCP, DNS, VPN, Firewall, etc.) in one free software is very mouth watering. However, because of trust issues with open source software, larger organizations may not feel comfortable running pfSense as their perimeter device.
On the other hand, the Cisco ASA with its different models is suitable for all sizes of networks. It also has the established brand name of Cisco going for it plus the added benefit of providing support not just for their software but also their hardware. The biggest disadvantage of the Cisco ASA is the cost; so if you are a small business, you may want to look for less expensive alternatives.
I hope you have found this article informative (and unbiased). If you have any question or doubt, please feel free to comment the article below, and we’ll make sure to answer as soon as possible!