Netgate Discussion Forum

How is the out of box security?

General pfSense Questions, 17 Posts, 10 Posters, 4.0k Views
Gertjan wrote:

@mattig89ch:

Hidy ho all,

I'm about to head out, but figured I'd ask before I left work for the day. How is the out of box security? Is it good enough to where I can toss out the anti-virus?

pfSense could be a router, firewall, or whatever you can make it.
A router is like a post office: what comes in somewhere goes out elsewhere. Sometimes it comes in and goes out (taking the same 'door').
It should do less, or more.

Virus searching on a router: this means that it should recognize 'files' in data streams, disassemble them, unpack them if needed, scan all the files ... That would be a hell of a job when downloading the latest Windows 10 preview (several gigabytes).
But I guess it can be done using a package like HAVP, which uses the ClamAV anti-virus scanner. Your question boils down to: is the ClamAV anti-virus scanner good?! Could it replace all the anti-virus programs on all your PCs? => If security means something to you, the answer is simple: no way.

No "help me" PMs please. Use the forum, the community will thank you.
Edit: and where are the logs??
kejianshi wrote:

In short, no.

Not if Windows is involved.

There is no solution that can protect Windows adequately other than a virus scanner running on the Windows machine itself, and even that is only 70% effective or so.

If you want a lot of security, get yourself a laptop / PC, install a nice Linux OS on that and use it for all your important stuff like bills, banking, email etc. etc...

The Linux machine will be just happy with no AV running on it behind pfSense.
mattig89ch wrote:

@Gertjan:

Virus searching on a router: this means that it should recognize 'files' in data streams, disassemble them, unpack them if needed, scan all the files ... That would be a hell of a job when downloading the latest Windows 10 preview (several gigabytes).
But I guess it can be done using a package like HAVP, which uses the ClamAV anti-virus scanner...

This is an interesting idea. It may not be all that great, but possible. Are there other packages that use better AVs (paid and/or free)?

Obstacles are those frightening objects we see when we take our eyes off the objective.
kejianshi wrote:

That stuff you are considering will at best provide you with a false sense of security. But if that makes you happy, go for it. It won't save you though.
mattig89ch wrote:

I'm more interested in the idea than anything. I've heard about folks running some kind of firewall between their network and their modem, and never needing an AV.

I don't think I'll ever actually remove my AV (too paranoid [just 'cause I think they're out to get me, doesn't mean they're not]), but the idea of being able to run a more secure network (if only just slightly) is an awesome one.
Gertjan wrote:

In that case: the entry point will be a box like this: http://store.pfsense.org/c2758/ and I hope it will handle the load.
kejianshi wrote:

They are in fact out to get you (and everyone). Paranoia is just good common sense.

People who run Windows behind pfSense with ClamAV and no AV on the Windows machine just have no idea what they are doing. It's BAD.

ClamAV running in a proxy scanner simply won't get everything.
BBcan177 (Moderator) wrote:

You can also install an IDS (Snort or Suricata) in pfSense and also block known malicious IPs with pfBlockerNG.

Other good practices are to use a separate computer for banking etc., or at least use different browsers.

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177 #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/
mattig89ch wrote:

Fair enough, but let's start with the first step. Get an add-on to scan and block what it can. Where can I get a hold of that ClamAV add-on?

Then I can try and set up Suricata (saw a thread around here where someone was bashing Snort).
Derelict (LAYER 8 Netgate) wrote:

Virii are contracted by computer users through ignorance and stupidity. No virus scanner can fix stupid. At least not 100% of the time. You are better off putting in place a rigorous patching/updating policy - servers too.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
mattig89ch wrote:

lol, too true.

Was that a stupid question to ask, asking about where to get that ClamAV add-on? Because I never got a response to that question.

Also, Gertjan, were you saying the box I'm running pfSense on would need to be as powerful as that rack-mount thing you linked?
KOM wrote:

@mattig89ch:

I've heard about folks running some kind of firewall between their network and their modem, and never needing an av.

I wouldn't do that. Security is not a product, it's a methodology. Security is done in layers like an onion. Having a firewall is a must, but it's not a replacement for other attack mitigation technologies like Snort on the firewall, plus local AV on the clients. And even then you're still not fully covered because you can never be.
MikeV7896 wrote:

@mattig89ch:

where can I get a hold of that clamav addon?

System menu > Packages is where the various package add-ons are located (if I'm remembering correctly; not at home to check).

Personally? Windows without some kind of malware detection on the computer is just not smart. I will always have at least some kind of free malware detection installed, if not something better.

There are plenty of other ways malware can get onto a computer than over the internet. USB flash drive? Memory card from a friend's camera (did you remember that there used to be malware that took advantage of JPEG exploits?)? How about someone's computer connected to your WiFi? That wouldn't go THROUGH the router, because it would be within your own network (unless you set up a separate network for wireless access).

Even if it's Microsoft Security Essentials/Windows Defender - which is about as basic as you can get for Windows malware scanning - you should still have some kind of malware detection on your computer.

The S in IOT stands for Security
Harvy66 wrote:

Out of the box, pfSense has great remote security. It can protect you from the outside world trying to get into your network, but it won't stop your network from trying to get to the outside world.
surething wrote:

The way that I have been trained to look at it is security in layers. Even though you can beef up your security on pfSense and make it a proxy/IDS/firewall, host-based firewalls are a must for zero-day exploits; case in point the SCADA exploit which was aimed at the spooler service. If the computer is not sharing a printer, then block that port at the host. While there are services like Snort that cover the network traffic, physical access is not covered; anything like a USB drive or a file that got through pfSense could wreak havoc.

Now if you are wondering what kind of protection you need after pfSense, this is what I recommend. If you have pfSense running Squid to filter out malicious ads, the firewall configured to lock down traffic, and Snort on the WAN with balls-to-the-wall security enabled, then Windows Firewall correctly configured is perfect. Now if the units are leaving your managed network (laptops), that is where you would consider an intrusion detection and firewall combo. Antivirus is a must regardless of firewall. Remember, if you are patching and updating your antivirus, other things on the top of the pyramid are nice but not required. Everything helps security; it starts with the basics, though.
firewalluser wrote:

Some thoughts.

Anything capable of running software of sorts, be it your computer, firewall, mobile phone, printer, photocopier, TVs, vehicles etc., with the ability to update it with new versions of software has the potential to be hacked.

With that in mind, the next question is how easy is it to update? TVs can be updated over the air, some vehicles & phones similarly; now in the case of computer networks, you need to isolate everything, otherwise something like Stuxnet & other rogue software can be hiding in your network printers or photocopiers or switches.

One way is to isolate everything into its own unique sole VLAN with firewalls blocking everything that's not permitted.

Permission should only be granted when you want to, like for example allowing access to update sources during dates & times of your choosing, none of this allowing anything to touch base unnecessarily like Windows desktops phoning home to MS in the US when you log on for example, same for switches.

Bear in mind all ISP routers and firewalls have a default allow-out-to-the-net rule, including pfSense; what an easy way to walk out with your data.

Audit all PCs where possible so you know what the contents of your computers' HDs are, frequently, because the flaw with AV software is simply this: the AV companies need to find the virus first before they can add it to their signature database of known viruses. In other words, your AV software cannot protect you unless the AV company has found the virus.

For point of reference, AV companies can spot variations of the same virus automatically in most cases, which are the updates we receive hourly, daily, weekly etc.; it's the new viruses that can take weeks, months, years to reverse engineer before they consider something a virus or not, and that's before we get into polymorphic software.

Bear in mind it's entirely possible for app stores, including MS updates, to serve unique files just for you, if you want to be really paranoid, and how do you know that DLL coming down the wire is what it says it is?

Bear in mind it's also possible to hide software in the less-used parts of spinning disks which no longer get formatted when reinstalling your Windows OS, as it does a quick NTFS format which just resets the FAT (disk index), not blanking the contents (the chapters of the book).

Log all traffic data in and out and have something to analyse the data so it flags up anomalies or unaccountable network traffic. Get to know the data patterns by day, week, month & year, much like you would know when your car is not running quite right.

In some cases block SSL traffic out of your machine, as you don't know what data is being lifted/sent that could incriminate you; even your Windows OS tracks the files like what you send to the recycle bin, and that is part of the forensics built into Windows.

Be careful of Google; it's very Machiavellian and will serve you data which can land you in court. Be careful of websites you visit, as some don't allow you to report questionable data, again setting you up for a fall if the authorities so desire.

Work on the basis that if you can think it so can they, but they will have beaten you to it in ways to access that data, and remember a request from one country to another is not always immediately illegal except where the conspiracy to commit a crime is punishable, like here in the UK, which means every request GCHQ sent abroad to foreign spooks is committing a crime even though they like to portray that they don't break the law; dontcha believe it. They will even employ phishing techniques in major online news media via comments and other websites to find out the information they want to know, like how easy it is to evade their detection. ;D

FWIW.

Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

Asch Conformity, mainly the blind leading the blind.
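The logging advice in the post above (allow update sources only at chosen times, log all traffic in and out, learn the day-by-day pattern and flag unaccountable egress), as an added example that is not from the thread or from pfSense. It assumes a simplified constructed record format rather than pfSense's real filterlog output, and the hosts, addresses and 3 am update window are invented.

```python
# Added example, not code from the thread or from pfSense. It builds a
# per-host egress baseline from a few days of constructed flow records and
# flags later flows that fall outside it: a destination the host has never
# contacted, or a known destination reached outside its usual hours.
from collections import defaultdict
from datetime import datetime

# Constructed records in a simplified format (not pfSense's filterlog
# format): "ISO-timestamp src dst dport bytes"
BASELINE_LOG = """\
2024-03-04T03:05:00 10.10.20.5 203.0.113.10 443 52000000
2024-03-05T03:05:00 10.10.20.5 203.0.113.10 443 48000000
2024-03-06T03:05:00 10.10.20.5 203.0.113.10 443 51000000
2024-03-04T09:30:00 10.10.30.7 198.51.100.20 443 120000
2024-03-05T09:31:00 10.10.30.7 198.51.100.20 443 130000
"""
NEW_LOG = """\
2024-03-07T03:06:00 10.10.20.5 203.0.113.10 443 50000000
2024-03-07T14:12:00 10.10.20.5 203.0.113.10 443 400000
2024-03-07T14:13:00 10.10.30.7 192.0.2.77 8443 9000000
"""

def parse(log):
    """Yield (timestamp, src, dst, dport, bytes) tuples from the text log."""
    for line in log.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)

def build_baseline(log):
    """Map src -> {(dst, dport): hours-of-day seen} over the learning window."""
    base = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport, _ in parse(log):
        base[src][(dst, dport)].add(ts.hour)
    return base

def flag_anomalies(base, log):
    """Return (src, dst, dport, reason) for flows the baseline does not explain."""
    findings = []
    for ts, src, dst, dport, _ in parse(log):
        hours = base.get(src, {}).get((dst, dport))
        if hours is None:
            findings.append((src, dst, dport, "destination never seen in baseline"))
        elif ts.hour not in hours:
            findings.append((src, dst, dport, "outside usual hours"))
    return findings

if __name__ == "__main__":
    for finding in flag_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(*finding)
```

The 3 am update fetch passes quietly; the same host reaching its update server at 2 pm and a second host contacting an unknown server on 8443 are both flagged for a human to account for.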
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.