PfSense Not Secure for Enterprise Because "Open-Source"



  • I was laying in bed and was Googling pfSense related searches and I came across this thread.

    https://community.spiceworks.com/topic/1916608-it-consultant-says-ubiquity-pfsense-are-not-enterprise-secure
    When I asked them to backup their concerns over the pfSense firewall with facts, they would only say "it's an open source software, therefore it's not secure.  Anyone can see the code".  So I dug a little deeper and asked "Can you tell me any specific vulnerabilities that you discovered that led you to that conclusion- if so, I want to get them fixed" to which the response was basically the same "we don't recommend open-source source software in an enterprise network- it's too risky".

    That part hurt me the most, what's your opinion on that?



  • It means they are idiots, simples.  ;D



  • Bogus as it gets. The real power of open source is that you have an army of people all scrutinizing the code and looking for weaknesses and reporting them back to be fixed. A closed source organization is never going to match the level of peer review that happens in an open source project.

    Of course there are cases when open source gets it wrong horribly but since the code is all there to be seen it can be improved upon or used as a warning for everyone of what not to do.

    Why do you think all of the leading crypto experts are all recommending that you don't try to implement your own crypto but use the publicly available open source products? Think about that for a moment.



  • I agree, I find it extremely impressive that army of people and the pfSense team & community working together is able to produce something like this.



  • Yes they would prefer to buy private equipment full with back doors that no one knows because its not open source … genious ppl. I bet that they are using openvpn without knowing that is opensource too xD



  • @Soarin:

    it-consultant

    I have little faith in so called it-consultants. In my experience many of them are not worth the price of the business card that they carry. NOTE I said many, not all. I'd rather talk to somone who works at the coalface and has bags of experience in making things work, and does not get a freebie from the supplier!



  • As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".



  • Zyxel??? Was he being serious?  :o

    Probably challenged by the fact that pfSense requires a little more understanding than he had. There are good and bad IT Guys too, that has to be said.



  • @Soarin:

    "it's an open source software, therefore it's not secure.  Anyone can see the code".

    Oh lord! Do we have to go over this again? Common sense is not so common. I wonder if he knows how many things are running open-source in the world. Probably not. Must love not knowing what microsoft is downloading to his Windows 10.  ::)



  • @a_null:

    As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".

    I would listen to their computer guy, he convinced me to switch from pfSense to Zyxel.  ;)


  • LAYER 8 Global Moderator

    "It means they are idiots"

    ding ding ding - @Marjohn56 gets the cookie ;)


  • Rebel Alliance Developer Netgate

    To be fair they may not be an idiot per se, but they may get sales commissions from other big names for selling closed-source proprietary solutions, and the money makes them more than a little biased. But that's what people get for having an assessment done by a company with a clear conflict of interest.

    If you want any kind of audit or assessment, run far away from a company that is a partner with any vendors or you can guess with 100% accuracy that magically your network will be insecure and "by the way here's a list of things you need to buy from us to fix it".



  • @kpa:

    Bogus as it gets. The real power of open source is that you have an army of people all scrutinizing the code and looking for weaknesses and reporting them back to be fixed. A closed source organization is never going to match the level of peer review that happens in an open source project.

    Of course there are cases when open source gets it wrong horribly but since the code is all there to be seen it can be improved upon or used as a warning for everyone of what not to do.

    Why do you think all of the leading crypto experts are all recommending that you don't try to implement your own crypto but use the publicly available open source products? Think about that for a moment.

    When it comes to security, it's not how many eyes, but the quality of the eyes. There's a lot of high quality eyes in the open source community in certain areas. If I worry about security, I focus on using projects from people who know what they're doing, not because something is more popular.



  • @Soarin:

    @a_null:

    As an IT Consultant, I just ran into this, but reversed. I recommended pfSense to a client, but their "computer guy" says they should have Sonicwall or Zyxel, because "they are more suited to small business and have a friendly interface".

    I would listen to their computer guy, he convinced me to switch from pfSense to Zyxel.  ;)

    That client DID listen to his computer guy.



  • Just how open is open source if it cannot readily be built from the open source to produce the same image to insure there isn't a little something extra being included in the distribution image?

    How to Build pfSense 2.3?
    https://forum.pfsense.org/index.php?topic=109089.0

    Being able to look at the publicly available source doesn't mean squat, if one can't compile and produce the same image that is being distributed.

