Episode 2: Netgate – Secure Networking Software with Jamie Thompson
Jamie Thompson is the President of Netgate, the company behind the popular open source firewall project, pfSense. Both Jamie and her husband Jim, who is also featured on this episode, have spent the last 15+ years making secure, high-performance network connectivity tools available to the masses. In this episode, Jamie and Jim discuss bootstrapping their company and Netgate’s unique business model that involves monetizing hardware that implements their open source software.
Michael Schwartz: Welcome back to open source underdogs, the podcast where we interview leaders from successful open source software companies and bring their stories to you.
Today my guests are Jamie and Jim Thompson, founders of Netgate, the company behind the popular open source firewall project pfSense which is over 1 million installations.
Jamie could you start by telling us a little about Netgate and your journey founding it?
Jaimie Thompson: Sure. Netgate is a open source network security company, both contribute to and utilize open source software and create products from those projects.
About me personally, I’m too old. I’m from Oklahoma originally. I was peak woman, there was a peak year for women in computer science and that was the year I graduated with a degree in computer science. And that was 1984, a long time ago. And I have a master’s degree in applied cognition and neuroscience which is essentially experimental psychology.
Worked as a software engineer. Early my career switched over to doing more of the sales engineering, worked for Sun Microsystems. I’ve worked for here in Austin a company called Tivoli Systems, which was ultimately went public in the 90s and got bought by IBM.
And I guess we started Netgate in about 2002 and I’ve been doing it ever since.
Jim Thompson: So Netgate was originally the name of a firewall that we’d done.
The first time we had an open source company called SmallWorks here in Austin that started with open-source I think my first open-source contribution was a port of new E-Maxx to a convex supercomputer in like 1987.
And there I went to Sun and that’s where I and Jamie met. Building out their worldwide network and got pretty involved in network security, that point I download the first set of proxies. Around 1989 or so I did that, because we had a need internally.
Once we started hooking up all the sales offices and remote facilities to this internal WAN and everybody wanted access to what we now know as the internet. It was really more ARPANET then. So I built a proxy so that people could get out and go fetch the latest version of the X11 system or something like that.
And that sort of, I saw that and saw people use it and sort of identified a need for actually agreeing to build a packet filter for the Sun Systems that was sort of the origination of the original Netgate packet filter or firewall.
Jamie Thompson: So when we started, Jim came up with this packet filtering firewall back in the early 1990s. And it was also open source but in kind of a different way – when you bought it from us, we gave you the source code so that you could analyze it and make sure that there weren’t any backdoors and you couldn’t sell it further on.
But you could certainly take it and analyze it internally, and in fact one of our early customers was Wells Fargo Bank. So we’ve kind of been dealing with network security and firewalls and took a detour through wireless for a decade. And have always been interested in and involved in network security and how do you create both privacy and security, both for companies and for individuals.
Michael Schwartz: Who are the customers of Netgate today?
Jamie Thompson: Well it’s really interesting, the software is very lightweight on providing any sort of feedback for us. It is open source, you can download it off the internet and run it.
You don’t have to sign up for anything, we don’t create any not paywall, but there’s no registration wall, to get the software. So we don’t always know who it is unless they are either asking us questions, either on the forum or in support or if they need some professional services or they want a private port or something like that.
So we’re we actually are learning more and more about who the customer base is at this time, but we have everything from individuals who are running it in their home labs, and then those people sometimes will take it into their companies.
And we also have a lot of government entities who run it. And then there’s actually in entire governments that run it, not the United States government but portions of it actually do, yeah. So it is used both inside the US and then other government entities around the world. Lots of individual, yeah, lots of S&B. There are some service providers who also use it.
It’s also integrated into some other products, so you’ll see people who’re providing some sort of service and they use our software either for the transport or for a firewalling, that sort of thing.
Michael Schwartz: Is there software that people can buy? Or do individuals just download the open source?
Jamie Thompson: Well both. They actually can download it for free or we also take that software and we package it onto hardware.
So Netgate utilizes the project and creates a product from it. And then the product is packaged either with hardware or in the cloud and we sell support and services around that. So really how we’re…
Jim Thompson: Some part of that is system integration. You know, product test and release testing. that kind of thing. We test primarily on the things we sell.
So there is a lot of system integration or ports to get on new hardware, so we expend the effort to get on some of them and make that experience. You know really clean and easy. But then we have to maintain that going forward.
