4 questions (Network segmentation, VPN Routing, Tor and Security in general)
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.
The only way you could do that would be to use VLANs back to the ISP somehow. But then they'd probably want to charge you twice.
You can use two pfSense firewalls exactly as you've outlined there. It will work fine.
It's unnecessary IMO and it makes creating connections between the subnets far harder if you ever have to. I have worked with a few people who had exactly that setup and ended up with all sorts of crazy port forwards etc...
But there is some merit in it. If you have an internal machine compromised the attack surface against the LAN is that much bigger than the WAN of the other firewall. Yes, with tunneled traffic like that the destination IP of the tunnel traffic itself is always the other tunnel end point so you can allow that only.
Steve
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
Are you sure that would work? wouldn't that block the nodes on Tor
Yeah I am sure it will work - I have been doing this for 30+ years.. Doesn't matter what hops you hit after.. Before you get all worked up about security.. It's normally a good idea to understand the basics before how to secure it ;)
What exactly is your tinfoil hat worried about here? You're worried about something phoning home? You're worried about your ISP seeing what traffic?
Your firewall is at the edge, if you only allow ip address to go to IP xyz on port abc - this is ALL that will be allowed no matter what you do on the client..
Blocking outbound is not something you normally have to worry about.. IF your box is compromised it's already too late!! You should be more worried about what code you exe on your box vs what ports it can go outbound on...
Maybe it's time to stop watching Mr Robot, and smoking that stuff that makes you paranoid ;)
Isolating devices from talking to each other on your local lan is as simple as a decent switch and private vlans.. Or run host firewalls on each device, or just simply isolate your trusted devices from your untrusted devices on different vlans. For example my iot devices are NOT on the same vlan as my nas and PC... They can NOT create unsolicited traffic to any other network locally.. And I log everything they do outbound - so I know if they start phoning home to china for example.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
- The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.
It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.
And the final VPN is most likely the first target, as this is the one visible to your peers.
-
@stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.
The only way you could do that would be to use VLANs back to the ISP somehow. But then they'd probably want to charge you twice.
You can use two pfSense firewalls exactly as you've outlined there. It will work fine.
It's unnecessary IMO and it makes creating connections between the subnets far harder if you ever have to. I have worked with a few people who had exactly that setup and ended up with all sorts of crazy port forwards etc...
But there is some merit in it. If you have an internal machine compromised the attack surface against the LAN is that much bigger than the WAN of the other firewall. Yes, with tunneled traffic like that the destination IP of the tunnel traffic itself is always the other tunnel end point so you can allow that only.
Steve
Yeah, I'm probably going to use the same network cable to modem but then have that cable connected to a switch and have 2 separate pfSense firewalls running off it, one for Tor only and one for regular browsing. Both locked down as hard as I can.
I don't see myself ever needing to communicate between the subnets at all so I'm not that concerned, But would one of the machines on pfSense device one be able to see a machine or the firewall of pfSense device 2? If so that wrecks my plans.
Also when I have my current OpenVPN connection (which all network traffic is currently running through) I can see that my machine is connecting to IPs that come from everywhere and loads of websites, why doesn't it just show endless connections between my OVPN connection and my machine? How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
Are you sure that would work? wouldn't that block the nodes on Tor
Yeah I am sure it will work - I have been doing this for 30+ years.. Doesn't matter what hops you hit after.. Before you get all worked up about security.. It's normally a good idea to understand the basics before how to secure it ;)
What exactly is your tinfoil hat worried about here? You're worried about something phoning home? You're worried about your ISP seeing what traffic?
Your firewall is at the edge, if you only allow ip address to go to IP xyz on port abc - this is ALL that will be allowed no matter what you do on the client..
Blocking outbound is not something you normally have to worry about.. IF your box is compromised it's already too late!! You should be more worried about what code you exe on your box vs what ports it can go outbound on...
Maybe it's time to stop watching Mr Robot, and smoking that stuff that makes you paranoid ;)
Isolating devices from talking to each other on your local lan is as simple as a decent switch and private vlans.. Or run host firewalls on each device, or just simply isolate your trusted devices from your untrusted devices on different vlans. For example my iot devices are NOT on the same vlan as my nas and PC... They can NOT create unsolicited traffic to any other network locally.. And I log everything they do outbound - so I know if they start phoning home to china for example.
Well as passive-aggressive as that "know the basics" comment was I agree completely. I'm not going to pretend to be better than I am, I don't have anywhere near the experience that you and most other members of the forum have but I am trying to learn. I don't understand everything yet, I'm trying but sometimes when you're stuck with a certain concept you just need to go over it again and again until it clicks, topics like these have always been a "weak spot" for me. If you have any resources that I could learn from (other than the 2 Certs mentioned above) then I would be grateful to look through them, googling "networking fundamentals" casts a wide net and I just don't have the time currently.
I'm trying to learn a few things (such as networking, pen testing, malware analysis, forensics etc) but I can't do that unless I know I'm secure. Over the next few months I'm planning to learn (and eventually take) the CCNP and CISSP as side-projects to understand more of the fundamentals of these topics but for now I'll have to rely on the knowledge of people such as yourself and Steve to help me while I learn.
It's not a tinfoil hat so much as I just want to learn how to secure something to the highest degree, it will also be useful from an educational standpoint. If I have one network that only needs to use Tor I'm not sure why I shouldn't do everything I can to protect it, same goes for the "normal" network. I'm not worried about the ISP very much (the end-to-end encryption of the VPN handles that if I believe correctly) however phoning home and people being able to scan and compromise a machine on my network is what I'm worried about.
About only specific ports, it was my understanding that applications, services and connections use a random port each time (my device has connections on random ports, like 5999 or 8264 etc). How would I know what ports would be ok to use and what ones should be blocked? Also don't the majority of malware operate on port 80 as it's the most common port anyway? Rendering blocking ports more-or-less useless?
I don't do drugs but I have watched most of Mr Robot and while I did love the show it did scare me a bit.
I think I've already isolated them from communicating (I have a custom Suricata rule that denies all traffic going anywhere in the internal network from any direction). I just want a more absolute way of ensuring that.
Lastly, I'm sure this comes with as much experience as you have but I'm a little stuck on how to analyse the traffic going out of my pfSense device, I can do IP lookups to see where it's going to however I often have no idea if that's a server owned by the service provider, software company or if it's been compromised and it's calling home. Is there any course or materials directed at understanding network traffic analysis more? I would love to learn more about it.
@grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
- The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.
It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.
And the final VPN is most likely the first target, as this is the one visible to your peers.
This just baffles me. Once the endpoint (let's say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?
Take the example of Tor being used with 2 VPNs vs 1 VPN:
1 VPN connection:
-> Honeypot server -> They break Tor somehow or get malware onto the machine -> VPN IP -> My IP
2 VPN connections:
-> Honeypot server -> They break Tor or exploit the machine -> 2nd VPN connection IP -> They have the VPN provider logs -> 1st VPN connection -> My IP
Isn't having more VPNs more secure than only 1 because if they were to own the 1st VPN country wouldn't the IP appear as the IP of another VPN country? creating another obstacle for them to overcome?
(The data being sent through the tunnel should be encrypted regardless so only me, the 1st connection and the endpoint should be able to see its contents, but it's not that sensitive, more need it to be anonymous than secret.)
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
This just baffles me. Once the endpoint (let's say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?
Yes. But you are also a customer of that VPN provider and they have, at least, some payment information from you.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?
Tor security issues aside.... that is a whole other subject!
Where are you 'looking' at that traffic? What traffic are you seeing?
If it's anything other than OpenVPN UDP traffic on the port specified and you're seeing that on the WAN side of the firewall then that is traffic outside the VPN which you probably don't want.
Steve
-
@grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
This just baffles me. Once the endpoint (let's say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?
Yes. But you are also a customer of that VPN provider and they have, at least, some payment information from you.
Yeah, the financial side doesn't link back to me, thanks.
@stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?
Tor security issues aside.... that is a whole other subject!
Where are you 'looking' at that traffic? What traffic are you seeing?
If it's anything other than OpenVPN UDP traffic on the port specified and you're seeing that on the WAN side of the firewall then that is traffic outside the VPN which you probably don't want.
Steve
Yeah, don't want to get scared by that just yet. I want to sleep well for a bit at least :)
The traffic that I'm looking at is on the index of pfSense itself. It will say something like 192.168.1.200 -> random IP (not NordVPN). How is it seeing that? Also about ports specified. I'm not sure that I can do that as it seems to be using random ports, like applications and while I still use windows there's no way I could micro-manage that to the level that I feel comfortable.
All the traffic is on LAN going through the OVPN interface, WAN is 100% blocked. I set up the "internet kill switch" with the help of NordVPN support.
-
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
It will say something like 192.168.1.200 -> random IP (not NordVPN).
So you're looking at the pfsense state table.. Yeah if your client is going to google, ie its dest IP is 8.8.8.8 for example... Then yeah that is what the statetable in pfsense would show.. How pfsense gets traffic to 8.8.8.8 is the part you're not looking at.. Normally pfsense would drop that traffic on its wan, to its gateway. In the case of vpn.. it throws it out its vpn interface..
-
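To make johnpoz's state-table point and grimson's "it still has to decrypt at the end" point concrete, here is an added simulation that is not from the thread or from pfSense: a client wraps one packet in two VPN layers, each hop peels one layer, and we record what every party can see. The XOR keystream "cipher", the hop addresses (documentation ranges), the WAN address and the payload are all constructed stand-ins; only 192.168.1.200 and 8.8.8.8 come from the thread. The `pfsense_views` function shows why the state table lists `192.168.1.200 -> 8.8.8.8` (the inner header, routed before encapsulation) while a capture on WAN shows only `WAN -> first VPN`.

```python
import hashlib
import json

# Constructed example. The "cipher" is a toy XOR keystream standing in for the
# real OpenVPN data channel; it is NOT secure and exists only so that each hop
# can peel exactly one layer.

def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def seal(hop_ip: str, key: bytes, inner: bytes) -> bytes:
    """One tunnel layer: an outer header addressed to hop_ip plus ciphertext."""
    return json.dumps({"tunnel_dst": hop_ip, "ct": toy_xor(key, inner).hex()}).encode()


def client_send(hops, target_ip: str, payload: str) -> bytes:
    """Build the packet the client emits. hops = [(vpn_ip, shared_key), ...] in
    traversal order. The innermost layer belongs to the LAST hop, so wrapping
    starts there and works outward."""
    pkt = json.dumps({"dst": target_ip, "data": payload}).encode()
    for hop_ip, key in reversed(hops):
        pkt = seal(hop_ip, key, pkt)
    return pkt


def run_chain(client_ip: str, hops, target_ip: str, payload: str):
    """Walk the packet through each hop and record what that hop can observe."""
    pkt = client_send(hops, target_ip, payload)
    views, sender = [], client_ip
    for hop_ip, key in hops:
        layer = json.loads(pkt)
        if layer["tunnel_dst"] != hop_ip:
            raise ValueError("layer not addressed to this hop")
        inner = toy_xor(key, bytes.fromhex(layer["ct"]))
        decoded = json.loads(inner)
        if "tunnel_dst" in decoded:
            # Still wrapped for a later hop: this hop learns only who sent it
            # and which VPN comes next, never the real destination or data.
            views.append({"hop": hop_ip, "received_from": sender,
                          "forwards_to": decoded["tunnel_dst"], "sees_plaintext": False})
        else:
            # Last layer removed: this hop sees the real destination and the data,
            # however many VPNs sat in front of it.
            views.append({"hop": hop_ip, "received_from": sender,
                          "forwards_to": decoded["dst"], "sees_plaintext": True,
                          "data": decoded["data"]})
        sender, pkt = hop_ip, inner   # outbound NAT: the next node sees this hop as source
    final = json.loads(pkt)
    views.append({"hop": "target", "received_from": sender, "data": final["data"]})
    return views


def pfsense_views(client_ip: str, wan_ip: str, hops, target_ip: str, payload: str):
    """State table: the inner header pfSense routed into the VPN interface.
    WAN capture: only the outer tunnel header that actually hits the wire."""
    outer = json.loads(client_send(hops, target_ip, payload))
    return {"state_table": (client_ip, target_ip),
            "wan_capture": (wan_ip, outer["tunnel_dst"])}


# Constructed hops: first VPN 203.0.113.1, second VPN 198.51.100.1.
HOPS = [("203.0.113.1", b"vpn1-key"), ("198.51.100.1", b"vpn2-key")]

if __name__ == "__main__":
    for view in run_chain("192.168.1.200", HOPS, "8.8.8.8", "GET / HTTP/1.1"):
        print(view)
    print(pfsense_views("192.168.1.200", "192.0.2.10", HOPS, "8.8.8.8", "GET / HTTP/1.1"))
```

Running it shows the split grimson describes: the first VPN knows the client address but only forwards ciphertext, the last VPN never learns the client address but sees the real destination and the plaintext, and the target sees the last VPN as its peer. Adding hops only moves the point where plaintext appears; it never removes it.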
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
It will say something like 192.168.1.200 -> random IP (not NordVPN).
So you're looking at the pfsense state table.. Yeah if your client is going to google, ie its dest IP is 8.8.8.8 for example... Then yeah that is what the statetable in pfsense would show.. How pfsense gets traffic to 8.8.8.8 is the part you're not looking at.. Normally pfsense would drop that traffic on its wan, to its gateway. In the case of vpn.. it throws it out its vpn interface..
So it's still encrypting it through the VPN connection right?
Also I'm wondering if I can restrict access to the pfSense login screen to a specific IP? I could change the password but I only really want to access it from a secure computer.
Also if I used a switch after my modem and had 2 separate pfSense devices would that essentially create 2 different networks? Could they still attack each other?
-
Yes it would be encrypting it.. If you want to see what is leaving your wan - just do a packet capture on your wan interface.. That will show you ALL traffic pfsense is getting from or putting on the wire..
You want to restrict access to the web gui from where? From the lan you would need to disable the anti-lockout rule.. And then put in appropriate rules to allow from where you want and block from everywhere else.
Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.
There would be a common transit network between your pfsense boxes and your modem... But no devices from behind pfsense 1 could talk to devices behind pfsense 2... You seem to lack basics of understanding between layer 2 and layer 3.. For something to talk to devices behind the other pfsense it would be no different than them wanting to talk to say devices behind my pfsense.. You would have to know my public IP.. And I would have had to forward the traffic to my device behind pfsense.
-
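The "top down, first rule to trigger wins" behaviour and the anti-lockout replacement johnpoz describes are easy to get wrong by ordering alone, so here is an added model of that evaluation, written for this thread and not taken from pfSense's own code. `Rule`, `evaluate`, the address ranges and the rule sets are all constructed; `"self"` stands in for the GUI's "This Firewall (self)" destination, and the `log` flag for the per-rule logging option. It also covers johnpoz's earlier IoT VLAN point: a block rule to the trusted LAN placed above a logged pass-to-any rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of pfSense interface rules (real rules carry far more fields).


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    src: str                # CIDR or "any"
    dst: str                # CIDR, "any", or "self" (the firewall's own addresses)
    dport: Optional[int]    # None matches any destination port
    log: bool = False       # per-rule "log packets handled by this rule"


def _matches(spec: str, ip: str, self_ips) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return ip in self_ips
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str, dport: int, self_ips, default: str = "block"):
    """Top-down, first match wins (pfSense interface rules are 'quick').
    Returns (action, logged). No match falls through to the implicit default
    deny; whether that is logged is a separate global setting, modelled as False."""
    for r in rules:
        if (_matches(r.src, src, self_ips) and _matches(r.dst, dst, self_ips)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.log
    return default, False


# Constructed addresses: the firewall's interface IPs and the one admin PC.
FW_SELF = {"192.168.1.1", "192.168.20.1"}
ADMIN_PC = "192.168.1.10/32"

# LAN rules with the anti-lockout rule disabled: only the admin PC may reach
# the web GUI on 443; everyone else on LAN is blocked from it (and logged) but
# may still go out to the internet.
LAN_RULES = [
    Rule("pass", ADMIN_PC, "self", 443),
    Rule("block", "any", "self", 443, log=True),
    Rule("pass", "192.168.1.0/24", "any", None),
]

# The same three rules with the block moved to the top: first match wins, so
# the admin PC is now locked out as well.
LAN_RULES_WRONG_ORDER = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]

# IoT VLAN: nothing unsolicited to the trusted LAN or to the GUI; internet
# allowed but every new outbound state is logged so phone-home attempts show up.
IOT_RULES = [
    Rule("block", "192.168.20.0/24", "192.168.1.0/24", None, log=True),
    Rule("block", "192.168.20.0/24", "self", 443, log=True),
    Rule("pass", "192.168.20.0/24", "any", None, log=True),
]

if __name__ == "__main__":
    print(evaluate(LAN_RULES, "192.168.1.10", "192.168.1.1", 443, FW_SELF))
    print(evaluate(LAN_RULES_WRONG_ORDER, "192.168.1.10", "192.168.1.1", 443, FW_SELF))
    print(evaluate(IOT_RULES, "192.168.20.5", "192.168.1.50", 445, FW_SELF))
```

The wrong-order set is the classic way to lock yourself out when replacing the anti-lockout rule: the block-to-self rule matches the admin's packet before the pass rule is ever consulted. Keep the narrow pass above the broad block, and test from the admin host before closing the session you changed it from.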
@johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
Yes it would be encrypting it.. If you want to see what is leaving your wan - just do a packet capture on your wan interface.. That will show you ALL traffic pfsense is getting from or putting on the wire..
You want to restrict access to the web gui from where? From the lan you would need to disable the anti-lockout rule.. And then put in appropriate rules to allow from where you want and block from everywhere else.
Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.
There would be a common transit network between your pfsense boxes and your modem... But no devices from behind pfsense 1 could talk to devices behind pfsense 2... You seem to lack basics of understanding between layer 2 and layer 3.. For something to talk to devices behind the other pfsense it would be no different than them wanting to talk to say devices behind my pfsense.. You would have to know my public IP.. And I would have had to forward the traffic to my device behind pfsense.
So just saying, you could have said "look into the OSI model more; specifically layer 2 and 3" instead of "you seem to lack the basic understanding", there's no need to belittle me.
Apart from that I think everything's done for now. I'll make another thread if I have any more problems with the actual application of these plans. Thanks everyone for the help.
-
@grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
@mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):
- The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.
It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.
And the final VPN is most likely the first target, as this is the one visible to your peers.
^^---This. You are only as secure as your weakest point. Once it leaves your network, assume it's insecure. You can do your best to put a nice thick wrapper around it, but as noted, it must be unwrapped at some point.
Read the history of how the FBI tracked down the Silk Road admin. Tor isn't a safe silver bullet. Many people who set up Tor nodes have no idea what they're doing, and they are not any kind of system/network admin. All you need is one horribly configured exit node and you're screwed. And there are a lot of them out there.
-
Couldn't agree more. At its core Tor is just a couple of proxies; a couple of ISPs to "strong-arm" and they've got you.
I'm attempting to implement some security practices that make it a lot harder. More specifically 2 end-to-end encryption tunnels (via 2 different "reputable" VPNs) and hopefully one of the Raspberry Pi devices that turn a Tor connection into a network connection, essentially meaning that I will have 8 hops rather than 3.
The data itself is rarely ever sensitive in nature.