
I have used pfsense before as the main gateway, load balancer, traffic shaping, proxy, firewall, virus/malware protection, enterprise wifi solution for an entire office of 50+ users. Yet I have received criticism from top IT companies who have done an audit on our IT infrastructure calling this solution immature and insecure. While top security experts I have consulted with have told me "using pfsense for everything is of poor quality and most likely cannot handle all of these tasks efficiently".

Yet these same companies that made such claims have been attacked with viruses such as WannaCry, while our infrastructure was maintained without incident.

My reasons for choosing pfsense are the following:

  1. No Cost due to open source free software.
  2. Large community support.
  3. Capability of handling many services at once.
  4. No subscription costs for anti-virus and/or other services.

The setup consisted of the following hardware:

  • Quad Core Intel Pentium Processor
  • 8GB of DDR3 RAM
  • 500GB HDD
  • 4 x 1Gbps NICs

Services used:

  • Anti-Virus protection: ClamAV
  • Proxy & Caching: Squid Proxy
  • Enterprise Wifi Management & Authentication: FreeRADIUS

This firewall has handled security very well and load balancing/traffic shaping without any drop-outs. All the services mentioned above were running without straining the CPU while also having MAC Address routing enabled which is known to be CPU intensive.

I have read articles where some of these mentioned IT consultants actually discourage the use of open source firewalls due to the fact that they have contracts with large providers like Fortinet and Cisco. I'm sure that with proper configuration pfsense can be as secure as commercial offerings, if not maybe even more secure.

Questions:

  1. Is this setup truly insecure as mentioned by other IT companies and what are best practices for securing such a setup?
  2. Are large security companies truly afraid of such solutions rendering their products obsolete? Looking at the most used server and firewall operating systems worldwide, Linux is used over commercial offerings like Microsoft.
WMRamadan

1 Answer


Is this setup truly insecure as mentioned by other IT companies and what are best practices for securing such a setup?

The quality of both open source and commercial solutions differs widely. There are commercial firewalls which more or less do what pfSense does and there are firewalls which do a lot more. Of the security features you mention for your firewall, the only one that actually is a security feature is ClamAV; neither a Squid proxy nor RADIUS authentication is a security feature by itself: it does not matter if the authentication uses RADIUS if the passwords are weak, and it does not matter if you use Squid if it allows unlimited access to all websites.

ClamAV is definitely a weak option compared to many commercial AVs. Commercial solutions, for example, are often backed by cloud services which allow dynamic code analysis of suspicious files and can thus react faster to new threats. But commercial AVs don't provide 100% security either. Relying only on an AV in a perimeter firewall for security is a bad idea from the start.

A secure setup would not just put some firewall at the perimeter and then forget about it. For a secure setup one would first analyze the actual risks and threats and then decide how these can be mitigated best using the time and money available. This usually does not only involve using firewalls but also endpoint security and maybe segmenting the local network further. In some cases free firewalls are sufficient, in other cases commercial firewalls are better since they often allow a more granular addressing of the risks, more visibility into what's going on and have a faster reaction to new threats. But again, the actual advantage depends on which firewall is used since the quality, capabilities (and price) vary a lot.

This firewall has handled security very well and load balancing/traffic shaping without any drop-outs.

What you address here is mainly availability and performance and not actual security. From this statement it is not really clear what your installation does better in terms of security than a simple network cable - which is even cheaper.

Are large security companies truly afraid of such solutions rendering their products obsolete, looking at the most used servers and firewall operating systems world wide Linux is used over commercial offerings like Microsoft?

Not really. Commercial companies today use open software a lot themselves. For example Microsoft is actually a very large user of Linux itself and not only in Azure. Open source software is also often used in commercial firewalls and security companies also contribute to open source themselves.

Also, open source does not magically address all the needs: while one can use Linux to build a firewall (and many commercial firewalls are based on Linux), it takes lots of time and lots of specialized knowledge to create and maintain a solution which does more than just fill basic needs.

Yet these same companies that made such claims have been attacked with viruses such as WannaCry, while our infrastructure was maintained without incident.

Such anecdotal evidence is pretty useless for comparing security solutions. It comes down to picking the aspects which support your claims and ignoring the others. See also Cherry picking and Confirmation bias.

Steffen Ullrich
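To make the answer's point about Squid concrete, here is an added example (not from the question or the answer) of the difference between a proxy that merely forwards and caches and one that actually enforces an access policy. The subnet, the allow-list file path and its contents are constructed for illustration; the ACL and http_access directives are standard squid.conf syntax.

```conf
# What "unlimited access to all websites" looks like: the proxy caches,
# but every client can reach every destination. No security is added.
#   http_access allow all

# Corrected policy: deny by default, permit only the office subnet,
# only web ports, and only destinations on an approved list.
acl localnet  src 192.168.10.0/24          # constructed office LAN range
acl Safe_ports port 80 443                 # plain HTTP and HTTPS only
acl SSL_ports  port 443                    # CONNECT tunnels may only target 443
acl CONNECT    method CONNECT

# One destination per line, e.g. ".example.com" (leading dot matches subdomains).
# Path is hypothetical; on pfSense the Squid package keeps its files under /usr/local/etc/squid/.
acl allowed_sites dstdomain "/usr/local/etc/squid/allowed_sites.txt"

# Order matters: Squid stops at the first matching http_access rule.
http_access deny  !Safe_ports               # no odd ports through the proxy
http_access deny  CONNECT !SSL_ports        # no tunnelling to non-TLS ports
http_access deny  !localnet                 # nothing from outside the office LAN
http_access allow localnet allowed_sites    # approved destinations only
http_access deny  all                       # everything else is refused

# Log every decision so the "visibility" the answer mentions actually exists.
access_log daemon:/var/log/squid/access.log squid
```

Every request that reaches `http_access deny all` appears in access.log as TCP_DENIED, which is the data you would review to tell whether the proxy is enforcing anything or just passing traffic through.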