# Firewall - NSA safe?



## voltage (Oct 16, 2013)

Hi guys,

I am new to BSD and my first contact is pfSense. I read that the NSA backdoored many services and gained keys. I am trying to get my network and the network of my customers as safe as possible, since I am expecting that the firewalls made by US companies are all under the control of the NSA.

Therefore I thought an open source solution like pfSense could be a safe firewall that is not backdoored by the NSA. But then I found out that the owners of the packages were bought by big Cisco. Cisco bought ClamAV and Snort. Is there a chance that HAVP or Snort were infiltrated by the NSA?

Would you suggest any other firewall or its services?

Greets
voltage


----------



## voltage (Oct 16, 2013)

I forgot to mention this link: https://www.eff.org/deeplinks/2013/09/crucial-unanswered-questions-about-nsa-bullrun-program


----------



## zspider (Oct 16, 2013)

voltage said:

> Hi guys,
> 
> I am new to BSD and my first contact is pfSense. I read that the NSA backdoored many services and gained keys. I am trying to get my network and the network of my customers as safe as possible since I am expecting that the firewalls made by US companies are all in control of the NSA.
> 
> ...



If anyone was going to find anything wrong with PF, Theo would have.

Also if you have any routers by Cisco or other big companies, it's entirely possible that they've sold out to big daddy NSA and friends, something to keep in mind when trying to build secure networks.


----------



## drhowarddrfine (Oct 16, 2013)

voltage said:

> I am expecting that the firewalls made by US-companies are all in control of the NSA.


No. You read wrong. All of the *hardware* is under the control of the Chinese. The NSA does not make it 'unsafe', but if you want to concentrate on purported NSA problems, then you are ignoring the KGB, MI6, Interpol, and others.


----------



## kpa (Oct 16, 2013)

The question does not make much sense because PF is only a layer 3 (network layer) firewall. It doesn't do any filtering on the application layer, where most of the tracking and spying activities are done. You can easily secure your network from direct threats coming from the outside, but it cannot help much with security problems in the applications that you use.

And if you don't trust the integrity of the PF implementation in FreeBSD, you can stop using it now. There are dozens of well-versed people working on it, both on OpenBSD, where it comes from, and on FreeBSD, and if you assume that they are all working for the NSA... well, that's tinfoil-hat world, tbh.


----------



## SirDice (Oct 16, 2013)

If you're that paranoid about the NSA you're going to shit bricks knowing that the entire FreeBSD MAC framework came from them.


----------



## Morte (Oct 16, 2013)

I'm not trusting closed source security products like a firewall. Could the NSA backdoor BSD/Linux? Yes. But then what are your alternatives? Cisco? Huawei? At least with open source firewalls there are enough eyes going over the code that a backdoor attack is going to require a high level of sophistication which may not even be exploitable depending on circumstances. Closed source could be as simple as having the right keys as far as we know.


----------



## youngunix (Oct 16, 2013)

NSA paranoia claims another victim huh!
No one knows the exact intentions behind the NSA's operations or the tools they use and what they can do. Unless Mr. Snowden reveals that...
Now, would it make you feel better knowing that you are behind four firewalls?!
Not a joke, let's say you have:

```
[MODEM]+[WIRELESS ROUTER]+[FreeBSD]=[$FIREWALL]+[$FIREWALL]+[pf]
```
You can add pfsense to the list like so:

```
[MODEM]+[pfsense]+[WIRELESS ROUTER]+[FreeBSD]=[$FIREWALL]+[pfsense]+[$FIREWALL]+[pf]
```

Lastly, encrypt your hard drive and force your browser to use SSL.


----------



## swirling_vortex (Oct 24, 2013)

If you're supplying security solutions to businesses, the NSA shouldn't even be on your worry list. Your clients face a much greater threat from disgruntled employees or people who are actively targeting the business. Remember that secure computing practices need to happen behind the firewall too.

pfSense is a good tool if you need an easy-to-use solution. However, I would suggest familiarizing yourself with the syntax, since you'll then be able to understand how the rules work.

http://www.freebsd.org/doc/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/

As the handbook states, FreeBSD doesn't have the latest version of pf (due to the difference between the way the releases for FreeBSD and OpenBSD are developed), so some of the examples may not work.

While the OpenBSD guys aren't too fond of pfSense, Michael Lucas recommends it. There's also Untangle if you don't mind Linux, but it's a bit heavier than pfSense.
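To make kpa's point about PF being a layer 3 firewall concrete, and as the kind of ruleset swirling_vortex suggests getting familiar with, here is an added example of a minimal `/etc/pf.conf` for a FreeBSD gateway. It is not from this thread, the handbook, or pfSense; the interface names `em0`/`em1`, the LAN prefix and the `ssh` service are assumptions. It uses the older NAT syntax that the FreeBSD pf of this era accepts, not the `match ... nat-to` form found in the current OpenBSD FAQ.

```conf
# Added example pf.conf for a two-interface FreeBSD gateway.
# Interface names and the LAN prefix are assumptions for illustration.
ext_if  = "em0"                # assumed: interface towards the modem/ISP
int_if  = "em1"                # assumed: interface towards the LAN
lan_net = "192.168.1.0/24"     # assumed LAN prefix
gw_services = "{ ssh }"        # what the gateway itself accepts, from the LAN only

set skip on lo0                # never filter loopback
set block-policy drop          # silently drop instead of answering with RST/ICMP

# Normalize traffic: reassemble fragments, clear bogus flag combinations.
scrub in all

# Hide the LAN behind the current address of the external interface.
# The parentheses make pf re-read the address, so a DHCP-assigned WAN works.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged to pflog0 so refused traffic can be inspected.
block log all

# Drop packets arriving on the wrong interface with a source address
# that belongs to the LAN or to loopback.
antispoof quick for { lo0 $int_if }

# Traffic the gateway itself originates may leave; replies are matched by
# the state entry, so no separate inbound rule is needed for them.
pass out quick on $ext_if keep state

# LAN hosts may reach anything outside; state tracking admits the replies.
pass in quick on $int_if from $lan_net to any keep state

# The only service the gateway offers, reachable from the LAN side only.
pass in quick on $int_if proto tcp from $lan_net to ($int_if) \
    port $gw_services flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, list what is active with `pfctl -sr`, and watch what the `block log` rule refuses with `tcpdump -n -e -ttt -i pflog0`. Notice what every match clause in the file keys on: interface, address, protocol, port and TCP flags. Nothing here looks inside a connection, so an HTTPS session to a tracking host is indistinguishable from any other outbound TCP/443 flow. That is exactly the limit kpa describes, and why the application-layer work has to happen on the hosts behind the firewall.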


----------



## Anonymous (Oct 26, 2013)

voltage said:

> ...I read that the NSA backdoored many services...
> ...
> Would you suggest any other  firewall or its services?



The SonicWall NSA Series FireWalls look promising. You don't think that the NSA backdoored their own firewalls, do you?

:-D


----------



## xibo (Oct 26, 2013)

youngunix said:

> Lastly, encrypt your hard drive and force your browser to use SSL.


What good is hard drive encryption against attacks from the network?

Browsers, on the other hand, are, independent of the HTTP variant used, likely the number one security issue of most systems (especially if Java and Flash are considered browser components).


----------



## youngunix (Oct 27, 2013)

xibo said:

> What good is hard drive encryption against attacks from the network?



Why would someone attack your network? To gain access to your server and steal data. Unless you know another reason, try decrypting the data you stole from an encrypted system. And that's how good an encrypted hard drive is.


----------



## kpa (Oct 27, 2013)

Are you aware that while a system is running all data that is encrypted on the disk is potentially available as unencrypted on the operating system and application level?


----------



## youngunix (Oct 27, 2013)

kpa said:

> Are you aware that while a system is running all data that is encrypted on the disk is potentially available as unencrypted on the operating system and application level?



I never said it was a flawless solution, and yes, that is a drawback. Encrypting data is one step toward hardening the security of servers, desktops, and mobile devices (better than nothing, at least).


----------



## ronaldlees (Nov 1, 2013)

swirling_vortex said:

> If you're supplying security solutions to businesses, the NSA shouldn't even be on your worry list. Your clients face a much greater threat from disgruntled employees or people who are actively targeting the business. Remember that secure computing practices needs to happen behind the firewall too.
> 
> pfSense is a good tool if you need an easy-to-use solution. However, I would familiarize yourself with the syntax since you'll be able to understand how the rules work.
> 
> ...



My guess is that as many or more secrets go out of the office in the briefcases of employees and contractors, or on their USB keys. One of these days, underwear will be manufactured with tiny USB keys embedded in the labels.

The employees are not disgruntled, smile almost continuously, and were hired (by others) to do the espionage.

Additionally, if all the telecoms manipulate customers' internal subnet environments, routers, proxies, etc., then it's pretty much game over anyway.


----------



## tzoi516 (Nov 1, 2013)

ronaldlees said:

> One of these days, underwear will be manufactured with tiny USB keys embedded in the labels.


I thought everyone had USB pockets in their skivvies?


----------



## vanessa (Nov 1, 2013)

kpa said:

> The question does not make much sense because PF is only a layer 3, the network layer, firewall. It doesn't do any filtering on the application layer where most of the tracking and spying activities are done. You can easily secure your network from direct threats coming from the outside but it can not help much with security problems in the applications that you use.



Yes, this is true. But a reverse per-application firewall helps here a lot. Unfortunately I don't know of any for FreeBSD clients. For Linux there is Leopard Flower, for OS X Little Snitch.


----------



## lopezi (Nov 4, 2013)

swirling_vortex said:

> pfSense is a good tool if you need an easy-to-use solution. However, I would familiarize yourself with the syntax since you'll be able to understand how the rules work.



I've used pfSense since version 1.2 and have found it to be solid and pretty straightforward to use.



			
				swirling_vortex said:
			
		

> While the OpenBSD guys aren't too fond of pfSense, Michael Lucas recommends it.



Really? Why is there any issue between both camps?



			
				swirling_vortex said:
			
		

> There's also Untangle if you don't mind Linux, but it's a bit heavier than pfSense.



Last year around this time I had to make a recommendation for a solution and really wanted to leverage pfSense, but the 2.1 build was still a ways out from being complete, so I ended up recommending Endian. I've found Endian to be a pretty decent solution. I had looked at Untangle as well, but Endian had a few more features that leaned more in its favor.


----------

