nanog mailing list archives

Re: sub $500-750 CPE firewall for voip-centric application


From: Mel Beckman <mel () beckman org>
Date: Fri, 6 May 2016 19:20:02 +0000

But bug reports and response can be measured, at least by those with support contracts for the commercial products. I 
found PFSense less reliable by a quite large margin than commercial offerings. Plus when I have a problem, I can open a 
case and somebody else is working on it (because I paid them to), and they usually solve the problem without a lot more 
involvement on my part.

I tried PFSense Premium Support once when it first launched, and they simply didn’t have their act together. Also, the 
cheapest PFSense support contract cost nearly as much as an entire commercial firewall including hardware and a year 
support! Maybe they’ve improved. I don’t have time to research it though, as the commercial products are quite 
reasonably priced and generally superior in features. I’ve also looked at the PFSense appliances for sale, and they are 
not remarkable (either in price or features). I think what store.pfsense.org demonstrates is 
that the commercial offerings are justified in what they charge, since it’s about equal to what PFSense hardware costs.

Then there is the available skills problem. It’s much easier to find a Cisco, Dell, Juniper, or whatever-conversant 
tech than it is to find someone facile in PFSense.

It’s a valiant effort, but to me the value differential just isn’t making sense for PFSense.

 -mel



On May 6, 2016, at 11:50 AM, Aris Lambrianidis <effulgence () gmail com> wrote:

Mel Beckman wrote:
The question of code quality is always a difficult one, since in FOSS it’s public and often found lacking, but in 
private source you may never know. In these cases I rely on the vendor’s public statements about their development 
processes and certifications (e.g., ICSA). Commercial products often disclose their development processes and even run 
in-house security threat research groups that publish to the community.

There are also outside certifications. For example, www.icsalabs.com lists certifications by 
vendor for those that have passed their test regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be 
current. PFSense isn’t listed, and although it is theoretically vetted by many users, there is no guarantee of recency 
or thoroughness of the test regimen.

This brings up the question of whether PFSense can meet regulatory requirements such as PCI, HIPAA, GLBA and SOX. While 
these regulatory organizations don’t require specific overall firewall certifications, they do require various specific 
standards, such as encryption strength, logging, VPN timeouts, etc. I don’t know if PFSense meets these requirements, 
as they don’t say so on their site. Companies like Dell publish white papers on their compliance with each regulatory 
organization.

It seems those certifications are not offering the assurance at least *some* people would expect from them, unless
of course we're talking about feeding the paper pushing beast. This is a mere observation on my part, principally
I'm not against them, but I seriously doubt bad coding practices happen only on non certified/audited code, so
I find the question of value difficult to answer in a satisfactory manner.

Random germane example: http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips

Aris
