This sort of points the finger then at a commercial need for a hardened pfsense product running on a specialized ASIC of some sort.
So when can Chris sort that out? :)

On Wed, May 25, 2011 at 9:32 AM, Ian Bowers <iggd...@gmail.com> wrote:

> I think the gist of what he's saying is that because it's running on a *nix, anyone can log in and install any software they want on it. Ultimately this is a gaping security hole from certain perspectives. I don't mean that the firewall software or the OS contains gaping security holes. Don't get me wrong, I love OpenBSD, pf, FreeBSD, and PFsense when I tried it. What Greg is saying is that because, in this case, it's FreeBSD underneath, anyone with root access can go in and install stuff. So the only way you can certify the performance and security is as it exists when it's still in the box. Then take an ASA for example. You get it in state X. It's capable of almost limitless config variations, but the underlying functions the platform can perform are static. You can never SSH from the ASA to another device. You can never run mysql on it. And all I mean by this is that some asshole or rogue IT guy can come along and install whatever they want on a PFSense firewall. In a proper environment there would be controls against this, but that's dependent on the environment the device is installed in, so you can't really roll that up into a security specification/certification. I think he's also getting at that it's just software, and it depends on the hardware you run it on. Take Soekris for example... Love Soekris, love their hardware, but I hate VIA chipsets. Less now than before, but over time they've proven a headache and a burden. You can't certify pfsense to perform and operate a certain way unless you wrap up the software with specific tested hardware, and having the ability to install arbitrary software on it makes it open to more than just config errors.
>
> I'm digressing a little bit, but it's mostly related. Basically his point is you can't trust IT staff to not muck something up. So having a platform where arbitrary stuff can be installed isn't something that can be afforded in many cases.
>
> Again I'm a huge proponent of open source, BSD, and pf. And personally believe they're a great solution in many cases. I'm just responding based on what I think Greg's thinking. He's very knowledgeable and he's been in the networking game a while. I've rarely seen him hate on products simply because they're niche.
>
> -Ian
>
> On Wed, May 25, 2011 at 11:59 AM, BSDwiz <bsd...@gmail.com> wrote:
>
> > Guys,
> >
> > I was listening to a packetpushers.net podcast regarding the topic of firewalls and decided to chime in. I thought you may have some thoughts or opinions to add. Basically, I mentioned pfSense and was not very happy with his (Greg Ferro) response. If you get a minute, check out this guy's reasoning behind not using pfSense.
> >
> > http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425
> >
> > Best,
> > Phil (phospher)