Netgate Discussion Forum
    Drive Encryption

General pfSense Questions

johnpoz (LAYER 8 Global Moderator)

      "WDE on the firewall seems like a solution in search of a problem."

      Well said… And agree..

I am curious if any major players support it though.. Have never looked into it.. Since I have never had to worry about physical security of such devices. They are either locked in an IDF/MDF of some remote location or in a DC with normally over-the-top physical biometric access only, etc. Then even in that DC in a locked rack, and sometimes a cage with different locks, etc.

The firewall is normally never just sitting on someone's desk in an open cube ;)

So now that your concerns about certs are removed from this non-physically-secure firewall - what else is on the device that you're concerned with, that you would desire WDE and all the pains that come with that?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

JKnott

"The firewall is normally never just sitting on someone's desk in an open cube ;)"

        That's where it was in an office I used to work in.  However, there wasn't much option.  The office was a single room in a building where offices and even just mail boxes were rented out to small companies.  Unlike most of the other tenants, we had our own Internet access, connected to an Adtran router/switch.  There were only 2 people working there, me and the sales guy.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

SammyWoo

          @Gil:

          Is it possible to have an encrypted drive to prevent someone from removing the SD card and reading it directly?

          Well, me Mr. Obvious says if security is a concern, PHYSICAL SECURITY, FW box is in a controlled access location, to begin with.

johnpoz (LAYER 8 Global Moderator)

            Rule #1 of security:

            If you don't have physical security you don't have shit ;)

Gil (Rebel Alliance)

              @johnpoz:

If you're worried about the user certs, do not store them on the appliance after they have been created. Same goes for the CA.. You can store the private key of the CA off.. It is only needed to create new certs from that CA.. So that sort of stuff can be removed if you're worried about someone getting that off the firewall.

              I cannot remove all sensitive data.
              A router setup with an OpenVPN client will require a combination of:
              CA.cert, a VPN.cert and VPN.key, plus (possibly) a tls-auth.key, user name and password.
Certainly no need to store the CA.key - I keep a separate system for key generation anyway.
Revoking certificates is an answer to a compromised router - once you have identified the compromise.

I don't disagree with the comments made, but can you always guarantee that all of your client devices are physically secured?
Inherent to my situation, I cannot.

              Just looking for possibilities that may exist past my current knowledge.

              11 cheers for binary

johnpoz (LAYER 8 Global Moderator)
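One practical check that follows from the advice Gil quotes above (keep the CA private key off the appliance; the firewall only needs it to issue new certs). The script below is an added example, not code from this thread or from pfSense: it parses a constructed pfSense-style config backup, lists CA entries that still carry a private key, and produces a copy with those keys blanked. The `<ca>`/`<descr>`/`<crt>`/`<prv>` element names are assumed from the pfSense config layout; verify them against your own backup before relying on this.

```python
# Added example, not from this thread or from pfSense. Audits a pfSense-style
# config.xml backup for CA entries that still store their private key, which
# the firewall only needs when it issues new certs from that CA.
# Assumption: CA entries live under <ca> with <descr>, <crt> and <prv> children.
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample backup: one CA with its key on the box, one kept offline.
# The base64 blobs are placeholders, not real certificates or keys.
SAMPLE_CONFIG = """<pfsense>
  <ca>
    <refid>ca1</refid>
    <descr>Site VPN CA</descr>
    <crt>LS0tQ0VSVC0tLQ==</crt>
    <prv>LS0tS0VZLS0t</prv>
  </ca>
  <ca>
    <refid>ca2</refid>
    <descr>Offline CA</descr>
    <crt>LS0tQ0VSVC0tLQ==</crt>
    <prv></prv>
  </ca>
</pfsense>
"""


def cas_with_private_key(config_xml: str) -> List[str]:
    """Return the descriptions of CA entries whose <prv> element is non-empty."""
    root = ET.fromstring(config_xml)
    exposed = []
    for ca in root.findall("ca"):
        if ca.findtext("prv", default="").strip():
            name = ca.findtext("descr", default="") or ca.findtext("refid", default="?")
            exposed.append(name)
    return exposed


def strip_ca_private_keys(config_xml: str) -> str:
    """Return a copy of the config with every CA private key blanked.
    The CA certificate (<crt>) stays, so existing client certs still validate."""
    root = ET.fromstring(config_xml)
    for ca in root.findall("ca"):
        prv = ca.find("prv")
        if prv is not None:
            prv.text = None
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("CAs with private key stored:", cas_with_private_key(SAMPLE_CONFIG))
    print("After stripping:", cas_with_private_key(strip_ca_private_keys(SAMPLE_CONFIG)))
```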

In what scenario would you be worried about the user cert of a router that connects to a VPN service? The users at that location would have access to the VPN already..

Please describe the scenario of your compromise… What exactly is a person that has physical access to your router going to steal or get access to that you're trying to prevent.. That they already do not have access to anyway from just being in the location and on your local network.

Be happy to walk thru any scenario you can describe that is actually something that anyone should be worried about..

Yes, your firewall in some location should always be secured.. If you do not have physical security you do not have shit... Where WDE comes into play is a scenario where you lose your device.. I.e. your work laptop that you leave in your car - and someone throws a brick through your window and takes the thing. To decrypt the disk they would need your smart card - which you have in your wallet. And/or at minimum your password to boot the machine, etc.

Whole disk encryption only protects against loss of the device. When would a router be lost? If it's in a building under your control... If someone does break into the building and steal it - what is on there that could not just be revoked?

You need to walk through a scenario - if you want to walk through the steps to mitigate that scenario..

Just asking for WDE seems pointless for something like a firewall. Even if the router is sitting in an open cube in your office. What is on the device that someone in the office would want? That you would be worried about them getting access to?

Derelict (LAYER 8 Netgate)

                  It's not a feature that will likely be added anyway.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

Gil (Rebel Alliance)

                    Not all VPNs are for human users, most of my remote clients are network devices - Remote over WAN, multiple locations.

                    The equipment boxes can be locked, but physical security cannot be guaranteed.

I set alarms for security alerts whenever I can.

                    I appreciate this is somewhat specific to this scenario, but I'm sure I'm not the only user who faces this problem.

johnpoz (LAYER 8 Global Moderator)

                      Well use a different firewall solution that provides it.. Like I said none of them do that I know of..  But you want the one you get for FREE too ;)

I would suggest you get a PC to run it on, and use WDE/FDE in the BIOS.. Or run it on some SED, there are some SSDs out there for sure.. Now you just need someone to put in the password every time you reboot the thing…

Better make sure the people who want these top secret VPN user certs do not learn that. And/or that they do not evil-maid you since the device is not secure..

Gil (Rebel Alliance)

                        Okay, thanks for your time. Particularly johnpoz.
                        Like Derelict says - it ain't gonna happen.
                        I totally get why, - no harm in asking though.

Harvy66

I read a blog on the topic of WDE for remote devices where physical security could not be trusted. It was full of all kinds of holes. There is no solution, and the closest you can get to a solution is more of security through obscurity. It comes down to the fundamental issue that a secret must be provided. If the secret is local, then anyone with physical access can get the secret. If the secret is remote, then you need a way for the device to reach back to get the secret, but in order to do that, it must have the ability to boot and connect back. An attacker could just clone this part, run it in a VM and eavesdrop. Now they have the secret. The only benefit you get is you can control when the secret gets sent instead of having it accessible at any time by storing it locally.

                          In short, it can't be done without proprietary hardware. The only way to make this happen is to have a way to store the secret locally in a physically safe way and where the device knows it's in a trusted state. You can keep whittling down which parts must be secure, but in the end you MUST have some amount of physical security.

johnpoz (LAYER 8 Global Moderator)

                            ^ great points Harvy66

                            So yeah it all boils down to if you ain't got physical security you ain't got shit ;) hehehehe

Even a small ma and pop shop should have some sort of closet it could be locked up in. Even in the example where it sat in a cube.. You still have physical security to the point that only people that work in the office would have access.. And ok, the cleaning crew, and the building security and management ;)

But not like it's sitting on a table in Starbucks ;)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.