I think the gist of what he's saying is that because it's running on a *nix, anyone can log in and install any software they want on it. Ultimately this is a gaping security hole from certain perspectives. I don't mean that the firewall software or the OS contains gaping security holes. Don't get me wrong, I love OpenBSD, pf, FreeBSD, and pfSense when I tried it. What Greg is saying is that because, in this case, it's FreeBSD underneath, anyone with root access can go in and install stuff. So the only way you can certify the performance and security is as it exists when it's still in the box.

Then take an ASA for example. You get it in state X. It's capable of almost limitless config variations, but the underlying functions the platform can perform are static. You can never SSH from the ASA to another device. You can never run MySQL on it. And all I mean by this is that some asshole or rogue IT guy can come along and install whatever they want on a pfSense firewall. In a proper environment there would be controls against this, but that's dependent on the environment the device is installed in, so you can't really roll that up into a security specification/certification.

I think he's also getting at that it's just software, and it depends on the hardware you run it on. Take Soekris for example... Love Soekris, love their hardware, but I hate VIA chipsets. Less now than before, but over time they've proven a headache and a burden. You can't certify pfSense to perform and operate a certain way unless you wrap up the software with specific tested hardware, and having the ability to install arbitrary software on it makes it open to more than just config errors.
I'm digressing a little bit, but it's mostly related. Basically his point is you can't trust IT staff not to muck something up. So having a platform where arbitrary stuff can be installed isn't something that can be afforded in many cases. Again, I'm a huge proponent of open source, BSD, and pf, and personally believe they're a great solution in many cases. I'm just responding based on what I think Greg's thinking. He's very knowledgeable and he's been in the networking game a while. I've rarely seen him hate on products simply because they're niche.

-Ian

On Wed, May 25, 2011 at 11:59 AM, BSDwiz <[email protected]> wrote:
>
> Guys,
> I was listening to a packetpushers.net podcast regarding the topic of
> firewalls and decided to chime in. I thought you may have some thoughts or
> opinions to add. Basically, I mentioned pfSense and was not very happy with
> his (Greg Ferro) response. If you get a minute, check out this guy's
> reasoning behind not using pfSense.
> http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425
>
> Best,
> Phil (phospher)
>
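Ian's point above is that on a general-purpose OS the installed software is not fixed, so the "controls against this" have to come from the environment rather than from the product. The following is an added example of one such control, written for this page and not taken from the thread or from pfSense itself: a baseline-drift check that records the package set and file hashes a box is signed off with, and reports anything added, removed or modified in a later snapshot. All package names, paths and file contents are constructed for illustration; on a real FreeBSD-based firewall the two snapshots would come from `pkg info` and `sha256` (or `mtree`), not from the literals below.

```python
"""Baseline-drift check for a firewall built on a general-purpose OS.

Added example, not code from the pfSense project. Compares a signed-off
baseline (allowed package set plus hashes of the files it ships) against
a snapshot taken later and reports every departure. Sample data is
constructed; names and paths are illustrative only.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Snapshot:
    """What is on the box at one point in time."""
    packages: FrozenSet[str]        # installed package names (e.g. from `pkg info -q`)
    file_hashes: Dict[str, str]     # path -> sha256 hex digest of that file


@dataclass
class Drift:
    """Everything in a later snapshot that the baseline did not sign off on."""
    added_packages: Set[str] = field(default_factory=set)
    removed_packages: Set[str] = field(default_factory=set)
    new_files: Set[str] = field(default_factory=set)
    missing_files: Set[str] = field(default_factory=set)
    modified_files: Set[str] = field(default_factory=set)

    def is_clean(self) -> bool:
        # Every field is a set; the box matches its baseline only if all are empty.
        return not any(vars(self).values())


def detect_drift(baseline: Snapshot, current: Snapshot) -> Drift:
    """Report every way `current` departs from the signed-off `baseline`."""
    d = Drift()
    d.added_packages = set(current.packages - baseline.packages)
    d.removed_packages = set(baseline.packages - current.packages)
    base_paths = set(baseline.file_hashes)
    cur_paths = set(current.file_hashes)
    d.new_files = cur_paths - base_paths
    d.missing_files = base_paths - cur_paths
    d.modified_files = {
        p for p in base_paths & cur_paths
        if baseline.file_hashes[p] != current.file_hashes[p]
    }
    return d


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the state the box was certified in. Not real data.
BASELINE = Snapshot(
    packages=frozenset({"pfSense-base", "pf-ruleset", "openvpn", "unbound"}),
    file_hashes={
        "/usr/local/sbin/openvpn": sha256_hex(b"openvpn binary as shipped"),
        "/usr/sbin/sshd": sha256_hex(b"sshd binary as shipped"),
        "/etc/rc.conf.local": sha256_hex(b"sshd_enable=NO\n"),
    },
)

# Constructed later snapshot: someone with root added a database server,
# dropped in a script the baseline never had, and changed a config file.
AFTER_ROGUE_ADMIN = Snapshot(
    packages=frozenset({"pfSense-base", "pf-ruleset", "openvpn", "unbound",
                        "mysql80-server"}),
    file_hashes={
        "/usr/local/sbin/openvpn": sha256_hex(b"openvpn binary as shipped"),
        "/usr/sbin/sshd": sha256_hex(b"sshd binary as shipped"),
        "/etc/rc.conf.local": sha256_hex(b"sshd_enable=YES\n"),
        "/usr/local/bin/helper.sh": sha256_hex(b"#!/bin/sh\necho hello\n"),
    },
)


def example_drift() -> Drift:
    """Run the check over the constructed snapshots."""
    return detect_drift(BASELINE, AFTER_ROGUE_ADMIN)


if __name__ == "__main__":
    drift = example_drift()
    print("clean" if drift.is_clean() else f"drift detected: {drift}")
```

The check only reports; what to do about drift (alert, re-image, block) is the environment-dependent part Ian describes, and the baseline itself has to be stored and compared from somewhere the same root user cannot edit, or the control is no stronger than the box it is meant to watch.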
