Re: [pfSense-discussion] pfSense comment packetpushers.net
I think the gist of what he's saying is that because it's running on a *nix, anyone can log in and install any software they want on it. Ultimately this is a gaping security hole from certain perspectives. I don't mean that the firewall software or the OS contains gaping security holes. Don't get me wrong, I love OpenBSD, pf, FreeBSD, and pfSense when I tried it.

What Greg is saying is that because, in this case, it's FreeBSD underneath, anyone with root access can go in and install stuff. So the only way you can certify the performance and security is as it exists when it's still in the box. Then take an ASA for example. You get it in state X. It's capable of almost limitless config variations, but the underlying functions the platform can perform are static. You can never SSH from the ASA to another device. You can never run MySQL on it. And all I mean by this is that some asshole or rogue IT guy can come along and install whatever they want on a pfSense firewall. In a proper environment there would be controls against this, but that's dependent on the environment the device is installed in, so you can't really roll that up into a security specification/certification.

I think he's also getting at that it's just software, and it depends on the hardware you run it on. Take Soekris for example... Love Soekris, love their hardware, but I hate VIA chipsets. Less now than before, but over time they've proven a headache and a burden. You can't certify pfSense to perform and operate a certain way unless you wrap up the software with specific tested hardware. And having the ability to install arbitrary software on it makes it open to more than just config errors.

I'm digressing a little bit, but it's mostly related. Basically his point is you can't trust IT staff not to muck something up. So having a platform where arbitrary stuff can be installed isn't something that can be afforded in many cases. Again, I'm a huge proponent of open source, BSD, and pf, and personally believe they're a great solution in many cases. I'm just responding based on what I think Greg's thinking. He's very knowledgeable and he's been in the networking game a while. I've rarely seen him hate on products simply because they're niche.

-Ian

On Wed, May 25, 2011 at 11:59 AM, BSDwiz bsd...@gmail.com wrote:

Guys, I was listening to a packetpushers.net podcast regarding the topic of firewalls and decided to chime in. I thought you may have some thoughts or opinions to add. Basically, I mentioned pfSense and was not very happy with his (Greg Ferro) response. If you get a minute, check out this guy's reasoning behind not using pfSense. http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425

Best,
Phil (phospher)

- To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
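The "controls against this" that Ian says a proper environment would have boil down to knowing what is installed on the firewall and noticing when that set changes. The script below is an added example written for this page; it is not code from the thread, from Greg, or from the pfSense project. It compares the installed-package set of a FreeBSD-based box such as pfSense against an approved baseline and reports anything extra, ignoring plain version bumps so routine upgrades do not page anyone. On a real host the current list would come from `pkg query '%n-%v'`; here both the baseline and the "current" list are constructed sample data (the package names and versions are illustrative, not a real pfSense package set) so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or the pfSense project.
# Audit the installed-package set on a FreeBSD/pfSense host against an
# approved baseline and flag anything that was installed on top of it.
# On a real box, produce the current list with:  pkg query '%n-%v' | sort
# The lists used below are constructed sample data so the script runs offline.

set -u

# pkg_names FILE
# Reduce "name-version" lines to bare package names by stripping the last
# '-' separated field, so "openssl-1.0.0_4" and "openssl-1.0.0_5" compare equal.
pkg_names() {
    sed 's/-[^-]*$//' "$1" | sort -u
}

# audit_packages BASELINE CURRENT
# Print the names present in CURRENT but not approved in BASELINE.
# Exit status: 0 when nothing unapproved is installed, 1 when something is.
audit_packages() {
    b=$(mktemp) || return 2
    c=$(mktemp) || { rm -f "$b"; return 2; }
    pkg_names "$1" > "$b"
    pkg_names "$2" > "$c"
    # First pass loads the approved names; second pass prints unknown ones.
    extra=$(awk 'NR==FNR { ok[$0] = 1; next } !($0 in ok)' "$b" "$c")
    rm -f "$b" "$c"
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Constructed baseline: the package set signed off when the box was built.
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
pfSense-base-2.0
php5-5.3.6
lighttpd-1.4.28
openssl-1.0.0_4
EOF

# Constructed "current" list: one version bump (acceptable) plus a database
# server and a scanner that nobody approved (the thread's MySQL-on-the-firewall case).
CURRENT=$(mktemp)
cat > "$CURRENT" <<'EOF'
pfSense-base-2.0
php5-5.3.8
lighttpd-1.4.28
openssl-1.0.0_4
mysql-server-5.5.14
nmap-5.51
EOF

if audit_packages "$BASELINE" "$CURRENT"; then
    echo "OK: installed packages match the approved baseline"
else
    echo "ALERT: packages above are installed but not in the approved baseline"
fi
```

Run it from cron on the firewall with the baseline kept somewhere the firewall's own root cannot quietly rewrite (a config-management repository or a separate log host), otherwise the rogue admin the thread worries about simply updates the baseline along with the install. A non-zero exit status is the hook for whatever alerting the environment already has.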
Re: [pfSense-discussion] pfSense comment packetpushers.net
This sort of points the finger then at a commercial need for a hardened pfSense product running on a specialized ASIC of some sort. So when can Chris sort that out? :)

On Wed, May 25, 2011 at 9:32 AM, Ian Bowers iggd...@gmail.com wrote:
RE: [pfSense-discussion] pfSense comment packetpushers.net
Doesn't seem to be unreasonable TBH. It's a case of horses for courses. Some use cases take separation of duties really seriously. Can completely understand where he is coming from. The commentary on Chokepoint is particularly apt.

Greg

From: BSDwiz [mailto:bsd...@gmail.com]
Sent: 26 May 2011 2:00 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] pfSense comment packetpushers.net