please consider German BSI certification

[dstr]

please consider German BSI certification, otherwise you are very likely  dropped out of the markt for real professional solutions.

[bimbar]

Looking at the list of certified networking products: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/produkte.html?nn=456508 , I have to disagree.

Also, CC certification is probably impossible for an open source project.

[Patrick M. Hausen]

The list of certified products is pretty short and largely irrelevant:
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/Netzwerkprodukte_node.html

Most prominent BSI certified product is Genugate. Genua have a long history of tailoring their firewall to match public calls for bids and so they are effectively the go-to supplier for everything "government". But then their firewall really cannot do much.

For large enterprises down to SMBs BSI certification is completely irrelevant which is why you see almost no commercial vendor in that list.

[franco]

23.10 will be the first business edition to be fully LINCE certified.

See https://www.jtsec.es/lince-evaluation and https://docs.opnsense.org/security.html#framework-type-of-testing-lince


Cheers,
Franco

[franco]

Fun fact about Genua is they use OpenBSD

[franco]

And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.


Cheers,
Franco

[dstr]

this list is not up to date:

https://www.insys-icom.com/insys-icom-erhaelt-it-sicherheitszertifikat-vom-bundesamt-fuer-sicherheit-in-der-informationstechnik-bsi/

[dstr]

most prominet is insys not genua, its probably to late anyway. we have a project to migrate around 80 sophos utm firewalls, because they are end of life in 2026. right now they will be insys not opnsense, because of this certification.

[Patrick M. Hausen]

Never heard of them.

Prominent manufacturers of enterprise firewalls are among others:

Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...

This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.

[dstr]

And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.


Cheers,
Franco

not good... cannot argue then to not move to insys.

[dstr]

Never heard of them.

Prominent manufacturers of enterprise firewalls are among others:

Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...

This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.

maybe prominent but only in corporate environment and not used in huge numbers. insys is used in industry environment, in huge numbers.
example: we running ~60 opnsense+ counting and ~80 sophos utm firewalls but only 4 corporate firewalls.

[franco]

Err, hold on a second..

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Beschleunigte-Sicherheitszertifizierung/Zertifizierte-Produkte-nach-BSZ/zertifizierte-produkte-nach-bsz_node.html

Only lists two things including insys but it says "Aktuelle Zertifikate der Beschleunigten Sicherheitszertifizierung" which suggests this is a lightweight process...

And like bimbar notes this is the REAL page with the known (fully) certified devices:

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/produkte.html?nn=456508

Nothing against your choice, but your conclusion is not based on all of the facts. If your requirement is BSI certification that's fair, but I wouldn't use the BSZ ones if I was on the line here. 


Cheers,
Franco

[dstr]

welcome to the world of "decision makers" if its insys vs opnsense, bsi light vs no bsi, who would you choose rationally? and thats it.

[franco]

No, honestly, here is free corporate advice: stick to the list that bimbar posted and avoid getting burned by BSZ.


Cheers,
Franco

[Patrick M. Hausen]

example: we running ~60 opnsense+ counting and ~80 sophos utm firewalls but only 4 corporate firewalls.

OPNsense and Sophos are corporate firewalls.

But you do you. If this particular vendor fits your criteria, go for it. You won't find many network and security engineers familiar with that product, but if they cater to industrial environments, then maybe things work differently, there. I can e.g. picture their direct support to be way better than any of the large firewall vendors'.