I’d say Ferro’s response to pfSense is 100% valid and on the mark, *based on his requirements*. I can trust pfSense’s UNIX underpinnings, for example, because I’m also the UNIX guy in all the places where I run pfSense!
In an environment with strict separation of duties, the security team would have two options:

1. Purchase certified systems that function as “black boxes” and do not require any input from networking or IT
2. Certify their own systems, which takes a lot of time, effort and money, and detracts them from doing their primary job: securing things.

pfSense is aimed at an entirely different slice of the market than NetScreen or ASA. Those products are aimed squarely at people who want, or need, large brand-name reputation / tech support / warranty / certification. If there’s a law that says you MUST be using security equipment that’s ICSA certified, would you seriously put pfSense in just because it’s the (possibly) better product? Even if it could land you, or your boss, or the CEO of your company, in jail?

I love pfSense, it makes perfect sense for me in most environments. But that doesn’t mean it’s the ideal product in all environments. Which would you prefer to ride into a combat zone: an armored personnel carrier, a Corvette, or a kit car you built yourself? Each product does something very well, fits a specific need, and is not appropriate in all situations. OTOH, I would never want to drive an APC just to go get groceries, despite the fact it’s “more secure”.

Note also that Ferro’s comment on “reliability” and “pressure” is from a security standpoint, probably not a performance standpoint. Anything running on FreeBSD will have certain weaknesses, that IF YOU AREN’T FAMILIAR WITH THEM, will be much bigger problems for you than the specific weaknesses you ARE familiar with on, say, NetScreens or ASAs. A Cisco ASA’s IP stack will respond to attack conditions differently than a NetScreen’s, which will be different than pfSense’s.
-Adam Thompson
athom...@athompso.net

From: BSDwiz [mailto:bsd...@gmail.com]
Sent: Wednesday, May 25, 2011 11:00
To: discussion@pfsense.com
Subject: [pfSense-discussion] pfSense comment packetpushers.net

Guys,

I was listening to a packetpushers.net podcast regarding the topic of firewalls and decided to chime in. I thought you may have some thoughts or opinions to add. Basically, I mentioned pfSense and was not very happy with his (Greg Ferro) response. If you get a minute, check out this guy’s reasoning behind not using pfSense.

http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425

Best,
Phil (phospher)