[189143] in North American Network Operators' Group
Re: sub $500-750 CPE firewall for voip-centric application
daemon@ATHENA.MIT.EDU (Keith Stokes)
Fri May 6 14:41:45 2016
X-Original-To: nanog@nanog.org
From: Keith Stokes <keiths@neilltech.com>
To: Mel Beckman <mel@beckman.org>
Date: Fri, 6 May 2016 18:41:40 +0000
In-Reply-To: <F3633B8E-92A4-417B-9D0A-5CBB6CC24159@beckman.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I've been told by various PCI auditors that a noncommercial/FOSS firewall could pass as long as you have implemented the necessary controls such as encryption/logging/management and passing actual testing.
--
Keith Stokes
> On May 6, 2016, at 1:31 PM, Mel Beckman <mel@beckman.org> wrote:
>
> The question of code quality is always a difficult one, since in FOSS it's public and often found lacking, but in private source you may never know. In these cases I rely on the vendor's public statements about their development processes and certifications (e.g., ICSA). Commercial products often disclose their development processes and even run in-house security threat research groups that publish to the community.
>
> There are also outside certifications. For example, www.icsalabs.com lists certifications by vendor for those that have passed their test regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be current. PFSense isn't listed, and although it is theoretically vetted by many users, there is no guarantee of recency or thoroughness of the test regimen.
>
> This brings up the question of whether PFSense can meet regulatory requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory organizations don't require specific overall firewall certifications, they do require various specific standards, such as encryption strength, logging, VPN timeouts, etc. I don't know if PFsense meets these requirements, as they don't say so on their site. Companies like Dell publish white papers on their compliance with each regulatory organization.
>
> -mel
>
>
> On May 6, 2016, at 11:05 AM, Aris Lambrianidis <effulgence@gmail.com> wrote:
>
> amuse wrote:
> One question I have is: Is there any reason to believe that the source
> code for Sonicwall, Cisco, etc are any better than the PFSense code? Or
> are we just able to see the PFSense code and make unfounded assumptions
> that the commercial code is in better shape?
> Perhaps not. In fact, probably not, judging by the apparent lack of
> audit processes for say,
> OpenSSL libraries re-used in commercial products.
>
> It still doesn't detract from the value of what people are aware of, in
> this case,
> pfSense code quality.
>
> Aris
>