Netgate Discussion Forum

    How important is WAN protection in this case?

    Category: pfBlockerNG
    22 Posts 10 Posters 2.5k Views
    conor:

      Just a note. If your WAN connection has a data cap, say 10GB, then you need to be careful with which ports you expose and to whom. I have seen two cases of businesses with less than 20GB caps get stung by leaving the SSH port open; they were using certificate authentication so figured it wasn't at risk of a brute force breaking it. Some hacker found the SSH port and started brute-forcing it slowly from multiple IP addresses, and over the course of the month kept going and used up about 60% of their data cap.

      We got hired to check as the business owner was going nuts and wanted to know what was going on. He figured the ISP was screwing him.

      So in summary, what you use will depend on factors around your setup: what you're running, what your speeds are, etc. There is no one-size-fits-all answer. Think hard about the risks, rate them and their impact, and spend money/time accordingly.

      200+ pfSense installs - best firewall ever.

      Gertjan (replying to @conor):

        @conor said in How important is WAN protection in this case?:

        Just a note ......

        Your example is a rare case, but very valid. I've seen an identical situation where traffic existed, so said the ISP, and the quantity of traffic being used rose every day without an initial explanation.
        Then I had a close look at who was "knocking on the front door" ...

        When someone has to use such an ISP (concrete example: satellite connections), they shouldn't accept any connection from the outside. No exceptions.

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        coffeecup25:

          Thank you everyone for joining in. An article somewhere in the pfSense documentation that covers this idea more concisely would be great.

          This question is asked a lot and rarely answered as well as above. I researched it before asking here.

          I, too, started with pfSense years ago with the intention of adding security while playing with a new toy. Now with gigabit service so common I had to think it through a little better because I didn't want my router to be the most powerful computer in the house due to all the filtering that it was doing. I'm pretty charged up with having an i5 home server. My home network is a low-use system that has a lot of features because it is my hobby. No open ports other than OpenVPN. Going through OpenVPN is the only way to access the network from outside the home. Of course, a network with lots of open ports and/or lots of users with no special concerns, such as employees or members, would have much different security needs.

          Ad blocking may distress owners of websites, but sorry, not sorry. They have become so obnoxious that I feel no remorse getting rid of them with pfBlockerNG and, now, pi-hole. It's also a form of network security. A big one.

          coffeecup25 (replying to @Gertjan):

            @Gertjan said in How important is WAN protection in this case?:

            @conor said in How important is WAN protection in this case?:

            Just a note ......
            

            Your example is a rare case, but very valid. I've seen an identical situation where traffic existed, so said the ISP, and the quantity of traffic being used rose every day without an initial explanation.
            Then I had a close look at who was "knocking on the front door" ...

            When someone has to use such an ISP (concrete example: satellite connections), they shouldn't accept any connection from the outside. No exceptions.

            Good point. Unfortunately I suspect a lot of people find that out the hard way.

            JeGr, LAYER 8 Moderator (replying to @Gertjan):

              @Gertjan said in How important is WAN protection in this case?:

              @conor said in How important is WAN protection in this case?:

              Just a note ......
              

              Your example is a rare case, but very valid. I've seen an identical situation where traffic existed, so said the ISP, and the quantity of traffic being used rose every day without an initial explanation.
              Then I had a close look at who was "knocking on the front door" ...

              When someone has to use such an ISP (concrete example: satellite connections), they shouldn't accept any connection from the outside. No exceptions.

              To add to @conor and @Gertjan: one also has to remember that you can't change the traffic that will arrive on the WAN port. Yes, you can block it all, of course! But that doesn't mean a scan, an attempted DoS or any other repetitive connection won't cost you traffic anyway, as most providers will measure what enters/leaves your interface. An open SSH port will attract more attention, that's a given. But either way the "noise floor" of internet traffic/packets will be there, be it blocked or not. So one always has to remember that.

              Normally on such lines you should have a toggle or the possibility to block all incoming traffic on the provider side (or blackhole it and only allow perhaps a few IPs), but no ISP will likely give you that much power ;)

              It's always fascinating to install a new firewall with customers and show them the first few minutes of blocked packets. ;)

              Greets

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

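The two points made above (conor's metered link eaten by slow brute forcing, and JeGr's reminder that blocked packets still count against a cap because the ISP meters what reaches your interface) can be put in numbers from pfSense's own filter log. The script below is an added example, not code from the thread, from pfSense or from pfBlockerNG. It reads lines in the CSV layout documented for pfSense's raw filterlog, sums the IP length of every packet blocked inbound on the WAN, and projects that over a 30-day month against a cap. The interface name (igb0), the 10 GB cap, the one-hour window and the sample log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: estimate how much
# of a metered WAN allowance the "noise floor" of unsolicited, blocked inbound
# traffic consumes, from pfSense filterlog lines (the CSV layout documented
# for the raw filter log). Interface name, cap and window are assumptions.

WAN_IF="igb0"   # assumed WAN interface name

# Constructed sample lines in filterlog layout (not real traffic). Fields used:
# 5 interface, 7 action, 8 direction, 17 protocol, 18 IP total length,
# 19 source address, 22 destination port (TCP/UDP only).
SAMPLE_LOG='5,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.1,41234,22,0,S,1000,,65535,,mss;sackOK
5,,,1000000103,igb0,match,block,in,4,0x0,,48,0,0,DF,6,tcp,60,198.51.100.9,203.0.113.1,51000,22,0,S,2000,,8192,,mss
5,,,1000000103,igb0,match,block,in,4,0x0,,55,0,0,none,17,udp,78,198.51.100.7,203.0.113.1,5060,5060,58
5,,,1000000103,igb0,match,block,in,4,0x0,,113,0,0,DF,6,tcp,44,192.0.2.44,203.0.113.1,6000,3389,0,S,3000,,1024,,
101,,,1770000001,igb0,match,pass,in,4,0x0,,53,0,0,none,17,udp,60,192.0.2.10,203.0.113.1,1194,1194,40
4,,,1000000102,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,10.0.0.1,40000,445,0,S,4000,,65535,,mss
5,,,1000000103,igb0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.1,198.51.100.200,4444,25,0,S,5000,,65535,,mss'

# noise_floor CAP_GB HOURS  <  filterlog lines
# Sums the IP length of every packet blocked inbound on the WAN, projects it
# to a 30-day month and reports the share of the cap it would eat. Passed
# packets, other interfaces and outbound blocks are excluded on purpose: the
# point is the traffic you pay for even though the firewall drops it.
noise_floor() {
    awk -F, -v iface="$WAN_IF" -v cap_gb="$1" -v hours="$2" '
        BEGIN { if (hours <= 0) hours = 1 }            # guard the projection divisor
        $5 == iface && $7 == "block" && $8 == "in" {
            bytes += $18
            pkts++
            if (!($19 in seen)) { seen[$19] = 1; srcs++ }
            # port fields only exist for TCP/UDP; ICMP lines carry other data there
            if ($17 == "tcp" || $17 == "udp") port[$22]++
        }
        END {
            month_bytes = bytes * (720 / hours)          # scale the window to 30 days
            pct = 100 * month_bytes / (cap_gb * 1e9)
            printf "blocked_in_packets=%d blocked_in_bytes=%d unique_sources=%d\n", pkts, bytes, srcs
            printf "projected_30d_bytes=%.0f cap_share_pct=%.4f\n", month_bytes, pct
            for (p in port) printf "port_%s_hits=%d\n", p, port[p]
        }'
}

# One hour of the constructed log against an assumed 10 GB cap.
printf '%s\n' "$SAMPLE_LOG" | noise_floor 10 1
```

On a real box the input would be `clog /var/log/filter.log` or the syslog export blank mentions; the per-port lines show which exposed service draws the hits. Two caveats: the length field is the IP total length, so link-layer framing and whatever else the ISP meters are not included, and four packets an hour is harmless. The case conor describes is many sources retrying all month against one open port, and that is what the projection is meant to make visible early.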
              Gertjan:

                @coffeecup25 said in How important is WAN protection in this case?:

                This question is asked a lot and rarely answered ....

                I tend to say that this question should not exist. It's 'wrong'.
                pfSense defaults to the behavior that any firewall/router shows: no incoming connections without an initial outgoing state.
                This means the issue is solved for everybody, even for the rate-limited ones. No one will snoop on your expensive bytes.

                Now, when people decide to "open up some ports for incoming connections - connections initiated from the outside", then they should know that there is much more involved than just "NATting a port in their router and done".
                Every aspect of life, technical or not, should be questioned. If you don't, chances are good (read: guaranteed in this case) you pay the price.

                "NATting a port" is asking for incoming connections. Very close to incoming troubles ^^
                Up to the admin to ask himself: from who? From where? When? Etc.
                Not asking these questions, and not considering that consequences might exist (this last part is what makes the difference between us and other animals), is a common pitfall. It's a "learning" thing.

                No "help me" PMs please. Use the forum, the community will thank you.
                Edit: and where are the logs??

                blank:

                  Sorry to bump an old thread, but reading through it kind of opened up some questions.

                  I have 2 port forwarding rules plus OpenVPN, so 3 ports open to the internet.

                  For the SSH, it's protected by a key file.
                  OpenVPN: keyfile and username/password
                  But I also have my home control software running an HTTPS service, and will also run MQTT at some point.
                  (I do understand that keyfiles and secure passwords won't make everything 100% secure)

                  Now, I moved from UniFi to pfSense, as I actually wanted to use GeoIP blocking and Suricata.
                  But reading through this thread, it sounds like that really won't help!
                  But then what are the benefits of pfSense for me? They seem to be non-existent.

                  I export the syslog to Splunk, and I have between 5,000 and 15,000 incoming connections to my port forwarding rules.
                  Now, only about 100 of those connections are coming from my country.
                  I know that it only takes 1 "good" attack, but considering everything, shouldn't pfBlocker country pass and Suricata help with the attack scope?

                  What are more "correct" ways to protect yourself?

                  coffeecup25:

                    OpenVPN is probably ok. My security is similar to yours except that each user has their own certificate and the user ID corresponds to the device and certificate. Also, I use non-standard ports for OpenVPN (3 servers) and days go by without them being scanned.

                    I don't use SSH and if I did it would be over a LAN. Never the WAN.

                    Geoblocking is iffy but probably not bad. Shut down all countries except the US from inbound WAN. Then you only need to worry about VPNs and malicious US residents. In theory, you don't need it. In practice, it's belt and suspenders. You're using it to protect open ports. OpenVPN should be safe as described. If you forward ports, then you have something to protect.

                    I can't speak to home automation. When I start to use it I plan to put it on a separate VLAN with no regular network device access. I also plan to never use anything that calls home or requires a port forward. I think Z-Wave is local to the LAN. WiFi might also be the same.

                    Suricata will help with open ports. I used to use Snort but uninstalled it as I have no open ports except for OpenVPN. All access to everything remotely is via LAN after connecting with OpenVPN.

                    BBcan177, Moderator (replying to @blank):

                      @blank said in How important is WAN protection in this case?:

                      Now, I moved from UniFi to pfSense, as I actually wanted to use GeoIP blocking and Suricata.
                      But reading through this thread, it sounds like that really won't help!
                      But then what are the benefits of pfSense for me? They seem to be non-existent.
                      I export the syslog to Splunk, and I have between 5,000 and 15,000 incoming connections to my port forwarding rules.
                      Now, only about 100 of those connections are coming from my country.
                      I know that it only takes 1 "good" attack, but considering everything, shouldn't pfBlocker country pass and Suricata help with the attack scope?
                      What are more "correct" ways to protect yourself?

                      Each piece is a layer of security. To limit the open WAN ports you can define an alias with the IPs which are allowed to connect. If that is unmanageable, then add a GeoIP alias for only the countries that should be allowed to connect to those ports. The "block the world" approach is not recommended. GeoIP can lessen the hits on the open ports. Next would be to add IP blacklist(s) of known malicious IPs to be blocked. Following that, you could enable an IPS to block anything else. Check out pfBlockerNG-devel, which has an Integrated Feeds tab to help find suitable IP/DNSBL blocklists.

                      pfSense is going to block all unsolicited inbound traffic and only let open ports through.... However, that does nothing to help protect the outbound, which is by default wide open. So IP/DNSBL blocklists can block the known bad for outbound traffic... GeoIP can be hit/miss, but it all depends on what you want to accomplish and how conservative/aggressive you want to be with your network.

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

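The layering BBcan177 lays out (a small allowlist for admin services, a GeoIP alias for what must stay reachable from a wider area, a reputation blocklist evaluated ahead of everything, default deny for the rest, and the same blocklist applied to egress) is easier to reason about when written out as a pf ruleset. The fragment below is an added illustration, not the configuration pfSense generates and not anything posted in the thread: on pfSense all of this is built from GUI aliases and pfBlockerNG feeds, and pfBlockerNG maintains the table files itself. The interface name, table file paths, addresses and the OpenVPN port (UDP 1194) are assumptions.

```pf
# Added illustration, hand-written pf.conf, not pfSense-generated. Shows the
# rule ordering behind the layered approach described in the thread.
wan = "igb0"                                  # assumed WAN interface

# Layer 1: the handful of addresses allowed to reach admin services (SSH).
table <admin_hosts> { 198.51.100.10, 198.51.100.11 }
# Layer 2: GeoIP ranges for the countries that may reach the VPN port
# (file path assumed; pfBlockerNG keeps its alias tables on disk).
table <geoip_allowed> persist file "/var/db/aliastables/geoip_allowed.txt"
# Layer 3: known-malicious addresses from a reputation feed (path assumed).
table <ip_blacklist> persist file "/var/db/aliastables/ip_blacklist.txt"

set skip on lo0

# Default deny for anything on the WAN that no later rule passes. Logging it
# is what makes the "noise floor" visible in the filter log.
block in log on $wan

# The reputation feed comes first and is "quick", so a listed source is
# dropped even when it also falls inside a GeoIP range or the admin list.
block in log quick on $wan from <ip_blacklist> to any

# SSH is answered only for the admin allowlist; every other source never
# sees a SYN-ACK, so there is nothing to brute force. For a port forward to an
# internal host, the rdr rule would go above this and the pass rule would
# target that host instead of ($wan).
pass in quick on $wan proto tcp from <admin_hosts> to ($wan) port 22 \
    flags S/SA keep state

# OpenVPN stays reachable from the allowed countries only; key plus
# username/password authentication still applies inside the tunnel.
pass in quick on $wan proto udp from <geoip_allowed> to ($wan) port 1194 \
    keep state

# Outbound is wide open by default, so apply the same feed to egress before
# the catch-all pass: a compromised host on the LAN cannot reach listed IPs.
block out log quick on $wan from any to <ip_blacklist>
pass out on $wan keep state
```

The ordering is the whole point: without `quick`, pf uses the last matching rule, so a blocklist entry placed below the pass rules would never fire. `pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -t ip_blacklist -T test 203.0.113.5` shows whether a given address would hit the table. An IPS such as Suricata sits behind these rules and only ever sees the traffic they pass, which is why GeoIP and blocklists reduce its load rather than replace it.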
                      chrcoluk:

                        By all means keep the custom OpenVPN port; I find that practice reasonable. Bots and whatnot scanning services cause spam, and the problem is, if you get used to seeing that spam, then the one day you have a legitimate attempt on your security you are likely to ignore it, as you are just used to seeing daily spam. Which is why I use custom ports for non-public services a lot of the time.

                        On the question of things like Snort, I wouldn't bother in a situation where the one and only listening service is a private VPN server.

                        pfSense CE 2.7.2

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.