PfSense Not Secure for Enterprise Because "Open-Source"
-
As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".
I would listen to their computer guy, he convinced me to switch from pfSense to Zyxel. ;)
-
"It means they are idiots"
ding ding ding - @Marjohn56 gets the cookie ;)
-
To be fair they may not be an idiot per se, but they may get sales commissions from other big names for selling closed-source proprietary solutions, and the money makes them more than a little biased. But that's what people get for having an assessment done by a company with a clear conflict of interest.
If you want any kind of audit or assessment, run far away from a company that is a partner with any vendors or you can guess with 100% accuracy that magically your network will be insecure and "by the way here's a list of things you need to buy from us to fix it".
-
@kpa:
Bogus as it gets. The real power of open source is that you have an army of people all scrutinizing the code and looking for weaknesses and reporting them back to be fixed. A closed source organization is never going to match the level of peer review that happens in an open source project.
Of course there are cases when open source gets it wrong horribly but since the code is all there to be seen it can be improved upon or used as a warning for everyone of what not to do.
Why do you think all of the leading crypto experts are all recommending that you don't try to implement your own crypto but use the publicly available open source products? Think about that for a moment.
When it comes to security, it's not how many eyes, but the quality of the eyes. There's a lot of high quality eyes in the open source community in certain areas. If I worry about security, I focus on using projects from people who know what they're doing, not because something is more popular.
-
As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".
I would listen to their computer guy, he convinced me to switch from pfSense to Zyxel. ;)
That client DID listen to his computer guy.
-
Just how open is open source if it cannot readily be built from the open source to produce the same image, to ensure there isn't a little something extra being included in the distribution image?
How to Build pfSense 2.3?
https://forum.pfsense.org/index.php?topic=109089.0
Being able to look at the publicly available source doesn't mean squat if one can't compile and produce the same image that is being distributed.
So far, to this point in time, I don't consider pfSense to be open source but rather corporate-managed public contribution.
-
It's like a joke :)
-
It's like a joke :)
It would be nice if everybody took it as a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.
-
It's like a joke :)
It would be nice if everybody took it as a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.
Ah, sounds like you have the same faith in consultants that I do; maybe we've met the same consultants. :)
I found this; I think it's pretty accurate for many.
Top Ten Things You'll Never Hear from your Consultant
1. You're right; we're billing way too much for this.
2. Bet you I can go a week without saying "synergy" or "value-added".
3. How about paying us based on the success of the project?
4. This whole strategy is based on a Harvard business case I read.
5. Actually, the only difference is that we charge more than they do.
6. I don't know enough to speak intelligently about that.
7. Implementation? I only care about writing long reports.
8. I can't take the credit. It was Ed in your marketing department.
9. The problem is, you have too much work for too few people.
10. Everything looks okay to me. You really don't need me.
-
11. Have you looked at any open-source replacements? The price is just the time involved, and they are actually very good.
-
If we are talking about security and open source then nobody is right. You can't say that open source is always secure and closed source is not, or vice versa. There are no winners at all. That's why the sentence "pfSense Not Secure for Enterprise Because "Open-Source"" is not correct either.
The code can be secure if somebody checks it and tests it against all possible flaws. Open source does not always mean that will ever happen; just remember CVE-2014-0160. The same goes for closed source: sometimes it is closed just so as not to show how bad it is, but sometimes, vice versa, closed source code can be just perfect. If the core team working on a project has high-level skills and the project is both commercial and open source, this would be the best model on the market, because you have the advantages of both — full-time employment and a community that helps the project.
-
I've run into several such morons; usually one of two scenarios then follows:
1. They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim it is the best.
2. They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed-source, security-through-obscurity systems offer better security and reliability.
It's usually not too hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around see that they cannot explain their position other than to quote the marketing and make assumptions.
-
https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives
;)
-
https://www.netgate.com/blog/netgate-taps-infosec-global-for-pfsense-code-review.html
-
I've run into several such morons; usually one of two scenarios then follows:
1. They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim it is the best.
2. They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed-source, security-through-obscurity systems offer better security and reliability.
It's usually not too hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around see that they cannot explain their position other than to quote the marketing and make assumptions.
My ISP was recently having latency issues, and it turned out Cisco's DDOS protection causes the line-card ASIC to run at about 15% of its rated speed by having the host CPU interrupt the heck out of it. Don't let others DDOS you, DOS yourself!
You can compare the DDOS protection doing its "magic" with the first image.
My target for the graph is 4.2.2.2.
I pay a fair $20/m for this 150/150 dedicated fiber connection! I best be getting a 13ms ping to Chicago! 8)
![Loss Graph.PNG](/public/imported_attachments/1/Loss Graph.PNG)
-
Open source projects will always be secure. Everyone must understand one simple thing:
When you use open source code, you always know what you are using!!! Otherwise, you don't!
-
See Also: GOTO FAIL: and countless other examples.
Open source is readily auditable by third parties, where closed source is not.
I don't know if that makes it any more secure or not.
Mistakes will always happen because humans are not perfect.
I have looked at the code for OpenSSL and I can't make any sense out of any of it so it might as well be closed as far as I am concerned. I am trusting someone else to ensure it is correct.
-
Compiled "open source" is closed. Unless the build instructions are also open source for reproducing it from the publicly available source.
-
Compiled "open source" is closed. Unless the build instructions are also open source for reproducing it from the publicly available source.
Stop talking bollocks; the compiled instructions are perfectly available to anyone by use of a disassembler on the compiled objects/executables. Whether you can verify that what you're reading from the disassembly matches the sources you're reading on the side is a whole different issue though. None of the mainstream operating systems or hardware platforms have support for such verification *), open source or closed source.
*) Unless you write everything directly in assembler, of course.
-
I was lying in bed Googling pfSense-related searches and I came across this thread.
https://community.spiceworks.com/topic/1916608-it-consultant-says-ubiquity-pfsense-are-not-enterprise-secure
When I asked them to back up their concerns over the pfSense firewall with facts, they would only say "it's open source software, therefore it's not secure. Anyone can see the code". So I dug a little deeper and asked "Can you tell me any specific vulnerabilities that you discovered that led you to that conclusion? If so, I want to get them fixed", to which the response was basically the same: "we don't recommend open-source software in an enterprise network; it's too risky". That part hurt me the most. What's your opinion on that?
In one word: LOL
@marjohn56:
Top Ten Things You'll Never Hear from your Consultant
1. You're right; we're billing way too much for this.
2. Bet you I can go a week without saying "synergy" or "value-added".
3. How about paying us based on the success of the project?
4. This whole strategy is based on a Harvard business case I read.
5. Actually, the only difference is that we charge more than they do.
6. I don't know enough to speak intelligently about that.
7. Implementation? I only care about writing long reports.
8. I can't take the credit. It was Ed in your marketing department.
9. The problem is, you have too much work for too few people.
10. Everything looks okay to me. You really don't need me.
@webtyro:
11. Have you looked at any open-source replacements? The price is just the time involved, and they are actually very good.
Just when I think I've seen everything there is to see in IT, I find something new. Thanks for the laughs :)