Netgate Discussion Forum

    Native 2FA In PfSense ?

    General pfSense Questions
    20 Posts 8 Posters 1.9k Views
    • panzerscope

      Hey guys,

      Is there a plan to add in a native 2FA to pfSense?

      I took a look and I can see you can set one up through FreeRadius, which is an option, although lengthy. So yeah, I just wondered if it will become a native security option, I know I would welcome it and I would imagine others would make use of it as well.

      Many thanks,
      P

      • Gertjan @panzerscope

        @panzerscope

        Like FreeRadius on pfSense software for Two Factor Authentication ?

        An F2A access for the 'admin' ? 😵 I'm not sure if that's a good idea.

        What happens when :
        The network users : "Help Internet is down"
        You : "No panic, I connect to pfSense, and see what's up"
        .....
        You, 10 minutes later : "I can't repair the connection, F2A doesn't work, because Internet is down, I can't get in ..."
        and you lost your job as a system admin.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • johnpoz, LAYER 8 Global Moderator @Gertjan

          Very valid point.

          There is also the part where to even log in to the GUI, you should have to be on a secured network.. That to get on you need a box on this secure network.. So this would be your 2nd factor.

          You could even lock this down to a tighter location/device, which are part of multifactor... You could have to be on a specific device on this secure "admin" network.. To get to said device, you have to get into a locked room, secured building, etc.

          You would then need to log in to this device, which should have a different password than the pfSense password.

          Sure, ok, you're logging into your bank website, any IP on the planet can talk to the public bank website.. They want another factor to validate you are a valid user of the username/password..

          But someone logging into the pfSense GUI, they have to be coming from a secure location. The network that can access the web page, by definition this is a factor.. So unless you have your web GUI open to the public network you're already meeting 2FA..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • SteveITS, Galactic Empire @johnpoz

            Counterpoint: cyber insurance companies are increasingly requiring 2FA “on everything” and one either checks the box or can’t. Router, switch, PBX, etc. I suppose one can try to debate necessity/risk/premiums with them but…

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • AndyRH

              Another way to look at it, 2fa for remote access, so no GUI without 2fa. Local, no 2fa because you have to be there to plug in or type on the keyboard.
              Zero trust is not a defined standard, it is a standard defined by each company. At work many things require 2fa, but the critical things have a secure way to bypass 2fa when things are broken.

              o||||o
              7100-1u

              • SteveITS, Galactic Empire @AndyRH

                @AndyRH Good point, Duo for instance has an option for PC logins to fail open or fail closed if no Internet.


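The policy the posts above describe (the secured admin network itself counting as a factor, a second factor only for remote sources, and an explicit fail-open or fail-closed choice when the second-factor service is unreachable), as an added example that is not pfSense code or any poster's code. The admin subnet, the local RFC 6238 TOTP verifier and the FactorServiceDown signal are constructed assumptions.

```python
"""Added example (not pfSense or any poster's code): GUI login policy where the
admin network is itself a factor, remote/VPN sources need a second factor, and
an unreachable 2FA service is handled fail-open or fail-closed by policy."""
import base64
import hashlib
import hmac
import struct
import time
from ipaddress import ip_address, ip_network

# Constructed topology: the locked-room "admin" VLAN from the thread (assumption).
ADMIN_NETWORKS = [ip_network("10.10.99.0/24")]
STEP, DIGITS = 30, 6


class FactorServiceDown(Exception):
    """The external verifier (RADIUS server, push provider) did not answer."""


def totp(secret_b32, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1: the 'code on your phone' factor."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, now=None, skew=1):
    """Accept the current step or one step either side to tolerate clock drift."""
    now = time.time() if now is None else now
    return any(hmac.compare_digest(totp(secret_b32, now + k * STEP), code)
               for k in range(-skew, skew + 1))


def gui_login(source_ip, password_ok, second_factor, fail_open=False):
    """Decide a web GUI login; returns (allowed, reason).

    second_factor is a zero-argument callable that returns True/False, or
    raises FactorServiceDown when the verifier cannot be reached (the
    'Internet is down' case from the thread).
    """
    if not password_ok:
        return False, "bad password"
    if any(ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        # Reaching the GUI from the secured admin network already counts as a factor.
        return True, "password + admin network"
    try:
        ok = second_factor()
    except FactorServiceDown:
        if fail_open:
            return True, "password only: 2FA service down, policy is fail-open"
        return False, "2FA service down, policy is fail-closed"
    if ok:
        return True, "password + second factor"
    return False, "second factor rejected"
```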
                • johnpoz, LAYER 8 Global Moderator @SteveITS

                  @SteveITS said in Native 2FA In PfSense ?:

                  increasingly requiring 2FA “on everything”

                  And you tell them you are already meeting 2fa... As explained.. To use the username/password to access the gui you have to be coming from this box.. Which is in secured room, that only IT admins can get into..

                  If they say that is enough they don't understand what Mfa actually is.. putting a code in from your phone is not the get all end all to mfa auth..

                  • stephenw10, Netgate Administrator

                    The thought of trying to explain that to some insurance minion is already making me angry.... 🙄

                    • AndyRH

                      It does work, at least for our insurance company. To get into our DC you have to have your badge, then pass the bio reader, then enter a code. Something you have, something you are and something you know.

                      • johnpoz, LAYER 8 Global Moderator @AndyRH

                        @AndyRH ^exactly.. And then not only do they need the username/password for the web GUI, they most likely need a different username/password to even log into the machine that can access the pfSense web GUI. After they have entered a secured building, and gotten into a secured room.

                        • NollipfSense @SteveITS

                          @SteveITS said in Native 2FA In PfSense ?:

                          cyber insurance companies are increasingly requiring 2FA “on everything”

                          Insurance is the greatest rip-off known to mankind...2FA will become 3FA, only to become 4FA...you get where this is going?
                          Every CEO should be capable of temporarily managing the network if the IT staff needs to be replaced.

                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                          • AndyRH @NollipfSense

                            @NollipfSense said in Native 2FA In PfSense ?:

                            Insurance is the greatest rip-off known to mankind...2FA will become 3FA, only to become 4FA...

                            Not unlike everyone thinking you need CAT6 to run 1gb, next they will want cat 8 then 9.

                            • johnpoz, LAYER 8 Global Moderator @NollipfSense

                              @NollipfSense said in Native 2FA In PfSense ?:

                              Insurance is the greatest rip-off known to mankind

                              Not sure I would go that far.. If your house burns down, you're going to sure hope you have insurance ;) Now that being said they are not in the business of losing money.. So if you dragged your fire pit in from the patio and lit it up in your living room, you're prob going to not be covered.

                              So recommendations for baseline security I get.. The problem is most of the auditors they send out are just checking off a box on some sheet that they barely understand the requirement.. If you showed them hey you have to put in this code from your phone to login they would be fine.. If they only knew the QR code to get the code on your phone is posted in the lobby..

                              Paying people that understand security cost more.. Which would hit their bottom line.. So they send out billy bob, where the example training showed hey they need 2fa (code on their phone).. No code on your phone - no checkmark for you.

                              Explaining to them that your setup is way more secure than just a code on the phone is the hard part.. They might have needed to show 2 forms of id to get into the building, gave a blood sample, a full body cavity search. And then escorted to the secured room in the building where they went through it all again. The IT guy then had to put in a 26 digit passcode into the door to get into the server room, then use a retina scanner to open the safe where the machine is located that can access the webgui of pfsense. Then to log into this machine he needed username/password and fingerprint.

                              But if he then hit the pfSense web GUI from this machine, and he didn't see a verify code box pop up where you could put in a 6 digit pin you got via SMS or auth app on your phone..

                              Sorry dude you don't seem to have MFA enabled - you're going to fail the audit..

                              • NollipfSense @johnpoz

                                @johnpoz said in Native 2FA In PfSense ?:

                                If your house burns down, your going to sure hope you have insurance ;

                                Self-insured is the key, especially now that network tools such as home-assist/home-automation are available.

                                • JKnott @johnpoz

                                  @johnpoz said in Native 2FA In PfSense ?:

                                  You could even lock this down to a tighter location/device, which are part of multifactor... You could have to be on a specific device on this secure "admin" network.. To get to said device, you have to get into a locked room, secured building, etc.

                                  Maybe they could build a SCIF. 😉

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  • JKnott @AndyRH

                                    @AndyRH said in Native 2FA In PfSense ?:

                                    Another way to look at it, 2fa for remote access, so no GUI without 2fa. Local, no 2fa because you have to be there to plug in or type on the keyboard.

                                    Just use a VPN to connect.

                                    • AndyRH @JKnott

                                      @JKnott said in Native 2FA In PfSense ?:

                                      Just use a VPN to connect.

                                      Remote access can be sitting next to the system and using the network to access the system. Local access is using a short range connection, such as a keyboard or serial cable.
                                      A VPN is remote access, distance is not a factor.
                                      The assumption is to get local access other security measures must be met.

                                      • JKnott @AndyRH

                                        @AndyRH

                                        As someone who works in telecom, I was running into this sort of thing long before anyone heard of 2FA, going back almost 50 years. I have been escorted by a guard in a NORAD radar station, weighed coming & going in data centres, fingerprinted, palm scan, retina scan, etc.. I have also been fingerprinted several times for my security clearances. Security is real fun!

                                        • johnpoz, LAYER 8 Global Moderator @JKnott

                                          @JKnott said in Native 2FA In PfSense ?:

                                          weighed coming & going in data centre

                                          That is one I have never run into.. Do you recall where that was at.. It's actually a slick sort of way nothing is being removed, I would guess. But if not paired with a strip search it would be easy enough to fool.. Just bring in something that weighs the same as what you're wanting to bring out ;)

                                          Wonder what happens if you like took a no 2 while in the DC, and weigh a pound or so less when leaving than when you entered ;)

                                          Indiana Jones comes to mind..

                                          [image: Raiders-of-the-Lost-Ark-Chamber.jpg]

                                          • JKnott @johnpoz

                                            @johnpoz said in Native 2FA In PfSense ?:

                                            Do you recall where that was at..

                                            It was at a Royal Bank of Canada data centre, on Front St. W. in Toronto, over 30 years ago. That was just the first time. There have been other occasions in other data centres. I have also done some work in a prison, where it's fun getting in. No cell phone, pager, camera, pocket knife, etc. Take in only the tools you need for the job. Pass through a metal detector. Everything inventoried coming and going, including parts used & removed. Escorted by a guard and locked in the room where the work is.

                                            One system I worked on many years ago was called CPIC, for Canadian Police Information Centre, which was operated by the RCMP. They had Silent 700 terminals at the various police departments, which had an answer back board. That board used a diode matrix to contain the terminal ID. When replacing that board, we had to cut some more diodes to obscure the ID. Of course, if one wanted to be sneaky, one could hold the cutters one way, when installing the board and the other way, when removing it. That way you could look at the ends of the wires, to determine the original vs new diode cuts. 😉

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.