13

There exist firewalls from Juniper and Cisco that cost more than a house.

So I wonder: what does one get from a $10,000+ firewall compared to a 2U server with 4x 10Gbit network cards running e.g. OpenBSD/FreeBSD/Linux?

The hardware firewalls probably have a web interface.

But what else does one get for a $10,000 or $100,000 firewall?

Sandra

10 Answers

16

It's just a matter of scale. The thousands-of-dollars firewalls have features & capacity allowing them to scale & be managed globally. There is a myriad of features that anyone not using them would have quite a bit of research to do before they (we) could appreciate their individual merits.

Your typical home router doesn't really need to be able to handle an officeful of devices or multiple ISP connections, so it's cheaper. Both in the number/type of interfaces, and the hardware capacity (RAM, etc). The office firewall also may need some QoS, and you might want it to be able to make a VPN connection to a remote office. You'll want slightly better logging for that small office than you'd need for the home firewall, as well.

Keep scaling that up until you need to handle a few hundred or thousand users/devices per site, connect to dozens/hundreds of other firewalls the company has globally, and manage it all with a small team in one location.

(I forgot to mention IOS updates, support contracts, hardware warranties - and there are probably a few dozen other considerations that I don't even know about...but you get the idea)

Kara Marfia
12

Typically, along with the hardware firewall you get a recurring yearly maintenance fee and the promise of a future date when "hardware support" won't be available anymore and you'll have to forklift the gear out and replace it (à la the Cisco PIX to ASA transition). You also get stuck with a relationship with a single vendor. Try and get software updates for your Cisco PIX 515E from anyone other than Cisco Systems, for example.

You can probably tell that I'm fairly negative about purpose-built firewall hardware.

Free and open source (FOSS) operating systems power some well-known "hardware" firewall devices and aren't unproven technology by any stretch. You can buy software support agreements for FOSS from many different parties. You can purchase whatever hardware you want with whatever spares / service agreement you choose.

If you're really pushing a lot of bits around then, perhaps, a purpose-built hardware firewall device would be necessary. FOSS can cover you in a lot of situations, though, and give you tremendous flexibility, performance, and total cost of ownership.

Evan Anderson
  • 4
    +1, Mostly, you get to point the finger at someone else when something goes wrong... – Chris S Oct 13 '10 at 22:51
  • 1
    I've seen "hardware" firewalls which are just a BSD box with some relatively expensive network cards (fibre interfaces, carefully-picked competent ethernet cards or other uncommon interfaces) and a bill of many thousands of pounds/dollars/euros. Really you're paying for someone else to test and support it, and FOSS solutions can almost always give the same performance and reliability -- it just needs a fair amount of testing work to get there. – David Gardner Jul 24 '12 at 09:19
8

You've had some good answers already talking about technical stuff and support. All important things.

Let me introduce another thing to consider: Your time to create, configure and support a "roll your own" hardware firewall internally is an investment for your employer. Like all things, the business has to decide if that investment is worth it.

What you/your manager need to consider is where your time is best spent. The question of whether or not "rolling your own" is worthwhile might change completely if you're a specialist network security person and/or your employer has specialist firewall requirements that aren't easy to set up in an off-the-shelf product, compared to someone who has lots of duties to consider besides network security and whose needs can easily be met by plugging in a network appliance.

Not just in this specific case but in general, there have been a few times I've purchased a solution "off the shelf" or hired in some consultancy for something I'm quite capable of doing myself because my employer would rather my time was spent elsewhere. This can be quite a common case, especially if you're facing a deadline and saving time is more important than saving money.

And don't discount the ability to "blame someone else" - when you've traced a major outage to a bug in the firewall at 3am it's very nice to be able to speak to the vendor and say "I don't care if it's software or hardware, it's your problem either way".

Rob Moir
3

How will your homebrew firewall handle in-service hardware maintenance?

How will your homebrew firewall hold up when you get to 40+Gbps throughput?

How will your homebrew firewall segment permissions for administrators in different business units, such that they can only manage their own parts of the rule base?

How will you manage your rulebase when you have 15,000+ rules?

Who is backing you up when it goes in the ditch?

How will it hold up to a Common Criteria audit?

By the way, $100k is not anywhere near "high end" for firewalls. Another zero would get you there. And it's really a drop in the bucket for the resources that they protect.

fianchetto
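The rule-base management question above (15,000+ rules) is one that commercial management consoles answer with automated rule analysis, for example flagging rules that an earlier rule already shadows. As an added illustration that is not from the post or from any vendor's tooling, here is a minimal first-match shadowing check over a constructed rule list; the flat rule format is hypothetical and exists only for this example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical flat rule format for illustration only:
#   name action proto src-net dst-net dst-port[-port]|any
# Real vendor rule bases are richer; this shows only the first-match
# shadowing logic that a management console automates for large rule sets.

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple           # (low, high) destination ports; (0, 65535) == any

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = inner.src.subnet_of(outer.src)
    dst_ok = inner.dst.subnet_of(outer.dst)
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok

def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule in this
    first-match list already covers all their traffic. Same-action shadowing
    is dead weight; opposite-action shadowing (allow under a deny) is a
    policy conflict worth a closer look."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]

def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed format described above."""
    name, action, proto, src, dst, port = line.split()
    if port == "any":
        lo, hi = 0, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return Rule(name, action, proto, ipaddress.IPv4Network(src),
                ipaddress.IPv4Network(dst), (lo, hi))

# Constructed sample rule base (not taken from any real deployment).
SAMPLE_RULES = """\
r1 allow tcp 10.1.0.0/16 192.0.2.10/32 443
r2 deny  any 10.1.0.0/16 192.0.2.0/24 any
r3 allow tcp 10.1.5.0/24 192.0.2.10/32 443
r4 allow tcp 10.1.5.0/24 192.0.2.20/32 8080-8090
r5 allow udp 10.2.0.0/16 192.0.2.53/32 53
"""

def audit(text: str = SAMPLE_RULES):
    return shadowed_rules([parse_rule(l) for l in text.splitlines() if l.strip()])
```

In the sample, r3 is redundant (already allowed by r1) and r4 is unreachable because the broader deny in r2 precedes it; at 15,000 rules this is exactly the kind of check nobody does by hand.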
2

Clearly there is no one-size-fits-all answer to this question, so I'll describe what I've done and why.

To set the picture: We're a fairly small business with around 25 office staff and perhaps the same number on the production floor. Our primary business is as specialised printers who at one time enjoyed a monopoly but are now fighting an increasing amount of opposition from cheap imports, mostly from China. This means that while we would love Rolls Royce level service and hardware we generally have to settle for something more along Volkswagen levels.

In our situation the cost of something like Cisco or similar just couldn't be justified, especially as I have no experience with it (I'm a one-man IT "department"). Also, the expensive commercial units offer no true benefit to us.

After looking at what the company had and what they needed I chose to use an old PC and install Smoothwall Express, partly because I had been using that product for a number of years and was already confident and comfortable with it. This does of course mean there is no external support for the firewall, which carries a degree of risk, but it's a risk the company is comfortable with. I'll just add that as a firewall Smoothwall is as good as I've seen for our kind of scale but it may not necessarily be the best choice for a much larger organisation.

That solution works for us. It may or may not work for you. Only you can make that decision.

John Gardeniers
1

If you have a XXXisco-branded firewall with a 95% packet drop ratio, you may sue someone; if you have the same drop ratio on your own box (that isn't rare, under a good old simple ICMP flood too), well, you're about to get off the ship to see that your salary is about to be put into a new firewall.

kagali-san
  • 10
    The "legal action" argument in favor of proprietary solutions is over-played, IMO. There are typically software license agreements associated with the firmware on network hardware that disclaim away most of the manufacturer's liability for performance. Unless your company has a substantial investment in the flawed gear or it's a class action it's unlikely that any legal action against the manufacturer would really be profitable. – Evan Anderson Oct 13 '10 at 22:40
  • I agree that legal action is pretty rare in my experience but having an ongoing relationship with the vendor and/or support organization can result in good leverage to resolve issues if things do go sideways. I generally think of it as "reaching out for help" but I've also seen it as "having somebody's desk to pound on" if there's a problem. – damorg Oct 14 '10 at 21:52
1

Arguably, part of this comes down to the same argument about "roll your own" vs. using an appliance.

All equipment fails eventually. If you built the system and it fails, it's your problem. If you buy a system from the vendor, and it fails, it's their problem.

With good support, you have trained people ready to back you up. Companies like Cisco, Juniper, NetApp, etc. are successful because they provide quality products backed with quality support. When they fail (and sometimes they do), their business is harmed.

High end equipment can come with a good support contract. If the firewall crashes at 3AM on the Saturday after New Year's Eve, I can get a vendor technician on the phone in 5 minutes. A technician can be on site in 2 hours and swap out the failed component for me. If the router supports a large business where downtime can cause expensive losses, then it might be worth it to get a high end router. $10,000 or $100,000 doesn't seem that expensive when it's supporting a $20-million or $200-million business, where downtime can cost the company thousands of dollars per hour.

In many cases these high end routers are too expensive or are unnecessary, or you can't get a high end router due to budgetary or political reasons. Sometimes, a custom pizza box or a Soekris box is more appropriate.

Stefan Lasiewski
1

To some extent there is the "It just works" argument. No worrying about hardware quirks and little fuss over software bugs.

I use a pair of PIXes at work in a hot-standby configuration and they have never failed. Plug in, enter the necessary rules and leave them to it. A lot of the hassles and effort involved in managing a roll-your-own box is completely covered. We do have some OpenBSD boxes lying around that do use pf for some filtering, and I've easily spent 10x as much time maintaining the boxes and firewalls as I have the PIXes. We've also found on occasion that we hit hard limits in OpenBSD for traffic.

It's also worth pointing out that a PIX is a lot more than, say, iptables. PIXes also include some elements commonly seen in Intrusion Detection Systems (IDS), along with other bits. Firewall hardware is also generally much more specialised for the purpose of processing packets at high speed, rather than the more generalised nature of a bog standard server.

That said there are other vendors equally worthwhile as Cisco, and you can recreate it all yourself. You just have to weigh up whether or not your time and any possible hassles are worth it.

For firewalls I'd rather the sanity of knowing I've got a solid and reliable device.

Twirrim
0

After many years, it is still an interesting question. Let's divide it into two sub-questions:

  1. Why buy a proprietary firewall rather than use an open-source one (based on Linux, FreeBSD, RouterOS, etc.)? It all depends on your needs:

    • Open-source firewalls generally perform very well for their small cost, and provide no vendor lock-in. However, they rarely provide advanced transparent UTM (unified threat management) features, such as content filtering, application filtering, gateway antivirus, SSL decryption, and the like. This does not mean that open-source firewalls can't do that; however, they often require the use of proxy services that need to be configured client-side (i.e. in the browser). Two good, different examples are Mikrotik (RouterOS, Linux based) and Endian: the former has performant, low-cost, firewall-only (no UTM) products; the latter provides mostly proxy-based, full UTM products. Case in point: while Endian's firewall-only community edition is a free product, the UTM suite is license-based (and they are not super-cheap).
    • Another point to consider is the WebUI: proprietary firewalls generally have quite good UIs, while free/open-source ones sometimes have less intuitive UIs (e.g. Mikrotik).
    • Proprietary firewalls often have additional management services bundled with them. For example, they can include a management console to replicate all configuration changes to multiple devices, or to give in-depth reporting.
    • Finally, firewall vendors generally provide services such as hardware replacement and support ticketing. With a self-built open-source firewall you are generally alone in replacing hardware, and support is not always available for free. On the other hand, it is much easier to diagnose (and resolve) a problem when the platform is open-source, rather than closed.
  2. If buying a proprietary firewall, why buy a high-end firewall rather than a lower-performance product? It all boils down to performance and feature requirements:

    • If you plan to enable UTM services not only on WAN links (where bandwidth is often limited) but also on internal links (e.g. DMZ, between VLANs, etc.), you need a firewall with high throughput, especially if you have many clients. Moreover, low-end firewalls often have (sometimes artificial) limitations on the number of concurrent users, VPN tunnels, etc.
    • Low-end firewalls may lack some additional features (e.g. high-availability, WAN failover, link aggregation, 10Gb ports, etc.) required in your environment.

Personal experience: weighing all the above factors, I often (but not always) decide to use proprietary firewalls with at least a basic hardware replacement service, or at least providing the end-user with a spare part. When budget is really tight and no advanced features are required, I use open-source (Mikrotik) products.

shodanshok
-4

Here's a perspective with slightly different hardware, but the concept still applies. We were running several modem servers on a network with a somewhat cheap 8 port 10/100 "switch" tying it all together. One day, the switch started to freeze up, and we had to power cycle it. We did that several times, until it actually burned out. That modem traffic was very chatty, and the thing just couldn't handle the heat.

We bought a used Cisco 2924 switch, and it all worked so much more smoothly... collisions went way down. Turns out the old switch was a 10Mbit hub switched to a 100Mbit hub. Subtle difference, but that explains the cost difference.

DGM