So we test and release in part just on what we sell, we make a generic version available to anyone. But the actual, if you will, hard work of making sure that things really work has to be done on some hardware platform.
This we have to focus on, we sell or cloud platforms, virtualization, that kind of thing.
Michael Schwartz: Do you sell support services?
Jamie Thompson: Not everyone who purchases hardware from us gets a support contract or needs professional services, a lot of people already know how to use the software. It’s straightforward enough that they don’t need any extra work.
So like a lot of other companies out there, we can’t sustain the project on just support and services.
Jim Thompson: There are both large and small customers on the forum. US Army Cyber School we discovered on Reddit. Literally, one day. They were already a customer and they are user of pfSense. We didn’t know it because we have no way of testing them.
So again, it’s sort of across the entire range of customer types or segments of the market, if you will. We only know and work with people who have approached us.
Now, we know the approximate attach rate for people that we sell to versus how many instances of pfSense are turning up in the world. We can’t measure on a very granular, non-granular or scale that we see, more and more IP addresses if you will, looking for updates, or downloading additional functionality via packages, that kind of thing.
So we can see in approximation of the size of the installed base on any given month, and we know who we sold. And you know that ratio is about 1 and 20.
Michael Schwartz: Are there some companies who are OEMing the product?
Jamie Thompson: Well, there are companies that have taken it – it is open source, and so they can integrate that into their own product or in the cloud.
We have versions of the software available on the public Cloud so they can utilize it and in their businesses or integrated as part of their own software as a service product offering.
Michael Schwartz: How about channels? Do you mostly sell direct, or do you have any integration partners who help you reach customers?
Jamie Thompson: We have both a set of hardware resellers. So there are people who wanted to be involved with pfSense and especially in other countries, or in other languages we don’t have the ability to speak with them directly, we have ported the, it’s not call port it’s a…
Jim Thompson: Endemic translations.
Jamie Thompson: Yeah we’ve done a bunch of language translations, do you remember how many?
Jim Thompson: It’s approximately 30.
Jamie Thompson: Yeah I was thinking 30 as well. So the software runs in these other languages and obviously we can’t speak all those languages, no one here is that good.
So we have in-country partners who can either sell support service, and we have both people who are doing straight reselling, we have people who are MSP’s or MSSP’s. We have people who are buying it direct and then daily lease it. So there’s all kinds of different models.
We also, in terms of channels on the cloud, we do support some of the cloud service providers. People who do the integrations to basically create an entire stack. So if you wanted to move your application or the set of applications to have as a company into the cloud you could do that and the cloud service providers, their partners would help you migrate all of your data and put together your infrastructure and help you monitor and manage it.
And our best partners right now are in Europe. Some of them again are MSP’s or MSSP’s and some of them are just selling direct or helping people integrate.
Michael Schwartz: What’s the value proposition of Netgate?
Jim Thompson: We are the developers of pfSense primarily. There are community contributions that you can actually go out and look at like the list of Git commits. And you filter out the ones that you know staff here have done. It’s you know 90% plus Netgate.
And so since we’re the developer a lot of people feel safer when they’re dealing with the people who actually make software, you know, why wouldn’t we give the best possible experience on things we sell.
Jamie Thompson: We employ a lot of engineers, we have people who have commitments for FreeBSD. We have people who are just fantastically gifted both in hardware and software. We couldn’t do it without the engineering team, they’re just fantastic.
And it’s, you know the kind of thing you can’t get from a community because it’s hard to prioritize that open source development over what you’re doing in order to be able to be paid so that you can eat, and have a house, and all those good things.
So we actually do employ a huge team of Engineers to work on this open source product. And do the testing and the architecture and we run the infrastructure and…
Jim Thompson: You’d be amazed at how low-level we have to go to fix some issues. You’re talking about, you know, peak of second timing on NMMC bus, or we run into in situations where Ethernet PHYs don’t have the right choke on them, and so you can see more power in the PHY than you otherwise would. And we’ve had to actually go back and debug designs we didn’t do.
So there are there literally three people on staff who are EE’s, know them and engaged with EE on a day-to-day basis. The 4th who knows enough about it he could, he used to design medical devices. So we have a depth here, the technical depth that some people would find astonishing.
