PfSense security vs commercial options



  • Hello,

    We currently use psSense at my company.
    An IT consultant recently told us that we should purchase a commercial firewall because
    since pfSense is open source it is not as secure.
    Yes, I'm well away that it bs but I would like to get some literature (case studies, comparisons).

    Can someone point me in the right direction?

    Thanks
    Mike



  • I'd start by asking that IT consultant to support his conjecture.



  • told us that we should purchase a commercial firewall because
    since pfSense is open source it is not as secure.

    I always read this from consultants as "pfSense isn't going to make us enough money and we don't know how to use it."

    but-

    http://forum.pfsense.org/index.php/topic,41337.msg214292.html#msg214292



  • @gderf:

    I'd start by asking that IT consultant to support his conjecture.

    No offense, but when a consultant is hired, managers often take their word as gospel above hired employees until proven otherwise.  Remember, his explanation doesn't have to make sense, it just has to scare the manager.  Asking him to prove it is just going to make more work for you to dispel more myths.  Managers are scared to death of perceived security faults, but often ignore known faults.  Consultants play on this, I've been one before.

    I think all you need to do is expose a few security appliances that are based on open source software and companies that use either the appliances or open source applications for their security.  It may both dispel the myths and show that no consultancy is perfect and may raise the perception of your input.

    Sorry that my post doesn't directly answer your question, I think chpalmer gives you a great link to start with and explains a consultant's motives well.  I just wouldn't start out by letting the consultant start the conversation.  They will quickly point to the FUD (Fear, Uncertainty, and Doubt.)



  • If it was my business I wouldn't just accept an unsupported statement like the consultant offered.

    And as a consultant myself, I don't make unsupported statements like that either, as my continued employment depends on not doing things like that.



  • @gderf:

    If it was my business I wouldn't just accept an unsupported statement like the consultant offered.

    And as a consultant myself, I don't make unsupported statements like that either, as my continued employment depends on not doing things like that.

    You've just described the best case scenarios of the respective positions.  Many businesses aren't managed by their owners, especially for tech decisions.  Many managers that are making tech decisions aren't technical.  When it comes to making those decisions, it's easier for a manager to hide behind the advice of a consultant company than the advice of a subordinate.  It's easier to fire a consultant company and call a new one than to make disciplinary decisions toward an employee (which might lead to having to hire a new one, etc.)

    Many consultants aren't in it for the long run, quick $ makes them their monthly bonus, especially if they're just a short term consultant while they're looking for their next employment.  It's difficult for many decision makers to tell the difference between a fire fighter and an ambulance chaser and figure out that they really need a maintenance man with a small fire extinguisher.

    Just because a company may be good at their product, doesn't mean that their internal organization is coherent.



  • @matguy:

    @gderf:

    If it was my business I wouldn't just accept an unsupported statement like the consultant offered.

    And as a consultant myself, I don't make unsupported statements like that either, as my continued employment depends on not doing things like that.

    You've just described the best case scenarios of the respective positions.  Many businesses aren't managed by their owners, especially for tech decisions.  Many managers that are making tech decisions aren't technical.  When it comes to making those decisions, it's easier for a manager to hide behind the advice of a consultant company than the advice of a subordinate.  It's easier to fire a consultant company and call a new one than to make disciplinary decisions toward an employee (which might lead to having to hire a new one, etc.)

    Many consultants aren't in it for the long run, quick $ makes them their monthly bonus, especially if they're just a short term consultant while they're looking for their next employment.  It's difficult for many decision makers to tell the difference between a fire fighter and an ambulance chaser and figure out that they really need a maintenance man with a small fire extinguisher.

    Just because a company may be good at their product, doesn't mean that their internal organization is coherent.

    Insert any number of Dilbert comic strips here.   About one or two a month cover this subject with uncanny accuracy…



  • I'm somewhat of a IT consultant, I assist my customers with IT related issues and advise them as much as possible whenever it's within IT field.

    I mostly work with small to medium business but whenever I present a solution such as a firewall, I try to gather a few viable options and discuss it with the staff/managers/owners explaining the pros and cons and whenever as possible trying to cut costs and workload.

    Just recently I'm getting to know pfSense in a deeper approach and studying how to implement it.

    Doesn't matter if a firewall is opensource or a commercial solution, there are always chances of security exploits and honestly I do think an open-source based solution is updated more often and put to test in a much wider scale than commercial firewalls.

    Also keep in mind most bugs, exploits and security issues are generally caused by misconfiguration, indolence and not by the solution itself.