    So far to this point in time I don't consider pfSense to be open source but rather corporate managed public contribution.



  • It's like as joke  :)



  • @kobzar:

    It's like as joke  :)

    It would be nice if everybody took it is a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.



  • @phil.davis:

    @kobzar:

    It's like as joke  :)

    It would be nice if everybody took it is a joke, but unfortunately even people in the industry will believe what some "consultant" tells them.

    Ah, sounds like you have the same faith in consultants that I do, maybe we've met the same consultants. :)

    I found this, I think it's pretty accurate for many.

    Top Ten Things You'll Never Hear from your Consultant
    1. You're right; we're billing way too much for this.
    2. Bet you I can go a week without saying "synergy" or "value-added".
    3. How about paying us based on the success of the project?
    4. This whole strategy is based on a Harvard business case I read.
    5. Actually, the only difference is that we charge more than they do.
    6. I don't know enough to speak intelligently about that.
    7. Implementation? I only care about writing long reports.
    8. I can't take the credit. It was Ed in your marketing department.
    9. The problem is, you have too much work for too few people.
    10. Everything looks okay to me. You really don't need me.



  • 11. Have you looked at any open-source replacements. Price is just time involved and they are actually very good.



  • If we are talking about about security and open-source then nobody is right. You can't say that open source is always secure and closed source is not and vice versa. There are no winners at all. That's why "pfSense Not Secure for Enterprise Because "Open-Source"" sentence is not correct also.
    The code can be secure if somebody checks it and tests it against all possible flaws. Open-source does not always mean it will be happened ever, just remember CVE-2014-0160 and same for closed source, sometimes it closed just not to show how bad it is, but sometimes vice versa closed source code can be just perfect.

    If the core team who works on project have high-level skills and the project is commercial and open-source this would be the best model on market, because you have advantages of both — Full-time employment and community that helps the project.


  • Banned

    Ive run into several such morons, usually 1 of 2 scenarios then follows….

    1.  They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim is the best.

    2.  They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed source, security through obscurity, systems offer better security and reliability.

    Its usually not to hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around see that they cannot explain their position other than to quote the marketing, and make assumptions.




  • LAYER 8 Netgate



  • @MasterX-BKC-:

    Ive run into several such morons, usually 1 of 2 scenarios then follows….

    1.  They try to sell you a Cisco, Juniper, Sonicwall, UB, or whatever they purport to specialize in, and claim is the best.

    2.  They actually believe the misleading and slanted marketing materials of the vendors of the above, and believe that these proprietary, closed source, security through obscurity, systems offer better security and reliability.

    Its usually not to hard to argue the differences with one of these types if you know your subject matter well, at least well enough that those around see that they cannot explain their position other than to quote the marketing, and make assumptions.

    My ISP was recently having latency issues and it turned out Cisco's DDOS protection causes the line-card ASIC to run about 15% its rated speed by having the host CPU interrupt the heck out of it. Don't let others DDOS you, DOS yourself!

    You can compare the DDOS protection doing it's "magic" with the first image.

    My target for the graph is 4.2.2.2

    I pay a fair $20/m for this 150/150 dedicated fiber connection! I best be getting a 13ms ping to Chicago!  8)

    ![Loss Graph.PNG](/public/imported_attachments/1/Loss Graph.PNG)
    ![Loss Graph.PNG_thumb](/public/imported_attachments/1/Loss Graph.PNG_thumb)



  • OpenSource projects always will be secure. All people must understand the one simple things:
    When you are use open source code - you always know what are you use!!! Another way - you don't know!


  • LAYER 8 Netgate

    See Also: GOTO FAIL: and countless other examples.

    Open Source is readily-auditable by third parties, where closed source is not.

    I don't know if that makes it any more secure or not.

    Mistakes will always happen because humans are not perfect.

    I have looked at the code for OpenSSL and I can't make any sense out of any of it so it might as well be closed as far as I am concerned. I am trusting someone else to ensure it is correct.



  • Compiled "open source" is closed.  Unless the build instructions are also open source for reproducing it from the publicly available source.



  • @NOYB:

    Compiled "open source" is closed.  Unless the build instructions are also open source for reproducing it from the publicly available source.