Use Of Open Source
Michael Schwartz: Has open source served as the main distribution channel for Netgate?
Jim Thompson: Well principally it’s a licensing structure. It’s almost all open source licenses are based on copyright, the original, the ability of the original author for assigning to control that copyright or leverage it.
The original, if you will, of the GPL turned copyright on its head that’s why some people call it copyleft. They use copyright to enforce the fact that you can control the copying. It’s an interesting hack if you own the legal system.
We have benefited enormously as has, you know, RedHat and a slew of other companies you can name from, if you will, marketing via these you know user groups. They’re in control of their own conversation, there’s no marketing conversation in the room. There’s all this experimentation if you will, 10000 flowers.
Try the successful ones are successful, and the unsuccessful ones you never heard about. So yeah we’ve engaged that too, and the fact that the the software is open source and free has been quite a bit of the actual marketing.
People discovered it and use for their own purposes and introduce to people who we were never gonna here from unless they approach us directly. It spread largely through that if you will, word of mouth or word of forum, association of use pfSense, it’s great.
You can still see that going on today. There are hundreds and thousands of people I will never meet who are using software we create.
Michael Schwartz: What is the primary activity of Netgate?
Jamie Thompson: Software development is the primary activity. If you say what are you as a company? We would say that we’re a software company.
But in order to leverage that software, in order to be able to actually continue to develop that software we do need an income stream, we need a revenue stream. And since we are self-funded, we don’t have VC, we’ve had to do that by selling hardware and services and renting it in the cloud.
So just like any any other company would do, I’d say that our number 2 activity actually is probably hardware development, which is kind of weird.
We have hardware, we work with some of the ODM’s and OEM’s on hardware designs and so we’ll go to them and say well we need, an Intel box that has 4+ next, you know i350 and two i210’s, don’t want those i211’s.
So like Jim said earlier, we have a lot of hardware depth that you wouldn’t expect for a software company. And that really isn’t normal, I think that, you know, if you look back we’re kind of more of a throwback to the kinds of companies that you had in the 80s where you would, you would develop both the hardware and software together and sell tell the system.
So that’s what we’re doing, we’re selling appliances and we’re providing both the software and the hardware that it runs the best on.
Jim Thompson: Vertically integrated.
Jamie Thompson: Yes, oh there you go.
How Did You Figure Out How To Vertically Integrate And Self-Fund?
Michael Schwartz: Normally I would think a hardware company needs a lot of capital. How did you figure out how to vertically integrate and self-fund?
Jim Thompson: A lot of credit card debt.
Jamie Thompson: Yes there’s been a lot of credit card debt, that’s true. When we started down this path with the hardware we were taking components that were available, and we were basically integrating those components and we were doing it on a pretty small scale.
And as we were able to convince people that we knew what we were doing in terms of both the software and the hardware and the integration. And we just had some really good solid products out there. That, actually, stuff that we sold 8 years ago is still on the field running today. And we basically just slowly grew and slowly grew.
Then we would reach kind of the limit of that hardware or of the supplier. We had one supplier, so we were doing 500 a month and we’re like okay we need to go 600 a month. Well we can’t do that, we can’t manufacture that much.
Okay we have to go off and find a different manufacturing and we’ve slowly gotten to the point where it’s just been a pretty much continuous ramp to the point now where we can go to some of the larger people in China or Taiwan or wherever they happen to be. And say, okay we will sign up to this many systems over this period of time and …
Jim Thompson: We can write large PO’s and back them with financial strength of what we built together over the past decade.
But has taken reinvesting almost everything we made to continue to make the business grow. So we live, sleep, and breathe Netgate… While raising a child!
What’s Next For Netgate?
Jamie Thompson: Kind of more interesting thing is that over time we’re looking at the software which actually started with Manual Casper, manu wall back in the day. And we’ve improved the software, we’ve ported it as FreeBSD has changed, we gone along with that.
One of the big things that we’ve just done is we’ve all ported to PHP 7.2. So we were running with the older version of PHP and the current person that’ll be coming out here shortly we’ve had to to update to 7.2 because of course you know software end-of-life’s, over period of time it goes to a no-support model.
One of the interesting things we did about three and a half years ago, four years ago, is we sat down, we said you know – if we were going to rewrite this what would we do? Because the questions that were being asked and the requests we were getting from the customer base who talk to us are like you know, it’s easy to do one firewall.
