security function

[baranmatin]

Hi
How the opnsense can check security function operation?

[mimugmail]

What exactly do you mean with security functions

[baranmatin]

security function like Cryptographic algorithms , digital signature algorithms , hash functions ,random bit generators etc
Tanx

[franco]

We do not hand-roll any cryptography so all the verification is done by included projects such as libsodium, LibreSSL/OpenSSL, OpenSSH, kernel opencrypto, etc.


Cheers,
Franco

[baranmatin]

that's right, How can I test and  validate this function's operation?
In fact how the opnsnese  can validate it when turn on by itself .How is its mechanism?

[franco]

So what's your threat model?


Cheers,
Franco

[baranmatin]

perhaps I couldn't explain  my mean well.
In fact I want to introduce OPNsense to my company as an opensource  firewall. I should  to assure my boss about security of OPNsense. My boss ask me if there is a way to test security functionality when start the device to working or in duration of working .for example does opensense check  security algorithms that they work correctly before using it?

[chemlud]

What's your current firewall? How do you check "security" there?

Which size of company? Which threat model?

[baranmatin]

Hi and thanx for your answering.
at the moment we don't have any firewall in this branch but we have other branch same as this that we use Fortigate 111C.
We want to use Opnsense as a firewall and we want to apply some firewall rules with IPS. we want to use snort as an IPS.
This branch of our compony have about 20 computers with 4 or 5 Mb traffic at most.
Unfortunately I cannot understand your mean about threat model. I'm sorry.
I will be pleasure if you can help me.
best regards

[fabian]

Unfortunately I cannot understand your mean about threat model. I'm sorry.
I will be pleasure if you can help me.

Usually you have the diamond model:

https://owasp.org/www-chapter-dorset/assets/presentations/2019-04/Cyber_Kill_Chains-11-Apr-19-OWASP-Dorset.pdf Page 8+

Some general Questions for yourself are:
* Who is the attacker?
* Who/What is the Victim?
* Threat?
* Impact?

If you answered that questions, you can calculate the risk (= probablillty * impact) and with that information, you know the required protection level and you can decide, what products etc. are needed.

[lfirewall1243]

perhaps I couldn't explain  my mean well.
In fact I want to introduce OPNsense to my company as an opensource  firewall. I should  to assure my boss about security of OPNsense. My boss ask me if there is a way to test security functionality when start the device to working or in duration of working .for example does opensense check  security algorithms that they work correctly before using it?

And how do you check that stuff on your Fortigate?