4 questions (Network segmentation, VPN Routing, Tor and Security in general)
-
You can use pfBlocker to pull and update lists and convert them into aliases you can use in firewall rules. I've never tried but I'm sure there is a Tor list you could use there.
The only way you will get traffic between the interfaces is if the firewall is misconfigured or it is somehow compromised via some yet unknown method.
Separate interfaces is maybe marginally more secure than VLANs. It doesn't rely on the switch operating as expected (or not having exploits).
Otherwise get a second ISP connection and a second firewall and have zero physical connection between them. But I think we all agree that is extreme!
Steve
-
I think maybe he should just airgap his machines, running on their own isolated power sources.. Connecting to the power grid is a "risk" hehehe Should prob do this all inside a Faraday Cage to be "extra" secure ;) And then just sneaker net anything he wants on encrypted disks to be extra secure.. Then after each transfer destroy the disks..
Make sure you do this in your basement (your bomb shelter prob a good choice here) so they can not bounce any lasers off your windows and pick up keystrokes or audio, etc.
Here is what I am talking about with a tor bridge..
https://www.torproject.org/docs/bridges.html.en#BridgeIntroduction
Here are 3 bridges I found from the bridges DB:
50.39.170.81:443 1B39EA619A2514BD1DBEB75836610E1D5CED13FC
45.55.52.78:8443 F0E2B678833F42E92F9C1F8E697FCD862463E85E
73.245.116.148:443 8A4541FB62E7B2ACE14270E42513C605C06BDDD3
Set up those IPs to be allowed, block all others. Make sure your tor client is set up to use those bridge IPs only and ports say 443. At pfsense block all other traffic..
-
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
You can get the $30 dumb switch if you're going to physically separate the networks..
As to vlan hopping... So you think some elite ninja hackers are going to have physical access to your machine on vlan A, and they might hop over to vlan B? I mean really - maybe you need to loosen the tin foil hat at least 1 notch ;) The blood flow is prob starting to suffer at this point to be honest..
You get multiple nics and plug in dumb switch to nic A, and put network 192.168.1/24 on it let's say and then you plug dumb switch B into nic B that you put network 192.168.2/24 on it..
You only allow access to bridges in your tor - you can pull a list once you connect. And just block everything else - it's a click in the firewall rules to be honest..
I love how people that don't work in security... Think that they need DOD facility level security - do you have 20 million in bitcoin sitting on your machine or something? Let's get real here ;)
Think about it this way, your house/car/business probably isn't going to get robbed but that's no reason not to want the best security. I can't see a problem with DOD levels of security if I'm the only one on the network and don't mind the usability trade-off imo.
So, a couple more stupid questions: 1) VLAN hopping can only happen on Virtual LANs right? so having physically separated networks would 100% mitigate this problem? and 2) Where my ISP sends the cable in and I attach it to a router, would I then at that point connect the cable from that router to the switch and the pfSense devices as the only 2 connections? would that separate them 100%? (flow would look like this):
[ISP Cable --> Basic Modem --> Switch --> pfSense Device 1 (Separate network 1) --> pfSense box 2 (Separate network 2)]
@stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
You can use pfBlocker to pull and update lists and convert them into aliases you can use in firewall rules. I've never tried but I'm sure there is a Tor list you could use there.
The only way you will get traffic between the interfaces is if the firewall is misconfigured or it is somehow compromised via some yet unknown method.
Separate interfaces is maybe marginally more secure than VLANs. It doesn't rely on the switch operating as expected (or not having exploits).
Otherwise get a second ISP connection and a second firewall and have zero physical connection between them. But I think we all agree that is extreme!
Steve
Yeah, I would do that however there's no lines available where I live and it would cost loads more per month. Using pfBlocker is probably what I'll do as it seems like the path of least resistance. I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
I think maybe he should just airgap his machines, running on their own isolated power sources.. Connecting to the power grid is a "risk" hehehe Should prob do this all inside a Faraday Cage to be "extra" secure ;) And then just sneaker net anything he wants on encrypted disks to be extra secure.. Then after each transfer destroy the disks..
Make sure you do this in your basement (your bomb shelter prob a good choice here) so they can not bounce any lasers off your windows and pick up keystrokes or audio, etc.
Here is what I am talking about with a tor bridge..
https://www.torproject.org/docs/bridges.html.en#BridgeIntroduction
Here are 3 bridges I found from the bridges DB:
50.39.170.81:443 1B39EA619A2514BD1DBEB75836610E1D5CED13FC
45.55.52.78:8443 F0E2B678833F42E92F9C1F8E697FCD862463E85E
73.245.116.148:443 8A4541FB62E7B2ACE14270E42513C605C06BDDD3
Set up those IPs to be allowed, block all others. Make sure your tor client is set up to use those bridge IPs only and ports say 443. At pfsense block all other traffic..
Are you sure that would work? wouldn't that block the nodes on Tor or would I have to allow all traffic coming from both sources that are involved with that IP? In other words wouldn't it also block every website or connection visited if the ONLY traffic that can pass through are bridges? or would it all look (to pfSense at least) that all the traffic is coming through those bridges? A little confused to be honest.
(if that's how it works, could I do the same with the VPN connection I'm running my network through if I have an alias of the IP's that the VPN connects to?)
Thanks to all who reply and answer my inane questions, still learning.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.
The only way you could do that would be to use VLANs back to the ISP somehow. But then they'd probably want to charge you twice.
You can use two pfSense firewalls exactly as you've outlined there. It will work fine.
It's unnecessary IMO and it makes creating connections between the subnets far harder if you ever have to. I have worked with a few people who had exactly that setup and ended up with all sorts of crazy port forwards etc...
But there is some merit in it. If you have an internal machine compromised the attack surface against the LAN is that much bigger than the WAN of the other firewall.
Yes with tunneled traffic like that the destination IP of the tunnel traffic itself is always the other tunnel end point so you can allow that only.
Steve
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
Are you sure that would work? wouldn't that block the nodes on Tor
Yeah I am sure it will work - I have been doing this for 30+ years.. Doesn't matter what hops you hit after.. Before you get all worked up about security.. It's normally a good idea to understand the basics before how to secure it ;)
What exactly is your tinfoil hat worried about here? You're worried about something phoning home? You're worried about your ISP seeing what traffic?
Your firewall is at the edge, if you only allow ip address to go to IP xyz on port abc - this is ALL that will be allowed no matter what you do on the client..
Blocking outbound is not something you normally have to worry about.. IF your box is compromised it's already too late!! You should be more worried about what code you exe on your box vs what ports it can go outbound on...
Maybe it's time to stop watching Mr Robot, and smoking that stuff that makes you paranoid ;)
Isolating devices from talking to each other on your local lan is as simple as a decent switch and private vlans.. Or run host firewalls on each device, or just simply isolate your trusted devices from your untrusted devices on different vlans. For example my iot devices are NOT on the same vlan as my nas and PC... They can NOT create unsolicited traffic to any other network locally.. And I log everything they do outbound - so I know if they start phoning home to china for example.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
- The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.
It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.
And the final VPN is most likely the first target, as this is the one visible to your peers.
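The point grimson makes above (the last tunnel endpoint has to see the plaintext, however many tunnels are nested in front of it) is easy to see with a toy model. The following is an added illustration written for this thread, not code from any poster or from pfSense, OpenVPN or Tor. It wraps a payload in one encryption layer per hop, lets each hop peel only its own layer, and records what each hop can see. The cipher is a constructed SHA-256 keyed XOR stream chosen only so the script runs with the standard library (it is not a real VPN cipher), and the hop names, keys, destination and payload are made-up sample values.

```python
"""Toy model of chained tunnels: who sees what at each hop.

Added illustration for the thread above, not code from the original posts.
Cipher, hop names, keys and payload are all constructed sample values.
"""
import hashlib
import json


def keystream(key: bytes, length: int) -> bytes:
    """Constructed keystream: SHA-256 over key||counter (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR stream cipher: identical operation in both directions


def wrap_for_chain(hops, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload so each hop can peel only its own layer.

    hops: list of (hop_name, key), first hop to last hop.
    The innermost layer (destination + plaintext) is encrypted to the LAST hop,
    because that hop must deliver the traffic to the real destination.
    """
    inner = json.dumps({"next": destination, "payload": payload.decode()}).encode()
    blob = encrypt(hops[-1][1], inner)
    # Wrap outward: hop i learns only hop i+1's name and an opaque blob.
    for (name, key), (next_name, _) in zip(reversed(hops[:-1]), reversed(hops[1:])):
        layer = json.dumps({"next": next_name, "blob": blob.hex()}).encode()
        blob = encrypt(key, layer)
    return blob


def hop_process(name: str, key: bytes, blob: bytes) -> dict:
    """What one hop sees after peeling its own layer."""
    layer = json.loads(decrypt(key, blob))
    if "payload" in layer:
        # Last hop: it necessarily sees the real destination and the plaintext.
        return {"hop": name, "sees_destination": layer["next"],
                "sees_plaintext": layer["payload"], "forward": None}
    # Intermediate hop: only the next hop's name and an opaque blob.
    return {"hop": name, "sees_destination": layer["next"],
            "sees_plaintext": None, "forward": bytes.fromhex(layer["blob"])}


def run_chain(hops, destination: str, payload: bytes) -> list:
    """Push one wrapped message through every hop and collect each hop's view."""
    blob = wrap_for_chain(hops, destination, payload)
    views = []
    for name, key in hops:
        view = hop_process(name, key, blob)
        views.append(view)
        blob = view["forward"]
    return views


# Constructed sample chain: three nested tunnels, like "VPN -> VPN -> VPN".
SAMPLE_HOPS = [("vpn-1", b"key-for-vpn-1"),
               ("vpn-2", b"key-for-vpn-2"),
               ("vpn-3", b"key-for-vpn-3")]

if __name__ == "__main__":
    for view in run_chain(SAMPLE_HOPS, "example.test", b"hello"):
        print(view["hop"], "->", view["sees_destination"],
              "plaintext:", view["sees_plaintext"])
```

Run as written, the first two hops report `plaintext: None` and the last reports the destination and `hello`; adding more hops to `SAMPLE_HOPS` only moves that last line further down the list. What changes with extra hops is how many parties must cooperate to link the sender to the destination, not whether the final endpoint (and the destination's own logs) see the traffic.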
-
@stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.
The only way you could do that would be to use VLANs back to the ISP somehow. But then they'd probably want to charge you twice.
You can use two pfSense firewalls exactly as you've outlined there. It will work fine.
It's unnecessary IMO and it makes creating connections between the subnets far harder if you ever have to. I have worked with a few people who had exactly that setup and ended up with all sorts of crazy port forwards etc...
But there is some merit in it. If you have an internal machine compromised the attack surface against the LAN is that much bigger than the WAN of the other firewall.
Yes with tunneled traffic like that the destination IP of the tunnel traffic itself is always the other tunnel end point so you can allow that only.
Steve
Yeah, I'm probably going to use the same network cable to modem but then have that cable connected to a switch and have 2 separate pfSense firewalls running off it, one for Tor only and one for regular browsing. Both locked down as hard as I can.
I don't see myself ever needing to communicate between the subnets at all so I'm not that concerned, But would one of the machines on pfSense device one be able to see a machine or the firewall of pfSense device 2? If so that wrecks my plans.
Also when I have my current OpenVPN connection (which all network traffic is currently running through) I can see that my machine is connecting to IPs that come from everywhere and loads of websites, why doesn't it just show endless connections between my OVPN connection and my machine? How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
Are you sure that would work? wouldn't that block the nodes on Tor
Yeah I am sure it will work - I have been doing this for 30+ years.. Doesn't matter what hops you hit after.. Before you get all worked up about security.. It's normally a good idea to understand the basics before how to secure it ;)
What exactly is your tinfoil hat worried about here? You're worried about something phoning home? You're worried about your ISP seeing what traffic?
Your firewall is at the edge, if you only allow ip address to go to IP xyz on port abc - this is ALL that will be allowed no matter what you do on the client..
Blocking outbound is not something you normally have to worry about.. IF your box is compromised it's already too late!! You should be more worried about what code you exe on your box vs what ports it can go outbound on...
Maybe it's time to stop watching Mr Robot, and smoking that stuff that makes you paranoid ;)
Isolating devices from talking to each other on your local lan is as simple as a decent switch and private vlans.. Or run host firewalls on each device, or just simply isolate your trusted devices from your untrusted devices on different vlans. For example my iot devices are NOT on the same vlan as my nas and PC... They can NOT create unsolicited traffic to any other network locally.. And I log everything they do outbound - so I know if they start phoning home to china for example.
Well as passive-aggressive as that "know the basics" comment was I agree completely. I'm not going to pretend to be better than I am, I don't have anywhere near the experience that you and most other members of the forum have but I am trying to learn. I don't understand everything yet, I'm trying but sometimes when you're stuck with a certain concept you just need to go over it again and again until it clicks, topics like these have always been a "weak spot" for me. If you have any resources that I could learn from (other than the 2 Certs mentioned above) then I would be grateful to look through them, googling "networking fundamentals" casts a wide net and I just don't have the time currently.
I'm trying to learn a few things (such as networking, pen testing, malware analysis, forensics etc) but I can't do that unless I know I'm secure. Over the next few months I'm planning to learn (and eventually take) the CCNP and CISSP as side-projects to understand more of the fundamentals of these topics but for now I'll have to rely on the knowledge of people such as yourself and Steve to help me while I learn.
It's not a tinfoil hat so much as I just want to learn how to secure something to the highest degree, it will also be useful from an educational standpoint. If I have one network that only needs to use Tor I'm not sure why I shouldn't do everything I can to protect it, same goes for the "normal" network. I'm not worried about the ISP very much (the end-to-end encryption of the VPN handles that if I believe correctly) however phoning home and people being able to scan and compromise a machine on my network is what I'm worried about.
About only specific ports it was my understanding that applications, services and connections use a random port each time (my device has connections on random ports, like 5999 or 8264 etc) How would I know what ports would be ok to use and what ones should be blocked. Also don't the majority of malware operate on port 80 as it's the most common port anyway? rendering blocking ports more-or-less useless?
I don't do drugs but I have watched most of Mr Robot and while I did love the show it did scare me a bit.
I think I've already isolated them from communicating (I have a custom Suricata rule that denies all traffic going anywhere in the internal network from any direction). I just want a more absolute way of ensuring that.
Lastly, I'm sure this comes with as much experience as you have but I'm a little stuck on how to analyse the traffic going out of my pfSense device, I can do IP lookups to see where it's going to however I often have no idea if that's a server owned by the service provider, software company or if it's been compromised and it's calling home. Is there any course or materials directed at understanding network traffic analysis more? I would love to learn more about it.
@grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
- The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.
It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.
And the final VPN is most likely the first target, as this is the one visible to your peers.
This just baffles me. Once the endpoint (lets say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?
Take the example of Tor being used with 2 VPN's vs 1 VPN:
1 VPN Connection:
-> Honeypot server -> They break Tor somehow or get malware onto the machine -> VPN IP -> My IP
2 VPN connections:
-> Honeypot server -> They break Tor or exploit the machine -> 2nd VPN connection IP -> They have the VPN provider logs -> 1st VPN connection -> My IP
Isn't having more VPNs more secure than only 1 because if they were to own the 1st VPN country wouldn't the IP appear as the IP of another VPN country? creating another obstacle for them to overcome?
(The data being sent through the tunnel should be encrypted regardless so only me, the 1st connection and the endpoint should be able to see its contents, but it's not that sensitive, more need it to be anonymous than secret.)
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
This just baffles me. Once the endpoint (lets say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?
Yes. But you are also a customer of that VPN provider and they have, at least, some payment information from you.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?
Tor security issues aside.... that is a whole other subject!
Where are you 'looking' at that traffic? What traffic are you seeing?
If it's anything other than OpenVPN UDP traffic on the port specified and you're seeing that on the WAN side of the firewall then that is traffic outside the VPN which you probably don't want.
Steve
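Steve's check above (anything on the WAN side that is not OpenVPN UDP to the configured server and port is traffic outside the tunnel) and his earlier remark that the tunnel's outer destination is always the other tunnel endpoint can be turned into a small leak audit over a packet capture. The script below is an added example written for this thread, not code from any poster or from pfSense; it parses tcpdump-style lines from a WAN capture and flags every flow that is not the tunnel itself. The capture lines, the WAN address (203.0.113.10), the VPN server address (198.51.100.5) and the assumption that the tunnel runs on UDP 1194 are all constructed for the example; substitute your own capture and endpoint.

```python
"""Flag WAN-side traffic that is not the VPN tunnel itself.

Added example for the thread above, not pfSense or OpenVPN code.
Addresses, port and capture lines are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WAN_IP = "203.0.113.10"      # constructed: the firewall's WAN address
VPN_SERVER = "198.51.100.5"  # constructed: the VPN provider's endpoint
VPN_PORT = 1194              # assumption for this example: OpenVPN over UDP 1194

# Matches the "ts IP a.b.c.d.port > e.f.g.h.port: rest" shape of tcpdump output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one tcpdump line; returns None for non-IP lines (ARP, etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "udp"
    elif "Flags [" in rest:
        proto = "tcp"
    else:
        proto = "other"  # e.g. DNS lines, which tcpdump decodes without a "UDP" prefix
    return Flow(m.group("ts"), proto, m.group("src"), int(m.group("sport")),
                m.group("dst"), int(m.group("dport")))


def is_tunnel_traffic(flow: Flow) -> bool:
    """True only for UDP between our WAN address and the VPN server on the VPN port."""
    endpoints = {flow.src, flow.dst}
    return (flow.proto == "udp"
            and endpoints == {WAN_IP, VPN_SERVER}
            and VPN_PORT in (flow.sport, flow.dport))


def find_leaks(lines: List[str]) -> List[Flow]:
    """Every parsed flow on the WAN that is not the tunnel is a potential leak."""
    flows = [f for f in (parse_line(l) for l in lines) if f is not None]
    return [f for f in flows if not is_tunnel_traffic(f)]


# Constructed sample capture: two tunnel packets, one plain HTTPS SYN, one plain DNS query.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 203.0.113.10.51820 > 198.51.100.5.1194: UDP, length 120",
    "12:00:01.100000 IP 203.0.113.10.44321 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000000 IP 203.0.113.10.55555 > 8.8.8.8.53: 1234+ A? example.com. (29)",
    "12:00:02.500000 IP 198.51.100.5.1194 > 203.0.113.10.51820: UDP, length 96",
    "12:00:03.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28",
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE):
        print(f"LEAK {leak.ts} {leak.proto} {leak.src}:{leak.sport} -> {leak.dst}:{leak.dport}")
```

On pfSense the input would come from Diagnostics > Packet Capture on the WAN interface, or `tcpdump -n -i <wan>` from the shell. Expect a few legitimate non-tunnel flows at boot (the DNS lookup that resolves the VPN server's hostname, NTP) and add those to the check deliberately rather than ignoring the report; anything else listed is traffic bypassing the kill switch.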
-
@grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
This just baffles me. Once the endpoint (lets say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?
Yes. But you are also a customer of that VPN provider and they have, at least, some payment information from you.
Yeah, the financial side doesn't link back to me, thanks.
@stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?
Tor security issues aside.... that is a whole other subject!
Where are you 'looking' at that traffic? What traffic are you seeing?
If it's anything other than OpenVPN UDP traffic on the port specified and you're seeing that on the WAN side of the firewall then that is traffic outside the VPN which you probably don't want.
Steve
Yeah, don't want to get scared by that just yet. I want to sleep well for a bit at least :)
The traffic that I'm looking at is on the index of pfSense itself. It will say something like 192.168.1.200 -> random IP (not NordVPN). How is it seeing that? Also about ports specified. I'm not sure that I can do that as it seems to be using random ports, like applications and while I still use windows there's no way I could micro-manage that to the level that I feel comfortable.
All the traffic is on LAN going through the OVPN interface, WAN is 100% blocked. I set up the "internet kill switch" with the help of NordVPN support.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
It will say something like 192.168.1.200 -> random IP (not NordVPN).
So you're looking at pfsense state table.. Yeah if your client is going to google, ie its dest IP is 8.8.8.8 for example... Then yeah that is what the statetable in pfsense would show.. How pfsense gets traffic to 8.8.8.8 is the part you're not looking at.. Normally pfsense would drop that traffic on its wan, to its gateway. In the case of vpn.. it throws it out its vpn interface..
-
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
It will say something like 192.168.1.200 -> random IP (not NordVPN).
So you're looking at pfsense state table.. Yeah if your client is going to google, ie its dest IP is 8.8.8.8 for example... Then yeah that is what the statetable in pfsense would show.. How pfsense gets traffic to 8.8.8.8 is the part you're not looking at.. Normally pfsense would drop that traffic on its wan, to its gateway. In the case of vpn.. it throws it out its vpn interface..
So it's still encrypting it through the VPN connection right?
Also I'm wondering if I can restrict access to the pfSense login screen to a specific IP? I could change the password but I only really want to access it from a secure computer.
Also if I used a switch after my modem and had 2 separate pfSense devices would that essentially create 2 different networks? Could they still attack each other?
-
Yes it would be encrypting it.. If you want to see what is leaving your wan - just do a packet capture on your wan interface.. That will show you ALL traffic pfsense is getting from or putting on the wire..
You want to restrict access to the web gui from where? From the lan you would need to disable the anti-lockout rule.. And then put in appropriate rules to allow from where you want and block from everywhere else.
Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.
There would be a common transit network between your pfsense boxes and your modem... But no devices from behind pfsense 1 could talk to devices behind pfsense 2... You seem to lack the basics of understanding between layer 2 and layer 3.. For something to talk to devices behind the other pfsense it would be no different than them wanting to talk to say devices behind my pfsense.. You would have to know my public IP.. And I would have had to forward the traffic to my device behind pfsense.
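Two of johnpoz's points in this thread, the egress rule set that allows only the quoted bridge addresses on 443 and blocks everything else, and the GUI restriction that needs the anti-lockout rule disabled and then relies on top-down first-match evaluation, can be checked before touching a live firewall with a small rule-set evaluator. The script below is an added example written for this thread, not pfSense code and not pf syntax; it models a LAN rule list in first-match order and evaluates sample packets against it. The `TorBridges` alias holds the three bridge addresses quoted above; the firewall's LAN address (192.168.1.1), the trusted admin workstation (192.168.1.10), the rule names and the test packets are constructed for the example.

```python
"""First-match evaluation of a pfSense-style LAN rule list.

Added example for the thread above, not pfSense code. Aliases other than
TorBridges, rule names and packets are constructed sample values.
"""
import ipaddress
from typing import List, Tuple

# Aliases: name -> list of addresses/networks. TorBridges are the three
# bridge IPs quoted in the thread; the other two are constructed.
ALIASES = {
    "TorBridges": ["50.39.170.81", "45.55.52.78", "73.245.116.148"],
    "ThisFirewall": ["192.168.1.1"],   # constructed: pfSense LAN address
    "AdminHost": ["192.168.1.10"],     # constructed: the one box allowed into the GUI
}


def rule(name, action, proto="any", src="any", dst="any", dport=None):
    """Build one rule; src/dst are 'any', an alias name, an IP or a CIDR."""
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


# LAN rule list in evaluation order. The built-in anti-lockout rule is assumed
# disabled (otherwise it would sit above these and allow all LAN hosts into the GUI).
LAN_RULES = [
    rule("admin to GUI", "pass", "tcp", "AdminHost", "ThisFirewall", 443),
    rule("everyone else off the GUI", "block", "any", "any", "ThisFirewall", 443),
    rule("tor client to bridges", "pass", "tcp", "192.168.1.0/24", "TorBridges", 443),
    rule("block and log everything else", "block"),
]


def _match_addr(spec: str, ip: str) -> bool:
    """Does address ip fall inside spec ('any', alias name, IP or CIDR)?"""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    nets = ALIASES.get(spec, [spec])
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules: List[dict], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Top-down, first matching rule wins; no match falls to pf's default deny."""
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if not _match_addr(r["src"], src) or not _match_addr(r["dst"], dst):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["name"]
    return "block", "default deny"


# Constructed sample packets: (proto, src, dst, dport)
SAMPLE_PACKETS = [
    ("tcp", "192.168.1.10", "192.168.1.1", 443),    # admin box to the GUI
    ("tcp", "192.168.1.50", "192.168.1.1", 443),    # any other LAN host to the GUI
    ("tcp", "192.168.1.50", "50.39.170.81", 443),   # tor client to a bridge
    ("tcp", "192.168.1.50", "50.39.170.81", 80),    # same bridge, wrong port
    ("udp", "192.168.1.50", "8.8.8.8", 53),         # stray DNS to the internet
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, name = evaluate(LAN_RULES, *pkt)
        print(f"{pkt!s:45} -> {action:5} ({name})")
```

Order is the whole point: swapping the first two rules puts the block above the admin pass, and the admin host is locked out along with everyone else. Keep the GUI pass rule above the GUI block, and keep the final catch-all block last, exactly as the evaluator (and pf) would read them.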
-
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
Yes it would be encrypting it.. If you want to see what is leaving your wan - just do a packet capture on your wan interface.. That will show you ALL traffic pfsense is getting from or putting on the wire..
You want to restrict access to the web gui from where? From the lan you would need to disable the anti-lockout rule.. And then put in appropriate rules to allow from where you want and block from everywhere else.
Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.
There would be a common transit network between your pfsense boxes and your modem... But no devices from behind pfsense 1 could talk to devices behind pfsense 2... You seem to lack the basics of understanding between layer 2 and layer 3.. For something to talk to devices behind the other pfsense it would be no different than them wanting to talk to say devices behind my pfsense.. You would have to know my public IP.. And I would have had to forward the traffic to my device behind pfsense.
So just saying, you could have said "look into the OSI model more; specifically layer 2 and 3" instead of "you seem to lack the basic understanding", there's no need to belittle me.
Apart from that I think everything's done for now. I'll make another thread if I have any more problems with the actual application of these plans. Thanks everyone for the help.
-
@grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
- The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.
It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.
And the final VPN is most likely the first target, as this is the one visible to your peers.
^^---This. You are only as secure as your weakest point. Once it leaves your network, assume it's insecure. You can do your best to put a nice thick wrapper around it, but as noted, it must be unwrapped at some point.
Read the history of how the FBI tracked down the Silk Road admin. Tor isn't a safe silver bullet. Many people who set up Tor nodes have no idea what they're doing, and they are not any kind of system/network admin. All you need is one horribly configured exit node and you're screwed. And there are a lot of them out there.
-
Couldn't agree more. At its core Tor is just a couple of proxies; a couple of ISP's to "strong-arm" and they've got you.
I'm attempting to implement some security practices that make it a lot harder. More specifically 2 end-to-end encryption tunnels (via 2 different "reputable" VPNs) and hopefully one of the Raspberry Pi devices that turn a Tor connection into a network connection, essentially meaning that I will have 8 hops rather than 3.
The data itself is rarely ever sensitive in nature.