Wednesday, October 25, 2006

Extensibility is key

Extensibility and flexibility of the OFR have always been of interest to many of our customers and prospects. We firmly believe that being open source enables our solutions to be used in unique ways that are just not possible with closed source and proprietary solutions.

Recently, I was explaining the OFR to a friend of mine and he immediately found a use for it in his environment. As it turns out, management at his company has the suspicion that some employees are using the company's Internet connection to surf some non-work-related websites (insert your favorite vice here). To set the stage, his overall network is pretty modest, with one Cisco 3800 router serving 3 LANs and a single fractional T3 connection. As a solution, he was examining buying an application layer switch at a cost of about $20K.

And then the flexibility of the OFR hit him.... "You mean I could use your product on a Dell box I already have and then write a script to automatically add to the firewall rules for the non-work related sites on the OFR itself? Or, I could use tcpdump on the OFR to automatically look for URLs in the traffic and build the firewall rules automatically?" I agreed that his concept would work and gave him a few words of caution about running tcpdump 24x7 :) Still, I can easily imagine running tcpdump on one core of a dual-core Intel box while the OFR ran simultaneously on the other core....
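
The tcpdump idea above, sketched as an added example (not code from the original post or from the OFR): it reads `tcpdump -A -n` text output, pulls HTTP `Host:` headers, and collects the destination addresses of hosts on a block list. The sample capture, the `BLOCKED_DOMAINS` list and the `deny ...` rule text are constructed placeholders, not OFR firewall syntax.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -A -n 'tcp dst port 80'` output (not real traffic).
SAMPLE = """\
12:00:01.100000 IP 10.1.1.23.51234 > 203.0.113.10.80: Flags [P.], length 120: HTTP: GET / HTTP/1.1
E..x..@.@.....GET / HTTP/1.1
Host: www.games.example
User-Agent: test
12:00:02.200000 IP 10.1.2.7.40000 > 198.51.100.5.80: Flags [P.], length 90: HTTP: GET /docs HTTP/1.1
Host: intranet.corp.example
12:00:03.300000 IP 10.1.3.9.40100 > 203.0.113.10.80: Flags [P.], length 99: HTTP: GET /play HTTP/1.1
Host: GAMES.example:80
12:00:04.400000 IP 10.1.3.9.40101 > 192.0.2.44.80: Flags [P.], length 80: HTTP: GET / HTTP/1.1
Host: notgames.example
"""

BLOCKED_DOMAINS = {"games.example"}  # hypothetical policy list

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")  # start of a new packet summary line
PKT = re.compile(r"^\S+ IP \S+ > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
HOST = re.compile(r"^Host:\s*([A-Za-z0-9.-]+)(?::\d+)?\s*$", re.IGNORECASE)

def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def build_rules(dump_text):
    """Return sorted, de-duplicated (dst_ip, dst_port) pairs to deny."""
    rules, dst = set(), None
    for line in dump_text.splitlines():
        if TS.match(line):  # new packet: forget the previous destination
            m = PKT.match(line)
            try:  # validate the address before it can reach a rule
                dst = (str(ipaddress.ip_address(m.group(1))), int(m.group(2))) if m else None
            except ValueError:
                dst = None
            continue
        h = HOST.match(line)
        if h and dst and is_blocked(h.group(1)):
            rules.add(dst)
    return sorted(rules)

def render(rules):
    """Placeholder rule text; translate to the firewall's real syntax."""
    return [f"deny tcp from any to {ip} port {port}" for ip, port in rules]
```

Only cleartext HTTP exposes a `Host:` header this way, and a deny keyed on IP address also blocks any other site served from the same address.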

To be entirely fair, you could do something similar in a Cisco environment. My friend could set up Netflow export on his Cisco 3800 router and set up a Netflow collector such as cflowd on a Linux box. And on that Linux box he could run the same script he is developing to look at the traffic and build the firewall rules. Then he could write another script to transfer the firewall rules with HTTP or TFTP to the Cisco 3800 and load the new firewall configuration. That seems a bit harder, far less flexible and probably more problematic than writing the script on the OFR itself.

Granted, writing scripts and tweaking code is not for the average network engineer. But it's good to know that the extensibility and flexibility exist in the OFR. The closing thought from my friend was pretty simple, "I could never have done this directly on my Cisco 3800."

We'll see how his project turns out - a little time and some scripts could save him $20K and get us another customer!

