LAN Security Best Practices (within LAN)
-
Hello everyone, i'm creating this post to address best practices and suggestions for securing the LAN within LAN Clients. (Didn't find anything related yet).
Is common that pf filtering (firewall rules) are evaluated and applied only when the packet transits between interfaces, so we can't really do anything with firewall rules. But what we can really do on the LAN itself ? For example get some protection when a bad actor plug a LAN Ethernet cable on his laptop.
So i have check the mac address filtering and dhcp leases, and found that we can assign specific IP paired with a MAC Address (or block mac address) and limit the dhcp range for security reasons. (But we can't have zero DHCP addresses, limit to 1 and we can't disable the dhcp server completely because the static dhcp lease is not working then).
It seems that there is no protection if someone use static IP. Some commercial firewalls have specific MAC binding for devices and then they virtually reserve the available IP's so an intruder can't be assigned by DHCP or use static.
I'm looking for any suggestions from more experienced people , so we can draft here some best practice points for everyone to follow for the LAN settings. Any comments and suggestions appreciated.
-
@Bambos said in LAN Security Best Practices (within LAN):
Is common that pf filtering ....
You can even shut down pfSense, remove it from the main switch that handles your LAN.
Traffic between LAN clients isn't handled by pfSense, isn't seen by pfSense.
Btw : scrap pfSense here, put the word 'every firewall avaible on planet earth' for a better description.edit : ok, true, DHCP won't work anymore so when DHCP leases time out, devices will loose their IP etc and the "networking" comes to a halt.
So, how to protect devices from each other on a LAN ?
First, the human aspect enters into play : a network admin should not accept any devices on its LAN that he doesn't trust a little bit. Devices are grouped in classes, and every user or device belongs to a class, or dedicated LAN interface that belongs to the type of device (user).
Simple example : I use pfSense for a hotel.
My own PCs, printers NAS and what so ever are on the LAN. I handle and trust these device. If there is an issue, I know who uses the device, and I have a chat with the user, if needed.
The hotel users all want a wifi access ... so I created another LAN (OPTx), activated the captive portal on it, and now they have their own Internet access without being any thread to my own devices on my LAN.Btw : now you know why every device, a pad, a phone, a PC, whatever also has its own firewall.
@Bambos said in LAN Security Best Practices (within LAN):
So i have check the mac address filtering and dhcp lease
Maybe useful.
As soon as you understand that MAC addresses can be changed with a click you'll know what that's worth ^^@Bambos said in LAN Security Best Practices (within LAN):
Some commercial firewalls have specific MAC binding for devices
And all devices have a random MAC generator ... check you own phone to see it ^^
When you dig into the technology used in our networks today, you'll discover that it is 'ancient' technology that evolved very little over the last x decades and that only one person can make the difference : the network admin, you.
By, for example, separating devices over multiple LANs, and defining firewall rules for every LAN.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
As mentioned by @Gertjan if you don't want devices talking to each other put them on different vlans.. For example its common for guest network for guests you have coming over.
You could setup a NAC to prevent devices from just plugging in.
https://www.packetfence.org/ for a free one.
Depending on your switch you could setup a private vlan.. Or setup specific ACLs on the network via the switch, I block multicast and such on my interfaces on multiple vlans.
But pfsense is the router firewall to get off a specific network, it has no involvement in traffic between devices on the same network. You would do those sort of controls on your switch.
Even if you don't go full NAC (network access control) depending on your switch you should be able to port control where only specific mac can connect to a port.. So a bad actor can't just unplug a device and plug in and be on that network, unless the mac is the same as the device they unplugged.
-
Thanks everyone for the comments.
I need to dig in more on special switches, Vlans, and NAC as it seems.
For the time i just gave all the users static dhcp lease according the mac address of each device and narrow down the dhcp server to 1 available IP (which is the minimum allowed) for example : 192.168.1.180-192.168.1.180 and then i have assigned this IP as a virtual IP alias on the pfsense device to indirectly disable the IP assignment.
So the known dhcp static leases are working through the dhcp server and static lease that is still enabled, but the dhcp server cannot actually assign more IP's to clients. -
@Gertjan said in LAN Security Best Practices (within LAN):
edit : ok, true, DHCP won't work anymore so when DHCP leases time out, devices will loose their IP etc and the "networking" comes to a halt.
Hello, i run on this option of DHCP Server , it seems that static dhcp entries will be assigned, even if the dhcp is disabled.
What is your comment?
-
Static ARP entries are added. DHCP will still be disabled so clients won't pull a lease. All clients would need to be statically configured.
