pfSense-based network security appliance?
-
I have too often seen a false sense of security demonstrated around UTM systems. There is no such thing as 100% secure. Complacency becomes the risk.
For the typical home network UTM may be overkill. Why would anyone be interested in your network when they can exploit millions by going after the large service providers? Stay up to date and don't do anything crazy with your firewall rules.
-
@NollipfSense said in pfSense-based network security appliance?:
That was my initial question whether you're using it for a home environment. With that answered, pfSense, along with packages, such as Snort, or Suricata, pfBlockerNG-Devel, and Squid's antivirus, you will be able to accomplish your network security needs. I must warn that the learning curve is steep; however, since you have indicated having the basic concept, you should be okay initially, but still have some learning to do, especially for intrusion detection and prevention.
Thank you! That’s helpful. I’ll look into the packages you’ve named. If you think of any others, please let me know.
-
@stephenw10 said in pfSense-based network security appliance?:
Yeah, you are basically describing a UTM device. pfSense is a firewall and router with plugins that give it some UTM features. There are some things that are not available at all, a mail filter/scanner for example.
Steve
Thanks for putting a name to this for me, Steve. Maybe I could employ Docker containers for things like mail filtering/scanning that pfSense can’t/won’t address. Maybe even for some of the things that it CAN do — but maybe they’re more easily employed/managed as containerized services.
-
@johnpoz said in pfSense-based network security appliance?:
@ErniePantuso said in pfSense-based network security appliance?:
This would be a device that you plug in, turn it on, and it just flat out protects every device on the network.
No such device - no matter how much money you spend ;)
That’s true of most things - until someone decides to build it.
Also any sort of security is going to come at a cost to ease of use and user happiness.. Once you put in any sort of security anything - users will complain, and more often than not look for ways to circumvent it ;)
That’s true if your background is in IT and you have a large user base. I’m coming from a very different perspective/situation.
Pfsense can do many of the things you would want on your network, firewall sure IPS/IDS, web filtering. DNS filtering. Reverse proxy, etc. But it's not going to come without considerable investment.. If not from a money aspect, from a time spent in configuration and management aspect of it.
Then maybe it’s not the right tool for the job for me. Maybe I just want to use pfSense as a firewall. As I said above, if containerized services are a better approach, fine — I just need some advice on what those services are - how and where to look for them. If all you were trying to accomplish was DNS filtering, what would be your go-to choice? If all you were trying to do was web filtering, what would you use? Someone mentioned that there’s a package for Squid antivirus... Maybe there’s a Docker container for it. Or maybe there’s something even better?
To be honest your typical home network has little use for an IPS.. Are you hosting services to the public internet? Are devices on your local network services not under your control?
None of these devices will be under my control. I’m not looking into this for personal use (although, if I can make this happen, I’ll certainly use it in my home/on my network). This is intended as a solution for my clients - hundreds of retirees who are extremely unsophisticated users and therefore at a much higher risk. Some of these users have actually fallen for the “We’re from Microsoft” scam more than once.
The problem with IPS is not that it doesn't work, the problem is most home users have no desire to actually set it up correctly, and spend the time in maint of the rules.. And follow up on the multi and many false positives that will always show up.. More likely than not it's going to cause you more grief and complaints from your home user in this doesn't work, that doesn't work.. Than any possible benefit in your overall security stance..
The benefits would be huge for my customer base but clearly I’ll need to find a way to simplify/minimize the administration.
Your point of being a man in the middle and filtering all downloads.. Yeah good luck with that.. Since most everything is https these days, means you actually have to do a mitm sort of setup on your own network.. Which is another whole can of worms to open up, and not really clicky clicky to get working..
There’s an e2guardian Docker container with MITM built right in and ready to go.
If you think you can just click install on it - and be done.. You are mistaken..
Anything is possible.
-
@jwj said in pfSense-based network security appliance?:
I have too often seen a false sense of security demonstrated around UTM systems. There is no such thing as 100% secure. Complacency becomes the risk.
My users are already complacent. And fairly clueless. I don’t need 100% secure - but even getting to 80% would be a HUGE improvement.
For the typical home network UTM may be overkill. Why would anyone be interested in your network when they can exploit millions by going after the large service providers?
You obviously have no idea how gullible old people can be and how often they are targeted by scammers. Many of these scams aren’t even that sophisticated. But my clients fall for it. I actually lost a client because she was tired of paying me to come to her house, run a scan - no threats found - and she still had malware. (It was much later when I realized that the reason she thought she still had malware was because various web pages/websites were telling her so!) I actually set up a webpage on my business website that popped up a message saying, “Your shoe is untied” just to try to explain to them. Seriously, try to see this from where I’m coming from — not from the perspective as an IT Security Specialist with a large corporate user base.
-
Ummm.. let's keep it civil please. Constructive suggestions if you have them.
Edit: Some posts were removed here after civility was lost!
-
@ErniePantuso said in pfSense-based network security appliance?:
That’s true of most things - until someone decides to build it.
Then this some person should break 'TLS' first. Which means that the secured access that we all benefit using https should have to be undone.
That's what you want ?
When you use an inviolable connection between your device and, let's say, your bank, would you be happy if, that, under some conditions, this connection could be broken open, and the content being inspected ?
If you could do that, everybody else, with good intentions or not, would be able to do the same. So, for example, packet inspection to see the content and act upon it : that's not an option any more. Quantum computing could accelerate decoding, sure, just as quantum encryption would harden the encryption.
pfSense works like the local post office.
It relays envelopes and other boxes, based upon what is written onto them. Not what's in them.
-
@Gertjan said in pfSense-based network security appliance?:
Then this some person should break 'TLS' first. Which means that the secured access that we all benefit using https should have to be undone.
I’m sure you know more about this stuff than I do, Gertjan, but if e2guardian has MITM support and can decrypt encrypted traffic to scan and filter it, then why couldn’t pfSense (and other services) do the same?
When you use a inviolable connection between your device and, let's say, your bank, would you be happy if, that, under some conditions, this connection could be broken open, and the content being inspected ?
The MITM capabilities of e2guardian require you to setup keys and certs in order to use it. AFAIK, there’s little or no potential for abuse/misuse unless someone is either IN your home or has penetrated your firewall (in which case you have bigger problems than this). But even if there was, my online banking information (and my email, and shopping, and...) is still protected by a good, strong password.
If there’s something I’m missing, here, please let me know.
-
@stephenw10 said in pfSense-based network security appliance?:
Edit: Some posts were removed here after civility was lost!
No probs Steve, I was losing my temper there. My apologies.
Edit: I hope in the future all insulting and belittling posts will also be deleted. Thanks man.
-
It was not you specifically, no need to apologise.
This sort of thing just feeds more unnecessary comments, everyone ends up posting stuff they would not normally.
Sometimes it's better just not to post anything.
Steve
-
@Steve, You're right.. I should not have replied to it. I know some of our new users lack basic network knowledge. But I just can’t stand to see our new users being insulted and belittled.
-
I think some of the things you want to accomplish can be done, but probably not all.
pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.
Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out. If you do end up trying either, I would highly suggest running it in intrusion detection mode first so that it only alerts of potentially malicious traffic and doesn't act on it. Otherwise you will end up with a lot of users complaining about a lot of broken things. A website not loading would only be the tip of that iceberg.
Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just imagine what chance we have with performing MITM. That is why others mentioned forget antivirus on the network level. I agree. Antivirus on the clients is the best bet.
As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an office 365 account/mail box I would highly recommend adding the ATP (advanced threat protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.
As for older users, that is by far one of the biggest IT challenges :)
I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that which is why scammers use that method.
Good luck
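The "only approx. 1% of my traffic was actually being scanned" observation above is easy to measure on your own proxy before deciding whether Squid plus ClamAV is worth the hardware. The script below is an added example (not code from the thread, from Squid or from pfSense) that reads Squid's native access.log format and reports what share of requests and bytes the proxy could hand to an antivirus helper: plain HTTP requests are scannable, while CONNECT entries are TLS tunnels whose content Squid never sees unless SSL bump is configured. The log lines embedded in it are constructed, not a real capture.

```python
"""Estimate how much of a Squid proxy's traffic a ClamAV scan can actually see.

Added example, not from the thread or from the Squid/pfSense projects.
Input is a constructed sample of Squid "native" access.log lines:
timestamp elapsed client code/status bytes method URL rfc931 hierarchy type
"""
from collections import Counter

# Constructed sample, not a real capture.  Port 443 CONNECT entries are TLS
# tunnels: without SSL bump Squid only relays the encrypted bytes, so the
# antivirus helper cannot scan the content.
SAMPLE_LOG = """\
1589200000.123    120 192.168.1.10 TCP_TUNNEL/200 45678 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.5 -
1589200001.456     80 192.168.1.11 TCP_MISS/200 2345 GET http://www.example.org/index.html - HIER_DIRECT/198.51.100.7 text/html
1589200002.789    300 192.168.1.12 TCP_TUNNEL/200 120000 CONNECT www.example.net:443 - HIER_DIRECT/198.51.100.9 -
1589200003.012   9000 192.168.1.10 TCP_TUNNEL/200 8000000 CONNECT update.example.com:443 - HIER_DIRECT/192.0.2.4 -
1589200004.345   1500 192.168.1.13 TCP_MISS/200 512000 GET http://legacy.example.org/setup.exe - HIER_DIRECT/198.51.100.7 application/x-msdownload
1589200005.678    110 192.168.1.11 TCP_TUNNEL/200 30000 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.5 -
"""


def parse_line(line):
    """Split one native-format access.log line into the fields we need."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line: skip rather than guess
    return {
        "client": fields[2],
        "status": fields[3],
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "mime": fields[9],
    }


def is_scannable(rec):
    """True when the proxy sees the HTTP body, i.e. the request is not an opaque TLS tunnel."""
    return rec["method"] != "CONNECT" and not rec["url"].startswith("https://")


def summarize(log_text):
    """Return request/byte totals, the share a proxy-side AV could scan, and the
    CONNECT destinations that account for most of the unscanned bytes."""
    total = Counter()
    scannable = Counter()
    tunnels = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total["requests"] += 1
        total["bytes"] += rec["bytes"]
        if is_scannable(rec):
            scannable["requests"] += 1
            scannable["bytes"] += rec["bytes"]
        elif rec["method"] == "CONNECT":
            tunnels[rec["url"]] += rec["bytes"]
    pct = round(100.0 * scannable["bytes"] / total["bytes"], 1) if total["bytes"] else 0.0
    return {
        "requests": total["requests"],
        "bytes": total["bytes"],
        "scannable_requests": scannable["requests"],
        "scannable_bytes": scannable["bytes"],
        "scannable_byte_pct": pct,
        "top_tunnels": tunnels.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents. The top_tunnels list is the useful part of the output: those are the hosts you would have to bump (intercept) to scan anything, which is exactly the certificate-deployment problem discussed earlier in the thread, and bumping a bank or an update service is where interception breaks things first.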
-
Yes, I agree with most of that. Except wishing there was a mail proxy in pfSense I'd have to support.
There used to be packages for that but moving it off the firewall was the right move IMO.
pfSense is not a UTM and even with all the appropriate packages it will not do all things you might want. But as others have pointed out even the most complete UTM device is no substitute for end device security. You need both in most situations.
If you are running Squid you may as well enable ClamAV if you have capable hardware. It's a single check box and usually 'just works'. It probably won't catch anything, especially if you're not running full SSL interception, but usually doesn't hurt either. You still need AV on the clients.
Snort/Suricata is easy to get wrong and end up blocking all sorts of things. Be sure to run it in non-blocking mode whilst tuning the ruleset and monitoring the logs until you are confident it's not blocking needed traffic. I usually give it at least a week before enabling blocking.
Steve
-
@stephenw10 said in pfSense-based network security appliance?:
I usually give it at least a week before enabling blocking.
That would be for someone that understands IPS, and what is false and what is not.. It could take much much longer for someone that is new to the whole thing.
It can be a huge learning curve to understand what it's showing you, what can be ignored and what should be investigated..
You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.
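Both of the last two posts say the same thing: run Snort/Suricata in alert-only mode and work through the logs before you let it block. The script below is an added example (not code from the thread, from Suricata or from pfSense) of what that review looks like in practice: it reads Suricata's eve.json, counts alerts per signature, separates a rule that fires from many internal hosts toward many destinations (almost always noise) from a rule that fires repeatedly between one pair of hosts (worth a look), and emits the threshold.config lines you would use to suppress or rate-limit a rule once you have decided it is a false positive. The EVE records are constructed for the example; the signature numbers and texts in them are illustrative, and the classification thresholds are assumptions you would tune for your own network.

```python
"""Triage Suricata EVE alerts collected during an IDS-only period, before enabling blocking.

Added example, not from the thread or from the Suricata/pfSense projects.
The records below are constructed; the field names (event_type, src_ip, dest_ip,
alert.signature_id, alert.action) follow Suricata's eve.json format.
"""
import json

# Constructed eve.json excerpt: one JSON object per line, with non-alert events
# and one corrupt line mixed in, as a real log would have.
SAMPLE_EVE = r"""
{"timestamp":"2020-05-11T10:00:01.000000+0000","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2020-05-11T10:00:02.000000+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210020,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-05-11T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.11","dest_ip":"203.0.113.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210020,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-05-11T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.12","dest_ip":"198.51.100.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210020,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-05-11T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.13","dest_ip":"192.0.2.4","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210020,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-05-11T10:01:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2020-05-11T10:01:30.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2020-05-11T10:02:00.000000+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":3,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-05-11T10:02:01.000000+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","proto":"UDP"}
this line is not JSON and must be skipped
"""


def iter_alerts(eve_text):
    """Yield only well-formed alert events; flow/dns/stats records and corrupt lines are ignored."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def summarize(eve_text):
    """Per signature: hit count, distinct sources/destinations, and how many hits were blocked."""
    stats = {}
    for event in iter_alerts(eve_text):
        alert = event["alert"]
        sid = alert["signature_id"]
        entry = stats.setdefault(sid, {"signature": alert["signature"], "count": 0,
                                       "srcs": set(), "dsts": set(), "blocked": 0})
        entry["count"] += 1
        entry["srcs"].add(event["src_ip"])
        entry["dsts"].add(event["dest_ip"])
        if alert.get("action") == "blocked":
            entry["blocked"] += 1
    return stats


def triage(stats, min_sources=3):
    """Label each signature.  Thresholds are assumptions for the example:
    many sources x many destinations  -> 'noisy' (tune or suppress before blocking)
    one source -> one destination, repeated -> 'investigate'
    anything else -> 'review'"""
    labels = {}
    for sid, entry in stats.items():
        if len(entry["srcs"]) >= min_sources:
            labels[sid] = "noisy"
        elif entry["count"] >= 2 and len(entry["srcs"]) == 1 and len(entry["dsts"]) == 1:
            labels[sid] = "investigate"
        else:
            labels[sid] = "review"
    return labels


def suppress_lines(sids):
    """threshold.config entries that silence a rule entirely (decided false positives)."""
    return [f"suppress gen_id 1, sig_id {sid}" for sid in sorted(sids)]


def threshold_line(sid, seconds=3600):
    """threshold.config entry that keeps a rule but reports it at most once per source per window."""
    return f"threshold gen_id 1, sig_id {sid}, type limit, track by_src, count 1, seconds {seconds}"


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVE)
    labels = triage(stats)
    for sid, entry in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sid} {labels[sid]:12} hits={entry['count']} srcs={len(entry['srcs'])} "
              f"dsts={len(entry['dsts'])} blocked={entry['blocked']} {entry['signature']}")
    print("\n".join(suppress_lines(s for s, l in labels.items() if l == "noisy")))
```

Point it at /var/log/suricata/<interface>/eve.json on the firewall and run it weekly during the monitoring period; when the "noisy" list stops growing and the "investigate" items have each been explained, you are in a position to turn blocking on. The "blocked" counter is there so you can rerun the same report after enabling blocking and see which rules are actually dropping traffic.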
-
@johnpoz said in pfSense-based network security appliance?:
You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.
This sounds like me. I had no idea what I was doing and it sure did take me a few months to finally get it to a point where the network wasn't constantly "broken".
-
I'll apologize for having a go at the OP. Should have patiently and methodically worked through the issues to his desired solution and tried to guide him to a more realistic approach. One that would have worked for his business objectives and his clients.
When not in pandemic mode I often sit near to a senior InfoSec guy for one of the most sprawling and bureaucratic international organizations. I once asked him about running Suricata on my home network (home being three locations, in this case). After some minutes of hysterical laughing he asked me what I expected to get out of that exercise. Of course I could not give him a satisfactory answer except to say I would enjoy the learning process.
-
@jwj said in pfSense-based network security appliance?:
I would enjoy the learning process.
Yup - that really is about it ;)
It really doesn't make a lot of sense on a home network to be honest.. Other than just as a learning tool.. It's sure not going to do anything to make some older people's internet any safer in the long run..
If you're not actively serving up services to the public.. It's pretty much going to be a lot of noise.. And unless you're doing MITM, it's not even going to see your traffic.. When user goes to xyz.tld out on the internet.
I've been doing this for years, and I don't actively run it on my network.. And I have managed IPS/IDS for large corps in the past..
Can it be a great learning tool - sure, and can it give you interesting info to check on sure. But
device that you plug in, turn it on, and it just flat out protects every device on the network
No, it's not going to be that box.. Going to state it again - there is no such device.. ;) Sure there are some really fancy UTMs on the market, and sure pfsense can be used as a UTM if you want to use that term... But there is going to be a ton of work to get that to happen, and in a home setup with some older people as the users - makes no sense at all to be honest.
Now if you're a guy that is just busting at the chops to play with some new technology.. hey what is the IPS thing I hear so much about.. Then yeah it's a great learning tool, and in the right hands could and can be a very valuable tool for those companies that can not afford to drop 100K on some shiny new tool from Company XYZ, etc..
-
@johnpoz and the couple hundred k$ a year good infosec people earn.
-
Exactly.. The guy that would use pfsense in the right way with IPS package, is normally going to be making a bit more than entry level ;)
I am all for playing with it on "your" network - and be glad to help for sure in getting it up and running.. But in the way I am reading this OP.. No its not the solution..
Would pfsense be a great firewall/router for someone to set up for a family member or friend that they want you to manage their network for.. Yeah damn straight!!! But running IPS on such a network just doesn't make a lot of sense - even if that is what you do for a living.. If I don't run it on my own network, and again I have gotten paid to do just that.. Why in hell would I run it on someone else's network for free ;) For it to do its thing, it has to be monitored and managed.. It's not just click it and forget it and you're protected..
And I think someone mentioned - it can lead to a false sense of security... Oh I clicked install on the IPS package, I'm good - which is no where close to being the case.
Especially if you're new to the whole IPS/IDS arena.
edit: Sure, it could catch maybe some traffic from a user's PC to their NAS, if the traffic was routed through pfsense and the IPS.. If the user's PC was infected with something - but more likely than not it's going to scream at you that user moving his file kicked up some signature that is just noise anyway.. And is this other network even going to be segmented so that traffic is routed through pfsense where the IPS could even see the traffic?
Another scenario - where it could make sense.. You're hosting some webservice to the public off your home connection. And you have say haproxy doing the ssl offload, so all the traffic from pfsense to the web server box is only http.. Then sure you could have your IPS looking at that traffic.. That could be of use - but I don't think that is the case in this thread ;)
-
@Raffi_ said in pfSense-based network security appliance?:
I think some of the things you want to accomplish can be done, but probably not all.
Thank you Raffi!
pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.
Cloudflare offers quite a bit of DNS filtering; all you have to do is set your primary DNS to 1.1.1.2. I haven’t seen any reports on how effective it is but I’ve been configuring my own and all my clients’ routers to use 1.1.1.2 since the “1.1.1.1 for Families” announcement in April. If anyone has direct knowledge that this is insufficient protection, please chime in.
Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out.
I think I’ll skip over IDS/IPS. With my clients, the problem isn’t intruders sneaking in the back door; my users let them in the front door! In close to 10 years, I’ve never had a (valid) call from a client who had (actually) experienced an intrusion. But I’ve cleaned up plenty of root kits, keyloggers, botnet clients, and other malware that started with a phone call or a webpage “from Microsoft”. I even went so far as to hire a developer (from one of those freelancer type sites) to write me a program to detect remote control connections, close the port(s), and display an advisory message about not letting anyone (whom you don’t know personally and don’t trust implicitly) to remotely control your computer. (Ultimately, he couldn’t get it done and refunded my money.)
This is such a problem for my clients. I am so adamant about this and try so hard to reinforce this message that when I install TeamViewer on their machines, I actually configure it for “View Only” so that even I cannot remotely control their machine. I just view their screen and guide them on where to click, what to type, etc., explaining as I go.
I’d still really like to come up with a program that can detect incoming remote control traffic and clamp those ports and display that message. I’m told that that kind of traffic isn’t easily detected, therefore there’s no simple way to do it but that doesn’t make sense to me. I’m more inclined to believe that the people who have told me that just don’t have the necessary knowledge level.
Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just image what chance we have with performing MITM. That is why others mentioned forget antivirus on the network level. I agree. Antivirus on the clients is the best bet.
That’s discouraging. Not having to pay (not just in money but also system overhead) for endpoint security solutions would be one of the selling points for my little appliance. Maybe I could use the MITM solution that e2guardian makes available and automatically sandbox all TLS 1.3 traffic?
As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an office 365 account/mail box I would highly recommend adding the ATP (advanced threat protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.
I can’t think of a single client who has an O365 account. Mostly Gmail, Yahoo, Hotmail/Outlook/Live.com and ISP (Cox) email accounts. I’ve been meaning to look into some sort of threat protection add-on for Thunderbird, but I know I’d get a lot of pushback. Old folks don’t tolerate change well, and the tech world forces a lot of it down their throats already.
As for older users, that is by far one of the biggest IT challenges :)
I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that which is why scammers use that method.
Good luck
Thanks again!
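The two DNS filtering options raised in this post, pfBlockerNG's DNSBL feeds and Cloudflare's 1.1.1.2 resolver, both work the same way: a name that appears on a list (or has a parent that does) is answered with a sinkhole address instead of the real one, and false positives are handled by an allowlist that wins over the feed. The script below is an added example (not code from the thread or from pfBlockerNG) of that decision logic. It parses feeds in both common formats (hosts-file style with a leading IP, and plain domain lists), walks a queried name and each of its parent domains, lets an allowlist entry stop the walk, and emits the Unbound local-zone/local-data lines that implement the redirect on the resolver. The feeds, the allowlist, the queried names and the sinkhole address are all constructed assumptions.

```python
"""Resolver-side domain blocklist decision, the mechanism pfBlockerNG's DNSBL
uses by feeding Unbound local-zone/local-data entries.

Added example, not pfBlockerNG's code.  Feeds, allowlist and sinkhole
address are constructed assumptions for the demonstration.
"""

SINKHOLE = "10.10.10.1"  # assumed sinkhole address; any non-routable address works

FEED_HOSTS = """\
# constructed hosts-file style feed (IP first, then one or more names)
0.0.0.0 tracker.example.net
0.0.0.0 malware.example.org
127.0.0.1 localhost
"""

FEED_DOMAINS = """\
# constructed plain domain feed, one name per line
ads.example.com
cdn.example.com
"""

# A name found to be a false positive during review; allowlist wins over feeds.
ALLOWLIST = {"cdn.example.com"}


def normalize(name):
    """Lowercase, strip whitespace and any trailing dot so lookups are case- and FQDN-insensitive."""
    return name.strip().lower().rstrip(".")


def parse_feed(text):
    """Yield domains from either feed format; comments, blank lines and localhost are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        names = parts[1:] if len(parts) > 1 else parts  # hosts format: first token is the IP
        for candidate in names:
            candidate = normalize(candidate)
            if candidate and candidate not in ("localhost", "localhost.localdomain"):
                yield candidate


def build_blocklist(*feeds):
    block = set()
    for feed in feeds:
        block.update(parse_feed(feed))
    return block


def candidates(name):
    """The name and each parent: a.b.example.com -> a.b.example.com, b.example.com, example.com, com"""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(name, blocklist, allowlist=frozenset()):
    """Return the sinkhole address if the name or a parent is listed, else None.
    The walk starts at the most specific label, so a listed subdomain of an
    allowlisted domain is still blocked, and an allowlist hit stops the walk."""
    for candidate in candidates(name):
        if candidate in allowlist:
            return None
        if candidate in blocklist:
            return SINKHOLE
    return None


def unbound_local_data(blocklist):
    """Unbound configuration that answers every listed zone (and its subdomains) with the sinkhole."""
    lines = []
    for domain in sorted(blocklist):
        lines.append(f'local-zone: "{domain}." redirect')
        lines.append(f'local-data: "{domain}. A {SINKHOLE}"')
    return lines


if __name__ == "__main__":
    blocklist = build_blocklist(FEED_HOSTS, FEED_DOMAINS)
    for query in ("TRACKER.EXAMPLE.NET.", "sub.malware.example.org", "cdn.example.com", "example.com"):
        print(f"{query:30} -> {lookup(query, blocklist, ALLOWLIST)}")
    print("\n".join(unbound_local_data(blocklist)))
```

One check worth doing on any deployment of this kind, whether the filter is the firewall's own resolver or an upstream one such as 1.1.1.2: the filtering only applies to clients that actually send their queries through it. A device with a hardcoded resolver, or a browser using DNS-over-HTTPS, never asks your filter, so a firewall rule that forces port 53 from the LAN to the local resolver is part of the setup, not an optional extra.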