Netgate Discussion Forum

PfSense Not Secure for Enterprise Because "Open-Source"

Category: Off-Topic & Non-Support Discussion
30 Posts 17 Posters 6.4k Views
Soarin (Mar 16, 2017, 1:32 PM):

I was lying in bed Googling pfSense-related searches and I came across this thread.

https://community.spiceworks.com/topic/1916608-it-consultant-says-ubiquity-pfsense-are-not-enterprise-secure

When I asked them to back up their concerns over the pfSense firewall with facts, they would only say "it's open-source software, therefore it's not secure. Anyone can see the code". So I dug a little deeper and asked "Can you tell me any specific vulnerabilities that you discovered that led you to that conclusion? If so, I want to get them fixed", to which the response was basically the same: "we don't recommend open-source software in an enterprise network, it's too risky".

That part hurt me the most. What's your opinion on that?

I hardly understand pfSense but it was love at first sight.
Guest (Mar 16, 2017, 2:31 PM):

It means they are idiots, simples. ;D
kpa (Mar 16, 2017, 2:40 PM, last edited 7:12 PM):

Bogus as it gets. The real power of open source is that you have an army of people all scrutinizing the code, looking for weaknesses and reporting them back to be fixed. A closed-source organization is never going to match the level of peer review that happens in an open-source project.

Of course there are cases when open source gets it horribly wrong, but since the code is all there to be seen it can be improved upon or used as a warning to everyone of what not to do.

Why do you think all of the leading crypto experts recommend that you don't try to implement your own crypto but use the publicly available open-source products? Think about that for a moment.
Soarin (Mar 16, 2017, 2:49 PM):

I agree. I find it extremely impressive that an army of people, the pfSense team and the community working together are able to produce something like this.
SipriusPT (Mar 16, 2017, 3:05 PM):

Yes, they would prefer to buy proprietary equipment full of back doors that no one knows about because it's not open source … genius people. I bet they are using OpenVPN without knowing that it is open source too xD

1x SG-4860-1U
1x SG-3100
2x pfSense Virtual Machines
Guest (Mar 16, 2017, 3:18 PM):

@Soarin:
    it-consultant

I have little faith in so-called IT consultants. In my experience many of them are not worth the price of the business card that they carry. NOTE: I said many, not all. I'd rather talk to someone who works at the coalface and has bags of experience in making things work, and does not get a freebie from the supplier!
a_null (Mar 16, 2017, 3:53 PM):

As an IT consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have SonicWall or Zyxel, because "they are more suited to small business and have a friendly interface".
Guest (Mar 16, 2017, 4:00 PM):

Zyxel??? Was he being serious? :o

Probably challenged by the fact that pfSense requires a little more understanding than he had. There are good and bad IT guys too, that has to be said.
A Former User (Mar 16, 2017, 4:39 PM):

@Soarin:
    "it's open-source software, therefore it's not secure. Anyone can see the code".

Oh lord! Do we have to go over this again? Common sense is not so common. I wonder if he knows how many things are running open source in the world. Probably not. Must love not knowing what Microsoft is downloading to his Windows 10. ::)
Soarin (Mar 16, 2017, 4:57 PM, last edited 5:02 PM):

@a_null:
    As an IT consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have SonicWall or Zyxel, because "they are more suited to small business and have a friendly interface".

I would listen to their computer guy; he convinced me to switch from pfSense to Zyxel. ;)
johnpoz, LAYER 8 Global Moderator (Mar 16, 2017, 7:08 PM):

"It means they are idiots"

ding ding ding - @Marjohn56 gets the cookie ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
jimp, Rebel Alliance Developer, Netgate (Mar 16, 2017, 7:24 PM):

To be fair, they may not be an idiot per se, but they may get sales commissions from other big names for selling closed-source proprietary solutions, and the money makes them more than a little biased. But that's what people get for having an assessment done by a company with a clear conflict of interest.

If you want any kind of audit or assessment, run far away from a company that is a partner with any vendors, or you can guess with 100% accuracy that magically your network will be insecure and "by the way, here's a list of things you need to buy from us to fix it".

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
Harvy66 (Mar 17, 2017, 2:14 AM):

@kpa:
    Bogus as it gets. The real power of open source is that you have an army of people all scrutinizing the code, looking for weaknesses and reporting them back to be fixed. A closed-source organization is never going to match the level of peer review that happens in an open-source project.

    Of course there are cases when open source gets it horribly wrong, but since the code is all there to be seen it can be improved upon or used as a warning to everyone of what not to do.

    Why do you think all of the leading crypto experts recommend that you don't try to implement your own crypto but use the publicly available open-source products? Think about that for a moment.

When it comes to security, it's not how many eyes, but the quality of the eyes. There are a lot of high-quality eyes in the open-source community in certain areas. If I worry about security, I focus on using projects from people who know what they're doing, not on something because it is more popular.
a_null (Mar 17, 2017, 2:42 AM):

@Soarin:
    @a_null:
        As an IT consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have SonicWall or Zyxel, because "they are more suited to small business and have a friendly interface".

    I would listen to their computer guy; he convinced me to switch from pfSense to Zyxel. ;)

That client DID listen to his computer guy.
NOYB (Mar 17, 2017, 2:50 AM):

Just how open is open source if it cannot readily be built from the open source to produce the same image, to ensure there isn't a little something extra being included in the distribution image?

How to Build pfSense 2.3?
https://forum.pfsense.org/index.php?topic=109089.0

Being able to look at the publicly available source doesn't mean squat if one can't compile it and produce the same image that is being distributed.

So far, to this point in time, I don't consider pfSense to be open source but rather corporate-managed public contribution.
kobzar (Mar 17, 2017, 10:57 AM):

It's like a joke :)

WatchGuard x750e + 2GB + SATA-IDE 320GB
phil.davis (Mar 17, 2017, 12:30 PM):

@kobzar:
    It's like a joke :)

It would be nice if everybody took it as a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
Guest (Mar 17, 2017, 1:16 PM, last edited 1:19 PM):

@phil.davis:
    @kobzar:
        It's like a joke :)

    It would be nice if everybody took it as a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.

Ah, sounds like you have the same faith in consultants that I do; maybe we've met the same consultants. :)

I found this; I think it's pretty accurate for many.

Top Ten Things You'll Never Hear from your Consultant
1. You're right; we're billing way too much for this.
2. Bet you I can go a week without saying "synergy" or "value-added".
3. How about paying us based on the success of the project?
4. This whole strategy is based on a Harvard business case I read.
5. Actually, the only difference is that we charge more than they do.
6. I don't know enough to speak intelligently about that.
7. Implementation? I only care about writing long reports.
8. I can't take the credit. It was Ed in your marketing department.
9. The problem is, you have too much work for too few people.
10. Everything looks okay to me. You really don't need me.
A Former User (Mar 17, 2017, 3:52 PM):

11. Have you looked at any open-source replacements? The price is just the time involved, and they are actually very good.
w0w (Mar 18, 2017, 7:18 AM):

If we are talking about security and open source, then nobody is right. You can't say that open source is always secure and closed source is not, or vice versa. There are no winners at all. That's why the sentence "pfSense Not Secure for Enterprise Because "Open-Source"" is not correct either.
The code can be secure if somebody checks it and tests it against all possible flaws. Open source does not mean that will ever happen; just remember CVE-2014-0160. The same goes for closed source: sometimes it is closed just so nobody sees how bad it is, but sometimes, vice versa, closed-source code can be just perfect.

If the core team working on the project has high-level skills and the project is both commercial and open source, this would be the best model on the market, because you have the advantages of both: full-time employment and a community that helps the project.
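CVE-2014-0160 (Heartbleed), which w0w cites above, is the standard illustration of the point that open code is not the same as reviewed code: OpenSSL's TLS heartbeat handler copied as many bytes as the peer's length field claimed, without checking that the record actually contained them. The C program below is an added example for this thread, not code from the discussion, from pfSense or from OpenSSL. It reduces the bug to a simplified heartbeat parser and puts the handler with the missing check beside the corrected one, running both over a constructed in-memory record that sits next to a made-up secret; the arena layout, the SECRET string and all function names are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16
#define HB_HEADER_LEN  3

/* Vulnerable handler: trusts the peer-supplied payload_length and copies that
 * many bytes out of the record, the pattern behind CVE-2014-0160. 'out' is
 * sized from the claimed length (as OpenSSL's response buffer was), so the
 * defect is an over-read of 'rec', not an overflow of 'out'. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                              /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) return 0;            /* demo guard for 'out' only */
    memcpy(out, rec + HB_HEADER_LEN, claimed);  /* reads past the real record */
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the record that actually
 * arrived, including the mandatory padding. Oversized requests are dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)claimed + HB_MIN_PADDING > rec_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Constructed arena (assumption for the demo): a heartbeat request carrying one
 * real payload byte, followed in memory by a made-up secret standing in for
 * other connection state next to the record buffer. Returns the record length
 * as it appeared on the wire. */
#define ARENA_SIZE 128
static const char SECRET[] = "constructed-secret: session cookie 0xDEADBEEF";

size_t build_arena(unsigned char *arena, uint16_t claimed)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'A';                                      /* the one real payload byte */
    size_t rec_len = HB_HEADER_LEN + 1 + HB_MIN_PADDING; /* 20 bytes, padding zeroed */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);      /* adjacent "secret" */
    return rec_len;
}

/* 1 if the vulnerable handler returned the claimed 64 bytes and the copy
 * contains the adjacent secret, 0 otherwise. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 64);
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    size_t secret_off = rec_len - HB_HEADER_LEN;         /* where SECRET lands in 'out' */
    return n == 64 && memcmp(out + secret_off, SECRET, sizeof SECRET - 1) == 0;
}

/* Bytes the fixed handler returns for the same oversized request (0 = dropped). */
size_t fixed_rejects_oversized(void)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 64);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

/* Bytes the fixed handler returns for an honest request claiming 1 byte. */
size_t fixed_accepts_honest(void)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 1);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler bytes for oversized request: %zu\n", fixed_rejects_oversized());
    printf("fixed handler bytes for honest request: %zu\n", fixed_accepts_honest());
    return 0;
}
```

The only difference between the two handlers is the single comparison against rec_len; with it missing, a 20-byte request claiming 64 bytes of payload hands back whatever happened to be next to the record. That check shipped in OpenSSL for two years without anyone who read the code noticing, which is the caveat behind "many eyes": the source being public only helps if someone with the right eyes actually looks.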
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.