Certification for ipfire

Hi all,
we have a problem with an elevator company. They say we need a firewall with a certification for our network security, like ISO 9001 or something else. What can I answer them?

Regards, Bernd

So far, we have loads of customers who have passed any audit like this.

We do, however, not seek certification ourselves, because IPFire changes way too quickly to keep up with that, and is deployed in very many different environments that all require different things.


To me, that is an odd certification to require for a firewall.

If I remember correctly from 20+ years ago, ISO 9001 is a certification around documenting and following those documents.

The ISO 9001 motto we always heard was:
“Do what you document and document what you do!”

Every piece of code is documented on public sites like GitHub at:

and here:

https://git.ipfire.org/?p=ipfire-2.x.git;a=shortlog


They might be right. However… the key point is lacking:
for which certification (or standard), and to achieve what with this certification?

This means you have to certify the whole system.
The IPFire software is only a part of that. The firewall system consists of the (downloadable) IPFire firewall OS and the configuration of it.
The software and the build process are documented in the git repository, as @jon stated.
But to be exact, this is true only for the part developed by the community. The ‘standard’ Linux modules are added just as they are. Documentation of these programs would not be part of a certification of IPFire.
The other part, the configuration, could be documented inside the IPFire system. But this is a task which is active in each installation (with or without the necessity of certification). Usually this means a higher effort.

Therefore it is preferable to certify the whole system (outside IPFire):

  • define tasks which assure that a stable version of IPFire is installed.
  • define tasks to react to found issues; regular updates, …
  • define ways of configuring the IPFire system and document the steps
  • assure that no other means exist to alter the system
  • assure the reliability of the HW which runs the IPFire system (IMO this excludes a virtual machine solution)

Hi all,
as far as I understand, ‘DIN ISO 9001:2015’ (the correct one?) should be a quality management system which uses customer satisfaction to serve optimization/development of the company’s own quality management system, but also to scrutinize the same in the internal company processes. So the primary aim is to optimize internal communication, understanding and control of company processes.

So the question arises which company should be optimized, since it can’t be the IPFire community; the standard is therefore not a specific standard for IT service providers or software developers but for the company itself, as far as I understand it.

Best,

Erik


I have been using IPFire for many years. I had no problems over the whole time, and this is the first time that I hear something about certification. I searched for firewalls with certification. I found
EAL1 to EAL7. Does anyone know which class IPFire would be in?

Hello barny,
this one might be interesting, but it is, I think, defined in ‘ISO/IEC 15408’ and not ‘DIN ISO 9001:2015’. Nevertheless, I think EAL1-4 is practical for “commercial products” (which IPFire is not); 6-7 might be a laboratory check, even if “practical” needs to be defined, since e.g. the BSI lays out → BSI - Certification and accreditation FAQ, under “How long it takes” →
"All intensive and high-quality audits take a certain amount of time. However, having the certification running parallel to the product development, which is the most common way for audits to be processed by the BSI, can sharply reduce the time required. The necessary audit steps take place step-by-step in parallel to the product development. The certificate is therefore almost always available before the market release."
BEFORE the market release AND taking place step-by-step in parallel to the product development (integrated third-party software included :wink: ???). I ask myself how fast they are if e.g. the CVE listing is a little faster at some point (which happens more and more frequently), the included software is not part of the certification (EAL) process, and updates need to come out maybe more times in a month. To leave aside the point of costs for now and look at the benefits of e.g. an EAL level, check out EAL4 here → Evaluation Assurance Level - Wikipedia … For myself, I am not sure if I would want to use every distro listed there, even before they are expired…

Also, if “Validation, Reliability and Trustworthiness” is a point for a commercial product, e.g. → Common Criteria - Cisco (I think Cisco does not use EAL norms anymore, but not sure…), you nevertheless have bugs to fix and vulnerabilities to close → Cisco: Products and vulnerabilities → IPFire: Security vulnerabilities, CVEs.

More interesting: what did you write to the “elevator company”, and are there some answers for the public to learn a little more?

Best,

Erik


A small question to @ummeegge.
Does this link

include all the CVEs for all the underlying packages/sources?

This is the first thing that I see, from the Wiki page.
“Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one.”
So, who does that? And what does it cost?
Never heard of them.

As a side note: elevator repair people have a very specialized job and they have very little competition. So it makes it a very lucrative field.
And it makes it hard to find a quality company.


I don’t think so.

Best,

Erik

I have been part of a certification process as a manager in production.
So the certification was based on processes and quality assurance and not on hardware.
Not a machine or even a telephone system was part of the certification process. So why should it be IPFire?
Similar questions about SAP ended up with the online documentation of SAP, and the auditors were satisfied. Nobody asked about the configuration of SAP as a system.

For me it looks like the man who asks for ISO 9000 certification wants to be on the safe side without knowing what the safe side really is.


I was thinking the same. This must be how the elevator signals an unsafe condition. And it cannot fail…

It’s reasonable to assume that the CVEs in charge of the IPFire project are the ones for the IPFire “code written”, so mostly integration and GUI of the product.
Nevertheless, any IPFire release contains a fair amount of necessary projects/packages/code coming from other sources, which have their own lists of CVEs. The dev team is making an effort to allow the fastest (possible) update of vulnerable and outdated packages.

But comparing the CVE list of Cisco (which has more than one product/project/code base active, including those of merged companies) to the list of one project is like comparing the safety car recall list of an entire parent company (like VAG, GM, Toyota) with the one of one single car model.
Someone might call that “a bit unfair”.

And yes, Cisco has been a target for IPFire. Ish. Well, AFAIK Cisco sometimes follows customer feedback.

Hi,
sorry, I have read about some car comparison in another thread in here, but I won’t follow/understand it (time for such discussions is short). Also, I do not see targets here; this is your interpretation. But I do compare certified products with products which are not certified, and both of them need to do the same work → “bugs to fix and vulnerabilities to close”, even if I did not mention above that one takes money and the other one does this for free…

“I” (speaking for myself, since I am not IPFire or a core developer) also follow useful customer feedback and try to make projects, or in general some new stuff, with people who are also interested in tickling the ivories a little more :blush:
and if a good idea has been developed or a bug has been found, to also reach out to the IPFire dev community and introduce it to them if I want to do so. Sometimes they are accepted, sometimes not, and this is OK for me.

Someone might define it as unfair to criticize things and form wrong mind pictures/games that he interprets but no one said.

Best,

Erik

P.S.: Sorry for this OT, but I wanted to leave a short note; no hijacking of threads for my own issues :innocent:


@barny I wonder if the elevator company technician who is asking you for paperwork without explaining any details is just asking for a fancy bottle?

:smile: Thanks for that article, @pike_it

I think comparing IPFire to a Cisco firewall is like comparing a glass of spring water to a bottle of expensive wine. They are both drinks, but offering the finest spring water to someone who is used to fancy wine could be offensive.

I couldn’t find any certifications for Cisco firewalls, I think most of their awards, white papers and reports are just marketing materials, which could be important for a lot of proposals.

I also recommend this book as a good reading for anyone targeting Cisco or other giant companies.


Your opinion deserves respect. But I’m not the one who aimed at Cisco; it was someone else.

Understood, I was just thanking you for linking that article. :grinning: