[189144] in North American Network Operators' Group


Re: sub $500-750 CPE firewall for voip-centric application

daemon@ATHENA.MIT.EDU (amuse)
Fri May 6 14:46:22 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <010AD2B9-179E-4296-9FBF-12E5E2B61E91@neilltech.com>
From: amuse <nanog-amuse@foofus.com>
Date: Fri, 6 May 2016 11:45:36 -0700
To: Keith Stokes <keiths@neilltech.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Don't forget about ponying up the fees and charges for paying the auditors,
which is why most OSS projects don't end up going through them.

On Fri, May 6, 2016 at 11:41 AM, Keith Stokes <keiths@neilltech.com> wrote:

> I've been told by various PCI auditors that a noncommercial/FOSS firewall
> could pass as long as you have implemented the necessary controls such as
> encryption/logging/management and passing actual testing.
>
> --
>
> Keith Stokes
>
> > On May 6, 2016, at 1:31 PM, Mel Beckman <mel@beckman.org> wrote:
> >
> > The question of code quality is always a difficult one, since in FOSS
> > it’s public and often found lacking, but in private source you may never
> > know. In these cases I rely on the vendor’s public statements about their
> > development processes and certifications (e.g., ICSA). Commercial products
> > often disclose their development processes and even run in-house security
> > threat research groups that publish to the community.
> >
> > There are also outside certifications. For example, www.icsalabs.com
> > lists certifications by vendor for those that have passed their test
> > regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be
> > current. PFSense isn’t listed, and although it is theoretically vetted by
> > many users, there is no guarantee of recency or thoroughness of the test
> > regimen.
> >
> > This brings up the question of whether PFSense can meet regulatory
> > requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory
> > organizations don’t require specific overall firewall certifications, they
> > do require various specific standards, such as encryption strength,
> > logging, VPN timeouts, etc. I don’t know if PFsense meets these
> > requirements, as they don’t say so on their site. Companies like Dell
> > publish white papers on their compliance with each regulatory organization.
> >
> > -mel
> >
> >
> > On May 6, 2016, at 11:05 AM, Aris Lambrianidis <effulgence@gmail.com> wrote:
> >
> > amuse wrote:
> > > One question I have is: Is there any reason to believe that the source
> > > code for Sonicwall, Cisco, etc. are any better than the PFSense code? Or
> > > are we just able to see the PFSense code and make unfounded assumptions
> > > that the commercial code is in better shape?
> > Perhaps not. In fact, probably not, judging by the apparent lack of
> > audit processes for, say, OpenSSL libraries re-used in commercial products.
> >
> > It still doesn't detract from the value of what people are aware of, in
> > this case, pfSense code quality.
> >
> > Aris
> >
>
