m0n0wall is almost certifiable. The only problems I got were:
- Console protection (patch I have already done)
- Ability to disable remote administration tool (already patched too)
- Register unsuccessful and successful logins (I am working on it, and I am
having problems registering the webGui logins. Console ones are ok).
- Register modification (what time, and who did it) of significant security
parameters (firewall rules) (not done, but very easy to do: just
implement a logging function and call it inside the firewall webGui pages).
Probably there are a few more, but without this I can't even start our
internal tests for certification.
Peter Curran wrote:
> I had a quick look at the ICSA docs on your site, but there is too much for me
> to look at the detail at the moment. In your opinion, apart from the console
> lock-down issue, what else would have to be done to make m0n0 ICSA-compliant?
>>With the console open, it would fail this specific ICSA objective:
>>ST1 – Administrative Access Testing – The Candidate Firewall Product
>>must demonstrate through testing that no unauthorized control of its
>>Administrative Functions can be obtained.
>>m0n0wall would be the only non-commercial ICSA certified firewall if
>>the project that's considering paying for it worked out. I think it
>>would be great for the project, give it some 3rd party credibility.
>>It's not cheap though, at about $25K USD per year to maintain