Netgate Discussion Forum

    PfSense Not Secure for Enterprise Because "Open-Source"

    Category: Off-Topic & Non-Support Discussion
    30 Posts, 17 Posters, 6.4k Views
    • w0w

      If we are talking about security and open source, then nobody is right. You can't say that open source is always secure and closed source is not, or vice versa. There are no winners at all. That's why the sentence "pfSense Not Secure for Enterprise Because 'Open-Source'" is not correct either.
      The code can be secure if somebody checks it and tests it against all possible flaws. Open source does not always mean that will ever happen; just remember CVE-2014-0160. The same goes for closed source: sometimes it is closed just so as not to show how bad it is, but sometimes, vice versa, closed source code can be just perfect.

      If the core team that works on the project has high-level skills and the project is commercial and open source, this would be the best model on the market, because you have the advantages of both: full-time employment and a community that helps the project.

      • MasterX-BKC- (Banned)

        I've run into several such morons; usually 1 of 2 scenarios then follows:

        1.  They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim it is the best.

        2.  They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed-source, security-through-obscurity systems offer better security and reliability.

        It's usually not too hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around you see that they cannot explain their position other than by quoting the marketing and making assumptions.

        • chpalmer

          https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

          ;)

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          • Derelict (LAYER 8, Netgate)

            https://www.netgate.com/blog/netgate-taps-infosec-global-for-pfsense-code-review.html

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • Harvy66

              @MasterX-BKC-:

              I've run into several such morons; usually 1 of 2 scenarios then follows:

              1.  They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim it is the best.

              2.  They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed-source, security-through-obscurity systems offer better security and reliability.

              It's usually not too hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around you see that they cannot explain their position other than by quoting the marketing and making assumptions.

              My ISP was recently having latency issues, and it turned out Cisco's DDOS protection causes the line-card ASIC to run at about 15% of its rated speed by having the host CPU interrupt the heck out of it. Don't let others DDOS you, DOS yourself!

              You can compare the DDOS protection doing its "magic" with the first image.

              My target for the graph is 4.2.2.2

              I pay a fair $20/m for this 150/150 dedicated fiber connection! I best be getting a 13ms ping to Chicago!  8)

              [Attachments: Loss Graph.PNG, Fixed.PNG]

              • kobzar

                Open-source projects will always be secure. All people must understand one simple thing:
                When you use open source code, you always know what you are using!!! The other way, you don't know!

                WatchGuard x750e + 2GB + SATA-IDE 320GB

                • Derelict (LAYER 8, Netgate)

                  See also: GOTO FAIL, and countless other examples.

                  Open Source is readily-auditable by third parties, where closed source is not.

                  I don't know if that makes it any more secure or not.

                  Mistakes will always happen because humans are not perfect.

                  I have looked at the code for OpenSSL and I can't make any sense out of any of it so it might as well be closed as far as I am concerned. I am trusting someone else to ensure it is correct.


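The "goto fail" bug Derelict points to is a good illustration of why "readily auditable" is not the same as "audited": the defect was a single duplicated line in open, widely shipped code. As an added example (not code from this thread, from pfSense or from the original vendor), the control-flow shape of that bug beside a default-deny rewrite; raw_verify, EXPECTED and TAMPERED are constructed stand-ins for the real hashing and signature routines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the final compare: 0 if got == want, else non-zero. */
static int raw_verify(const uint8_t *got, const uint8_t *want, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= got[i] ^ want[i];   /* constant-time compare */
    return diff != 0;
}

/* Shape of the 2014 "goto fail" bug: the duplicated unconditional "goto fail;" is always
 * taken while err is still 0, so raw_verify() is dead code and a mismatch passes (0). */
int verify_goto_fail(int update_err, const uint8_t *got, const uint8_t *want, size_t n)
{
    int err = 0;
    if ((err = update_err) != 0)
        goto fail;
        goto fail;              /* the duplicated line: always taken */
    if ((err = raw_verify(got, want, n)) != 0)
        goto fail;
fail:
    return err;                 /* 0 means "signature verified" */
}

/* Hardened shape: braces on every branch and default deny; err is 0 only after a real match. */
int verify_fixed(int update_err, const uint8_t *got, const uint8_t *want, size_t n)
{
    int err = -1;               /* deny until proven good */
    if (update_err != 0) {
        err = update_err;
        goto fail;
    }
    err = raw_verify(got, want, n);
fail:
    return err;
}

/* Constructed sample: expected hash and a tampered copy differing in one byte. */
const uint8_t EXPECTED[4] = {0xde, 0xad, 0xbe, 0xef};
const uint8_t TAMPERED[4] = {0xde, 0xad, 0xbe, 0xee};
int main(void)
{
    printf("buggy: tampered=%d  fixed: tampered=%d genuine=%d  (0 = accepted)\n",
           verify_goto_fail(0, TAMPERED, EXPECTED, 4),
           verify_fixed(0, TAMPERED, EXPECTED, 4), verify_fixed(0, EXPECTED, EXPECTED, 4));
    return 0;
}
```

The buggy version accepts the tampered input because the compare never runs; the default-deny version can only return success after the compare has executed, and an unreachable-code or coverage check on the build would have flagged the dead branch.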
                  • NOYB

                    Compiled "open source" is closed, unless the build instructions are also open source so that it can be reproduced from the publicly available source.

                    • kpa

                      @NOYB:

                      Compiled "open source" is closed, unless the build instructions are also open source so that it can be reproduced from the publicly available source.

                      Stop talking bollocks; the compiled instructions are perfectly available to anyone by using a disassembler on the compiled objects/executables. Whether you can verify that what you're reading from the disassembly matches the sources you're reading on the side is a whole different issue, though. None of the mainstream operating systems or hardware platforms have support for such verification *), open source or closed source.

                      *) Unless you write everything directly in assembler of course.

                      • JorgeOliveira

                        @Soarin:

                        I was laying in bed and was Googling pfSense related searches and I came across this thread.

                        https://community.spiceworks.com/topic/1916608-it-consultant-says-ubiquity-pfsense-are-not-enterprise-secure
                        When I asked them to back up their concerns over the pfSense firewall with facts, they would only say "it's open-source software, therefore it's not secure. Anyone can see the code". So I dug a little deeper and asked "Can you tell me any specific vulnerabilities that you discovered that led you to that conclusion? If so, I want to get them fixed", to which the response was basically the same: "we don't recommend open-source software in an enterprise network; it's too risky".

                        That part hurt me the most, what's your opinion on that?

                        In one word: LOL

                        @marjohn56:

                        Top Ten Things You'll Never Hear from your Consultant
                        1. You're right; we're billing way too much for this.
                        2. Bet you I can go a week without saying "synergy" or "value-added".
                        3. How about paying us based on the success of the project?
                        4. This whole strategy is based on a Harvard business case I read.
                        5. Actually, the only difference is that we charge more than they do.
                        6. I don't know enough to speak intelligently about that.
                        7. Implementation? I only care about writing long reports.
                        8. I can't take the credit. It was Ed in your marketing department.
                        9. The problem is, you have too much work for too few people.
                        10. Everything looks okay to me. You really don't need me.

                        @webtyro:

                        11. Have you looked at any open-source replacements? The price is just the time involved, and they are actually very good.

                        Ba Dum Tss!

                        Whenever I think I've seen everything there is to see in IT, I always find something new. Thanks for the laughs :)

                        My views have absolutely no warranty express or implied. Always do your own research.

                        • Guest

                          First, I know this is a pretty old thread, but there is something I was personally missing here, and this is just for the record now.

                          We are all placed and living in different countries, with different laws, and also working with different standards, but normally the networking field is cut into several parts; as I know it, these are:

                          • Home networks
                          • SOHO networks
                          • professional networks
                          • and enterprise networks!

                          And if we are talking here now about enterprise networks, about NASDAQ-listed companies, you will not really see that there is a problem pointed at your company that is based on your computer network on Monday, and until Friday you were not able to solve it, and the market analysts write about it in public only once! And your company's stocks go down and they lose ~7 million dollars on that behaviour! And what do you all think is then going on in that company? ...

                          "we don't recommend open-source software in an enterprise network; it's too risky".

                          If a company is opening its doors and entering a market, it is normal to take out insurance that then covers that risk and works against individuals and other companies who get into trouble or pain based on the product or service of the enterprise company. And these insurers very often look first at how high the entire risk is and how high the fee must be for them, and then they often look at their own company rules and orders and tell that enterprise company what firewall they have to take! Not exactly which one, but it must be an ICSA I, II or III certified firewall, and if this is not given or they don't do it, the insurance company will not pay if something occurs! Pretty simple, but that's it, or it is today's practice.

                          Larger companies like enterprise companies have to follow their own standards, industry standards, the standards of their partners, suppliers or customers, and for sure also keep an eye on laws and orders or their own company rules. So often many employees do not know directly why something is not allowed to be used or taken inside, and then they often only speak about something like "it is not secure or safe", but in reality they simply don't know what this is based on. So please don't forget this if you are talking about open-source software and enterprise companies.

                          So please don't forget that, under pressure to implement the latest industry standards and comply with new regulatory requirements and/or laws, most companies want to be on the "safe side" from their point of view.

                          Inside the computer networks of these companies there is more open-source software than you could imagine, but they all don't talk about it.

                          The second thing is the certification of the administrators or employees: if someone hires an admin and he shows certificates from Cisco, Juniper, Brocade, Netgear or perhaps also MikroTik, he is on the safe side. If something occurs, all the people in that company ask the human resources office who hired that employee and why. And if then someone is able to tell that this employee showed up with certifications, all is mostly fine, but if he tells around or answers that this is the best Unix, Linux or BSD guy around this city as far as he knows, he gets more questions than by walking the other road. For sure not a guarantee for him, but this is how business runs today.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.