please consider German BSI certification

Started by dstr, October 27, 2023, 10:25:10 AM

Please consider German BSI certification, otherwise you are very likely to be dropped out of the market for real professional solutions.


The list of certified products is pretty short and largely irrelevant:
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/Netzwerkprodukte_node.html

Most prominent BSI certified product is Genugate. Genua have a long history of tailoring their firewall to match public calls for bids and so they are effectively the go-to supplier for everything "government". But then their firewall really cannot do much.

For large enterprises down to SMBs BSI certification is completely irrelevant which is why you see almost no commercial vendor in that list.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Fun fact about Genua is they use OpenBSD :)

And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.


Cheers,
Franco


Most prominent is insys, not genua; it's probably too late anyway. We have a project to migrate around 80 Sophos UTM firewalls, because they are end of life in 2026. Right now they will be insys, not OPNsense, because of this certification.

Never heard of them.

Prominent manufacturers of enterprise firewalls are among others:

Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...

This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.

Quote from: franco on October 27, 2023, 11:15:55 AM
And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.


Cheers,
Franco

Not good... cannot argue then to not move to insys.

Quote from: Patrick M. Hausen on October 27, 2023, 03:59:30 PM
Never heard of them.

Prominent manufacturers of enterprise firewalls are among others:

Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...

This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.

Maybe prominent, but only in corporate environments and not used in huge numbers. insys is used in industry environments, in huge numbers.
Example: we are running ~60 OPNsense (and counting) and ~80 Sophos UTM firewalls, but only 4 corporate firewalls.

October 27, 2023, 04:13:57 PM #11 Last Edit: October 27, 2023, 04:16:22 PM by franco
Err, hold on a second..

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Beschleunigte-Sicherheitszertifizierung/Zertifizierte-Produkte-nach-BSZ/zertifizierte-produkte-nach-bsz_node.html

Only lists two things including insys but it says "Aktuelle Zertifikate der Beschleunigten Sicherheitszertifizierung" which suggests this is a lightweight process...

And like bimbar notes this is the REAL page with the known (fully) certified devices:

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Produkten/Zertifizierung-nach-CC/Zertifizierte-Produkte-nach-CC/Netzwerkprodukte/produkte.html?nn=456508

Nothing against your choice, but your conclusion is not based on all of the facts. If your requirement is BSI certification that's fair, but I wouldn't use the BSZ ones if I was on the line here.  ;)


Cheers,
Franco

Welcome to the world of "decision makers": if it's insys vs OPNsense, BSI light vs no BSI, who would you choose rationally? And that's it.

No, honestly, here is free corporate advice: stick to the list that bimbar posted and avoid getting burned by BSZ.


Cheers,
Franco

Quote from: dstr on October 27, 2023, 04:12:48 PM
Example: we are running ~60 OPNsense (and counting) and ~80 Sophos UTM firewalls, but only 4 corporate firewalls.
OPNsense and Sophos are corporate firewalls.

But you do you. If this particular vendor fits your criteria, go for it. You won't find many network and security engineers familiar with that product, but if they cater to industrial environments, then maybe things work differently, there. I can e.g. picture their direct support to be way better than any of the large firewall vendors'.