  • @nitz:

    I'm somewhat of a IT consultant, I assist my customers with IT related issues and advise them as much as possible whenever it's within IT field.

    I mostly work with small to medium business but whenever I present a solution such as a firewall, I try to gather a few viable options and discuss it with the staff/managers/owners explaining the pros and cons and whenever as possible trying to cut costs and workload.

    Just recently I'm getting to know pfSense in a deeper approach and studying how to implement it.

    Doesn't matter if a firewall is opensource or a commercial solution, there are always chances of security exploits and honestly I do think an open-source based solution is updated more often and put to test in a much wider scale than commercial firewalls.

    Also keep in mind most bugs, exploits and security issues are generally caused by misconfiguration, indolence and not by the solution itself.

    It's also worth noting that open source products often have less financial incentive to hide issues/exploits than corporations with stockholders.


  • Rebel Alliance Developer Netgate

    And don't forget that some "commercial solutions" are really just the same sort of hardware with a customized open source OS on top, with some closed-source software driving. It's very rare for someone to roll their own OS from the bottom up for these things.

    Even Juniper is (admittedly highly customized) based on BSD. Many others are based on Linux, and so on. Ever wonder how so many people here on this forum have simply wiped boxes from Watchguard, Symantec, Nortel, Barracuda, etc and ran pfSense instead?

    Just because the GUI and some controlling software is open or closed doesn't make either one more or less secure.



  • There are about a dozen large vendors of "commercial" firewalls, and at least a dozen more FOSS projects (offering specialized distributions of Linux/BSD) with varying levels of added value.

    The decision of which firewall to deploy should depend on your actual needs, although in my experience it's rarely the case: typically on the client's side it's CYA ("nobody got fired for buying xyz") and expectations of better tech support, and on the consultant's side it's the product he knows best and offers him the highest commissions).

    The key is proper initial setup and thorough periodic auditing.

    pfSense in based on proven tools (FreeBSD OS, OpenBSD pf, ISC dhcp, OpenVPN, lighttpd etc) that have been around for many years and are widely deployed. If pfsense is properly configured and you only allow webGUI access from the "management" VLAN, it will be a fine packet filtering solution for practically all setups. If you require features beyond L3 packet filtering, like IDS/IPS or L7 filtering like that offered by PaloAlto, you'll have to look elsewhere.


  • Netgate Administrator

    @dhatz:

    If you require features beyond L3 packet filtering, like IDS/IPS or L7 filtering like that offered by PaloAlto, you'll have to look elsewhere.

    I've read a number of posts here and elsewhere recently expressing that same opinion regarding IDS/IPS. I have always been under the impression that Snort served perfectly well for IPS however I've only ever used it as a test. I pretty soon turned it off again as it wasn't really necessary and huge resource hog.
    Any opinions?

    Steve



  • @stephenw10:

    @dhatz:

    If you require features beyond L3 packet filtering, like IDS/IPS or L7 filtering like that offered by PaloAlto, you'll have to look elsewhere.

    I've read a number of posts here and elsewhere recently expressing that same opinion regarding IDS/IPS. I have always been under the impression that Snort served perfectly well for IPS however I've only ever used it as a test. I pretty soon turned it off again as it wasn't really necessary and huge resource hog.
    Any opinions?

    I consider Snort (and Suricata) perfectly good IDS (or IPS if run inline), however last time I checked pfsense's Snort package wasn't yet ready for production use …

    By the way, I think the Snort package is an ideal candidate for a crowd-funding initiative, as it is a really valuable add-on for many of the 100K+ pfsense known live installs.



  • Thank you for all the replies.

    Ironically they guy recommended Fortinet firewall which uses Linux.
    The guy mentioned the market share and the fact that it was tested by icsa labs.



  • @kmichal2223:

    The guy mentioned the market share and the fact that it was tested by icsa labs.

    We're not up to the market share of Fortinet, but we have a very significant install base nearing 140,000 known live installs, growing by 3000-5000 new installs every month. That's bigger than a lot of commercial solutions, and more than big enough that you don't have any concerns that you might have if running something obscure.

    ICSA? The guys who have certified products before with massive security holes. There is no value outside of marketing in ICSA certification. If it wasn't absurdly expensive I'd get us certified, as their marketing has convinced some people that they provide value, but it's just not worth the money. A lot of commercial solutions aren't even bothering with ICSA certification anymore. Cisco, for instance, is no longer on their list of certified products and hasn't been for a while.



  • I created this page on the wiki to answer this common question/concern. If anyone can think of any points I missed, let me know.

    http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives


Locked