Re: [pfSense-discussion] pfSense comment packetpushers.net

2011-05-25 Thread Chris Buechler
On Wed, May 25, 2011 at 11:59 AM, BSDwiz wrote:
>
> Guys,
> I was listening to a packetpushers.net podcast regarding the topic of
> firewalls and decided to chime in. I thought you may have some thoughts or
> opinions to add. Basically, I mentioned pfSense and was not very happy with
> his (Greg Ferro) response.  If you get a minute, check out this guy's
> reasoning behind not using pfSense.

It's a reasonable response - I've heard much worse, and things that
have no basis in reality, from the likes of enterprise consultants
such as Greg (I've been following his blog for a long time and listen
to a few of the packetpushers podcasts). He's much more sensible in
general than a lot of Cisco fan boys I've encountered. Reasonable
response to the extent that it's possible to get in and screw with
things, install additional software, etc. and in some environments
that's unacceptable. In others it's a huge, huge plus; there are
countless examples of people being able to meet the specific
requirements in their environment only because it's an open platform
that can be easily modified or added to. In those instances they
simply could never meet the ideal requirements of their environment on
a closed platform, as you're never going to get Cisco, Juniper, etc.
to add a feature or do custom development for you - at best it may go
into some request queue and you may see it years down the road. With
an open platform you can do it yourself, or hire us to do it and have
what you're looking for in a matter of days or weeks depending on the
scope; that's how several of us make a full time living working on the
project. The type of customers Greg does work for probably don't need
anything a closed platform can't provide, and feel better about a big
name on the product, regardless of cost and lack of flexibility. That
lack of flexibility is viewed as a plus by some. Regardless of open or
closed, there's no one product that best suits every network.

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense-discussion] pfSense comment packetpushers.net

2011-05-25 Thread Greg Hennessy
Doesn't seem to be unreasonable TBH.  It's a case of horses for courses.
Some use cases take separation of duties really seriously.

Can completely understand where he is coming from.
The commentary on Chokepoint is particularly apt.


Greg

From: BSDwiz [mailto:bsd...@gmail.com]
Sent: 26 May 2011 2:00 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] pfSense comment packetpushers.net


Guys,
I was listening to a packetpushers.net podcast
regarding the topic of firewalls and decided to chime in. I thought you may
have some thoughts or opinions to add. Basically, I mentioned pfSense and was
not very happy with his (Greg Ferro) response.  If you get a minute, check out
this guy's reasoning behind not using pfSense.
http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425

Best,
Phil(phospher)


RE: [pfSense-discussion] pfSense comment packetpushers.net

2011-05-25 Thread Adam Thompson
I’d say Ferro’s response to pfSense is 100% valid and on the mark, *based on 
his requirements*.  I can trust pfSense’s UNIX underpinnings, for example, 
because I’m also the UNIX guy in all the places where I run pfSense!

In an environment with strict separation of duties, the security team would 
have two options:

1.  Purchase certified systems that function as “black boxes” and do not 
require any input from networking or IT
2.  Certify their own systems, which takes a lot of time, effort and money, 
and detracts them from doing their primary job: securing things.
pfSense is aimed at an entirely different slice of the market than NetScreen or 
ASA.  Those products are aimed squarely at people who want, or need, large 
brand-name reputation / tech support / warranty / certification.
If there’s a law that says you MUST be using security equipment that’s ICSA 
certified, would you seriously put pfSense in just because it’s the (possibly) 
better product?  Even if it could land you, or your boss, or the CEO of your 
company, in jail?
I love pfSense, it makes perfect sense for me in most environments.  But that 
doesn’t mean it’s the ideal product in all environments.  Which would you 
prefer to ride into a combat zone: an armored personnel carrier, a Corvette, or 
a kit car you built yourself?  Each product does something very well, fits a 
specific need, and is not appropriate in all situations.  OTOH, I would never 
want to drive an APC just to go get groceries, despite the fact it’s “more 
secure”.
Note also that Ferro’s comment on “reliability” and “pressure” is from a 
security standpoint, probably not a performance standpoint.  Anything running 
on FreeBSD will have certain weaknesses, that IF YOU AREN’T FAMILIAR WITH THEM, 
will be much bigger problems for you than the specific weaknesses you ARE 
familiar with on, say NetScreens or ASAs.  A Cisco ASA’s IP stack will respond 
to attack conditions differently than a NetScreen’s, which will be different 
than pfSense’s.
-Adam Thompson

athom...@athompso.net
From: BSDwiz [mailto:bsd...@gmail.com] 
Sent: Wednesday, May 25, 2011 11:00
To: discussion@pfsense.com
Subject: [pfSense-discussion] pfSense comment packetpushers.net

Guys,
I was listening to a packetpushers.net podcast regarding the topic of firewalls
and decided to chime in. I thought you may have some thoughts or opinions to
add. Basically, I mentioned pfSense and was not very happy with his (Greg Ferro)
response.  If you get a minute, check out this guy's reasoning behind not using
pfSense.
http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425

Best,
Phil(phospher)



Re: [pfSense-discussion] pfSense comment packetpushers.net

2011-05-25 Thread Tim Dressel
This sort of points the finger then at a commercial need for a hardened
pfsense product running on a specialized ASIC of some sort.

So when can Chris sort that out? :)

On Wed, May 25, 2011 at 9:32 AM, Ian Bowers wrote:

> I think the gist of what he's saying is that because it's running on a
> *nix, anyone can log in and install any software they want on it.
> Ultimately this is a gaping security hole from certain perspectives.
> I don't mean that the firewall software or the OS contains gaping
> security holes.  Don't get me wrong, I love OpenBSD, pf, FreeBSD, and
> PFsense when I tried it.  What Greg is saying is that because, in this
> case, it's FreeBSD underneath, anyone with root access can go in and
> install stuff.  So the only way you can certify the performance and
> security is as it exists when it's still in the box.  Then take an ASA
> for example.  You get it in state X.  It's capable of almost limitless
> config variations, but the underlying functions the platform can
> perform are static.  You can never SSH from the ASA to another device.
> You can never run mysql on it.  And all I mean by this is that some
> asshole or rogue IT guy can come along and install whatever they want
> on a PFSense firewall.  In a proper environment there would be
> controls against this, but that's dependent on the environment the
> device is installed in so you can't really roll that up into a
> security specification/certification.  I think he's also getting at
> that it's just software, and it depends on the hardware you run it on.
> Take Soekris for example...  Love Soekris, love their hardware, but I
> hate VIA chipsets.  Less now than before, but over time they've proven a
> headache and a burden.  You can't certify pfsense to perform and
> operate a certain way unless you wrap up the software with specific
> tested hardware.  And having the ability to install arbitrary software
> on it makes it open to more than just config errors.
>
> I'm digressing a little bit, but it's mostly related.  Basically his
> point is you can't trust IT staff to not muck something up.  So having
> a platform where arbitrary stuff can be installed isn't something that
> can be afforded in many cases.
>
> Again I'm a huge proponent of open source, BSD, and pf.  And
> personally believe they're a great solution in many cases.  I'm
> just responding based on what I think Greg's thinking.  He's very
> knowledgeable and he's been in the networking game a while.  I've
> rarely seen him hate on products simply because they're niche.
>
> -Ian
>
> On Wed, May 25, 2011 at 11:59 AM, BSDwiz wrote:
> >
> > Guys,
> > I was listening to a packetpushers.net podcast regarding the topic of
> > firewalls and decided to chime in. I thought you may have some thoughts
> or
> > opinions to add. Basically, I mentioned pfSense and was not very happy
> with
> > his (Greg Ferro) response.  If you get a minute, check out this guy's
> > reasoning behind not using pfSense.
> >
> http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425
> >
> > Best,
> > Phil(phospher)
> >
> >
>


Re: [pfSense-discussion] pfSense comment packetpushers.net

2011-05-25 Thread Ian Bowers
I think the gist of what he's saying is that because it's running on a
*nix, anyone can log in and install any software they want on it.
Ultimately this is a gaping security hole from certain perspectives.
I don't mean that the firewall software or the OS contains gaping
security holes.  Don't get me wrong, I love OpenBSD, pf, FreeBSD, and
PFsense when I tried it.  What Greg is saying is that because, in this
case, it's FreeBSD underneath, anyone with root access can go in and
install stuff.  So the only way you can certify the performance and
security is as it exists when it's still in the box.  Then take an ASA
for example.  You get it in state X.  It's capable of almost limitless
config variations, but the underlying functions the platform can
perform are static.  You can never SSH from the ASA to another device.
You can never run mysql on it.  And all I mean by this is that some
asshole or rogue IT guy can come along and install whatever they want
on a PFSense firewall.  In a proper environment there would be
controls against this, but that's dependent on the environment the
device is installed in so you can't really roll that up into a
security specification/certification.  I think he's also getting at
that it's just software, and it depends on the hardware you run it on.
Take Soekris for example...  Love Soekris, love their hardware, but I
hate VIA chipsets.  Less now than before, but over time they've proven a
headache and a burden.  You can't certify pfsense to perform and
operate a certain way unless you wrap up the software with specific
tested hardware.  And having the ability to install arbitrary software
on it makes it open to more than just config errors.

I'm digressing a little bit, but it's mostly related.  Basically his
point is you can't trust IT staff to not muck something up.  So having
a platform where arbitrary stuff can be installed isn't something that
can be afforded in many cases.

Again I'm a huge proponent of open source, BSD, and pf.  And
personally believe they're a great solution in many cases.  I'm
just responding based on what I think Greg's thinking.  He's very
knowledgeable and he's been in the networking game a while.  I've
rarely seen him hate on products simply because they're niche.

-Ian

On Wed, May 25, 2011 at 11:59 AM, BSDwiz wrote:
>
> Guys,
> I was listening to a packetpushers.net podcast regarding the topic of
> firewalls and decided to chime in. I thought you may have some thoughts or
> opinions to add. Basically, I mentioned pfSense and was not very happy with
> his (Greg Ferro) response.  If you get a minute, check out this guy's
> reasoning behind not using pfSense.
> http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425
>
> Best,
> Phil(phospher)
>
>

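Ian's point above is that on a general-purpose OS anyone with root can install software the certification never covered, and that only environment-level controls can compensate. One such control is to record the package set at install or certification time and alert when it drifts. The script below is an added example for this thread, not code from the list or from the pfSense project: a POSIX shell script that compares a recorded baseline package list with the current list and reports additions and removals. Both lists and every package name in them are constructed for the example; on a real FreeBSD/pfSense host the current list would come from the package tool (for example `pkg info -q` on modern pkg), which is assumed here and not run.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between a recorded
# baseline of installed packages and the set installed now.

WORKDIR="${TMPDIR:-/tmp}/pkgdrift.$$"
mkdir -p "$WORKDIR"

# Constructed baseline, as it would be recorded right after install or
# certification. Package names are hypothetical placeholders.
cat > "$WORKDIR/baseline.txt" <<'EOF'
openssl-1.0.0
pfSense-base-2.0
php5-5.3
EOF

# Constructed "current" list. On a real host this would be generated with the
# package tool (assumed: `pkg info -q > current.txt`); here it simply contains
# one package that was never in the baseline.
cat > "$WORKDIR/current.txt" <<'EOF'
mysql-server-5.5
openssl-1.0.0
pfSense-base-2.0
php5-5.3
EOF

# normalize FILE: sorted, de-duplicated copy, because comm(1) needs sorted input.
normalize() {
    sort -u "$1"
}

# pkg_added BASELINE CURRENT: packages present in CURRENT but not in BASELINE.
pkg_added() {
    normalize "$1" > "$WORKDIR/a.sorted"
    normalize "$2" > "$WORKDIR/b.sorted"
    comm -13 "$WORKDIR/a.sorted" "$WORKDIR/b.sorted"
}

# pkg_removed BASELINE CURRENT: packages present in BASELINE but gone from CURRENT.
pkg_removed() {
    normalize "$1" > "$WORKDIR/a.sorted"
    normalize "$2" > "$WORKDIR/b.sorted"
    comm -23 "$WORKDIR/a.sorted" "$WORKDIR/b.sorted"
}

# check_drift BASELINE CURRENT: exit status 0 when the sets match, 1 otherwise.
# Each difference is printed as an ADDED/REMOVED line suitable for a log or alert.
check_drift() {
    status=0
    for p in $(pkg_added "$1" "$2"); do
        echo "ADDED   $p"
        status=1
    done
    for p in $(pkg_removed "$1" "$2"); do
        echo "REMOVED $p"
        status=1
    done
    return $status
}

# Stand-alone run: reports the constructed drift and a one-line summary.
check_drift "$WORKDIR/baseline.txt" "$WORKDIR/current.txt" \
    || echo "package set drifted from baseline"
```

Run from cron or a configuration-management job with the baseline stored off-box (otherwise whoever has root can simply update it), and treat any ADDED or REMOVED line as an event for the security team rather than the people who administer the box; that is the separation of duties the thread is discussing.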