Another conversation point was political viability. It's easy to justify purchasing a Cisco network, but when you start coloring outside the lines, executives can get nervous. It's the same hurdle that open-source software has had to jump for years, though the widespread use of open-source projects has certainly lowered the bar. There may be no better answer to these issues than a side-by-side comparison of features and price. Many misgivings can be erased when the right numbers are presented.
VPN use is a case in point. Open-source routers can serve as extremely cheap VPN concentrators. Although they arguably do not offer the ease of configuration found in some commercial products, they do speak L2TP, IPsec, and PPTP. Several open-source VPN clients, including OpenVPN, are available for Windows, Mac, and Linux to support the end-user side. Given the horsepower available on commodity servers, it’s possible to build and run a very high-performance VPN concentrator without the high cost. Terminating LAN-to-LAN VPNs on open-source routers is significantly simpler, because no client software is needed.
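To make the LAN-to-LAN point concrete, here is an added example (not code from the article or from any of the projects it names) that renders both ends of an OpenVPN site-to-site tunnel in OpenVPN's static-key mode and checks that the two ends mirror each other. Everything specific in it is an assumption: the hostnames, the 10.200.0.0 tunnel pair, the 192.168.1.0/24 and 192.168.2.0/24 site networks, and the /etc/openvpn/site.key path are constructed placeholders.

```shell
#!/bin/sh
# Added example: render the two ends of an OpenVPN LAN-to-LAN tunnel
# (static-key mode). Both ends are routers, so there is no client software;
# each side only needs the other side's LAN route.
# Hostnames, subnets and file paths are constructed placeholders.

# site_config NAME LOCAL_TUN_IP REMOTE_TUN_IP "REMOTE_NET REMOTE_MASK" KEY_DIR [PEER_HOST]
#   KEY_DIR   OpenVPN key direction: 0 on one side, 1 on the other
#   PEER_HOST public name of the peer; omit it on the side that only listens
site_config() {
    name=$1; local_ip=$2; remote_ip=$3; remote_lan=$4; key_dir=$5; peer=${6:-}
    printf '# %s: static-key site-to-site tunnel\n' "$name"
    printf 'dev tun\nproto udp\nport 1194\n'
    # Only the initiating side needs 'remote'; the fixed-address side listens.
    if [ -n "$peer" ]; then printf 'remote %s 1194\n' "$peer"; fi
    printf 'ifconfig %s %s\n' "$local_ip" "$remote_ip"
    printf 'secret /etc/openvpn/site.key %s\n' "$key_dir"
    # Send the peer's LAN through the tunnel; the kernel routes the rest.
    printf 'route %s\n' "$remote_lan"
    printf 'cipher AES-256-CBC\nauth SHA256\n'
    printf 'keepalive 10 60\npersist-key\npersist-tun\n'
    printf 'user nobody\ngroup nogroup\nverb 3\n'
}

# Site A (192.168.1.0/24) dials out; site B (192.168.2.0/24) has the fixed address.
site_a_config() {
    site_config site-a 10.200.0.1 10.200.0.2 "192.168.2.0 255.255.255.0" 0 vpn-b.example.net
}
site_b_config() {
    site_config site-b 10.200.0.2 10.200.0.1 "192.168.1.0 255.255.255.0" 1
}

# check_pair CONFIG_A CONFIG_B: return 0 when A's local tunnel address is B's
# remote one (and vice versa) and the two key directions differ.
check_pair() {
    a_if=$(printf '%s\n' "$1" | awk '/^ifconfig/ {print $2, $3}')
    b_if=$(printf '%s\n' "$2" | awk '/^ifconfig/ {print $3, $2}')
    a_dir=$(printf '%s\n' "$1" | awk '/^secret/ {print $3}')
    b_dir=$(printf '%s\n' "$2" | awk '/^secret/ {print $3}')
    [ "$a_if" = "$b_if" ] && [ "$a_dir" != "$b_dir" ]
}

# On the router itself (as root), forwarding must be on for LAN-to-LAN traffic:
#   site_a_config > /etc/openvpn/site-a.conf
#   sysctl -w net.ipv4.ip_forward=1
#   openvpn --config /etc/openvpn/site-a.conf
```

The same static key must be copied to both routers out of band, and the key direction (the trailing 0 or 1 on the `secret` line) has to differ between the two ends; `check_pair` catches the common mistake of generating two configs that both claim the same direction or the same tunnel address.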
Who you gonna call
A case may be made against open-source routing by pointing out that when using non-commercial solutions, there is no support other than mailing lists and online forums. That is, there are no support contracts and no hardware support – nothing. Even with commercial support via companies such as Vyatta, there still may be no hardware support if you’re using your own hardware for the routers. Looked at another way, though, you are escaping hardware-associated support costs. And by using commodity hardware, there’s no real need for four-hour or next-day hardware support, because replacement hardware is widely available, unlike proprietary hardware from even mainstream vendors such as Cisco and Juniper. If your router is a Dell PowerEdge, then all you need to completely rebuild the router is a regular computer of roughly the same horsepower, the configuration file, and the installation CD. The router might be more work to maintain, but it’s also much cheaper, and rebuilds and repairs can be done significantly faster than through traditional commercial support options.
Walling your garden
Although Linux- and FreeBSD-based routers generally include a kernel-level stateful firewall, these are not always the best option for straight firewalling. For dedicated firewalling, other open-source projects such as IPCop and SmoothWall can come in extremely handy. IPCop, for instance, combines a well-designed Web UI with a plug-in architecture, and together they offer everything from real-time throughput graphs to automated updates, VPN termination, full logging, DHCP and DNS servers, and complete control over access lists. The footprint of this customized Linux distribution is so small that you can install it on a Compact Flash card, and the hardware requirements to run even a high-throughput firewall are surprisingly modest. As an example, an IPCop firewall booting from a 256MB CF card and running on a Dell GX110 (667MHz Pentium III with 128MB RAM) has been the main firewall for my lab for nearly five years. In all that time, it’s performed flawlessly – exactly what you would want from a firewall.
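The kernel-level stateful firewall mentioned at the start of this section is worth seeing in its simplest useful form. The following is an added example, not code from the article and not IPCop's or SmoothWall's configuration: a default-deny ruleset for a Linux router with one WAN and one LAN interface, written as a script that prints the iptables commands rather than running them, so the policy can be reviewed before it touches a live box. The interface names, the SSH port on the LAN side and the UDP 1194 VPN listener on the WAN side are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a minimal default-deny stateful ruleset for a Linux router
# (netfilter via iptables). Interface names and ports are constructed
# placeholders; nothing here is taken from IPCop or SmoothWall.

# fw_rules WAN LAN: print the ruleset instead of applying it.
fw_rules() {
    wan=$1; lan=$2
    cat <<EOF
# Clean slate, then default-deny for traffic to and through the router.
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus replies to connections the router itself opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Management only from the LAN; the VPN listener is the one WAN-facing service.
iptables -A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 1194 -j ACCEPT
# Log what falls through, rate-limited so a flood cannot fill the disk.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
# Forwarding: the LAN may open connections outward; the WAN only gets replies.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
# Hide the LAN behind the router's WAN address.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# fw_review WAN LAN: the checks a reviewer wants before the ruleset goes live.
# Returns 0 when all of them hold.
fw_review() {
    rules=$(fw_rules "$1" "$2")
    # 1. Both chains that matter default to DROP.
    printf '%s\n' "$rules" | grep -q '^iptables -P INPUT DROP$' || return 1
    printf '%s\n' "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
    # 2. No rule accepts new connections arriving from the WAN into the LAN.
    if printf '%s\n' "$rules" | grep -q -- "-i $1 -o $2 -j ACCEPT"; then
        return 1
    fi
    # 3. Connection tracking is present in both INPUT and FORWARD.
    n=$(printf '%s\n' "$rules" | grep -c 'ESTABLISHED,RELATED')
    [ "$n" -eq 2 ]
}

# To apply on the router (as root), pipe the output into a shell and turn on
# forwarding so the box actually routes:
#   fw_rules eth0 eth1 | sh -e
#   sysctl -w net.ipv4.ip_forward=1
```

The ordering matters: the ESTABLISHED,RELATED rule sits ahead of the per-port accepts so that reply traffic is matched cheaply by the connection table, and the INVALID drop keeps packets that belong to no tracked connection from reaching the port-specific rules at all.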