IPFire as a respected platform...

tx.hermit
Posts: 25
Joined: May 26th, 2018, 6:12 pm

IPFire as a respected platform...

Post by tx.hermit » July 3rd, 2018, 3:55 pm

This morning, my boss dragged me into a meeting with the owner of an "IT Support" company that we used to use. As is par for the course, that company is an absolute disaster made of varying people with varying "skill-sets." When I started at this company, I found we had a 500 Mb line that was plugged into a $40 Linksys flashed with DD-WRT which only had 100 Mb ports. Also, that "firewall" had about 20 ports forwarded straight to an unsecured Windows Server install, including a port 80 forward to the default install page of IIS.

I instantly trashed that router and set up a Core i5 Dell Optiplex (8 GB, dual Intel Pro 1000 NICs) as the new router running IPFire. The network has never run better. We have about 20 systems permanently on the network with about that many again "mobile" devices (phones, iPads, etc.).

Back to that meeting, as soon as the Support Company Owner found out I have been discovering the mess his techs have created on our network and that I had replaced their "firewall/router" setup, he instantly started trashing my setup. I asked if he had any experience with IPFire (or linux in general) and he said no. But, he kept harping on the "it's not standards based" and it is not proper for an office environment and that we need a "standards based firewall." Then promptly said he would work up some quotes for various top shelf items from Cisco, Sonicwall, etc... "That way," he said, "if you ever leave the company, someone else will be able to support that device, because as of right now, no one could come in and work on what you have setup." Apparently, in his mind, anyone can just walk in, and with little experience, support high-end networking equipment from someone like Cisco.

Sorry for the long post, but my question is this: is there somewhere I can find useful documentation (maybe with pretty pictures) that I can use to back up my choice? Has anyone done in-depth comparison testing on running a Linux-based firewall vs. a Cisco? I have been searching all morning, but not coming up with much. Any suggestions would be greatly appreciated.
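The "20 ports forwarded straight to an unsecured Windows Server" situation in the post above is the kind of thing worth checking for mechanically before arguing about vendors. Below is an added example, not code from the thread or from IPFire: a small audit that parses a port-forward rule list (in a constructed "proto wan_port -> dest_ip:dest_port" syntax, not IPFire's own configuration format), flags forwards to services that should never face the Internet without a VPN in front, marks commonly published ports for review, and calls out any single host that receives so many forwards that it looks exposed wholesale. The sample rule list, the risk wording and the threshold of five forwards per host are assumptions made for the example; the port numbers are the standard IANA assignments.

```python
import re
from collections import Counter, namedtuple

Forward = namedtuple("Forward", "proto wan_port dest_ip dest_port")
Finding = namedtuple("Finding", "severity rule reason")

# Constructed rule syntax for this example ("proto wan_port -> dest_ip:dest_port");
# this is NOT IPFire's own configuration format.
RULE_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

# Services that should not be reachable from the Internet without a VPN or a
# hardened reverse proxy in front. Port numbers are the standard IANA assignments.
HIGH_RISK = {
    ("tcp", 21): "FTP (cleartext credentials)",
    ("tcp", 23): "Telnet (cleartext)",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB",
    ("tcp", 1433): "MSSQL",
    ("tcp", 3389): "RDP",
    ("tcp", 5985): "WinRM (HTTP)",
    ("tcp", 5986): "WinRM (HTTPS)",
}

# Commonly published services: legitimate to forward, but confirm the listener is
# actually meant to be public (a default IIS page is not).
REVIEW = {
    ("tcp", 22): "SSH",
    ("tcp", 25): "SMTP",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
}

# A single host receiving this many forwards is usually exposed wholesale rather
# than by design. The threshold is an assumption for this example.
WHOLESALE_THRESHOLD = 5


def parse_rules(text):
    """Parse the constructed rule syntax into Forward tuples; skip blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        proto, wan_port, dest_ip, dest_port = m.groups()
        rules.append(Forward(proto, int(wan_port), dest_ip, int(dest_port)))
    return rules


def audit_forwards(rules):
    """Classify each forward by destination service, then flag over-exposed hosts."""
    findings = []
    for r in rules:
        key = (r.proto, r.dest_port)
        if key in HIGH_RISK:
            findings.append(Finding("HIGH", r, HIGH_RISK[key]))
        elif key in REVIEW:
            findings.append(Finding("REVIEW", r, REVIEW[key]))
        else:
            findings.append(Finding("INFO", r, "non-standard port; identify the listener"))
    per_host = Counter(r.dest_ip for r in rules)
    for host, n in per_host.items():
        if n >= WHOLESALE_THRESHOLD:
            findings.append(Finding("HIGH", None, f"{host} receives {n} forwards; host exposed wholesale"))
    # Highest severity first so the report leads with what must be fixed.
    order = {"HIGH": 0, "REVIEW": 1, "INFO": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def severity_counts(findings):
    """Counter of findings per severity, handy for a one-line summary."""
    return Counter(f.severity for f in findings)


# Constructed sample: one Windows host forwarded nearly wholesale, plus a VPN listener.
SAMPLE_RULES = """\
tcp 80   -> 192.168.1.10:80
tcp 443  -> 192.168.1.10:443
tcp 3389 -> 192.168.1.10:3389
tcp 445  -> 192.168.1.10:445
tcp 135  -> 192.168.1.10:135
tcp 139  -> 192.168.1.10:139
tcp 1433 -> 192.168.1.10:1433
tcp 5985 -> 192.168.1.10:5985
tcp 21   -> 192.168.1.10:21
udp 1194 -> 192.168.1.2:1194
"""

if __name__ == "__main__":
    findings = audit_forwards(parse_rules(SAMPLE_RULES))
    for f in findings:
        target = (f"{f.rule.proto}/{f.rule.wan_port} -> {f.rule.dest_ip}:{f.rule.dest_port}"
                  if f.rule else "-")
        print(f"{f.severity:6} {target:36} {f.reason}")
    print(dict(severity_counts(findings)))
```

Run against the constructed sample it reports seven high-risk forwards to the Windows host, an eighth HIGH finding for the host itself because nine forwards point at it, two REVIEW entries (80 and 443, where the question is whether the listener is meant to be public), and one INFO entry for the UDP VPN port. The same classification works on any rule export once you adapt parse_rules to the real format.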

zargano
Posts: 192
Joined: December 29th, 2017, 7:50 pm
Location: Nordlicht im Ländle

Re: IPFire as a respected platform...

Post by zargano » July 3rd, 2018, 7:35 pm

Hi there,

it sounds a bit as if you have brought the owner of that "IT support company" (the external guy) into a situation where he felt he had lost face. No wonder, because you have some hard facts (e.g. the inappropriate DD-WRT router) showing that his work was a mess.

So you should figure out now whom you need to convince: your boss, or the external guy?

If it is (hopefully!) your boss, talk with him separately. If it is the external guy (because your boss believes all the rubbish that guy is talking and does not believe you), you will have a hard time.

You may try to point to https://wiki.ipfire.org/ in order to show some IPFire documentation. However, tons of information are also available for Cisco or whatever other commercial solution; that won't demonstrate that the Ciscos etc. are easier to manage. Ask the guy why he chose the setup with the DD-WRT router (and not Cisco). Ask why he configured the firewall as you found it. (Whether it is a Cisco or IPFire: if you have an incompetent administrator, the firewall won't be fit for its intended job.)

In contrast to Cisco etc, IPFire and Linux are open source. Ask the guy what he thinks of open source: does he believe in Steve Ballmer https://www.theregister.co.uk/2001/06/0 ... _a_cancer/ or in Satya Nadella https://www.cnbc.com/2018/04/16/microso ... vices.html ? (Ballmer is history, Nadella rulez Microsoft.) Try to tackle the guy where he is weak.

Towards your boss, try to use language a boss will understand. Provide him with information on how little time you (being an IPFire newbie) needed to set up IPFire. Provide him with information about your personal documentation, e.g. on the configuration. (The documentation should provide evidence that any IT expert could seamlessly take over your IPFire. Upfront, let someone else you trust cross-check that your documentation is reasonable.) Demonstrate what the price of the IPFire hardware was. Put the bits and pieces together and try to provide numbers on total cost of ownership (newbie training, hardware, initial setup and configuration, regular maintenance, ...). Then try to estimate the same for a commercial Cisco firewall.

In essence, you should define the rules of the "game" you are playing, don't leave it to the external guy.

tx.hermit
Posts: 25
Joined: May 26th, 2018, 6:12 pm

Re: IPFire as a respected platform...

Post by tx.hermit » July 3rd, 2018, 9:22 pm

Thanks for the follow up. The situation is basically as you describe.

I brought up this topic on Spiceworks, and was instantly (in a polite manner) dumped on for not embracing the big hardware companies.

As of right now, I am getting 536.38 Mb/s to the desktop. That is through the IPFire box and 3 switches. And, we are only contracting for 500 Mb/s, so no complaints on the connection. As I have been cleaning things up here, our network is running significantly better. I was getting 43 Mb/s to my desktop.

I am not opposed to buying a respected piece of commercial hardware (the Ubiquiti Networks EdgeRouter Pro seems like decent gear for the price), but buying a low-end piece of gear from Cisco is not going to outperform the box currently in place. If I had the budget for mid- to high-end gear, then that would be a different story.

His argument about future support people having trouble really upsets me. He has never looked at anything similar to IPFire (and seemed offended when I asked if he had), and in all reality, once running, it is no more difficult to manage on a day-to-day than a high-end consumer router. On the other hand, an inexperienced person coming in and trying to bumble through the settings on a Cisco would quickly create a nightmare.

neolithic
Posts: 5
Joined: April 11th, 2018, 11:19 pm

Re: IPFire as a respected platform...

Post by neolithic » July 3rd, 2018, 11:15 pm

I am so with you on this. I run a small network for a collective of small independent business owners, and I've got their network running on an IPFire box. It only has 8 GB of RAM, and never even uses half of it, which is great. I ran Untangle on the same box and it would max out the RAM after a couple of weeks. Not that I don't like Untangle, it's a good system, but it's not free. I've been using open source tools for years and am serious about the philosophy and the whole movement. I am self-employed but in the past have tried to get a job in the IT sector and been bummed out by the very attitudes you are talking about, and as far as I can tell, about 98% of the people concerned with, or working in, IT are robots trained in proprietary software and equipment.

I say there's nothing wrong, in fact it's a great thing, in building a custom system and running open source stuff on it. Granted, I'm no expert in Cisco etc., but the truth is I don't want to be. I was trained as a support tech in the nineties and early 2000's on the Windows platform, but when I found Linux and open source in general, I felt like I had come home, and haven't regretted it. My only regret is that so many others are brainwashed to believe only in the corporate ways, which are all about making money, and usually at someone else's expense.

But I digress, can't help but get on my high-horse about this stuff. Really just wanted to say good on ya for championing the open source way and sticking to your guns. It's definitely not the easy path, and I wish you well going forward.

silverknight
Posts: 15
Joined: June 27th, 2010, 2:01 pm

Re: IPFire as a respected platform...

Post by silverknight » July 3rd, 2018, 11:44 pm

I would wait and see what the "IT Support" owner brings to the table first and calmly give some facts on the cost/value comparison of the feature set vs. IPFire. No matter what they show up with, there will be big yearly licensing costs for features IPFire has out of the box. Cisco firewall? Even a cheap ASA is going to be more expensive in hardware alone, plus $350+/year to license the box. Don't license? The device becomes a dumb stateful firewall; might as well use the Linksys with DD-WRT. If they bring a SonicWall, those are easy to dismiss as they nickel-and-dime you for every single feature and user. VPN at $50/user per year? No thanks. You can really drive the argument home by showing costs over 5 years; donations to the IPFire crew are going to be much less than the licensing fees. Zargano also brought up a really good point about turning it back on him, and if done correctly it should completely destroy any argument the IT support owner has.

Deepcuts
Posts: 461
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: IPFire as a respected platform...

Post by Deepcuts » July 9th, 2018, 1:43 pm

There is a saying in my country, not very well translated into English, but you will get the point: after the war, many heroes show up.
As in: many companies tend to spend as little as they can on IT. If it barely works, it is OK.
Only on rare and special occasions will some parts of the infrastructure be upgraded to an optimal/professional grade.

I also work with these types of companies and of course, from time to time, someone will point out that X or Y is not implemented or not up to their standards, without even thinking about the required investment or whether management said "no money for this" in the past.

Just food for thought.

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: IPFire as a respected platform...

Post by Roberto Peña » July 9th, 2018, 4:23 pm

Hi tx.hermit.

I can just tell you that I have some 23 machines installed at different clients, and since I put them in, at some clients more than 3 to 4 years ago, they have not had any problem/incident.

Although certain features are missing from IPFire, I would not change it for anything.

You have to make a comparison of what IPFire has against the competition and then make a 5-year study of the cost.

So Fortinet / SonicWall has a sandbox. IPFire has a great IDS / IPS. It is not the same. So what?
So Fortinet / SonicWall has some I-don't-know-what. IPFire has this other thing that covers it.
...

Note that WatchGuard does not yet have (as far as I know) GeoIP filtering, and they boast about such and such. IPFire has had it for a long time.

That IPFire is not a standard? I laugh. Give your boss the admin and root credentials and the forum link. You win. If that IT company has already messed you up once, who says it will not happen again?

Good luck, and tell us how it goes.

╔════════════════════════════════════════════════╗
Donate to improve IPFire: https://www.ipfire.org/donate
╚════════════════════════════════════════════════╝

tx.hermit
Posts: 25
Joined: May 26th, 2018, 6:12 pm

Re: IPFire as a respected platform...

Post by tx.hermit » September 26th, 2018, 1:26 pm

Just a quick update...

After dealing with this issue for a few months, I am now being left alone to happily run my IPFire box (i5 Optiplex, 8 GB, dual Intel Pro 1000). In the interval I had gotten us set up as Cisco partners because a lot of our customers are truly enamored with the Meraki line of products. We recently spent about $1000 on a Meraki MX appliance to replace our "non-standard" firewall/router setup. Don't get me wrong, I love Cisco (even the Meraki stuff), but you have to be willing to pay for the appropriate level of hardware. We did not.

Against my suggestion, we spent too little (that was $1000 with our 80% NFR discount) for our current setup. The brand new MX cut our throughput almost in half (it was "rated" for 450 Mbps; it actually delivered about 300 on a good day with all the fancy security features turned off). Also, true standardized reporting is not available; the dashboard is beautiful, but IPFire gives significantly more info (not to mention SNMP).

As of yesterday, I was told to "fix" everything. I unplugged the Meraki, plugged my IPFire box back in, everything was instantly back online, running smoothly (however, I see I missed a core update). It's like slipping into a comfortable pair of broken in shoes.

I then told my boss that after we RMA the MX, I will need a couple hundred dollars to buy a nice, dedicated box for our firewall. Didn't even blink an eye.

Guess I have a few converts in my office now...

zargano
Posts: 192
Joined: December 29th, 2017, 7:50 pm
Location: Nordlicht im Ländle

Re: IPFire as a respected platform...

Post by zargano » September 26th, 2018, 8:35 pm

8)
