Re: sub $500-750 CPE firewall for voip-centric application

[Aris Lambrianidis <effulgence () gmail com>]

Mel Beckman wrote:
> The question of code quality is always a difficult one, since in FOSS 
> it’s public and often found lacking, but in private source you may 
> never know. In these cases I rely on the vendor’s public statements 
> about their development processes and certifications (e.g., ICSA). 
> Commercial products often disclose their development processes and 
> even run in-house security threat research groups that publish to the 
> community.
>
> There are also outside certifications. For example, www.icsalabs.com 
> <http://www.icsalabs.com> lists certifications by vendor for those 
> that have passed their test regimen, and both Dell SonicWall and 
> Fortinet Fortigate are shown to be current. PFSense isn’t listed, and 
> although it is theoretically vetted by many users, there is no 
> guarantee of recency or thoroughness of the test regimen.
>
> This brings up the question of whether PFSense can meet regulatory 
> requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory 
> organizations don’t require specific overall firewall certifications, 
> they do require various specific standards, such as encryption 
> strength, logging, VPN timeouts, etc. I don’t know if PFsense meets 
> these requirements, as they don’t say so on their site. Companies like 
> Dell publish white papers on their compliance with each regulatory 
> organization.
It seems those certifications are not offering the assurance at least 
*some* people would expect from them, unless
of course we're talking about feeding the paper pushing beast. This is a 
mere observation on my part, principally
I'm not against them, but I seriously doubt bad coding practices happen 
only on non certified/audited code, so
I find the question of value difficult to answer in a satisfactory manner.

Random germane example: 
http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips

Aris