IPFire versus Zywall – How to make a good choice

  • Mark Anderson

    In SIL Nigeria we have been using IPCop for some years, and we want to upgrade, either to IPFire or Zywall (as those are the two firewalls which our international IT office recommends).

    I know little or nothing about Zywall, as I have never used it. What we need basically is a firewall which can handle a peak of 50 concurrent users on a 2 Mb/s connection. Average is 20 or so users. We find the security of IPCop adequate, but often I have the feeling that it is not doing a good job of allocating bandwidth fairly among users. If you have experience with Zywall, please try to answer some of these questions, to help us (and hopefully others too) to make a good choice. One of the things I like about IPCop and IPFire is Update Accelerator. When it doesn’t work, our network slows down a lot after Patch Tuesday.
    Is there any way to configure Zywall to cache Microsoft updates?

    Does Zywall have any good way to prevent individual users from hogging bandwidth? I see that IPFire allows you to set a max download limit per host, but it doesn’t seem to be customisable – e.g. to throttle some users more than others.
    How does Zywall’s content filter compare to IPFire’s – ease of use, effectiveness, customisability?
    Is there any other useful “killer feature” of Zywall which IPFire does not have?


    Response from Hank Scott:

    Here are a few factors to consider regarding the Zywall.

    After seeing Paul Federwitz’s presentation at IT Connect about Windows 10, I wonder if in that environment having caching for Windows Updates will be as big of a deal, since Win10 workstations can share updates with each other on a LAN. Of course not all of the computers at a site will be updated to Win10 soon, but I just wonder if they were if that would reduce the issue of multiple computers individually pulling the updates from the web, even in a non-WSUS environment. I’m just thinking of one piece of the puzzle. As time goes on and more PCs are running Win10, the updates should be less of an issue.

    I do believe that Zywall is a more robust solution (more reliable, trouble-free, and higher performance) than IPFire or IPCop. The initial cost may be an issue, but I think that is actually a very small thing when one considers the time required to maintain any solution and the “Kingdom cost” including the funds our donors give to support missionaries. Compared to what most sites are paying annually for Internet access, the hardware cost is minuscule. For any site running a Zywall, I would strongly recommend getting a maintenance agreement so that you can apply firmware updates, and purchasing a second unit to keep on the shelf as a spare. Make a backup of the production unit’s configuration to quickly load onto the backup unit, should the production system fail. That would be the same for IPFire or IPCop: keep a second computer around which you know will work properly and could easily be swapped in if the hardware fails.
    The management interface on a Zywall is totally different from IPFire or IPCop and there is a learning curve, but you can do a lot with it. Having managed other firewall appliances, I find Zywall’s interface is just like that of a Juniper Netscreen and quite similar to a SonicWall. It took me no time to figure it out since it was so similar to those other appliances, with menu options of the same title, etc. So it is totally different from what someone would be used to with IPCop, but it is standard with other professional firewall solutions. In a small office environment (<50 users) the configuration will be fairly straightforward, and good support is available from the Wycliffe Europe team and others in Wycliffe and SIL who use the Zywall.

    Content filtering is another factor. I'm not saying it is bad on the Zywall, but just different. I felt like I had a lot more options to tweak the filters in IPCop than with the Zywall's filtering solution. I could also unintentionally break the filtering in IPCop if I wasn't careful editing files! With the Zywall filter you can allow or block a computer or group of computers for specific sites, which is the most common need, but to me it doesn't seem as flexible as the wide range of things that DansGuardian could do. I just mention that in case you have some really fancy filtering set up in DansGuardian, beyond the normal defaults.
    Be aware that the filtering on the Zywall is cloud based, not local, meaning that for a new request (not already cached) the request from the workstation hits the Zywall, then the Zywall asks the cloud solution whether the website is allowed or not and gets the answer, then the Zywall blocks or allows the content through. There is a slight performance impact (or a big impact on a slow connection like a VSAT connection, but not as bad on lower-latency connections). On IPCop this happens locally so the block/allow decision happens faster, although there is a CPU overhead impact as IPCop has to look up the site locally, in addition to all the other work that the IPCop computer is already doing. Once a website is cached on either IPCop or the Zywall, the block/allow process is all local, so the impact is roughly equivalent.

    I'm sure there are more issues for and against either solution, but these are a few that I thought I'd mention. I'm basically FOR sites getting a Zywall appliance, because I think it will be a better solution as Internet access grows, but I believe that the people administering the appliance should be aware of the factors and what will be different from what they previously used. This is the device that I use at home for my family's Internet access (yes, that is overkill, but I can't test a Zywall in the office as it would conflict with our enterprise firewall). I'm just stating that I have personal experience with this hardware and am quite happy with it, although I don't consider myself an expert!