Please consider German BSI certification, otherwise you will very likely be dropped out of the market for real professional solutions.
Looking at the list of certified networking products: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/produkte.html?nn=456508, I have to disagree.
Also, CC certification is probably impossible for an open source project.
The list of certified products is pretty short and largely irrelevant:
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/Netzwerkprodukte_node.html
Most prominent BSI certified product is Genugate. Genua have a long history of tailoring their firewall to match public calls for bids and so they are effectively the go-to supplier for everything "government". But then their firewall really cannot do much.
For large enterprises down to SMBs, BSI certification is completely irrelevant, which is why you see almost no commercial vendor in that list.
23.10 will be the first business edition to be fully LINCE certified.
See https://www.jtsec.es/lince-evaluation and https://docs.opnsense.org/security.html#framework-type-of-testing-lince
Cheers,
Franco
Fun fact about Genua is they use OpenBSD :)
And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.
Cheers,
Franco
This list is not up to date:
https://www.insys-icom.com/insys-icom-erhaelt-it-sicherheitszertifikat-vom-bundesamt-fuer-sicherheit-in-der-informationstechnik-bsi/
Most prominent is Insys, not Genua; it's probably too late anyway. We have a project to migrate around 80 Sophos UTM firewalls, because they are end of life in 2026. Right now they will be Insys, not OPNsense, because of this certification.
Never heard of them.
Prominent manufacturers of enterprise firewalls are among others:
Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...
This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.
Quote from: franco on October 27, 2023, 11:15:55 AM
And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.
Cheers,
Franco
Not good... cannot argue then not to move to Insys.
Quote from: Patrick M. Hausen on October 27, 2023, 03:59:30 PM
Never heard of them.
Prominent manufacturers of enterprise firewalls are among others:
Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...
This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.
Maybe prominent, but only in corporate environments and not used in huge numbers. Insys is used in industrial environments, in huge numbers.
Example: we are running ~60 OPNsense (and counting) and ~80 Sophos UTM firewalls, but only 4 corporate firewalls.
Err, hold on a second...
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Beschleunigte-Sicherheitszertifizierung/Zertifizierte-Produkte-nach-BSZ/zertifizierte-produkte-nach-bsz_node.html
Only lists two things including Insys, but it says "Aktuelle Zertifikate der Beschleunigten Sicherheitszertifizierung" (current certificates of the accelerated security certification), which suggests this is a lightweight process...
And like bimbar notes this is the REAL page with the known (fully) certified devices:
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/produkte.html?nn=456508
Nothing against your choice, but your conclusion is not based on all of the facts. If your requirement is BSI certification that's fair, but I wouldn't use the BSZ ones if I was on the line here. ;)
Cheers,
Franco
Welcome to the world of "decision makers": if it's Insys vs OPNsense, BSI light vs no BSI, who would you choose rationally? And that's it.
No, honestly, here is free corporate advice: stick to the list that bimbar posted and avoid getting burned by BSZ.
Cheers,
Franco
Quote from: dstr on October 27, 2023, 04:12:48 PM
Example: we are running ~60 OPNsense (and counting) and ~80 Sophos UTM firewalls, but only 4 corporate firewalls.
OPNsense and Sophos are corporate firewalls.
But you do you. If this particular vendor fits your criteria, go for it. You won't find many network and security engineers familiar with that product, but if they cater to industrial environments, then maybe things work differently, there. I can e.g. picture their direct support to be way better than any of the large firewall vendors'.
Quote from: dstr on October 27, 2023, 04:02:57 PM
Quote from: franco on October 27, 2023, 11:15:55 AM
And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.
not good... cannot argue then to not move to insys.
I don't think you understand common criteria certification levels at all. It's near impossible for software to go beyond 4+ because of formal verification requirements. The higher levels are tailored for hardware and mathematics (like radio communication encryption).
You haven't even stated what you would expect from Common Criteria. If you want level 7 you don't get it in a firewall... ever. If you look for level 4, which is fair, I don't think Insys has it according to their website. So why are you snubbing not having CC off for anyone else and trying to prove your point? ;)
Cheers,
Franco
I would also argue that CC certification says very little about the actual security of the product.
I had some contact with EAL4 not that long ago and it did not fill me with confidence.
If you want manageable security in a corporate environment with a high number of devices, go for fortinet, is my advice.
Folks, you misunderstand something here: In corporate environments, more often than not, decisions are made by managers who neither know nor care about the things they have to decide about. However, they have to take the responsibility.
