pfSense vs Cisco ASA: which firewall is better for your network?

In this article, we will be comparing two security products, pfSense and the Cisco Adaptive Security Appliance (ASA), to help you choose the right firewall for your network. We will take each product individually, looking at its pros and cons, and also discuss the scenarios in which each can be used and recommended.

pfSense and the Cisco ASA can both be classed as perimeter security devices. In its simplest form, a perimeter security device protects trusted devices (internal devices) from untrusted devices (external devices such as those on the Internet).

Figure: perimeter device/firewall

pfSense

Let me begin our discussion on pfSense with my personal experience about this product. I was called into a client site to help fix a particular nagging problem on their network – some network users lose Internet access randomly without any seeming reason. They told me they had an “edge device” and I figured they meant a router of sorts. I was taken to the server room and shown a “desktop computer” which they called the edge device. I didn’t understand – how could an organization be using a computer as an edge device? I was given documentation from the contractor that built the network stating that pfSense was installed on this computer. Discovering pfSense was my task for the next couple of days after that visit!

pfSense is open source routing and firewall software based on FreeBSD. The base software supports a lot of features, including:

pfSense also supports many add-on packages that can be installed with a single click, including:

  • Snort (for Intrusion Detection and Prevention)
  • FreeSWITCH (Voice over IP)
  • Squid (Proxy)
  • Darkstat (Network Traffic Monitor)

Because of all these supported features and packages, pfSense may be better classified as a Unified Threat Management (UTM) appliance than as a plain firewall.

Pros of pfSense

Looking at the feature list above, you can see that pfSense is a very impressive piece of software. In fact, let’s start off our pros list with this fact:

  1. pfSense is very robust, supporting the many features and packages listed above. This means that one device can perform all the functions you need at the edge of your network. Of course, you can also see this as a disadvantage (a single point of failure), but pfSense supports High Availability, meaning you can group several devices together.
  2. pfSense is free! This will probably be the biggest benefit. The pfSense software itself is free and you can download the software image off their website here. Of course, you need to install the software on some piece of hardware (virtualization is also supported), so it’s not completely free. However, even looking at the recommended hardware requirements, you can get suitable hardware for less than $200.
  3. The fact that pfSense is software that can be installed on any hardware makes it quite scalable. You can easily expand the resources of your hardware if your network needs increase.

Note: Netgate offers dedicated appliances such as the SG-2440 and XG-1541 that run pfSense, so this last advantage will not hold true on such dedicated hardware.

Cons of pfSense

Having discussed some of the advantages of pfSense, let’s now highlight some of the cons of this product.

  1. The fact that pfSense is open source can actually be a disadvantage. The same reason many people use Windows/Mac rather than Linux on the desktop is the reason people will choose closed source routers over open source ones: it’s a perception thing. Just as I was surprised to see an organization using “a desktop computer” as an edge device, organizations may not feel comfortable using open source software as their perimeter device. This does not mean pfSense is in any way inferior to dedicated appliances from closed-source competitors, but it may meet some resistance in being trusted when compared to other well known vendors.
  2. There is also the question of guaranteed support. If you are not using dedicated hardware provided by pfSense and something goes wrong, would pfSense be able to resolve your problem rather than defaulting to the “hardware problem” response? From personal experience, I’ve seen pfSense fail, getting stuck in a boot loop, but because I wasn’t using their dedicated appliance, I could not be sure whether it was a software bug or a hardware issue – so use good hardware as a starting point.
  3. Configuration of pfSense is done through a Graphical User Interface (GUI). In fact, the reasoning behind the name pfSense is “making PF make more sense”. PF stands for Packet Filter, the BSD stateful firewall on which pfSense is based. So the developers wanted to make pfSense deployment easier by providing a GUI. However, techy people generally don’t like a GUI – it’s not complex enough. Why would you need to hire and pay me to come and click “Next”? Does anyone else feel this way, or is it just me?
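To show what the GUI is driving underneath, here is a minimal PF ruleset (FreeBSD pf.conf syntax, as used by pfSense) for the perimeter role described earlier: a trusted LAN behind an untrusted WAN, with default deny, stateful outbound access and one published service. This is a constructed example written for this article, not pfSense’s own generated rules; the interface names, LAN prefix and server address are assumptions.

```pf
# Constructed example: assumed interface names and addresses
ext_if  = "em0"               # WAN, faces the untrusted Internet
int_if  = "em1"               # LAN, trusted internal network
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0

# Reassemble fragments before filtering, and drop packets whose source
# address could not legitimately arrive on the interface they came in on
scrub in all
antispoof quick for $ext_if
antispoof quick for $int_if

# Hide the LAN behind the WAN address (outbound NAT)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Publish one internal HTTPS server (port forward)
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# Default deny, logged: anything not explicitly passed below is dropped
block log all

# Trusted side may initiate to anywhere; the state entry admits the replies
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from any to any keep state

# Untrusted side may only reach the published service; synproxy completes
# the TCP handshake on the firewall before the server sees the connection
pass in on $ext_if proto tcp from any to $web_srv port 443 \
    flags S/SA synproxy state
```

Every pfSense firewall rule, NAT mapping and port forward you click together in the GUI ends up as a line of this shape in the generated ruleset.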

So, would I recommend pfSense to a customer? The answer is that it depends. For a small business that is not willing or able to spend a fortune on a router/firewall, pfSense makes sense (pun intended!) and offers a lot of features in a one-stop-shop solution.

I also reckon that some really technical people, if it were up to them, would be more open to using open source software like pfSense. Notwithstanding my personal opinion, I know pfSense is being used on all kinds of networks, irrespective of size.

Cisco ASA

The ASA is Cisco’s implementation of a firewall. Unlike pfSense, the Cisco ASA is mostly a dedicated firewall appliance, although you have options for an Intrusion Detection/Prevention System (IDS/IPS), URL filtering and malware protection. There are several models of the Cisco ASA depending on the size of the network, and it also offers features like NAT, VPN and High Availability.

Pros of Cisco ASA

To mention a few of the things the Cisco ASA has going for it:

  1. The Cisco brand is strong in the network industry and there is a general brand loyalty to Cisco among many enterprise users (have you ever heard the joke “nobody gets fired for buying Cisco…”?). If you are already using a Cisco router or switch (chances are that you are), then you may not want to look elsewhere when it’s time to buy a firewall – interoperability can be a pain sometimes.
  2. The fact that the Cisco ASA runs on dedicated hardware (virtualization is also available) means that it has good performance no matter the volume of traffic that needs to be processed (subject to model limits). This also means that not only will you get support for the ASA software, Cisco will also provide support for its hardware.
  3. One of the things Cisco got right was its certifications. By creating certification exams that can sometimes be very difficult to pass (read CCIE here), Cisco created a strong perception around their products, not to mention skilled engineers able to get their hands dirty. You will probably feel at peace knowing that you have certified personnel handling your network security.

Cons of Cisco ASA

On the other hand, we can also mention some disadvantages of the Cisco ASA:

  1. Cost. Cisco is expensive, period. Not only is the hardware expensive (at least $400 for the smallest model), but you may end up drowning in unforeseen license costs. For example, if you are running (free) OpenVPN on pfSense and want to migrate to the Cisco ASA, you will probably need to pay for more AnyConnect licenses than are available by default. You want to add IPS? You pay for it. You want malware protection? More money. In fact, there are licenses to enable “security plus” features, things as basic as stronger encryption algorithms (DES vs. AES).
  2. As I mentioned before, the Cisco ASA is primarily a firewall. Adding “features” like IDS/IPS is not as easy as installing a package, as it is with pfSense.
  3. Unless you are using the Cisco Adaptive Security Virtual Appliance (ASAv), you are stuck with the particular ASA model hardware that you have. If you need to scale, say because your network requirements have increased, you will need to purchase new hardware. Again, money.

As someone who has spent a lot of time gaining knowledge of Cisco and its products, I would probably always recommend a Cisco product (not their access points, though) to a customer, as long as that customer can afford it.

I have been using the Cisco ASA since it was known as the PIX and I have hardly seen it fail. My personal sentiments aside, many organizations that I’ve worked with use the Cisco ASA as their perimeter device and because the Cisco ASA comes in many models, it can fit into any size of network.

Mutual Advantage

There is something these two security products have in common: good support. One of the issues people had with pfSense in the past was lack of support. However, this seems to have changed, as the company now offers professional support in addition to the support available from its community of users. Cisco also has a vibrant and active support community, as well as offering professional support through the Cisco Technical Assistance Center (TAC).

Summary

This brings us to the end of this article, in which we have compared pfSense and the Cisco ASA. We highlighted some pros and cons of each security product and also discussed where each is best suited.

We concluded that pfSense may be best suited for a home office or small business network that is not looking to spend a lot on an edge device. The fact that you can get a lot of features (like DHCP, DNS, VPN, firewall, etc.) in one free piece of software is very mouth watering. However, because of trust issues with open source software, larger organizations may not feel comfortable running pfSense as their perimeter device.

On the other hand, the Cisco ASA, with its different models, is suitable for networks of all sizes. It also has the established Cisco brand name going for it, plus the added benefit of support not just for the software but also the hardware. The biggest disadvantage of the Cisco ASA is the cost, so if you are a small business, you may want to look for less expensive alternatives.

I hope you have found this article informative (and unbiased). If you have any question or doubt, please feel free to comment on the article below, and we’ll make sure to answer as soon as possible!


17 Responses

  1. The guy before me said it best. Open source ftw. pfSense, especially if you can grab it loaded on original Netgate hardware, will go toe-to-toe with any OEM device. Sonicwall, Cisco, Fortigate, you name it.

  2. pfSense is head, shoulders, knees & toes better than Cisco. Seriously, being complicated so people can pay you more is NOT a selling feature, but you list it as one? pfSense with Snort & pfBlockerNG with beefed up DNS bl’s & IP bl’s… unstoppable. In fact, a 2 billion dollar IT provider I sat in a meeting with said they couldn’t do what pfSense does, and you can configure it in 30 minutes. You have to buy “FirePower” and all this other garbage… ASAs are pieces of crap compared to a pfSense, especially since you can use a PC, server, whatever… even add PCIe crypto accelerator cards for more VPN throughput. The list goes on and on why pfSense is better. It makes Cisco look like DOS, a real POS! By the way, the term “engineer” is crap; what makes a Cisco engineer is passing a test. Remember that 2 billion dollar IT company I was in a meeting with? They have a gaggle of engineers and they can’t get anything to work like it’s supposed to. China can at this moment attempt brute force on port 443 & 22 on their dumb ASAs and they said it would be too complicated to block it with an ACL of approved IPs or do geo IP blocking? I can do that in 10 minutes on a pfSense. Ciscos are an embarrassing legacy… decommission them while you can. They work at enterprise level, by the way; they are not just for home & small business, that is a bogus opinion!

  3. Wow. I don’t know where to start. As a CCNP myself I’ve done plenty of Cisco Catalyst, Nexus, ASA, Firepower.

    I’ve also deep dived into pfsense.

    Here’s the first point that is absolute rubbish: “The fact that pfSense is open source can actually be a disadvantage. The same reason many people use Windows/Mac as opposed to Linux for desktop computers is the same reason people will go for closed source routers versus open source ones.”

    Google, Facebook, Amazon, to name a few. Any web server running Apache which is the vast majority of sites.

    1. I switched from mainly ASA to pfSense in the last couple of years. Don’t get me wrong, ASAs are rock solid but heavily overpriced.
      If you are already certified in ASA, the learning curve for pfSense is very, very easy.
      I can highly recommend it.

  4. Nice article, but you need to talk about performance too.
    pfSense is a monster in performance vs an ASA, where you have to shell out tons of $$ to get equivalent performance.

    The stateful inspection throughput on a custom pfSense box or embedded Netgate box is way faster than any Cisco ASA. And an IPsec VPN running at +1Gbps with AES active (325 Mbps without, vs 100Mbps for an ASA 5506 with AES active) is a reality that would cost thousands of $$ at Cisco that you can have for a few $$.

    Also, being open source isn’t a handicap or a virus. It’s more of a strength, since you know what you are running and no one is going to snoop on you with undocumented commands. And now pfSense is also backed by Netgate and you can get commercial support & training.

  5. > I was called into a client site to help fix a particular nagging problem on their network – some network users lose Internet access randomly without any seeming reason.

    That opening was the reason I read your entire post.
    But you NEVER said what the solution was that you found to fix that problem.
    What was the cause and how was it resolved?

    1. Oh wow! You are absolutely right. Their edge device (the pfSense) was acting up in relation to DNS and also generally not performing optimally. We upgraded the pfSense software and changed the DNS addresses.

  6. At first, I was concerned this article would be biased, since the author had no previous experience with pfSense. Though, after reading, I think he came to a very good conclusion. The author put time into researching pfSense instead of downright denying the product.

    I like the commandline as much as the next admin, but anything that can provide the customer a ton of great services (that they NEED) at a great price point while saving me time and energy goes to the top of my list. Purchasing a full unit from NetGate, you get tested hardware, HA (if you choose that model), Gold membership right out of the box. No additional licenses needed (well, maybe a tiny license for some of the open source IDS stuff). Oh, and I can get all of that setup pretty quickly. Site-to-site VPN?…No problem. Block an entire country’s IP range?…On it.

    Configuring HA for pfSense is not the simplest thing to do, but their support team will help you along the way. Configuring Cisco ASA for HA? Not only have you already doubled or tripled your investment compared to pfSense, but inter-chassis HA configuration isn’t exactly a walk in the park. Oh, and you still want all those other nifty options like SPI, IDS, etc.? Hope you have deep pockets.

    Cisco is proven tech and is great as long as you can afford it. I mean that as in the cost of the appliance(s), licensing fees for additional services, support contract fees (mandatory for updates), and dedicated support personnel.

  7. I’ve got an ASA 5510 and a PFSense box in my lab, and the one thing that scares the crap out of me is that you need an active service contract with Cisco for patches, including for known vulnerabilities! I’d only be able to recommend them to someone willing to keep spending money on them for years to come.
    I appreciate that companies are expected to maintain these, but there’s a lot of these units floating around second hand, or in legacy setups because people trust the Cisco name.

    I have mixed feelings about PFSense.
    I like PFSense because you can build an awesome 10Gb UTM/VPN concentrator appliance for about $600 that’s mostly easy to use.
    While we can all panic about the woes of FOSS, as soon as a patch is available for PFSense I can click a button in the UI and it gets applied without any service agreements.
    The GUI-only configuration system is frustrating as you point out, so manual validation of the configuration, even for self-learning’s sake, is nigh impossible, unlike just about any other solution.

    To be quite honest, I prefer Juniper/VyOS flat out when they’re an option.

    Cisco itself is still somewhat alien to me, but I love AnyConnect more than any VPN I’ve ever used, and I was lucky enough to find an ASA with a decent license to play with, as well as an SSM. On these grounds alone I’d agree with your conclusion. Getting this has made remote work significantly easier, and I’ve even gotten a few for my workplace with similar results.

  8. I have used both and I would go with pfSense unless the customer stipulates Cisco. pfSense is so easy to set up / rebuild and can even be virtualised on Hyper-V / VMware. I found pfSense to be stable and upgrading is also easy. Performance is excellent even using a low end PC. Try to stay away from Realtek network adaptors, however.

  9. Thank you for a great article

    I have the idea of combining the two products – using the Cisco ASA as the edge device with its built-in functionality and without buying any additional licenses and services, and using pfSense as the “internal firewall”, thereby getting access to all the free extra services like:
    Snort (for Intrusion Detection and Prevention) / FreeSWITCH (Voice over IP) / Squid (Proxy) / Darkstat (Network Traffic Monitor)…

    Does it make sense???

  10. Currently working on a project where I need to recommend a firewall for a cloud provider; it is difficult to ignore the open source community, at least not on the basis of features and performance. pfSense, VyOS and the rest have really matured and cannot be ignored, especially as they now offer commercial support.
    pfSense and OPNsense are my recommended solution for what I am trying to achieve.
    ASA wasn’t an option, not because it’s not a good fit but because there is a viable alternative that will get the work done at next to nothing cost wise; if I need support I can pay for that.
    And yes, I have seen high end commercial firewalls freeze.

    Oshin

    1. Me too. And I’ve seen Cisco just outright decline to fix known issues in current software because that particular bug is not high-enough priority to make it into their dev queue. There’s no substitute for an open-source community when it comes to digging into a bug and providing a quick solution. There’s also no better way to vet security-critical software than to put hundreds or thousands of online reviewers on the task.
