PCI certification at the business level isn’t about whether your firewall vendor has gone through an audit and paid someone. You can build your own firewall if you wish and it must meet all of the necessary requirements. So will a commercial firewall, because it’s certainly possible to configure anyone’s firewall in an insecure manner. In fact, my name brand expensive firewall automatically fails the regular security scans because it answers ISAKMP. When asked, and it took awhile to get the truth, the answer was “We automatically flag because ISAMKP can be configured insecurely, so we automatically flag.” Showing my config wasn’t insecure got me a green light. On May 6, 2016, at 1:45 PM, amuse <nanog-amuse@foofus.com<mailto:nanog-amuse@foofus.com>> wrote: Don't forget ponying up the fees and charges for paying the auditors - which is why most OSS projects don't end up going through them. On Fri, May 6, 2016 at 11:41 AM, Keith Stokes <keiths@neilltech.com<mailto:keiths@neilltech.com>> wrote: I've been told by various PCI auditors that a noncommercial/FOSS firewall could pass as long as you have implemented the necessary controls such as encryption/logging/management and passing actual testing. -- Keith Stokes
On May 6, 2016, at 1:31 PM, Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote:
The question of code quality is always a difficult one, since in FOSS it’s public and often found lacking, but in private source you may never know. In these cases I rely on the vendor’s public statements about their development processes and certifications (e.g., ICSA). Commercial products often disclose their development processes and even run in-house security threat research groups that publish to the community.
There are also outside certifications. For example, www.icsalabs.com<http://www.icsalabs.com/><http://www.icsalabs.com<http://www.icsalabs.com/>> lists certifications by vendor for those that have passed their test regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be current. PFSense isn’t listed, and although it is theoretically vetted by many users, there is no guarantee of recency or thoroughness of the test regimen.
This brings up the question of whether PFSense can meet regulatory requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory organizations don’t require specific overall firewall certifications, they do require various specific standards, such as encryption strength, logging, VPN timeouts, etc. I don’t know if PFsense meets these requirements, as they don’t say so on their site. Companies like Dell publish white papers on their compliance with each regulatory organization.
-mel
On May 6, 2016, at 11:05 AM, Aris Lambrianidis <effulgence@gmail.com<mailto:effulgence@gmail.com><mailto:effulgence@gmail.com<mailto:effulgence@gmail.com>>> wrote:
amuse wrote: One question I have is: Is there any reason to believe that the source code for Sonicwall, Cisco, etc are any better than the PFSense code? Or are we just able to see the PFSense code and make unfounded assumptions that the commercial code is in better shape? Perhaps not. In fact, probably not, judging by the apparent lack of audit processes for say, OpenSSL libraries re-used in commercial products.
It still doesn't detract from the value of what people are aware of, in this case, pfSense code quality.
Aris
--- Keith Stokes