Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense Not Secure for Enterprise Because "Open-Source"

    Scheduled Pinned Locked Moved Off-Topic & Non-Support Discussion
    30 Posts 17 Posters 6.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • SoarinS
      Soarin
      last edited by

      @a_null:

      As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".

      I would listen to their computer guy, he convinced me to switch from pfSense to Zyxel.  ;)

      I hardly understand pfSense but it was love at first sight.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        "It means they are idiots"

        ding ding ding - @Marjohn56 gets the cookie ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          To be fair they may not be an idiot per se, but they may get sales commissions from other big names for selling closed-source proprietary solutions, and the money makes them more than a little biased. But that's what people get for having an assessment done by a company with a clear conflict of interest.

          If you want any kind of audit or assessment, run far away from a company that is a partner with any vendors or you can guess with 100% accuracy that magically your network will be insecure and "by the way here's a list of things you need to buy from us to fix it".

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • H
            Harvy66
            last edited by

            @kpa:

            Bogus as it gets. The real power of open source is that you have an army of people all scrutinizing the code and looking for weaknesses and reporting them back to be fixed. A closed source organization is never going to match the level of peer review that happens in an open source project.

            Of course there are cases when open source gets it wrong horribly but since the code is all there to be seen it can be improved upon or used as a warning for everyone of what not to do.

            Why do you think all of the leading crypto experts are all recommending that you don't try to implement your own crypto but use the publicly available open source products? Think about that for a moment.

            When it comes to security, it's not how many eyes, but the quality of the eyes. There's a lot of high quality eyes in the open source community in certain areas. If I worry about security, I focus on using projects from people who know what they're doing, not because something is more popular.

            1 Reply Last reply Reply Quote 0
            • A
              a_null
              last edited by

              @Soarin:

              @a_null:

              As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".

              I would listen to their computer guy, he convinced me to switch from pfSense to Zyxel.  ;)

              That client DID listen to his computer guy.

              \x0

              1 Reply Last reply Reply Quote 0
              • N
                NOYB
                last edited by

                Just how open is open source if it cannot readily be built from the open source to produce the same image to insure there isn't a little something extra being included in the distribution image?

                How to Build pfSense 2.3?
                https://forum.pfsense.org/index.php?topic=109089.0

                Being able to look at the publicly available source doesn't mean squat, if one can't compile and produce the same image that is being distributed.

                So far to this point in time I don't consider pfSense to be open source but rather corporate managed public contribution.

                1 Reply Last reply Reply Quote 0
                • K
                  kobzar
                  last edited by

                  It's like as joke  :)

                  WatchGuard x750e + 2GB + SATA-IDE 320GB

                  1 Reply Last reply Reply Quote 0
                  • P
                    phil.davis
                    last edited by

                    @kobzar:

                    It's like as joke  :)

                    It would be nice if everybody took it is a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    1 Reply Last reply Reply Quote 0
                    • ?
                      Guest
                      last edited by

                      @phil.davis:

                      @kobzar:

                      It's like as joke  :)

                      It would be nice if everybody took it is a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.

                      Ah, sounds like you have the same faith in consultants that I do, maybe we've met the same consultants. :)

                      I found this, I think it's pretty accurate for many.

                      Top Ten Things You'll Never Hear from your Consultant
                      1. You're right; we're billing way too much for this.
                      2. Bet you I can go a week without saying "synergy" or "value-added".
                      3. How about paying us based on the success of the project?
                      4. This whole strategy is based on a Harvard business case I read.
                      5. Actually, the only difference is that we charge more than they do.
                      6. I don't know enough to speak intelligently about that.
                      7. Implementation? I only care about writing long reports.
                      8. I can't take the credit. It was Ed in your marketing department.
                      9. The problem is, you have too much work for too few people.
                      10. Everything looks okay to me. You really don't need me.

                      1 Reply Last reply Reply Quote 0
                      • ?
                        A Former User
                        last edited by

                        11. Have you looked at any open-source replacements. Price is just time involved and they are actually very good.

                        1 Reply Last reply Reply Quote 0
                        • w0wW
                          w0w
                          last edited by

                          If we are talking about about security and open-source then nobody is right. You can't say that open source is always secure and closed source is not and vice versa. There are no winners at all. That's why "pfSense Not Secure for Enterprise Because "Open-Source"" sentence is not correct also.
                          The code can be secure if somebody checks it and tests it against all possible flaws. Open-source does not always mean it will be happened ever, just remember CVE-2014-0160 and same for closed source, sometimes it closed just not to show how bad it is, but sometimes vice versa closed source code can be just perfect.

                          If the core team who works on project have high-level skills and the project is commercial and open-source this would be the best model on market, because you have advantages of both — Full-time employment and community that helps the project.

                          1 Reply Last reply Reply Quote 0
                          • M
                            MasterX-BKC- Banned
                            last edited by

                            Ive run into several such morons, usually 1 of 2 scenarios then follows….

