[nycbug-talk] OpenBSD pf "bakeoff"

Jim B. jpb at jimby.name
Mon Jun 18 14:08:07 EDT 2012

* Josh Rivel <josh at rivels.org> [2012-06-15 09:48]:
> So after badgering my manager nonstop about how great OpenBSD with pf
> is, he's letting me do a "bakeoff" of two identical boxes - one will
> be running OpenBSD 5.1 w/pf, and the other a popular commercial
> firewall software.
> I probably will not be starting this project until first week in July,
> but wanted to get some tips (feel free to contact me off list if you
> don't think it's appropriate) of any custom tuning or deployment tips
> and tricks for enterprise wide OpenBSD/pf deployments, management of
> the policies, etc.
> I really want OpenBSD to win :)
> Thanks in advance.
> Josh

My $0.02 - 

Congrats that you've got your manager to consider a bakeoff. However,
keep in mind that there are other elements to consider for him/her to
authorize pf in the enterprise.

A feature set comparison will allow your manager to determine what
things are covered / not covered by pf.  For instance, pf does not
(to my knowledge) perform various forms of "deep packet inspection"
(DPI), also known as "Layer 7" inspection.  Spend some time researching
the feature set of your current firewall and compare how pf does/does not
handle each feature.  Ask yourself how the things that are not covered
by pf will get handled.

Another consideration is support.  pf, just like any other product,
will need support.  In fact, some companies prohibit kit from being
deployed unless there is a support contract.  Look to identify what
organization will support pf and try to determine what a support
contract will include and how much it will cost.  Support contracts
usually specify Service Level Agreements (SLA) definitions and timeframes
so be sure to identify all SLA requirements from your company and if
your support organization can meet all of them.

Training is another issue that will undoubtedly arise.  Sure, you
are the local pf guru right now.  That's fine.  But try to look at
this from your manager's perspective.  He/she needs to ensure that pf
knowledge and training is available from the support organization.
How much will training cost?  Is training available on-site, or remote?
How many people will need such training?  All these are important
considerations for your manager's budget.

In summary, try to think more from a business perspective.  pf
will succeed on technical merits (in most cases).  Your job is to
ensure that both the technical *and business elements* are covered,
not just the technical.

Good luck!

Jim B.
