Alternatives to Cisco ASA 5520's for firewall

WarlordBB (Limp Gawd), joined Jun 10, 2004, 390 messages
A long time ago we used a couple of commodity servers and fbuilder to manage our firewall needs. We were in danger of losing our Net Admin and since he was the only one of us capable of managing (adequately) the firewall, we were "sold" a Cisco ASA 5520 as a replacement. We've subsequently bought another for fail-over. Our Net Admin decided to stay and he's lamenting the fact that he can't do his job well with only 4 legs (we lose one on each for the fail-over connection).

He's asked me to find him an alternative but we just got through spending $100,000 to replace our phone system and our SAN.

Does anyone have any suggestions for a "runs on your own hardware" solution, either open-source, supported open-source (we went Switchvox by Digicom for our phone system for example) or other solutions that won't run us $20,000+ ($10,000 per box basically for the ASA's).

Yes, my Net Admin should be the one asking the questions but he's forum shy :)

TIA
 
Find a new network admin?

Otherwise, you're going to have to post some very specific information about how the ASA limits you, else no one can help you choose a firewall.

The ASA-5520 is a pretty big beast of a firewall. Supports up to 150 VLANs and 450Mbps throughput. Even with 1 of your GigE ports in use, it still has 3 remaining. How is 3 Gbps of connectivity not enough for a 450Mbps firewall?

For reference, my largest customer has 6000 PCs with a 60Mbps pipe, they use at most 10,000 concurrent connections, which is 1/28th of the capacity of that 5520.
 
And, what do you mean "4 legs"?

The 5520 has 4 GigE ports, that's what he's talking about.

Also, FYI, you can add another 4 gigE ports via a module, again, shouldn't be needed unless the rest of the network is screwed up.
 
I'm confused by the OP. So....you have a pair of ASA 5520's and don't like them? And want something else?

Keep the ASA's. Get some training instead of spending money to replace them.
 
Right, my question is why the hell it matters. That's what switches are for.

Maybe they don't know about trunking?

This sounds like the network guy has some homebrew stuff at his house and thinks it's great, then got the company to buy into the same deal. Now he's confronted with the complexity of a real enterprise level product and can't cope.
 
I'm confused, what's wrong with the 5520s?

I concur. I'm all for free/OpenSource, but the 5520s are nice and already can do an adequate if not exceptional job :) Just grab managed switches if you need more ports.

Annoyance
 
Maybe they don't know about trunking?

This sounds like the network guy has some homebrew stuff at his house and thinks it's great, then got the company to buy into the same deal. Now he's confronted with the complexity of a real enterprise level product and can't cope.

Hell, you don't even need to trunk, you'd just be limited to 4 virtual interfaces on the firewall. You could break that out into a 48 port (or chassis switch) per interface and still never run out.
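To show the trunking point concretely, here is an added configuration fragment (not posted by anyone in this thread) in which one ASA 5520 port carries two logical interfaces over an 802.1Q trunk, leaving the remaining physical ports and the failover link untouched. The VLAN numbers, interface names, switch port and documentation-range IP addresses are constructed placeholders.

```text
! ASA side: GigabitEthernet0/2 becomes a pure 802.1Q trunk port.
! The physical interface carries no name, level or address; the subinterfaces do.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Logical "leg" 1: the existing DMZ, tagged as VLAN 10 (constructed values).
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Logical "leg" 2: a second DMZ, tagged as VLAN 20 (constructed values).
! Giving it a lower security level keeps the default deny from dmz2 toward dmz;
! only the explicit ACL below opens the one flow that is actually needed.
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz2
 security-level 40
 ip address 198.51.100.1 255.255.255.0
!
! Permit only TCP/443 from dmz2 hosts to a single dmz host, log the rest.
! Caveat: once an ACL is bound to dmz2, the implicit "lower to outside" permit
! is gone too, so any Internet-bound traffic dmz2 needs must be listed here.
access-list dmz2_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 443
access-list dmz2_in extended deny ip any any log
access-group dmz2_in in interface dmz2
!
! Quick checks after applying: show nameif / show interface ip brief
!
! Switch side (Cisco IOS, constructed port): present only the two VLANs.
! Omit the encapsulation line on switches that speak dot1q only.
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```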
 
If your net admin is whining about supporting the ASA's, get a new net admin. Those 5520's are great
 
I replaced a 5505 with pfsense not too long ago when it came time to expand the device license. I wouldn't exactly call it "home brew shit" either. That's not really giving it any credit. Let's face it, it's doing a lot more than the 5505 did, easier. It's rock solid. I took Cisco courses in college and know my way around switches and routers fairly well but the ASA is a different device entirely. I, myself, didn't feel comfortable supporting it. I'm not a part of the elitist Cisco group.

That being said.... I agree with Valnar, if it were a pair of 5520's though I probably would have petitioned the boss to send me to a course to learn the device. Those things are worth too much.
 
Corporate Grade >= Homebrew/Open Source.

In the end, it's all about support. You have a question about how to do something on an ASA? Open a TAC call. They'll either walk you through doing it, find a way, or let you know yer barking up the wrong tree and suggest a different method. This means you have an entire world of people ready to support you at the other end of a phone. Cisco ASA, Juniper SRX, CheckPoint, whatever, they are all fully supported solutions.

With the PFSense, what happens when you find some odd ball bug due to a business-specific configuration? Who are you going to call? A web-forum, and put your project/fix on hold while your boss is breathing down your neck?

Seriously, I'm all for the Open Source solutions (I'm a PFSense junkie myself), but in a situation where downtime costs real $$$, your boss won't care. He wants uptime. Period, end of story.
 
Corporate Grade >= Homebrew/Open Source.

In the end, it's all about support. You have a question about how to do something on an ASA? Open a TAC call. They'll either walk you through doing it, find a way, or let you know yer barking up the wrong tree and suggest a different method. This means you have an entire world of people ready to support you at the other end of a phone. Cisco ASA, Juniper SRX, CheckPoint, whatever, they are all fully supported solutions.

With the PFSense, what happens when you find some odd ball bug due to a business-specific configuration? Who are you going to call? A web-forum, and put your project/fix on hold while your boss is breathing down your neck?

Seriously, I'm all for the Open Source solutions (I'm a PFSense junkie myself), but in a situation where downtime costs real $$$, your boss won't care. He wants uptime. Period, end of story.

Pfsense has paid support if you choose to go that way.

https://portal.pfsense.org/index.php/support-subscription

And it's not like you MUST put something OpenSource on your spare pentium 3 box from the 1990's. I run our pfsense on "Corporate Grade" hardware. So we can stop calling it "Home Brew". Home Brew is that $.99 app you bought on your phone that farts, that some nerd kid made in his spare time in his parents' basement.

However I can say honestly that what small problems I've ever had with pfsense were solved quicker through the support forums than problems I have to submit to most of our other vendors with paid support.

You're talking like there isn't a big helpful community out there for pfsense either.

My decision to move from the 5505 was a good one no doubt and has saved us money over support contracts, license upgrades and TIME spent troubleshooting even with the oh so inferior non paid internet support forum. License upgrades would have raped us in the future with the service we're trying to roll out to our existing and future customers in the next year.

I've only had 2 run-ins with Cisco support. The 2nd one is ongoing. My company does voice recordings for call centers/financial institutions. We record Cisco IP A LOT. First time one of our customers had to call we got someone we couldn't even understand. My current customer has a ticket in with them and after 4 days we're still waiting for just a phone call back.

I'm not trashing Cisco support or saying they're bad, but to think just because you have a paid support contract that there is always someone sitting at their desk staring at their phone waiting for your phone call and your problem is naive. Paid is NOT always better.
 
Easy tiger... :D

No one is trashing PFSense at all. Not by any means, nor is your decision to use it being questioned. Personally, I'm not a Cisco fan-boi either, but there's a reason they're still number 1.

Let's break it down. If you're in a situation where a pair of ASA 5520's aren't cutting it, would you want to support a PFSense implementation to replace it?

I agree with previous posters, the better solution would be training and/or outside consulting/support for the configuration.
 
LOL, sorry if that came off harsh. Wasn't my intention. :)

But when you say "cutting it" do you mean performance? It's slowing down? It would take some good hardware to make pfsense perform like a pair of 5520's. Not that it's impossible or all that difficult for that matter. It scales so well.

But as the OP says (and I run into similar situations with our own customers) usually the onsite tech is a jack of all trades type of person. May not have the experience or education necessary to manage these devices. If someone wanted to replace them with pfsense for ease of use I could see why. It's not like you're missing out on any features (there's actually a few things both platforms do that the other necessarily doesn't) and the performance is equal to the hardware you use.

The 5505 decision was a no brainer to me, but I did agree also if it were a 5520 I would have tried to get some education on it. The whole notion it's "home brew" just kind of bugged me. It is open source, but certainly not home brew.
 
Wow, I wish I had a few 5520s here but I find the 5510 does us fine.

I do use pfSense for our staff cafe network with squid and squidblock but for the corp network it's 5505 for branch, 1841s / HSRP for the gateway and 5510s at the edge.

While I am on the subject how did you guys find the ISO 8.2 to 8.3 transition?
 
LOL, sorry if that came off harsh. Wasn't my intention. :)

But when you say "cutting it" do you mean performance? It's slowing down? It would take some good hardware to make pfsense perform like a pair of 5520's. Not that it's impossible or all that difficult for that matter. It scales so well.

But as the OP says (and I run into similar situations with our own customers) usually the onsite tech is a jack of all trades type of person. May not have the experience or education necessary to manage these devices. If someone wanted to replace them with pfsense for ease of use I could see why. It's not like you're missing out on any features (there's actually a few things both platforms do that the other necessarily doesn't) and the performance is equal to the hardware you use.

The 5505 decision was a no brainer to me, but I did agree also if it were a 5520 I would have tried to get some education on it. The whole notion it's "home brew" just kind of bugged me. It is open source, but certainly not home brew.

The "not cutting it" remark referred to the OP's Net Admin complaint. They have to have some pretty stout requirements...

Agreed on all points, but in this scenario, the OP says they have a dedicated Net Admin. It's his job to worry about this. It's all about selecting the right tool for the job.

And the HomeBrew remark was not my intent. At one time it WAS home brew, just as IOS was, and neither qualify as that any more.
 
We were pretty hard on the OP, but I'd still like to hear what the issue with the ASA is.
 
I replaced a 5505 with pfsense not too long ago when it came time to expand the device license. I wouldn't exactly call it "home brew shit" either. That's not really giving it any credit. Let's face it, it's doing a lot more than the 5505 did, easier. It's rock solid. I took Cisco courses in college and know my way around switches and routers fairly well but the ASA is a different device entirely. I, myself, didn't feel comfortable supporting it. I'm not a part of the elitist Cisco group.

That being said.... I agree with Valnar, if it were a pair of 5520's though I probably would have petitioned the boss to send me to a course to learn the device. Those things are worth too much.

my thoughts precisely....
 
Learn ASDM to configure the 5520's. It really isn't that hard and it'll definitely get you by for the day to day changes and what not.
 
Y'all coulda just said, "no, we have no other alternatives"...

Though I didn't originally think it necessary to defend our desire to _research_ whether there are alternatives, I'll explain.

First of all, our Net Admin is extremely qualified, certified and all that BS. He certainly knows what the 5520's are capable of but has tried to avoid creating an over complicated solution for us. Before working here he was in charge of Bridgestone's mail servers and firewall/load-balance infrastructure during the time when their tires were killing people and their website was getting more traffic per day than we see in a year (well, not really but still).

Right now, even though I have no certifications (in that area, I built our ecommerce site), I'm able to manage the 5520's via the web interface for _most_ things. Besides the fact that, in his opinion, at our level the firewalls are not the place for VLAN's, he knows taking it to that level would put its administration beyond me. And I have no desire whatsoever to learn. My job is finding ways to make our website make more money (which I've been very successful at). We _want_ our firewall to be a web admin based appliance level so that, in the event he left, we wouldn't have to look for alphabet soup on resumes to replace him.

Y'all might disagree with that but the point is, we are a small business with a 4 man IT shop. Yes, we are more advanced than most companies our size (they would most likely host their site somewhere for example) but we purposefully keep things simple where we can so we can focus our time/effort on the things that actually make us money (yes, if our network goes down we don't make money but the two aren't mutually exclusive).

Also, to clarify the original issue, by "leg" I mean interface and his issue is, without unnecessarily over complicating our current solution, he doesn't have enough interfaces to do all he needs to do. I can't explain better than that without explaining our entire net config which is really beyond the scope of the question because I'm not seeking opinions on how we have configured our network or whether we are doing it right. Some of my databases aren't fully normalized either but there are reasons.

Now, another issue altogether that is a source of "whining" from our net admin is the fact that Cisco is telling us that one of our 5520's is "grey label" and won't allow us to re-up support. And we've got zero cooperation from the two companies that sold them to us in finding out which one is and what to do about it. And please, let's not go down a "that's what you get for buying xxx" road. Both of the companies we bought from were large local companies, Cisco partners, yada yada. And both represented them to us as completely brand new, fully legit, etc.

So all that BS just to say that we might actually have valid reasons for wanting to _research_ replacing our firewall. I didn't say we want to come take yours, I simply asked if there are alternatives.

You know, y'all really should lighten up.

EDIT:

Me: Hey guys, I've got a <insert your favorite dream car here> but it's really overkill and I'm looking to see if there are better, simpler solutions for my daily commute.

Y'all: You dumbass. That's an awesome car. There is no replacement for a <insert your favorite dream car here>, they're awesome and you're stupid for even thinking of replacing it.

Me: Thanks. Lots O' help there. I knew I could count on my fellow OCP'ers.
 
Well, I don't think my single reply was harsh so I won't take anything personally. :D

While at this moment it may be hard for Cisco to support your ASA's, the number of experts out there that know the platform is immense. I think you'd actually be safer keeping the Cisco firewalls vs something else, not to mention they are very robust in features. ASA's are also very easy to back up since everything runs from a config file. At least this way you can send your config to any number of experts for help, while a GUI only firewall (I'm looking at you Sonicwall) would require hands-on support, direct GUI access or remote-control of a PC that has access to it. They are also harder to replicate or replace when there is a failure.

Think for a second about a totally home-made *nix firewall (not even pfSense or another canned product), where the OS was tweaked to the hilt and customized to do a specific function. Other than the person who created it, who would know how to support or re-create it if he left...and it died?

Cisco hardware is a known quantity. That's my reason to stick with it. That...plus you have already invested in it, so the sting of the price is not part of the equation (like it is for many initial Cisco discussions).

Edit for your Edit:
I see your point, but I believe the point of us in this thread is you already purchased the BMW 7 series. Unless you are looking to sell it and get back most of your purchase price in order to go to something cheaper, it doesn't make sense to replace it (or there is a factor we don't know about?). It's like the good, yet expensive ASA's you already own. If this was a question about what to buy and you didn't have any solution in place, but had limited money, that would be a reason to look at many alternatives. What we didn't understand is why you would want to replace the BMW with something inferior when you already bought it? Keep it and let it run!!
 
I understand your point, however, what you're really saying is, in your opinion, there is no safe alternative to a pair of Cisco 5520's. That's fine. I can live with that answer.

However, I had no clue before I asked. I'm a programmer. For all I know, there might have been 2 pages of valid, stable, well supported by the community (think mysql), with paid support available, options listed here when I first checked back instead of 2 pages of people telling me how stupid and whiny my net admin is and how we should just learn2net (yes, a bit of hyperbole but not much).

I didn't know it was a "net sin" to _ask_ if there were alternatives to Cisco.
 
Correct. There are inferior options certainly, and probably more powerful options for even more money. It would be hard for us to tell you if a Sonicwall or pfSense feature-set would be adequate for your company's needs, but it is easy for us to say that because you already own the Cisco ASA, it should certainly be up to snuff.
 
So if he can't make do with four interfaces for a small business, there's something wrong.

And, if this is all for you and you have no desire to learn anything, what is better about using a new product you don't understand?

As for the support issue, you NEED to work with your "large local company, Cisco partners" and figure out wtf is going on. If you truly purchased from a Cisco partner and they sold you gray hardware, you need to let Cisco know. Cisco partners are not allowed to sell gray hardware. If your purchase was truly through a partner, this is a non-issue, just work with your partner (or Cisco) to get it resolved.
 
Take a look at Juniper SSG perhaps.

They're pretty damned cheap, even the cheap ones have a lot of physical interfaces.

I wouldn't go the DIY route for a firewall. I have no issue with open source but if you're expected to look after this thing in the admin's absence do you really want to go trawling forums when there's a problem or do you just want to log a case with the vendor?
 
Take a look at Juniper SSG perhaps.

They're pretty damned cheap, even the cheap ones have a lot of physical interfaces.

I wouldn't go the DIY route for a firewall. I have no issue with open source but if you're expected to look after this thing in the admin's absence do you really want to go trawling forums when there's a problem or do you just want to log a case with the vendor?

I second the Juniper suggestion. We run multiple SSG520s across my organization and they are relatively pretty simple to config/manage through the web interface in my opinion. Our programmer helps me maintain them whenever I need him to and he has little to no networking experience.
 
So if he can't make do with four interfaces for a small business, there's something wrong.

So under no circumstances whatsoever should any small business ever need more than four interfaces (three really as 1 per each is taken up by fail-over). Got ya.

And, if this is all for you and you have no desire to learn anything, what is better about using a new product you don't understand?

You're right. That part where I mentioned that I've learned how to administer all our current needs using ASDM which would imply I've learned enough about basic networking to understand a new, simpler product was a lie. It would normally imply the complete opposite of "no desire to learn anything" too, that is, if it wasn't a lie.

As for the support issue, you NEED to work with your "large local company, Cisco partners" and figure out wtf is going on. If you truly purchased from a Cisco partner and they sold you gray hardware, you need to let Cisco know. Cisco partners are not allowed to sell gray hardware. If your purchase was truly through a partner, this is a non-issue, just work with your partner (or Cisco) to get it resolved.

That completely never occurred to me. I mean I know I said we've got zero cooperation from both of them which would normally imply we've TRIED to work with them but I was lying about that too.

This whole thing has been a train wreck. Full of pompousness and wrong assumptions and basically all the _wrong_ things about asking for help. Seriously, "there's nothing remotely comparable to the 5520's you have that anyone sane would touch with a ten-foot pole" would have been just fine...

Re-read my original post. I didn't say, "these 5520's suck balls and we are damned determined to replace them with Windows Firewall, is that okay". I simply asked if there was something along the lines of a "Switchvox" alternative to Cisco/Avaya phone systems. In my clarification, I said something along the lines of mysql for a company that was unnecessarily using Oracle.

I asked because _I did not know_.

Not that long ago I asked whether there were alternatives to an EMC NS20 (Celerra/Clarion) for a SAN. I got some "OMG you can't use anything other than Cisco" answers but for the most part, everyone described the "current state of small enterprise SAN" - from roll your own all the way up to beginner large enterprise. And because of that, we now have a Scale Computing M4 cluster that will be replacing our EMC NS20.

Had I known what a total waste of time asking the same type of question here would be, I wouldn't have bothered.

EDIT: BTW, that whole comment about "you need to let Cisco know" is wrong, from our experience. You make it sound like if you tell Cisco that, that they will send out the Cisco Police or something. In our case they just said, basically, "you need to work that out with the company you bought it from".
 
waa waa

Obviously you're lying or an idiot. If you bought these from a valid Cisco partner and they're gray market, you should be able to work that out with your partner or Cisco. I find it hard to believe that you can't get an answer from any of these companies. Get real.

So you've learned some, but aren't willing to learn more. By the way, I'm basing it off of this comment:

"And I have no desire whatsoever to learn"

That YOU made.

And no, no small business should need more than four physical interfaces on a firewall. Ever. I don't think too many people were being all that rude. You asked a stupid question and got helpful answers, for the most part. If you're not happy with the answers, ask somewhere else.
 
I think if we had a better idea of your environment, we'd probably give you a better answer.
But with the few details that were in this thread, I think you could move to pfsense and be fine.
It might be that the ASA 5520 is being used as a glorified NAT and packet filtering FW, which the pfSense box can easily do.

But to give you more of an educated answer, we would need some more information regarding your environment.

Things like:

How much throughput do you push through the FW today?
How many DMZ's do you have?
Do you have regulatory requirement that may restrict your options?
Why do you need additional network segments?
Do you need IDS/IPS?
What functions of the ASA do you use today?

Your statement about needing more network segments may indicate that there is a network design issue. If you are using the ASA as a L3 boundary, something sounds wrong. I'm not saying that no one needs more than x amount of segments (we have 8 on one pair, 4 on another), but there are different ways to address that issue.

Lastly, you can't be too small of a company if you spent money on ASA5520 and the NS20's. Not sure if the Scale Computing M4 was an improvement, as I haven't come across them in about 3 years, but sounds to me like this is no mom and pop shop.
 
The first was purchased like 6 years ago and the second about 4 years ago (IIRC) and our sales rep at both places has changed like 15 times since then and in the second case, the whole company changed hands 2 months ago and they are blaming the transition for the lack of communication. When I went over the sales rep's head to the owner and complained, the idiot CC'd me on his forwarding my email to the sales rep and added, "please look into this". That was 2 weeks ago.

"you should be able to work that out with your partner" - no shit, in about 6 months from now.

And "I have no desire whatsoever to learn" all the shit it would take to understand if he started VLAN'ing on our firewall. Said explicity so you will be able to understand, IN ADDITION TO all the shit I've learned in order to be able to make sure I can keep the websites up should something go wrong and my net admin is not available. Which is a SUBSTANTIAL amount above and beyond what your average programmer learns.

That's a _freakin'_ large stretch from your comment of "no desire to learn _anything_".

As far as the no more than four interfaces issue... all I can do is shake my head... I'll give you some elbow room and say that "small business" is not at all accurate. Our revenue last year was solid mid eight figures and we're shaping up for a sizable increase this year. We maintain one 300,000 sqft warehouse and two 100,000+ sqft branch warehouses. Though how the hell we do with such idiots like me running the place I have no idea...

EDIT: Though we are still a family owned, "mom and pop at heart" business and willing to look at alternatives to traditional enterprise solutions when those alternatives make sense.
 
I'll just say again in case it got lost amongst the other fun stuff, take a look at the Juniper SSG's.
 
I still want to know why you need more interfaces?
I mean d00d, you sit here and ask for help but aren't willing to give us any specifics about your environment.

Recap of what we know:
You need more interfaces? Why?
You aren't willing to learn anything.
You like to keep things simple.
You bought grey market hardware.

Based off that information you want recommendations on what to replace a pair of 5520s with.
What kind of answers did you expect?

Some people have shouted out PFsense, Juniper SSG. OK great
If you really just need more ports (which you probably don't), then just go buy the 4 port SSM expansion module and keep what you have.
 
It might be that the ASA 5520 is being used as a glorified NAT and packet filtering FW,

^ this (actually not _completely_ but close)

See, that wasn't so difficult. :)

But to give you more of an educated answer, we would need some more information regarding your environment.

Things like:

How much throughput do you push through the FW today?
A lot because of the way we do our data as described next.

How many DMZ's do you have?
We have one but this is at the heart of the matter. My net admin thinks we might benefit from having 2 for various reasons (some of which I don't completely follow). Some of it might be we do "near" real-time on our website inventory and have several "liaison" apps running that sync data back and forth between our in-house and web data.

Do you have regulatory requirement that may restrict your options?
Nope

Why do you need additional network segments?
I'm not completely sure yet. Asking.

Do you need IDS/IPS?
Nope. Had it and pulled the modules.

What functions of the ASA do you use today?
Only basic firewall functions if I understand correctly.

Your statement about needing more network segments may indicate that there is a network design issue. If you are using the ASA as a L3 boundary, something sounds wrong. I'm not saying that no one needs more than x amount of segments (we have 8 on one pair, 4 on another), but there are different ways to address that issue.

Lastly, you can't be too small of a company if you spent money on ASA5520 and the NS20's. Not sure if the Scale Computing M4 was an improvement, as I haven't come across them in about 3 years, but sounds to me like this is no mom and pop shop.

Yep.
 
I still want to know why you need more interfaces?
I mean d00d, you sit here and ask for help but aren't willing to give us any specifics about your environment.

Recap of what we know:
You need more interfaces? Why?
You aren't willing to learn anything.
You like to keep things simple.
You bought grey market hardware.

Based off that information you want recommendations on what to replace a pair of 5520s with.
What kind of answers did you expect?

Some people have shouted out PFsense, Juniper SSG. OK great
If you really just need more ports (which you probably don't), then just go buy the 4 port SSM expansion module and keep what you have.

Wrong. Go back and check. By the time I made my 2nd post, a page and half of posts into it, I'd gotten Vyatta and, basically, "damn y'all suck bro". I completely missed the post about adding modules (which may be what we wind up doing now that I've learned there's not a lot of stellar supported open source type solutions) since it was mixed up among all the "you're doing it wrong" posts.

And, damn, do you HAVE to keep saying "you don't want to learn anything". I said I don't want to learn how to manage/understand VLAN'ing on a Cisco ASA 5520 (and complexity beyond that). That's it. I don't mind learning HTML5, JQuery, ASP.NET MVC, IIS Reverse Proxy, Highly Available ARR deployments, SEO, SEM, Adwords API, Fedex API, USPS API, PCI Compliance, kernel level caching, Web Sockets...

Or any of the other 500 things I'm studying right now to make sure our website stays on the upside of profitability. Damn.

EDIT: and we didn't "buy grey market hardware" - we were "sold" grey market hardware when what we paid for was legit hardware from a Cisco partner. From what we've been able to piece together, the "Cisco partner" sold us a unit that was new in the box that they took in on trade from another customer, or something like that.
 