It’s easy for me to sit down in my home lab and control the firewall for my house. But at work I’ve got 50 of these things and I have to go control them individually just have a GUI, rather than a GUI, do you have an API? Can we use rest RESTCONF for NETCONF, or basically as architectures have changed and people’s thinking about management has changed.
We saw that there really wasn’t a way for us to change that software because of the way that was originally architected. If would be really difficult to put an API in. So while we’re also moving pfSense along we’re also thinking in the back of our heads what do we need to be doing differently.
We have actually some new software and it’s also based on open source, it’s Linux-based. It’s called TNSR.
And TNSR is really the result of a lot of architecture discussions within the engineering group and looking out to see what other people are doing now in terms of managing their networks and providing security for their networks.
So now you’re looking at orchestration and automation. A lot of people are are looking at well how does this run with Kubernetes how does this run with containers.
How I manage 50 of these things at once, and so not only are we working with pfSense but we’re also working with TNSR is really, well it’s available today in the cloud, but it’s really trying to kind of solve the next generation of problems around network security.
Why TNSR Was Needed
Jim Thompson: In those environments computers and the networks they run on have disappeared inside a machine, there is no box, there’s just one box, it’s the big box that you don’t even know it or see it.
It’s on a cloud provider somewhere, so on Amazon or Google cloud or Azure or something, and you never see it, and you never see the networks around. You just have the sort of remote ability to control via an API so there’s no there’s no blinking lights, there’s nothing left to touch.
And so that ends up being very different environment, these Kubernetes environments have messaging rates sometimes that are you know hundred thousand messages a second you have to be able to tell what’s happening.
So TNSR, which Jamie started talking about, is sort of an answer to what’s starting to occur in-network.
How Much Profit Gets Re-Invested In R&D?
Michael Schwartz: How much profit gets reinvested in R&D?
Jamie Thompson: All of it, basically. Yeah.
So, basically as we’ve grown the company and have been able to add more people, or we’re really lucky and in the respect that we took whatever we had, and said okay, what’s the next thing that we can do to make ourselves be more useful to our customer base or to be more useful to enterprise.
One year we added 24/7 support. And suddenly, oh okay, you guys are real because you do 24/7 support now.
But we’re no more real the next day then we were the day before. It’s just suddenly people felt more comfortable because they can get a hold of us and they can we can help him walk through their problems. And of course no firewall problem ever occurs at noon on Monday it’s always midnight on Friday.
So going to the 24/7 support model was huge for us, starting a partner program, a worldwide program, to help support people in-country and in-language with our partners was another huge bump for us because we’re now able to actually answer the questions that people had in a way that was more comfortable for them.
As things have changed out if to focus more on the cloud and to focus on this automation and orchestration.
Michael Schwartz: What are some of the non-integrator partnerships?
Jamie Thompson: We didn’t see a way for us to take the software that we had and move it forward so we started looking around.
We have supported the BSD Foundation in the past. We’ve also now joined Linux Foundation and we’re big contributors with LFN, with Fido. We also support Clixon. So, not only we are supporting the software that we have written, we’re also supporting groups and other software projects where we’re either contributing with monetary contribution or code.
So you actually if you got look at at Fido, you’ll see that we are in the top five maybe even top three contributors for VPP which is the vector packet processing, that LFN is doing.
So we’re trying to help contribute to the ecosystem not only the code that we’re writing and that we’re putting forward, but helping, trying to help move networking and security long a little bit further in ways that we couldn’t do on our own.
But we can we can contribute to it, we can help.
Jim Thompson: In the same way that we have a community for pfSense were part of other communities around some of these constituent technologies. There’s even marketing on that side as well, the Linux Foundation markets LFN.
Fido’s BPP is a big part of that. So we know we show up at conferences and occasionally talk and participate in various mailing lists, you know online conference calls about where should we go next and that kind of thing. So all that tend to count for contribution.
Making the technology move along even though that technology ends up in potentially competitors product system.
Like I said, in the same way we have a community of people that we support. We’re also constituents in a community of some of these technologies that we take advantage of.
VC Money Risks
Michael Schwartz: You’ve avoided raising venture capital, why?
Jim Thompson: As with almost any decision there are pros and cons to that particular decision. The money is what people tend to focus on, how do I get this thing bootstrapped to get enough people working on it while I have something.
