[pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

Eugen Leitl eugen at leitl.org
Thu Oct 10 07:39:35 PDT 2013 

----- Forwarded message from Giles Coochey <giles at coochey.net> -----

Date: Thu, 10 Oct 2013 14:50:41 +0100
From: Giles Coochey <giles at coochey.net>
To: list at lists.pfsense.org
Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Message-ID: <5256B0B1.2050501 at coochey.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
Reply-To: pfSense support and discussion <list at lists.pfsense.org>

Trying to get this back on-topic, I will change the subject however,
to alleviate the issues the anti-tin-foil-hat-brigade have. (ps I am
also top-posting on purpose as I believe the conversation below has
near to no relevance to my questions, but simply is an argument as to
whether these questions should be asked, to which I believe in the
affirmative).

I have various questions to offer for discussion  which have been
bothering me since various security related issues that have appeared
in the media recently: (see:
https://www.schneier.com/crypto-gram-1309.html)

Clearly, at the moment, open source security tools ought to have an
advantage over closed-source tools. However, peer review of
open-source code is not always complete, and there have been questions
whether even algorithms have been subverted.

1. The random number generator - As pfSense uses FreeBSD this may well
be a FreeBSD specific question, however, are there any ways within
pfsense that we can improve the entropy pool that the random number
gets its randomness from? Has anyone had any experience of
implementing an external entropy source (e.g.
http://www.entropykey.co.uk/) in pfsense?
2. Cipher Selection - we're not all cryptoanalysts, so statements like
'trust the math' don't always mean much to us, given the reports in
the media, what is considered a safe cypher? I recently switched from
AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2
to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800.
Could that be considered overkill? What Cipher's are others using?
Have any of you, who have been made recently aware of the media
coverage recently, also changed your cipher selection? What kind of
changes did you make?
3. pfSense - In general do you consider pfsense secure?? As we are
apparently told, asking whether the NSA has inserted or influenced the
code in any way either in the pfsense code, or the upstream base
(FreeBSD) is a question that we can't ask, as if it were the case then
the NSA would have instructed someone in the know, to answer in the
no.


On 10/10/2013 12:33, Rüdiger G. Biernat wrote:
> This discussion about security/NSA/encryption IS important. Please go on.
> 
> 
> Von Samsung Mobile gesendet
> 
> 
> -------- Ursprüngliche Nachricht --------
> Von: Giles Coochey
> Datum:10.10.2013 11:39 (GMT+01:00)
> An: list at lists.pfsense.org
> Betreff: Re: [pfSense] NSA: Is pfSense infiltrated by "big brother"
> NSA or others?
> 
> On 10/10/2013 09:38, Thinker Rix wrote:
> > On 2013-10-10 01:13, Przemys?aw Pawe?czyk wrote:
> >> On Thu, 10 Oct 2013 00:05:22 +0300
> >> Thinker Rix <thinkerix at rocketmail.com> wrote:
> >>
> >>> Well, actually I started this thread with a pretty frank,
> >>> straight-forward and very simple question.
> >> That's right and they were justified.
> >
> > Thank you!
> >
> >> BTW, you pushed to the corner the (un)famous American hubris (Obama: US
> >> is exceptional.), that's the nasty answers from some.
> >
> > Yes, I guess I have hit a whole bunch of different nerves with my
> > question, and I find it to be highly interesting to observe some of
> > the awkward reactions, socioscientificly and psychologically.
> >
> > I have been insulted, I have been bullied, I have been called to
> > self-censor myself and at the end some users "virtually joined" to
> > give the illusion of a majority an muzzle me, stating, that my
> > question has no place at this pfSense mailing list. Really amazing,
> > partly hilarious reactions, I think.
> > These reactions say so much about how far the whole surveillance and
> > mind-suppression has proceeded already and how much it has influenced
> > the thoughts and behavior of formerly free people by now. Frightening.
> >
> >> Thinker Rix, you are not alone at your unease pressing you to ask
> >> those questions about pfSense and NSA.
> >
> > Thank you for showing your support openly!
> 
> I too was surprised to see some activity on the pfsense list, after
> seeing only a few posts per week I checked today to find several dozen
> messages talking about a topic I have been concerned with myself - as a
> network security specialist, how much can I trust the firewalls I use,
> be they embedded devices, software packages, or 'hardware' from
> manufacturers.
> There are many on-topic things to discuss here:
> 1. Which Ciphers & Transforms should we now consider secure (pfsense
> provides quite a few cipher choices over some other off the shelf
> hardware.
> 2. What hardware / software & configuration changes can we consider to
> improve RNG and ensure that should we increase the bit size of our
> encryption, reduce lifetimes of our SAs that we can still ensure we have
> enough entropy in the RNG on a device that is typically starved of
> traditional entropy sources.
> 
> This is so much on-topic, I am surprised that there has been a movement
> to call this thread to stop, granted - it may seem that the conversation
> may drift into a political one, with regard to privacy law etc...
> however, that is a valid sub-topic for a discussion list that addresses
> devices that are designed and implemented to safe-guard privacy.
> 
> -- 
> Regards,
> 
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7983 877438
> http://www.coochey.net
> http://www.netsecspec.co.uk
> giles at coochey.net
> 
> 
> 
> _______________________________________________
> List mailing list
> List at lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
> 
> 
> _______________________________________________
> List mailing list
> List at lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list


-- 
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net




_______________________________________________
List mailing list
List at lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5

More information about the cypherpunks mailing list