freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

pfSense SG-2240 has reached End of Sale; consider alternatives like the SG-3100 #2605

Closed anxiousnix closed 6 years ago

anxiousnix commented 6 years ago

Documentation update request

Description

Netgate, makers of the SG-2240 we recommend in the SecureDrop documentation, has announced the end of sale of their SG-2240. They recommend the SG-3100 as an alternative.

From a glance at their product page, it appears to be cheaper and perfectly capable for a SecureDrop instance. Of course, testing will have to be done on hardware before it can be officially recommended.

If the SG-3100 isn't a viable alternative, then other options will have to be considered.

User Stories

As an administrator of a future SecureDrop installation, I would feel comfortable if the documentation recommended hardware that was still available for purchase, if I didn't prefer to use my own firewall of choice instead.

b-meson commented 6 years ago

Currently investigating the SG-3100. It only has one OPT1 and I am investigating if we can use the old docs (commit ae438ca2e58f2684168e0356aa6e02ea257d97e5 removed the 3NIC documentation) and reuse those old docs. It should work but I will dig a bit more.

conorsch commented 6 years ago

the 3NIC documentation) and reuse those old docs

Hopefully. Based on the spec sheet, I suspect the problem with the 3100 is that there are only two logical ifaces and the rest are switched across one. @emkll suggested we could set up per-IP rules and then the switching wouldn't set us back (as the servers already have static IPs). That'll be more work configuration-wise, but definitely worth evaluating on hardware.

kaganjd commented 6 years ago

Any update on docs for the SG-3100?

b-meson commented 6 years ago

@kaganjd we are still testing it. Unfortunately, it only has one OPT port and the 2240 had two, which made setting up pfSense easier since you could put each server on its own OPT port. I will revisit after the 0.5.1 release.

ageis commented 6 years ago

@conorsch @b-meson Related new issue opened: https://github.com/freedomofpress/securedrop/issues/2945

anxiousnix commented 6 years ago

Netgate has another firewall, the SG-4860. For a SecureDrop administrator's needs, it is functionally similar to the SG-2240. Cost-wise, it is currently US$749, which is a tad bit more expensive than the SG-2240 used to be.

This isn't necessarily a problem with procurement in enterprise environments, like those in larger news organizations and NGOs. But it can present a small barrier for smaller, more independent news desks, local news shops, or independent activist groups.

While we might want to recommend something like the SG-4860, we may still find it fruitful to have instructions for the SG-3100. This can be a backup firewall recommendation, which can mitigate the risk of all of our recommendations becoming discontinued somewhat.