Netgate Discussion Forum

    PfSense security vs commercial options

    General pfSense Questions
    16 Posts 9 Posters 10.9k Views
      kmichal2223

      Hello,

      We currently use pfSense at my company.
      An IT consultant recently told us that we should purchase a commercial firewall because
      since pfSense is open source it is not as secure.
      Yes, I'm well aware that it's BS, but I would like to get some literature (case studies, comparisons).

      Can someone point me in the right direction?

      Thanks
      Mike

        gderf

        I'd start by asking that IT consultant to support his conjecture.

          chpalmer

          told us that we should purchase a commercial firewall because
          since pfSense is open source it is not as secure.

          I always read this from consultants as "pfSense isn't going to make us enough money and we don't know how to use it."

          but-

          http://forum.pfsense.org/index.php/topic,41337.msg214292.html#msg214292

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            matguy

            @gderf:

            I'd start by asking that IT consultant to support his conjecture.

            No offense, but when a consultant is hired, managers often take their word as gospel above hired employees until proven otherwise.  Remember, his explanation doesn't have to make sense, it just has to scare the manager.  Asking him to prove it is just going to make more work for you to dispel more myths.  Managers are scared to death of perceived security faults, but often ignore known faults.  Consultants play on this, I've been one before.

            I think all you need to do is expose a few security appliances that are based on open source software and companies that use either the appliances or open source applications for their security.  It may both dispel the myths and show that no consultancy is perfect and may raise the perception of your input.

            Sorry that my post doesn't directly answer your question, I think chpalmer gives you a great link to start with and explains a consultant's motives well.  I just wouldn't start out by letting the consultant start the conversation.  They will quickly point to the FUD (Fear, Uncertainty, and Doubt.)

              gderf

              If it was my business I wouldn't just accept an unsupported statement like the consultant offered.

              And as a consultant myself, I don't make unsupported statements like that either, as my continued employment depends on not doing things like that.

                matguy

                @gderf:

                If it was my business I wouldn't just accept an unsupported statement like the consultant offered.

                And as a consultant myself, I don't make unsupported statements like that either, as my continued employment depends on not doing things like that.

                You've just described the best case scenarios of the respective positions.  Many businesses aren't managed by their owners, especially for tech decisions.  Many managers that are making tech decisions aren't technical.  When it comes to making those decisions, it's easier for a manager to hide behind the advice of a consultant company than the advice of a subordinate.  It's easier to fire a consultant company and call a new one than to make disciplinary decisions toward an employee (which might lead to having to hire a new one, etc.)

                Many consultants aren't in it for the long run, quick $ makes them their monthly bonus, especially if they're just a short term consultant while they're looking for their next employment.  It's difficult for many decision makers to tell the difference between a fire fighter and an ambulance chaser and figure out that they really need a maintenance man with a small fire extinguisher.

                Just because a company may be good at their product, doesn't mean that their internal organization is coherent.

                  chpalmer

                  @matguy:

                  @gderf:

                  If it was my business I wouldn't just accept an unsupported statement like the consultant offered.

                  And as a consultant myself, I don't make unsupported statements like that either, as my continued employment depends on not doing things like that.

                  You've just described the best case scenarios of the respective positions.  Many businesses aren't managed by their owners, especially for tech decisions.  Many managers that are making tech decisions aren't technical.  When it comes to making those decisions, it's easier for a manager to hide behind the advice of a consultant company than the advice of a subordinate.  It's easier to fire a consultant company and call a new one than to make disciplinary decisions toward an employee (which might lead to having to hire a new one, etc.)

                  Many consultants aren't in it for the long run, quick $ makes them their monthly bonus, especially if they're just a short term consultant while they're looking for their next employment.  It's difficult for many decision makers to tell the difference between a fire fighter and an ambulance chaser and figure out that they really need a maintenance man with a small fire extinguisher.

                  Just because a company may be good at their product, doesn't mean that their internal organization is coherent.

                  Insert any number of Dilbert comic strips here.   About one or two a month cover this subject with uncanny accuracy…

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    nitz

                    I'm somewhat of an IT consultant: I assist my customers with IT-related issues and advise them as much as possible whenever it's within the IT field.

                    I mostly work with small to medium businesses, but whenever I present a solution such as a firewall, I try to gather a few viable options and discuss them with the staff/managers/owners, explaining the pros and cons and, whenever possible, trying to cut costs and workload.

                    Just recently I'm getting to know pfSense in a deeper approach and studying how to implement it.

                    Doesn't matter if a firewall is opensource or a commercial solution, there are always chances of security exploits and honestly I do think an open-source based solution is updated more often and put to test in a much wider scale than commercial firewalls.

                    Also keep in mind most bugs, exploits and security issues are generally caused by misconfiguration, indolence and not by the solution itself.

                      matguy

                      @nitz:

                      I'm somewhat of an IT consultant: I assist my customers with IT-related issues and advise them as much as possible whenever it's within the IT field.

                      I mostly work with small to medium businesses, but whenever I present a solution such as a firewall, I try to gather a few viable options and discuss them with the staff/managers/owners, explaining the pros and cons and, whenever possible, trying to cut costs and workload.

                      Just recently I'm getting to know pfSense in a deeper approach and studying how to implement it.

                      Doesn't matter if a firewall is opensource or a commercial solution, there are always chances of security exploits and honestly I do think an open-source based solution is updated more often and put to test in a much wider scale than commercial firewalls.

                      Also keep in mind most bugs, exploits and security issues are generally caused by misconfiguration, indolence and not by the solution itself.

                      It's also worth noting that open source products often have less financial incentive to hide issues/exploits than corporations with stockholders.

                        jimp Rebel Alliance Developer Netgate

                        And don't forget that some "commercial solutions" are really just the same sort of hardware with a customized open source OS on top, with some closed-source software driving. It's very rare for someone to roll their own OS from the bottom up for these things.

                        Even Juniper is (admittedly highly customized) based on BSD. Many others are based on Linux, and so on. Ever wonder how so many people here on this forum have simply wiped boxes from Watchguard, Symantec, Nortel, Barracuda, etc and ran pfSense instead?

                        Just because the GUI and some controlling software is open or closed doesn't make either one more or less secure.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                          dhatz

                          There are about a dozen large vendors of "commercial" firewalls, and at least a dozen more FOSS projects (offering specialized distributions of Linux/BSD) with varying levels of added value.

                          The decision of which firewall to deploy should depend on your actual needs, although in my experience that's rarely the case: typically on the client's side it's CYA ("nobody got fired for buying xyz") and expectations of better tech support, and on the consultant's side it's the product he knows best and the one that offers him the highest commissions.

                          The key is proper initial setup and thorough periodic auditing.

                          pfSense is based on proven tools (FreeBSD OS, OpenBSD pf, ISC dhcp, OpenVPN, lighttpd etc.) that have been around for many years and are widely deployed. If pfSense is properly configured and you only allow webGUI access from the "management" VLAN, it will be a fine packet filtering solution for practically all setups. If you require features beyond L3 packet filtering, like IDS/IPS or L7 filtering like that offered by PaloAlto, you'll have to look elsewhere.

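An added illustration of the "webGUI only from the management VLAN" advice above, written as a pf ruleset fragment of the kind pfSense compiles its per-interface rules into. This is example configuration, not from the original post or from the pfSense project; the interface names (vlan10 as management, vlan20 and vlan30 as other local segments) and the admin port list are assumptions. In pfSense itself the same intent is expressed as firewall rules on each interface in the GUI, and the default anti-lockout rule, which sits ahead of user rules and permits GUI access from the LAN interface, has to be taken into account for the restriction to actually hold.

```pf
# Example pf ruleset fragment (not pfSense's own config): only the management VLAN
# may reach the firewall's web GUI and SSH; every other local segment is blocked and logged.
# Interface names and the port list are assumptions for this example.
mgmt_if     = "vlan10"          # management VLAN
lan_if      = "vlan20"          # ordinary user VLAN
guest_if    = "vlan30"          # guest VLAN
admin_ports = "{ 443, 22 }"     # HTTPS web GUI and SSH

# Management hosts may reach the firewall's own address on the management interface.
pass in quick on $mgmt_if inet proto tcp from $mgmt_if:network to ($mgmt_if) port $admin_ports keep state

# Other local VLANs: drop and log any attempt to reach the admin ports on any firewall
# address ("self" expands to all of the firewall's addresses), so the firewall log
# also records which internal hosts are trying to reach the GUI.
block in log quick on { $lan_if, $guest_if } inet proto tcp from any to self port $admin_ports

# Ordinary rules for each VLAN (outbound web access, DNS, and so on) follow here.
```

The block rule carries `log` on purpose: a host on the user or guest VLAN that keeps hitting port 443 on the firewall is worth noticing, and with the rule placed before the segment's general "pass out to the Internet" rules it cannot be shadowed by a broader permit further down.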
                            stephenw10 Netgate Administrator

                            @dhatz:

                            If you require features beyond L3 packet filtering, like IDS/IPS or L7 filtering like that offered by PaloAlto, you'll have to look elsewhere.

                            I've read a number of posts here and elsewhere recently expressing that same opinion regarding IDS/IPS. I have always been under the impression that Snort served perfectly well for IPS; however, I've only ever used it as a test. I pretty soon turned it off again as it wasn't really necessary and was a huge resource hog.
                            Any opinions?

                            Steve

                              dhatz

                              @stephenw10:

                              @dhatz:

                              If you require features beyond L3 packet filtering, like IDS/IPS or L7 filtering like that offered by PaloAlto, you'll have to look elsewhere.

                              I've read a number of posts here and elsewhere recently expressing that same opinion regarding IDS/IPS. I have always been under the impression that Snort served perfectly well for IPS; however, I've only ever used it as a test. I pretty soon turned it off again as it wasn't really necessary and was a huge resource hog.
                              Any opinions?

                              I consider Snort (and Suricata) perfectly good IDS (or IPS if run inline), however last time I checked pfsense's Snort package wasn't yet ready for production use …

                              By the way, I think the Snort package is an ideal candidate for a crowd-funding initiative, as it is a really valuable add-on for many of the 100K+ pfsense known live installs.

                                kmichal2223

                                Thank you for all the replies.

                                Ironically, the guy recommended a Fortinet firewall, which uses Linux.
                                The guy mentioned the market share and the fact that it was tested by icsa labs.

                                  cmb

                                  @kmichal2223:

                                  The guy mentioned the market share and the fact that it was tested by icsa labs.

                                  We're not up to the market share of Fortinet, but we have a very significant install base nearing 140,000 known live installs, growing by 3000-5000 new installs every month. That's bigger than a lot of commercial solutions, and more than big enough that you don't have any concerns that you might have if running something obscure.

                                  ICSA? The guys who have certified products before with massive security holes. There is no value outside of marketing in ICSA certification. If it wasn't absurdly expensive I'd get us certified, as their marketing has convinced some people that they provide value, but it's just not worth the money. A lot of commercial solutions aren't even bothering with ICSA certification anymore. Cisco, for instance, is no longer on their list of certified products and hasn't been for a while.

                                    cmb

                                    I created this page on the wiki to answer this common question/concern. If anyone can think of any points I missed, let me know.

                                    http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.