Netgate Discussion Forum

    Infection happened - what now?

    General pfSense Questions
    14 Posts 8 Posters 1.1k Views
    Sessa45

      Hi! I have a basic question:

      PfSense offers a few ways to ward off dangers. So far so good. But what happens when a PC / LAN is infected? Whichever way. How would I remember something? What measures can be taken with pfSense? Do you have some tips for me? :)

      Thank you and best regards :)

      stephenw10 (Netgate Administrator)

        Keep a backup of the config file locally. Use the Auto Config Backup to make sure you always have the latest config backed up.
        https://docs.netgate.com/pfsense/en/latest/backup/index.html#

        Keep a copy of the install media. You can write it out onto a USB drive and put a config on there so that re-installing, should you ever need to, is far easier.
        https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html

        If your firewall is ever taken down by a hardware failure or a failed update, or even just a bad config, recovery from that situation will be far easier with those things to hand.

        Steve

        Gertjan @Sessa45

          Hi,

          @Sessa45 said in Infection happened - what now?:

          But what happens when a PC / LAN is infected?

          Have a talk with the person that works with this PC. Using a PC "on the Internet" is something that should be learned.
          Check all other devices that are connected to the same LAN segment.
          Consider putting this device (PC, whatever) on a separate network so damage can't spread.

          @Sessa45 said in Infection happened - what now?:

          What measures can be taken with pfSense?

          Close to nothing.
          Most HTTP streams are HTTPS. So you, on pfSense, can't really see what someone on the LAN is downloading.
          Mails: same thing.
          pfBlockerNG-devel can help you block access to some known dangerous sites.

          @Sessa45 said in Infection happened - what now?:

          How would I remember something?

          Dunno. Start taking notes - write things down.

          Btw : Your pfSense isn't at risk.
          Also : the LAN network should be used by devices that you trust.
          All other devices should be on some other LAN (OPTx interface) - this interface should have a firewall rule that blocks all pfSense access (ports 22 - 80 and 443).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          JKnott @Sessa45

            @Sessa45

            One thing to remember is pfSense is based on FreeBSD and viruses tend to be written for Windows. Also, I would expect that BSD, like Linux, has no viable viruses, due to the way things are done. That doesn't rule out all malware however, just viruses. Also, Windows users tend to run with Admin privileges, which is stupid, as it leaves the system wide open for malware. Running a computer as a mere mortal will prevent a lot of malware from infecting the computer.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            johnpoz (LAYER 8 Global Moderator)

              Are you asking how if anything pfsense could be used to prevent such an infection, or what pfsense could do to alert you to an infected pc, or how you could then isolate it from the rest of your network if you find an infected pc?

              Pfsense is a network firewall/router - it has really no control over what a user does with the client OS.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              stephenw10 (Netgate Administrator)

                You can use ClamAV in Squid but unless you're doing full SSL intercept it's close to worthless at this point IMO.

                You can run Snort or Suricata and that can detect and block traffic to/from malware. No guarantees though.

                Steve

                bmeeks

                  As others have stated, nothing can be guaranteed in the world of computer security. That's especially true of client PCs. Users can be incredibly naive about such things. Some will double-click on everything everywhere! And any warning dialogs asking "are you sure" should always be answered with "hell yeah!" ... ☺ .

                  The best protection is keeping all your client devices up to date with security hotfixes and also, where possible, limiting users' ability to shoot themselves in the foot by not granting them administrator or root-equivalent permissions on the machine.

                  Tools such as anti-virus scanners on clients and IDS/IPS platforms like Snort or Suricata on the network pathway can help, but they are not foolproof. And tools such as Snort and Suricata require highly skilled administrators to correctly configure them and monitor the alerts they generate.

                  Raffi_

                    Come up with a layered approach to security. pfSense is perfect for that.

                    • The firewall rules should be restrictive but not counterproductive.
                    • IDS/IPS is another layer that'll help block malicious traffic.
                    • As mentioned, ClamAV could be another layer, but you'd have to intercept HTTPS and essentially break encryption just for that purpose. Not personally a fan of this.
                    • PfBlocker is another layer and in my opinion is almost a must. Being able to block Ads and known malicious sites is a huge plus. Ads are sometimes trying to take your users to faked sites. That is a major avenue of attack for viruses and phishing.

                    When you do run into a problem,

                    • Find the client with the problem ASAP and remove it from the network.
                    • Once you understand the issue with the first client, you can then figure out if any others were impacted.

                    In general, I find that the biggest problem for security on my network comes from dealing with the people using the computers and their emails. pfSense is not going to be as helpful with that, but could help limit chances of issues if configured well with layered security. Maybe we need a pfSense package which lets admins send out quick training seminars to the users, including me :)

                    provels @bmeeks

                      @bmeeks said in Infection happened - what now?:

                      And any warning dialogs asking "are you sure" should always be answered with "hell yeah!" ... ☺ .

                      🤣

                      Peder

                      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                      Sessa45 @stephenw10

                        Hi Guys! Thank you so much for your answers!

                        @stephenw10 said in Infection happened - what now?:

                        Keep a backup of the config file locally. Use the Auto Config Backup to make sure you always have the latest config backed up.

                        I already configured a cronjob which makes a backup of the config.xml and copies it to a server.

                        @JKnott said in Infection happened - what now?:

                        One thing to remember is pfSense is based on FreeBSD and viruses tend to be written for Windows.

                        Very true.

                        @johnpoz said in Infection happened - what now?:

                        Are you asking how if anything pfsense could be used to prevent such an infection, or what pfsense could do to alert you to an infected pc, or how you could then isolate it from the rest of your network if you find an infected pc?
                        Pfsense is a network firewall/router - it has really no control over what a user does with the client OS..

                        Basically, I have to know how to deal with an infected PC / network.
                        I have already read that I can create something like LAN segments, which I can probably then individually control. For example subdivisions into the segments "Purchasing", "Administration", "Management", etc.
                        So I need to know the following points:

                        what pfsense could do to alert you to an infected pc

                        how you could then isolate it from the rest of your network

                        @Raffi_ said in Infection happened - what now?:

                        When you do run into a problem,

                        Find the client with the problem ASAP and remove it from the network.

                        But how can I find the client? I think analysing the traffic is the only way to do this?

                        @Raffi_ said in Infection happened - what now?:

                        Maybe we need a pfSense package which lets admins send out quick training seminars to the users, including me :)

                        Nice idea ;)

                        I use a well-configured set of rules. I also use Snort as an IDS component with the Community Subscriber Edition.
                        The pfBlockerNG is also in use with a few lists and the geographical blockade.
                        Last but not least I use the DNSBL to block some more sites (like Microsoft Spyware).

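As an added example (not code from this thread, from Netgate or from the pfSense project), here is what Steve's "keep a backup of the config file locally" advice and Sessa45's cronjob can look like when the copy is also verified and rotated, so that a truncated or corrupt copy never replaces a known-good one. The source path /conf/config.xml is pfSense's default location for the running configuration; the destination directory, the retention count and the demo's constructed config contents are assumptions. Pushing the resulting files to another machine (scp, rsync) is left to the cron job that calls this.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# pfSense keeps the running configuration here (assumed default location).
DEFAULT_SOURCE = Path("/conf/config.xml")


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large configs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_config(source: Path, dest_dir: Path, keep: int,
                  stamp: Optional[str] = None) -> Path:
    """Copy `source` to dest_dir/config-<stamp>.xml, verify the copy against the
    source, append its digest to a manifest, then prune all but the `keep` newest."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = dest_dir / f"config-{stamp}.xml"
    shutil.copyfile(source, dest)
    # Verify BEFORE pruning: a failed write must never evict an older good copy.
    digest = sha256_of(dest)
    if digest != sha256_of(source):
        dest.unlink()
        raise IOError(f"copy {dest} does not match {source}")
    # The manifest is append-only and lets you check a restored file later with
    # `sha256sum -c`; entries for pruned copies are kept as a record.
    with (dest_dir / "MANIFEST.sha256").open("a") as m:
        m.write(f"{digest}  {dest.name}\n")
    # Stamps are zero-padded YYYYMMDD-HHMMSS, so plain lexical sort is chronological.
    copies = sorted(dest_dir.glob("config-*.xml"))
    for old in copies[:-keep]:
        old.unlink()
    return dest


def list_backups(dest_dir: Path) -> list:
    return sorted(p.name for p in dest_dir.glob("config-*.xml"))


def demo() -> tuple:
    """Run three backups of a constructed config with keep=2 in a temp dir and
    return (surviving copies, newest copy verified OK, manifest line count)."""
    work = Path(tempfile.mkdtemp(prefix="pfsense-backup-demo-"))
    src = work / "config.xml"
    src.write_text("<pfsense><version>constructed-sample</version></pfsense>\n")
    for stamp in ("20250101-000001", "20250101-000002", "20250101-000003"):
        newest = backup_config(src, work / "backups", keep=2, stamp=stamp)
    verified = sha256_of(newest) == sha256_of(src)
    manifest_lines = (work / "backups" / "MANIFEST.sha256").read_text().splitlines()
    return list_backups(work / "backups"), verified, len(manifest_lines)


if __name__ == "__main__":
    survivors, ok, lines = demo()
    print("kept:", survivors, "| newest verified:", ok, "| manifest entries:", lines)
```

On the firewall itself you would call backup_config(DEFAULT_SOURCE, Path("/root/config-backups"), keep=14) from the cron job, then ship the directory off-box; keeping the manifest with the copies gives you an integrity check at restore time, when the firewall that produced them may no longer be trustworthy.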
                        stephenw10 (Netgate Administrator)

                          Exporting the logs, including Snort logs, to some external analyser is useful. That can then alert you to some internal machine triggering stuff before you might otherwise find it.

                          Steve

                          Raffi_ @Sessa45

                            @Sessa45 said in Infection happened - what now?:

                            But how can i find the client? I think, to analyse the traffic is the only way to do this?

                            You may have a client come to you saying my PC is doing weird things. That's one indicator :)

                            @stephenw10 said in Infection happened - what now?:

                            Exporting the logs, including Snort logs, to some external analyser is useful. That can then alert you to some internal machine triggering stuff before you might otherwise find it.

                            Steve

                            I'm interested to know what people are using to analyze and alert on log entries in terms of potential security risks. I have mine going to a syslog server, but I have to manually look through it. My eyes are not calibrated to find potential security risks in the log.

                            bmeeks @Raffi_

                              @Raffi_ said in Infection happened - what now?:

                              I'm interested to know what people are using to analyze and alert on log entries in terms of potential security risks. I have mine going to a syslog server, but I have to manually look through it. My eyes are not calibrated to find potential security risks in the log.

                              I'm not sure there is a free and open-source product out there that matches the capabilities of a tool such as ArcSight. That tool lets you create "use cases" which incorporate a lot of almost "artificial intelligence type" decision trees. You can have it look for and analyze patterns of log entries and then, when all of the various decision conditions are met, ArcSight itself will raise an alert to get a human's attention. The human then performs a more detailed analysis of the findings. I used ArcSight in my old job before retirement. Very capable but also quite expensive to own and operate.

                              Maybe there is an open-source alternative out there. The only open-source tool I have direct experience with is Snorby, and it was definitely not as powerful as ArcSight.

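As an added example (not code from this thread, from the Snort project or from pfSense), here is a small Python script that does the kind of correlation Steve and bmeeks describe and that answers Sessa45's "how can I find the client" question: it reads Snort alerts that pfSense has exported to a syslog server, attributes each alert to the LAN host involved, and flags hosts whose pattern of alerts crosses a threshold, so that a human only has to look at the shortlist. The sample lines are constructed in the single-line layout Snort uses for syslog alerting; the LAN prefix 192.168.1.0/24, the local-range SIDs, the messages and the thresholds are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: the trusted LAN behind pfSense is 192.168.1.0/24; add OPTx subnets here.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Layout of a Snort syslog alert:
#   snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:port -> dst:port
# ICMP alerts carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample of what the syslog server receives. SIDs are in the local-rule
# range (1000000 and up) and messages are invented; 203.0.113.2 plays the WAN
# address, and the last line is a filterlog entry to show non-Snort lines being skipped.
SAMPLE_LOG = """\
Mar 10 09:12:01 pfSense snort[4321]: [1:1000001:1] LOCAL MALWARE beacon (constructed) [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49213 -> 203.0.113.10:80
Mar 10 09:12:09 pfSense snort[4321]: [1:1000002:1] LOCAL INFO dynamic DNS lookup (constructed) [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.50:53122 -> 192.168.1.1:53
Mar 10 09:13:40 pfSense snort[4321]: [1:1000001:1] LOCAL MALWARE beacon (constructed) [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49220 -> 203.0.113.11:80
Mar 10 09:15:02 pfSense snort[4321]: [1:1000003:1] LOCAL ICMP ping (constructed) [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 198.51.100.5
Mar 10 09:16:33 pfSense snort[4321]: [1:1000004:1] LOCAL SCAN inbound probe (constructed) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:41000 -> 203.0.113.2:22
Mar 10 09:17:00 pfSense filterlog[777]: 5,,,1000000103,igb0,match,block,in,4 (constructed, truncated)
"""


@dataclass
class HostSummary:
    alerts: int = 0
    high_priority: int = 0                      # Priority 1 alerts
    signatures: set = field(default_factory=set)  # distinct (gid, sid) pairs
    peers: set = field(default_factory=set)       # remote addresses involved


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not Snort alerts."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def internal_host(alert, internal_nets):
    """The LAN-side address of an alert (source preferred), or None if neither end is internal."""
    for key in ("src", "dst"):
        ip = ipaddress.ip_address(alert[key])
        if any(ip in net for net in internal_nets):
            return str(ip)
    return None


def summarize(lines, internal_nets):
    """Attribute every alert to a LAN host. Returns ({host: HostSummary}, skip counts)."""
    summary = defaultdict(HostSummary)
    stats = {"unparsed": 0, "external_only": 0}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            stats["unparsed"] += 1
            continue
        host = internal_host(alert, internal_nets)
        if host is None:                        # e.g. probes against the WAN address
            stats["external_only"] += 1
            continue
        s = summary[host]
        s.alerts += 1
        if int(alert["prio"]) == 1:
            s.high_priority += 1
        s.signatures.add((alert["gid"], alert["sid"]))
        s.peers.add(alert["dst"] if alert["src"] == host else alert["src"])
    return dict(summary), stats


def flag_hosts(summary, high_priority_threshold=2, distinct_sig_threshold=3):
    """Shortlist hosts worth a human's attention, with the reason(s) they were picked."""
    flagged = []
    for host, s in sorted(summary.items()):
        reasons = []
        if s.high_priority >= high_priority_threshold:
            reasons.append(f"{s.high_priority} priority-1 alerts")
        if len(s.signatures) >= distinct_sig_threshold:
            reasons.append(f"{len(s.signatures)} distinct signatures")
        if reasons:
            flagged.append((host, reasons))
    return flagged


if __name__ == "__main__":
    summary, stats = summarize(SAMPLE_LOG.splitlines(), INTERNAL_NETS)
    for host, reasons in flag_hosts(summary):
        print(f"{host}: {'; '.join(reasons)}; talked to {sorted(summary[host].peers)}")
    print("skipped:", stats)
```

Pointed at the real syslog file, the script turns "my eyes are not calibrated" into a short list of LAN addresses with a reason attached; the peers set tells you which outside hosts the machine was talking to, which is what you check against the other clients on the same segment before deciding who else to pull off the network.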
                              JKnott @Raffi_

                                @Raffi_ said in Infection happened - what now?:

                                Find the client with the problem ASAP and remove it them from the network. 😉

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.