The less informed they are, the more likely it is that they will resort to labels which seem to promise good quality. If anything serious happens afterwards, at least they can say: "But I chose the product with certification - what else should I have done? This clearly was not my fault." - which sounds believable to higher managers who know/care even less than he does.
This is why a few years ago, in financial institutions, IBM was always chosen for anything (database, OS, CRM solution, whatever). The saying was: "If it goes wrong, and it was not an IBM product, I'm fired. If it goes wrong and it was an IBM product, I can always blame it on IBM." So, they even chose OS/2, which was later abolished by IBM. Bank IT managers would laugh at that decision and not believe it. So, the IBM CEO invited German managers to IBM headquarters and told them he was serious about it. It has been reported that there were fisticuffs and the CEO had to be led out of the room by his security staff. After that episode, IBM was done in German financial IT.
This is not new, it is called the Peter Principle (https://en.wikipedia.org/wiki/Peter_principle), or more concisely: "In a hierarchy every employee tends to rise to his level of incompetence." @dstr looks to me like the savvy tech guy who wants to keep the better product but has to justify his choice according to what I laid out.
Any update to this topic?
Well, if OPNsense is a corp-only solution, how come Landitec and Thomas Krenn are offering industrial hardware solutions with OPNsense preinstalled? I mean, you weren't even aware of its purpose in industrial solutions before I told you so.
Apart from this, we have 60 business licenses alone coming with our firewalls, so we are paying a huge share for OPNsense's existence, and there would be another 80 licenses (it would be 160 licenses, because we are planning clustered firewalls).
I do not understand why you are talking like that.
Just want to tell you, we turned into a KRITIS environment, which gives OPNsense a REAL case and not just some dumb idiot corp or hobby case.
To be frank, I am unsure what you are looking for pressuring others and not responding to the questions and concerns we have. I'm out of this one... good luck! ;)
I don't want to pressure anyone, I want OPNsense to live (and Insys to die).
If that's too much, then sorry.
Quote from: dstr on November 03, 2023, 12:39:10 PM
Well, if OPNsense is a corp-only solution, how come Landitec and Thomas Krenn are offering industrial hardware solutions with OPNsense preinstalled?
Because it's a good product? Most customers don't demand a certification that is not worth the paper.
Do you have any idea how many person years it takes to go through a certification process? And you have to recertify for every single new version. Good luck with new releases every 6 months.
I have done corporate and industrial IT as a systems integrator and I have never met a single customer for whom certification was mandatory. Either I could talk them out of it. Or EAL4 like Sidewinder had was enough. Or they bought from someone else. That's life.
Kind regards,
Patrick
P.S. If you want to root for OPNsense in your own corporation, suggest an independent evaluation of both alternatives. Secorvo in Karlsruhe are renowned for their knowledge, professional attitude and the fact that they really are impartial.
I went through exactly this process for the country of Hessen and BSI certification or not Genugate "lost" and Sidewinder "won". Because apart from a certification sometimes you just need certain features. If you support very little like Genugate does, certification is of course way easier.
Mark my words, the BSI train will hit anybody. It's starting with KRITIS, where we have to deal with it. And there will be enough momentum when this gets to every single corporate firewall.
...and only because it's hard, you should fear it so much as to not even try it? That's a live quote.
Quote from: Patrick M. Hausen on November 03, 2023, 12:59:59 PM
P.S. If you want to root for OPNsense in your own corporation, suggest an independent evaluation of both alternatives. Secorvo in Karlsruhe are renowned for their knowledge, professional attitude and the fact that they really are impartial.
I went through exactly this process for the country of Hessen and BSI certification or not Genugate "lost" and Sidewinder "won". Because apart from a certification sometimes you just need certain features. If you support very little like Genugate does, certification is of course way easier.
Problem: that's not all, we need at least a wide temperature range. Landitec offers 0-50°; I just googled quickly and Sidewinder does not have a device to meet it.
It's really hard to find; we searched 6 months to get the perfect combination. That's why I want to stick with OPNsense.
Quote from: franco on November 03, 2023, 12:51:37 PM
To be frank, I am unsure what you are looking for pressuring others and not responding to the questions and concerns we have. I'm out of this one... good luck! ;)
If you don't want to talk to me anymore, then I will reach out via other channels.
I mean, we have the business support too, where you need to answer.
Sidewinder is an EOL product. I just wanted to share an anecdote about the value of certifications from my personal experience.
Industrial environments are not a problem with OPNsense. You can pick any suitable hardware.
I seriously doubt the world of corporate firewalls will revolve around German ideas of certification. Look at the official BSI list - practically no relevant product from one of the major suppliers is on that list. Wanna bet if T-Systems will throw out all of their Cisco gear? Or if Cisco will give a damn about BSI? No and no.