-
@Bambos who exactly is going to be plugging into your network in the first place? Is this a work setup with ports under cubes that you have enabled? unused ports in a work setup should be disabled, and if your worried about someone coming in and unplugging a machine and plugging in, port security would keep them from connecting - unless they knew the mac of the machine they unplugged.
You asked for best practices - what your doing is not best practice.. What is best practice if your concerned with unwanted devices connecting to your network via a wire - run a nac.
-
@johnpoz yes , thank you. best practices with the existing setup (without nac - just having a pfSense).
-
@Bambos again who is going to access your wired network.. Offices are normally secure with only employees working there.. A home - who is in your house that you don't want plugging into your network.
You seem to be wanting a solution to a problem that does not exist..
What is the scenario your concerned with exactly... There is nothing pfsense can do to stop someone from plugging into a switch port on your network.. Even if they don't get an IP, or even if pfsense has static arp and won't talk to them on any IP in your network. Even if just create a dupe IP on your network.. The would still be able to talk to anything else on the network.
If you want to control who has access to the physical network.. Pfsense is not the answer, this is done at the switch ports, or something like a nac that control access to the switch ports. Now pfsense could run the radius server that is involved in your 802.1x portion of your NAC used to access your network.
Even cheap entry level smart switches support the ability to turn off unused port, you might need something a bit more advanced that allows for port security or ability to be used in a nac.
If you want it to make it a bit more difficult you could require tags on all the ports, where the device has to use a vlan tag to talk on that network. They would then need to know what tag to use, and their device would have to have the ability to set the tag, etc.
Please explain the exact scenario your concerned about, and we can discuss the best way to mitigate that scenario - or even if there is a way. But pfsense has no control over some switch port on your network.
-
@johnpoz Hello Sir, and thanks for taking the time to put some thinking to this.
The scenario is office network, (usually secured as you said) , but with an open door to the public and visitors come and go. i agree with you that any firewall / router cannot function on layer2. My target is not to achieve NAC with pfSense, is just to not have everything wide open and easy accessible if someone decides to plug a device and scan things. at least to buy some time. so disable dhcp is something i consider together with ARP entries.
I have enabled for test the static ARP entries, and seems that only the static DHCP leases (with MAC Address) was able to stay on then LAN. The devices without static dhcp lease and normal static ip settings, loose the connection. So something might be helpful there... i will repeat the test with the dhcp server enabled and disabled with the static ARP and see what's going on.
Another idea is to leave the dhcp server with a range of just one IP and with another app, scan this IP and email the admin in case of any host or ping detection. (like honeypot).
Thanks again for the comments and any possible suggestion will be tested !
-
@Bambos The most common sense thing to do would be to just disable ports your not using.. And depending on what switch(es) you have another simple thing to do would be port security.. This would prevent your exact scenario.. With zero need to do anything with static arp or dhcp..
Your static arp or lack of dhcp doesn't prevent someone from scanning.. Its simple enough to plug into a port and scan.. You don't really even need to to know what the IP range is.. And would only take seconds seeing any broadcast or arp traffic to understand what IP range is being used.
Port security would prevent anyone from unplugging an existing device and connecting.. Unless they also knew the mac address of the device they unplugged.
your static arp or lack of dhcp does nothing but cause you work - and would not prevent anyone from plugging into any port be it they unplug something first or just the port is open and scanning.
I would disable any unused ports, even the cheapest of smart switches support this. And if you have switches that can do port security, set that up.. This is going to be far less work in the long run then dealing with dhcp and static arps which doesn't actually prevent the thing your worried about anyway.
https://www.pynetlabs.com/port-security-in-computer-network/
Depending on what your switch(es) support you could also leverage 802.1x and freeradius on pfsense where the client has to auth.. Lets call it a poor mans nac, even if not fully blown sort of nac.
Another thing you could look into - if your switches support it is private vlans.. This can be setup to prevent only ports to talk to other specific ports.. So like everyone could say talk to the server or the gateway, say a printer - but they couldn't talk to themselves. This is a good thing to do because it limits other devices from talking to other devices on the network they shouldn't be talking to - this can help slow down or prevent the spread of worms or ransomware, etc.
-
@johnpoz thank you very much for the valuable information and directions. At the moment is a small office with no special smart switches. Just unmanaged switches.
But i liked the idea of poor mans nac with freeradius. maybe i will try that.
-
@Bambos your switch needs to support that. If you just have dumb switch its not going to work. Pretty much any 40$ smart switch turn off a port not in use. But to do something like port security that is just mac based, or using 802.1x you need a slightly better switch.
If your goal is locking down your physical access, you need a switch that provides some methods to do that. Not providing IP sure isn't going to stop them from scanning other devices once they have a physical connection.