I’ve been the CTO of two companies, that combined I helped raise over a quarter billion dollars of venture capital, over seven or eight rounds. One of those companies was in product and one of those companies was in services.
My best advice is while things are going according to plan, the venture capitalist are here to help. They will open the Rolodex and they’ll introduce you to additional partners, give you some legitimacy into accounts that potentially you didn’t, you couldn’t enter.
If you can’t execute on the plan that you told him about, that’s when things can take a turn.
Jamie Thompson: That’s when they change the plan. Sometimes.
Jim Thompson: You know, VC’s are financial engineers. They’re there to optimize return for their fund.
And so the best advice I have for anyone who’s looking at this is to go out and really understand what VC is and how it can help. And what the VC’s goals are versus what your goals are. And if you can find a way to line those it can be great.
If those goals aren’t aligned then it’s just money and there are potential other places to make that happen.
Jamie Thompson: If it’s something you can articulate and something that is a physical product you can always go Kickstarter, or crowdfund, or there’s all kinds of other ways to do it.
But like Jim said I mean we’ve both been involved in companies that have been VC-backed and we’ve seen them sling the company around to try to meet whatever their goals are.
And so that’s actually one of the things that we’ve talked about occasionally, is okay are we at the point now where we can’t continue to bootstrap it ourselves, are we at the point where we should take some money and so we can do some additional marketing.
And we were real hesitant on that. Trying to decide.
How do we move forward and how do we maintain the spirit and the feeling of the company. How do we maintain our open source roots because we were all very focused on security and privacy and we believe that everybody should be able to have security and privacy if they want.
But if a VC makes it, if a VC says okay well now you have to get everybody to register, well you know we’ve got people who don’t want to do that.
Michael Schwartz: Any advice for entrepreneurs starting an open source software business?
Jamie Thompson: It’s harder than it looks. It can be fun, it can be difficult.
But if you have what they call today grit, if you have that ability to stick with your idea and keep going but yet, if someone is able to influence you and you change your mind help steer you in a new direction, that’s great.
But it really, it’s on you and you find, they would say find your passion, but find a thing that’s really interesting to you and stick with it.
Jim Thompson: Businesses survive at the will of their customers. Solving customer problems and providing value to the customer is literally why you have a business. Because without that nobody is sending money your way unless they feel bad for you.
As an entrepreneur you have to be willing to engage with and talk to your customers and prospects. You have to be willing to take the call that says your code is broken, fix it now. You have to be able to hear rejection when somebody chooses another solution and get up the next morning and go back to work.
These things all sounds trite but a lot of people the computer field are into the computer field because they like working with computers, not other people. They have friends but population at large can be scary to approach because what if they say no.
The best thing you can do for yourself as a business or as an entrepreneur is to be willing to interact with the people who think your product is interesting. And they would like to find a way to use it and they have potentially other ideas about how it could be used and you have to be willing to listen.
If the number of bright people on a given body of people is, I think as Bill Joy famously said, is the log of the number of people in a group, so the number of smart people in a group is log of number of people in a group, and he didn’t say what the base was, but it’s this diminishing returns, a larger group you have the fewer smarter people you have per out of basis.
But these ideas occur everywhere. And open source is really one of the answers to the question of how do we adopt other people’s ideas. Somebody can have an idea and they can develop an open source project and it flourishes or it doesn’t. If it flourishes it was a great idea, incorporate that into their technology stack.
It’s the same thing with customers, some customers will help you focus your products in ways that you weren’t going to think of. And so that ability to be open to hear both positive and negative messages about the thing you’re doing with your life or that part of your life is really critical.
Michael Schwartz: Jamie and Jim, thank you so much for sharing your insights and best of luck with Netgate.
Jamie Thompson: Thanks for having us.
Jim Thompson: Thank you.
Michael Schwartz: That’s it for episode 2. Transcription and episode audio can be found on opensourceunderdogs.com.
Special thanks to the Linux kernel for co-sponsoring this podcast, to the all things open conference for helping us publicize the launch.
Music from Broke for Free, Chris Zabriskie and Lee Rosevere.
Production assistance from Natalie Lowe. Operational support from William Lowe. Thanks for the staff of Netgate for logistical support.
Next week we’ll talk to one of the superstars of open source business, Michael Howard CEO of Maria DB. Until then, thanks for listening.