It will get to the point where Cisco has to apply, sooner or later. I worked for Daimler for example in the network department, where all of the devices were Cisco. I would bet a thousand euro that if Daimler decides it will only install BSI certified hardware because of security risks, Cisco will run. It's just a matter of enough industrial momentum, like I said before.
Quote from: dstr on October 27, 2023, 03:53:48 PM
Most prominent is Insys, not Genua; it's probably too late anyway. We have a project to migrate around 80 Sophos UTM firewalls, because they are end of life in 2026. Right now they will be Insys, not OPNsense, because of this certification.
Those are not on the BSI list either, btw.
Update: the hardware you are selling in your shop will get the BSI certification, plus OPNsense will get it too.
Thanks for this :-)
And who is sponsoring this? :)
The OP is 6 months old, but for anyone who ends-up here looking into CC...
Back in 2008, I wrote a paper on the published criticism about CC.
I presented the paper at a DoD conference.
"Common Criteria: A Survey of Its Problems and Criticism"
Department of Defense Cyber Crime Conference 2009, St. Louis, MO, January 2009
I just put the paper on my website, FYI:
https://jimyuill.com/cs-research/comp-sec-papers/
The paper is dated, but may be useful, as some of the problems likely persist.
Abstract: The Common Criteria (CC) is a computer-security standard that some governments use for procurement, e.g., the U.S. Department of Defense. To sell information-security products in these markets, CC certification is required. Much has been published about problems with CC, and there is extensive criticism of CC. For example, a director of the U.S. CC program was recently quoted as saying, "Defending the program is a full-time effort. It is a difficult job." This paper presents a survey of the problems and criticism reported about CC. The paper provides: (a) a categorization for the reported problems, (b) a survey of the reported problems, organized by category, and (c) an annotated guide to the sources that were especially useful and authoritative. This paper is intended as a resource for those who are: evaluating CC for possible use, preparing to use CC, or researching CC itself.
The criticism about CC fell into three categories:
* Problems with CC's effectiveness
* Problems with CC's stated limitations
* Problems with CC implementation
Another update. The OPNsense hardware distributor just tried to catch us with BSI promises. Then sold us an overpriced garbage device that failed on the initial installation. Therefore OPNsense is not on the list anymore after 2026. Maybe I'll reach the 100 active devices until then.
With all due respect I don't think your posts (old and new) ooze professionalism. Part of it is knowing when to stop a discussion and the other part is knowing not to throw shade at random anonymous entities allegedly screwing you over. You can solve all those things in business scopes yet you choose to drag them out in public. ;)
It's time to let this thread go.
Does BSI stand for BullShit Initiative, or what? Wasted 10 minutes of my life trying to make sense of what this thread is about... Next time, I'd rather have some beer. WTH.
It's Bundesamt für Sicherheit in der Informationstechnik - Federal Bureau for IT Security, and they do publish a lot of pretty good things. Like the IT Grundschutzhandbuch - IT Basic Security Manual. A catalog with concrete advice for dozens of products and protocols and their respective recommendations.
My core argument is that their certification is so niche, no major vendor actually cares and I know of no large enterprise (and I worked for quite some) that would run anything but Cisco, Juniper, Checkpoint, Fortigate, ... all not BSI certified.
The only vendor that regularly re-certifies their firewalls with BSI is German Genua. They specialise in winning government contracts ;)
The downside: their firewall actually cannot do much. Think of TIS FWTK or very early Gauntlet. Yes - that. So the firewall is highly secure, but it does not support many applications or modern concepts.
Kind regards,
Patrick
Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate. ;D :P
Quote from: doktornotor on August 19, 2024, 07:51:08 PM
Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate. ;D :P
Yes, makes sense that OPNsense should apply to Dutch regulation. Currently it looks like for critical infrastructure (where it comes to real security and not just homelab security) they will change laws, so you can only use hardware/software built in Germany. At that point, OPNsense would not be usable anyway for real security needs (in Germany).
Quote from: dstr on August 20, 2024, 11:05:24 AM
OPNsense would not be usable anyway for real security needs (in Germany).
I think we already know that was your opinion from the start. No need to reiterate. :)
Cheers,
Franco
Quote from: dstr on August 20, 2024, 11:05:24 AM
they will change laws, so you can only use hardware/software built in Germany.
Yeah, I can see Siemens, Deutsche Bank, Volkswagen, ... all throw out their million Euro worth of Cisco and Checkpoint gear for some "real security" ;D ::)