    Stop talking bollocks, the compiled instructions are perfectly available to anyone by use of a disassembler on the compiled objects/executables. Whether you can verify that what you're reading from the disassembly matches with the sources you're reading on the side is a whole different issue though. None of the mainstream operating systems or hardware platforms just don't have support for such verification *), open source or closed source.

    *) Unless you write everything directly in assembler of course.



  • @Soarin:

    I was laying in bed and was Googling pfSense related searches and I came across this thread.

    https://community.spiceworks.com/topic/1916608-it-consultant-says-ubiquity-pfsense-are-not-enterprise-secure
    When I asked them to backup their concerns over the pfSense firewall with facts, they would only say "it's an open source software, therefore it's not secure.  Anyone can see the code".  So I dug a little deeper and asked "Can you tell me any specific vulnerabilities that you discovered that led you to that conclusion- if so, I want to get them fixed" to which the response was basically the same "we don't recommend open-source source software in an enterprise network- it's too risky".

    That part hurt me the most, what's your opinion on that?

    In one word: LOL

    @marjohn56:

    Top Ten Things You'll Never Hear from your Consultant
    1. You're right; we're billing way too much for this.
    2. Bet you I can go a week without saying "synergy" or "value-added".
    3. How about paying us based on the success of the project?
    4. This whole strategy is based on a Harvard business case I read.
    5. Actually, the only difference is that we charge more than they do.
    6. I don't know enough to speak intelligently about that.
    7. Implementation? I only care about writing long reports.
    8. I can't take the credit. It was Ed in your marketing department.
    9. The problem is, you have too much work for too few people.
    10. Everything looks okay to me. You really don't need me.

    @webtyro:

    11. Have you looked at any open-source replacements. Price is just time involved and they are actually very good.

    Ba Dum Tss!

    When I think I saw everything to see in IT. I always find something new. Thanks for the laughs :)



  • At first I know this is a pretty old thread, but something I was personally missing here in and this just for the records now.

    We are all placed and living in different countries, with different laws and also working with different standards, but in normal
    the networking field will be cut in several parts, as I know it this are;

    • Home networks
    • SOHO networks
    • professional networks
    • and enterprise networks!

    And if we are talking here now about enterprise networks, about at the NASDAQ notated companies, you will not really
    see that there is a problem pointed to your company that is based on your computer network on Monday and till Friday
    you was not able to solve this out and the market analysts are writing about that in the public only once! And your
    companies stocks are going down and they were loosing ~7 million dollars on that behaviour! And what you all think is then
    going on in that company? ….....

    "we don't recommend open-source source software in an enterprise network- it's too risky".

    If a company is opening their doors and is entering in a market, it is normal to hire an insurance that is then
    saving that risk and work against individuals and other companies who gets in trouble or pain based on that
    product or service of the enterprise company. And this insurances are very often looking at first how high is
    the entire risk and how high must be the fee for them, and then they look often in their own company rules
    and orders and tell that enterprise company what firewall they have to take! Not exactly which one, but it
    must be a ICSA I, II or III proofed firewall and if this is not given or they don´t do it, the insurance company
    will not pay if something occurs! Pretty simple but that´s it, or it is todays practice.

    Greater companies likes enterprise companies have to follow their own standards, industrial standards, standards
    of their partners, supplier or customers and for sure also with an keeping eye on laws and orders or their own
    company rules. So often many employees are not knowing directly why something is not allowed to use or to
    take inside and then they are often only speaking about something likes "it is not secure or safe", but in real
    they simply don´t know on what this is based on. So please don´t forget this if you are talking about
    OpenSource Software and enterprise companies.

    So please don´t forget under pressure to implement the latest industry standards and comply with new
    regulatory requirements and/or laws the most companies want to be on the "safe site" from their point of view.

    Inside of many computer networks this companies will be more OpenSource software as you may could imagine
    but they all don´t talk about it.

    The second thing is the certification of the administrators or employees, if someone hires an admin and he is showing
    certificates from Cisco, Juniper, Brocade, Netgear or perhaps also MikroTik, he is on the safe site. If something occurs
    all people in that company are asking at the human recourses office who and why was hiring that employee? And if then
    someone is able to tell that this employee was showing up certifications all is mostly fine, but if he is telling around or
    he is answering that is the best Unix, Linux or BSD guy around this city as he know it, he gets more questions then
    walking the other road. For sure not a guarantee for him, but this is like business runs as today.


Log in to reply