PfSense as a Proxy POP->POPs, IMAP->IMAP/S, SMTP->SMTP/S, FTP->FTP/s

guardian

I am wondering if there is a way that I can set up pfSense to translate insecure protocols to secure protocols before sending them out to the Internet?

I have IOT devices that only use FTP/POP/IMAP/SMTP,  instead of secure authentication.

Unless I have the internet turned off, the pfSense box will always be running even if all the home PCs are off (for example, extended absence), so it makes sense to put the proxy in pfSense.

I would not be expecting the proxy to accept any unsolicited connections, so I wouldn't think this should represent a huge security risk - or am I missing something?

Suggestions? / Comments please - Thanks in advance for any assistance or hints.

KOM

You cannot use pfSense to just redirect traffic from known ports to other ports and expect those listening servers to be able to handle that traffic if the underlying protocol is different.  Sure, you can direct all tcp/80 traffic to tcp/443, but that doesn't mean that SSL handshakes will magically start happening and an HTTP session will suddenly be HTTPS.  It doesn't work that way.

No IoT devices should ever be directly exposed to the Internet.  You should even be paranoid about their outbound traffic as I've read a bit about these devices phoning home, etc.  Instead, a much better option is to configure OpenVPN and then connect to your network that way to access your devices.  Configure your LAN firewall rules to deny Internet access except as required.

guardian

Thanks for the reply KOM

@KOM:

You cannot use pfSense to just redirect traffic from known ports to other ports and expect those listening servers to be able to handle that traffic if the underlying protocol is different.  Sure, you can direct all tcp/80 traffic to tcp/443, but that doesn't mean that SSL handshakes will magically start happening and an HTTP session will suddenly be HTTPS.  It doesn't work that way.

I understand that… I was wondering if there was a package that could be set up (I know I'm going to have to install it myself, but I was hoping somebody could elaborate) would act as a proxy and do the translation.

For example, I've seen a package called stunnel (not sure how good it is, or what systems it has been ported to, how well it works, etc.), that I believe can do that (maybe I'm wrong-please correct me if I am)

@KOM:

No IoT devices should ever be directly exposed to the Internet.  You should even be paranoid about their outbound traffic as I've read a bit about these devices phoning home, etc.  Instead, a much better option is to configure OpenVPN and then connect to your network that way to access your devices.  Configure your LAN firewall rules to deny Internet access except as required.

Good points…. 100% agreement.... can you point me to recipe for setting that type of thing up? I'm not there yes, but it's in the todo list. 
I would like to run a private web sever for my own use, access home monitoring,  and VPN my cell phone internet traffic for added security (protect against WiFi & Cell Skimmers), and also to monitor as much of the traffic as I can.

Who knows what these cell phones are doing behind our backs, but unless you can monitor and decrypt the RF, you will never know.  I can at least have some control/surveillance of the android apps running on my device, maybe block ads, etc.

Aside: Years ago, on my first phone I decided just on a hunch to put a logger on the the WiFi and leave it running at home.  Found the #$@ talking to some IP in China... never really figured out it was doing.... phone was running Android 2.2 at the time, and a 4.0 upgrade was available, so I just wiped everything and started fresh which solved the problem.  Now I hardly install anything on my phone.

AND.... that was not the question/use case.

I'm talking about OUTBOUND ONLY traffic (and yes, I plan to set up rules to only allow access to the IPs/services I want it talking to!!!!) - these devices need to upload images to my hosted web server, send alert emails, etc..  I don't want my email/ftp creds getting scooped of the wire between me and the server.  How can I handle this problem?

Also, it's a shared server, so I don't want a VPN tunnel running connecting my system to the sever at all times - I just want to do occasional info posts/alert emails.

KOM

I don't know anything about stunnel.  ALso, disregard what I said about VPN.  That only applies to incoming access.

How can I handle this problem?

Put rules on LAN that allows those devices to only talk to addresses you allow like your server, and block all others for those devices.

guardian

@KOM:

How can I handle this problem?

Put rules on LAN that allows those devices to only talk to addresses you allow like your server, and block all others for those devices.

That's great for incoming - It's the OUTGOING problem-I'm worried about the creds for the outside server getting scooped when the device posts info or sends email.

KOM

That's great for incoming - It's the OUTGOING problem

Well no, putting rules on LAN isn't great for inbound traffic.  Rules apply to traffic entering the interface.  WAN rules control inbound traffic from the Internet.  Putting rules on LAN controls outgoing traffic to the Internet or other networks.

guardian

@KOM:

That's great for incoming - It's the OUTGOING problem

Well no, putting rules on LAN isn't great for inbound traffic.  Rules apply to traffic entering the interface.  WAN rules control inbound traffic from the Internet.  Putting rules on LAN controls outgoing traffic to the Internet or other networks.

Thanks…. got that part.... this thread isn't about fire walls.  I appreciate the comments about security/phoning home-very valid and noted, and good for others who may not have thought about this to see.

**I am  trying to solve the problem of the IOT devices being able to securely communicate with an external server (email/ftp) when these devices don't have any encryption capability and only provide support for insecure protocols.

AFAIK that means some type of proxy to add the encryption, talk to the secure server, and then reverse the process.

I am hoping that someone can offer some insight that might help me with this issue.**

Derelict

Take your IoT devices that do not support secure protocols and return them to the place of purchase. Problem solved.

guardian

@Derelict:

Take your IoT devices that do not support secure protocols and return them to the place of purchase. Problem solved.

Unfortunately NOT an option in this case.  This is NOT an enterprise environment, and with a VLAN, proxy and decently hardened firewall rules there shouldn't be any real issues either.

Unfortunately the general public either doesn't know or doesn't care about security, so obtaining well engineered devices often isn't an option (at least not without spending $$$$$!!).

As KOM said most of this stuff isn't to be trusted (for that matter neither is Windows or MacOS these days either), so the only option is to put it in a cage (firewall) and watch it (log monitoring/IPS).

Derelict

Good luck.