pfSense and UFW
-
New to pfSense and currently running v2.6 with Snort.
I'm currently running Linux Mint and Ubuntu Server on several machines with UFW enabled.
All machines are behind the pfSense server.
Is there a reason to continue to have UFW enabled on the Linux machines in addition to the protection provided by pfSense?
-
That depends...
Do you believe things originating from the internet are the only threat on your network? What if one of your PCs gets ransomware or ... a RAT?
If it's not a hassle to maintain the UFW rules, then I'd leave them enabled.
/Bingo
-
Mmm, like all these things it comes down to security vs convenience.
Any firewall on end hosts will see things that pfSense cannot. And can block that traffic as @bingo600 says.
-
Thanks guys! Very helpful feedback!
-
Having your network protection only on the firewall has two rather serious drawbacks.
First, pretty much every bit of network traffic these days is encrypted end-to-end. That means an IDS/IPS running on the firewall can't examine the packet payloads. The best it can do with encrypted traffic is examine some headers and related metadata (SNI, for example). But as the world moves to more and better encryption, even that small window into the network traffic flow is going to disappear.
Second, the firewall is not privy to host-to-host communication on the same subnet because devices there talk directly to each other and bypass the firewall. So, if someone on your LAN manages to introduce malware via some non-network means (for instance, via a USB memory device), then that malware can spread from host to host on your LAN and the IDS/IPS on the firewall might never see the traffic. The solution here is HIDS (Host-based Intrusion Detection System).
A comprehensive network security profile will utilize both a perimeter firewall and HIDS. An enterprise network (think Fortune 500 corporation) will likely use MITM (man-in-the-middle) technology to break the encryption chain via a proxy that can then send over a copy of the cleartext network traffic to an IDS/IPS for analysis.
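As an added illustration of the second point (not code from bmeeks or from pfSense), here is a small Python parser over constructed UFW log lines that picks out blocked packets whose source and destination are both on the LAN, i.e. host-to-host traffic the perimeter firewall never sees. The LAN range 192.168.1.0/24, the hostname and the log lines are all assumed for the example.

```python
import ipaddress
import re

# Constructed sample lines in the format UFW writes to /var/log/ufw.log
# (netfilter key=value fields after the "[UFW ...]" prefix); addresses are
# placeholders, not from the thread.
SAMPLE_LOG = """\
Jan 12 10:01:07 mint kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.60 PROTO=TCP SPT=48122 DPT=22 SYN
Jan 12 10:01:09 mint kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.60 PROTO=TCP SPT=51000 DPT=445 SYN
Jan 12 10:01:11 mint kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.60 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 12 10:01:12 mint kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.60 PROTO=TCP SPT=48123 DPT=445 SYN
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN behind pfSense
LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z]+)\] (?P<fields>.*)$")


def parse_ufw_line(line):
    """Return {'action': ..., KEY: value, ...} or None for non-UFW lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    for tok in m.group("fields").split():
        if "=" in tok:  # bare flags such as SYN carry no value
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec


def lateral_blocks(log_text, lan=LAN):
    """Blocked packets with both SRC and DST inside the LAN.

    Such flows never cross pfSense; only the host firewall logs them.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if not rec or rec["action"] != "BLOCK":
            continue
        try:
            src = ipaddress.ip_address(rec["SRC"])
            dst = ipaddress.ip_address(rec["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        if src in lan and dst in lan:
            hits.append((str(src), str(dst), rec.get("PROTO"), rec.get("DPT")))
    return hits


if __name__ == "__main__":
    for src, dst, proto, dpt in lateral_blocks(SAMPLE_LOG):
        print(f"lateral block: {src} -> {dst} {proto}/{dpt}")
```

The internet-sourced attempt and the allowed connection are skipped; only the two same-subnet blocks remain, which is exactly the traffic an IDS on the firewall would never have seen.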
-
@bmeeks said in pfSense and UFW:
HIDS
Great information bmeeks! What package do you suggest for HIDS?
-
@cannondale said in pfSense and UFW:
@bmeeks said in pfSense and UFW:
HIDS
Great information bmeeks! What package do you suggest for HIDS?
That is definitely an operating system specific thing. Obviously an anti-virus client is at the top of the list. There are both free and paid versions, but I tend to stick with the free ones. For example, on Windows I use the built-in Microsoft provided products. For Linux and other systems, you have ClamAV.
The next step would be log scraping applications that examine the various host system logs for suspicious activity. Most of the clients I am familiar with are paid versions with fairly hefty "corporate level" price tags. Tripwire is one example of a popular HIDS. There may be some freeware/open source alternatives, though. I've been out of that space (HIDS support) for quite a number of years, so I am sure things have changed there.
Lastly, you can utilize application control on host endpoints. There are paid versions of this and also likely freeware variations. Application control refers to system-level drivers/applications that physically prevent unauthorized binary code from executing on the host. AppLocker is an example from the Microsoft world. These can be highly effective anti-malware tools, but they are a major pain to administer on a network.
-
Many thanks for the detailed options and pointing me in the right direction bmeeks! You have definitely given me some good areas to research further.