46
General Discussion / Compliance with standards (FIPS, SOX, LEADS, HIPAA), etc.
« on: November 27, 2018, 05:16:26 pm »
Hi all,
I've been around the community for a few years now, but I'm a pfSense convert like most of us here. I've used pf/OpnSense for going on 10 years (?) now. So, not exactly a newb, but I generally stay pretty quiet.
I have a small municipality who is running pfSense. I'm in the process of converting all the firewalls over to OpnSense. The local Sheriff's Office IT only uses Cisco, and nothing else. Since we have to interface with them for various agency records, this means they have Cisco appliances in key buildings sitting right next to the pf/OpenSense firewalls, plugged into the same ISP router, and with their own external and internal IP address. This creates two points of entry into the networks instead of one, which makes it doubly difficult for me to take responsibility for keeping the network safe. So, on this last expansion run (for ancillary stations) I suggested that we just set up an IPSec VPN tunnel between the county and the existing pfSense/OpnSense firewalls that are on-site at each location.
You'd think I dropped a bomb on them.
The present (valid) argument for why this is not feasible is that the OpnSense firewall platform is not FIPS 140-2 certified. Looking purely at the technical requirements, I think it'd pass with no problem, but the question is, what does it cost to make a firewall FIPS compliant? Is this something the OpnSense community should consider pursuing? Is HardenedBSD going to make this easier for us, assuming the development of OpnSense eventually gets there?
I can foresee running into this problem with other industries that have a standards-based auditing system of firewalls, examples being PCI, SOX, HIPAA, etc. so it'd be nice to hammer this one out before those come up.
Any/all responses are appreciated.
I've been around the community for a few years now, but I'm a pfSense convert like most of us here. I've used pf/OpnSense for going on 10 years (?) now. So, not exactly a newb, but I generally stay pretty quiet.
I have a small municipality who is running pfSense. I'm in the process of converting all the firewalls over to OpnSense. The local Sheriff's Office IT only uses Cisco, and nothing else. Since we have to interface with them for various agency records, this means they have Cisco appliances in key buildings sitting right next to the pf/OpenSense firewalls, plugged into the same ISP router, and with their own external and internal IP address. This creates two points of entry into the networks instead of one, which makes it doubly difficult for me to take responsibility for keeping the network safe. So, on this last expansion run (for ancillary stations) I suggested that we just set up an IPSec VPN tunnel between the county and the existing pfSense/OpnSense firewalls that are on-site at each location.
You'd think I dropped a bomb on them.
The present (valid) argument for why this is not feasible is that the OpnSense firewall platform is not FIPS 140-2 certified. Looking purely at the technical requirements, I think it'd pass with no problem, but the question is, what does it cost to make a firewall FIPS compliant? Is this something the OpnSense community should consider pursuing? Is HardenedBSD going to make this easier for us, assuming the development of OpnSense eventually gets there?
I can foresee running into this problem with other industries that have a standards-based auditing system of firewalls, examples being PCI, SOX, HIPAA, etc. so it'd be nice to hammer this one out before those come up.
Any/all responses are appreciated.