                            1.  They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim is the best.

                            2.  They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed source, security through obscurity, systems offer better security and reliability.

                            Its usually not to hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around see that they cannot explain their position other than to quote the marketing, and make assumptions.

                            1 Reply Last reply Reply Quote 0
                            • chpalmerC
                              chpalmer
                              last edited by

                              https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

                              ;)

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                              1 Reply Last reply Reply Quote 0
                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                https://www.netgate.com/blog/netgate-taps-infosec-global-for-pfsense-code-review.html

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • H
                                  Harvy66
                                  last edited by

                                  @MasterX-BKC-:

                                  Ive run into several such morons, usually 1 of 2 scenarios then follows….

                                  1.  They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim is the best.

                                  2.  They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed source, security through obscurity, systems offer better security and reliability.

                                  Its usually not to hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around see that they cannot explain their position other than to quote the marketing, and make assumptions.

                                  My ISP was recently having latency issues and it turned out Cisco's DDOS protection causes the line-card ASIC to run about 15% its rated speed by having the host CPU interrupt the heck out of it. Don't let others DDOS you, DOS yourself!

                                  You can compare the DDOS protection doing it's "magic" with the first image.

                                  My target for the graph is 4.2.2.2

                                  I pay a fair $20/m for this 150/150 dedicated fiber connection! I best be getting a 13ms ping to Chicago!  8)

                                  ![Loss Graph.PNG](/public/imported_attachments/1/Loss Graph.PNG)
                                  ![Loss Graph.PNG_thumb](/public/imported_attachments/1/Loss Graph.PNG_thumb)
                                  Fixed.PNG
                                  Fixed.PNG_thumb

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kobzar
                                    last edited by

                                    OpenSource projects always will be secure. All people must understand the one simple things:
                                    When you are use open source code - you always know what are you use!!! Another way - you don't know!

                                    WatchGuard x750e + 2GB + SATA-IDE 320GB

                                    1 Reply Last reply Reply Quote 0
                                    • DerelictD
                                      Derelict LAYER 8 Netgate
                                      last edited by

                                      See Also: GOTO FAIL: and countless other examples.

                                      Open Source is readily-auditable by third parties, where closed source is not.

                                      I don't know if that makes it any more secure or not.

                                      Mistakes will always happen because humans are not perfect.

                                      I have looked at the code for OpenSSL and I can't make any sense out of any of it so it might as well be closed as far as I am concerned. I am trusting someone else to ensure it is correct.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        NOYB
                                        last edited by

                                        Compiled "open source" is closed.  Unless the build instructions are also open source for reproducing it from the publicly available source.

                                        1 Reply Last reply Reply Quote 0
                                        • K
                                          kpa
                                          last edited by

                                          @NOYB:

                                          Compiled "open source" is closed.  Unless the build instructions are also open source for reproducing it from the publicly available source.

                                          Stop talking bollocks, the compiled instructions are perfectly available to anyone by use of a disassembler on the compiled objects/executables. Whether you can verify that what you're reading from the disassembly matches with the sources you're reading on the side is a whole different issue though. None of the mainstream operating systems or hardware platforms just don't have support for such verification *), open source or closed source.

                                          *) Unless you write everything directly in assembler of course.

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            JorgeOliveira
                                            last edited by

                                            @Soarin:

                                            I was laying in bed and was Googling pfSense related searches and I came across this thread.

                                            https://community.spiceworks.com/topic/1916608-it-consultant-says-ubiquity-pfsense-are-not-enterprise-secure
                                            When I asked them to backup their concerns over the pfSense firewall with facts, they would only say "it's an open source software, therefore it's not secure.  Anyone can see the code".  So I dug a little deeper and asked "Can you tell me any specific vulnerabilities that you discovered that led you to that conclusion- if so, I want to get them fixed" to which the response was basically the same "we don't recommend open-source source software in an enterprise network- it's too risky".

                                            That part hurt me the most, what's your opinion on that?

                                            In one word: LOL

                                            @marjohn56:

                                            Top Ten Things You'll Never Hear from your Consultant
                                            1. You're right; we're billing way too much for this.
                                            2. Bet you I can go a week without saying "synergy" or "value-added".
                                            3. How about paying us based on the success of the project?
                                            4. This whole strategy is based on a Harvard business case I read.
                                            5. Actually, the only difference is that we charge more than they do.
                                            6. I don't know enough to speak intelligently about that.
                                            7. Implementation? I only care about writing long reports.
                                            8. I can't take the credit. It was Ed in your marketing department.
                                            9. The problem is, you have too much work for too few people.
                                            10. Everything looks okay to me. You really don't need me.

                                            @webtyro:

                                            11. Have you looked at any open-source replacements. Price is just time involved and they are actually very good.

                                            Ba Dum Tss!

                                            When I think I saw everything to see in IT. I always find something new. Thanks for the laughs :)

                                            My views have absolutely no warranty express or implied. Always do your own research.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.