freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Recommended SG-4860 firewall has reached end-of-sale #3520

Closed eloquence closed 6 years ago

eloquence commented 6 years ago

The officially recommended pfSense 4860 firewall has reached end-of-sale. Netgate recommends SG-3100 and XG-7100 as alternatives.

We should evaluate alternatives and update our recommendation. See #2605 for additional background on alternatives like the SG-3100.

anxiousnix commented 6 years ago

I would move to recommend the SG-3100 firewall from Netgate. At US$349, it's probably the cheapest option we've recommended so far. Additionally, reports of people using it as part of a SecureDrop instance have been positive.

We will need to rework some documentation to support this hardware. We had some documentation that we removed (see #1718) that we can dig up and refurbish into new and improved documentation.

Side note: We should perhaps consider looking at another vendor for firewall appliance solutions, so we have more redundancy. Netgate loves to put new firewalls out all the time it seems.

b-meson commented 6 years ago

I ran through a clean install on the SG-3100 and here are my results:

Basic Server Testing

Command Line User Generation

Application Acceptance Testing

Journalist Interface

Login base cases

Additionally, here is how I physically configured the firewall for my (incoming) PR:

| Server | Static IP | Gateway | Port Used |
|---|---|---|---|
| Application Server | 10.20.1.2 | 10.20.1.1 | LAN2 |
| Monitor Server | 10.20.2.2 | 10.20.2.1 | OPT1 |
| Application Workstation | 10.20.1.2 | 10.20.1.1 | LAN1 |

b-meson commented 6 years ago

There is a WIP on my branch https://github.com/b-meson/securedrop/tree/docs-sg3100

anxiousnix commented 6 years ago

Thanks for the detailed test plan, @b-meson! I look forward to progress in your WIP branch. :)