You seem to be under the impression that the management UI is on a public network. Ideally locked down to certain vlans.
The UI controls setting up the network and other services. Please explain how to do this without root access. (Write another process which runs as root and controls the settings and is talked to over a Unix socket actually isn't a bad idea, however, it is not void of its problems either.)
Also "most commonly exploited languages" is a bit of hyperbole, no? First, C probably takes that slot. Second, being one of the most common languages for web development makes it a target. Third, most php exploits are bad code, which, while easy to write in php (and c!), can be and is done in all languages.
Isn't the administrator interface on _any_ router essentially root access on said router? Do you complain that juniper or Cisco equipment is insecure because you can login?
BMCs (Baseboard management controllers) are something with very ... questionable ... security, yet network segregation is used to ensure its use securely. Given that many HIPAA complaint organizations such as AWS and GCP (Google Cloud Platform) I find it hard to believe that a management interface would disqualify something from HIPAA compliance.
Which part of the HIPAA audit did pfsense fail? Was it simply an abundance of caution" on your part? If so, what did you replace it with that didn't have a management or has a management interface with no bugs (hint: even Cisco and juniper have CVEs for the management interface)?
The UI controls setting up the network and other services. Please explain how to do this without root access. (Write another process which runs as root and controls the settings and is talked to over a Unix socket actually isn't a bad idea, however, it is not void of its problems either.)
Also "most commonly exploited languages" is a bit of hyperbole, no? First, C probably takes that slot. Second, being one of the most common languages for web development makes it a target. Third, most php exploits are bad code, which, while easy to write in php (and c!), can be and is done in all languages.
Isn't the administrator interface on _any_ router essentially root access on said router? Do you complain that juniper or Cisco equipment is insecure because you can login?
BMCs (Baseboard management controllers) are something with very ... questionable ... security, yet network segregation is used to ensure its use securely. Given that many HIPAA complaint organizations such as AWS and GCP (Google Cloud Platform) I find it hard to believe that a management interface would disqualify something from HIPAA compliance.
Which part of the HIPAA audit did pfsense fail? Was it simply an abundance of caution" on your part? If so, what did you replace it with that didn't have a management or has a management interface with no bugs (hint: even Cisco and juniper have CVEs for the management interface)?