pfSense-based network security appliance?
-
@stephenw10 said in pfSense-based network security appliance?:
Edit: Some posts were removed here after civility was lost!
No probs Steve, I was losing my temper there. My apologies.
Edit: I hope in the future all insulting and belittling posts will also be deleted. Thanks man.
-
It was not you specifically, no need to apologise.
This sort of thing just feeds more unnecessary comments, everyone ends up posting stuff they would not normally.
Sometimes it's better just not to post anything.
Steve
-
@Steve, you're right.. I should not have replied to it. I know some of our new users lack basic network knowledge. But I just can't stand to see our new users being insulted and belittled.
-
I think some of the things you want to accomplish can be done, but probably not all.
pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.
Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out. If you do end up trying either, I would highly suggest running it in intrusion detection mode first so that it only alerts of potentially malicious traffic and doesn't act on it. Otherwise you will end up with a lot of users complaining about a lot of broken things. A website not loading would only be the tip of that iceberg.
Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just imagine what chance we have with performing MITM. That is why others mentioned forget antivirus on the network level. I agree. Antivirus on the clients is the best bet.
As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an Office 365 account/mailbox I would highly recommend adding the ATP (advanced threat protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.
As for older users, that is by far one of the biggest IT challenges :)
I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that, which is why scammers use that method.
Good luck
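A way to check the "only about 1% of my traffic was actually being scanned" figure on your own proxy, added here as an example (not code from the post, nor from the pfSense, Squid or ClamAV projects). Without SSL interception Squid only sees the CONNECT request for an HTTPS flow and then relays opaque bytes, so a ClamAV/c-icap scanner only ever inspects the plain-HTTP requests. The script parses Squid's native access.log format and reports the plaintext share by request count and by bytes; the log lines in SAMPLE_LOG are constructed for illustration.

```python
"""Measure how much of a Squid proxy's traffic a content scanner can see.

Added example, not from the forum post or from Squid/ClamAV/pfSense.
Squid native access.log format, one request per line:
  timestamp elapsed client action/code bytes method url ident hier/peer type
CONNECT lines are HTTPS tunnels: opaque to the scanner unless SSL bump is on.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample: three HTTPS tunnels and three plain-HTTP requests.
SAMPLE_LOG = """\
1590000000.123    245 192.168.1.50 TCP_TUNNEL/200 48213 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1590000001.456     88 192.168.1.50 TCP_MISS/200 6120 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1590000002.789   1200 192.168.1.51 TCP_TUNNEL/200 910554 CONNECT updates.example.net:443 - HIER_DIRECT/203.0.113.10 -
1590000003.001     12 192.168.1.51 TCP_DENIED/403 3870 GET http://ads.example.com/track.js - HIER_NONE/- text/html
1590000004.222     60 192.168.1.52 TCP_MISS/200 2048 GET http://example.org/favicon.ico - HIER_DIRECT/93.184.216.34 image/x-icon
1590000005.333    300 192.168.1.52 TCP_TUNNEL/200 120000 CONNECT mail.example.com:443 - HIER_DIRECT/198.51.100.7 -
"""


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def scan_coverage(log_text):
    """Split traffic into 'scannable' (plain HTTP the proxy sees in full) and
    'tunneled' (CONNECT: the scanner never sees the payload without SSL bump)."""
    reqs, byts = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-native line; skip rather than guess
        bucket = "tunneled" if rec["method"] == "CONNECT" else "scannable"
        reqs[bucket] += 1
        byts[bucket] += rec["bytes"]
    total_reqs, total_bytes = sum(reqs.values()), sum(byts.values())
    return {
        "requests": dict(reqs),
        "bytes": dict(byts),
        "scannable_request_share": reqs["scannable"] / total_reqs if total_reqs else 0.0,
        "scannable_byte_share": byts["scannable"] / total_bytes if total_bytes else 0.0,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cov = scan_coverage(text)
    print("requests:", cov["requests"], "bytes:", cov["bytes"])
    print(f"scannable share: {cov['scannable_request_share']:.1%} of requests, "
          f"{cov['scannable_byte_share']:.2%} of bytes")
```

Run it against /var/squid/logs/access.log (the pfSense default location) to see the split on a real network. Note that the request-count share can look healthy while the byte share is tiny, as in the sample, because the tunneled flows carry the bulk of the data.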
-
Yes, I agree with most of that. Except wishing there was a mail proxy in pfSense I'd have to support.
There used to be packages for that but moving it off the firewall was the right move IMO.
pfSense is not a UTM and even with all the appropriate packages it will not do all things you might want. But as others have pointed out even the most complete UTM device is no substitute for end device security. You need both in most situations.
If you are running Squid you may as well enable ClamAV if you have capable hardware. It's a single check box and usually 'just works'. It probably won't catch anything, especially if you're not running full SSL interception, but usually doesn't hurt either. You still need AV on the clients.
Snort/Suricata is easy to get wrong and end up blocking all sorts of things. Be sure to run it in non-blocking mode whilst tuning the ruleset and monitoring the logs until you are confident it's not blocking needed traffic. I usually give it at least a week before enabling blocking.
Steve
-
@stephenw10 said in pfSense-based network security appliance?:
I usually give it at least a week before enabling blocking.
That would be for someone that understands IPS, and what is false and what is not.. It could take much, much longer for someone that is new to the whole thing.
It can be a huge learning curve to understand what its showing you, what can be ignored and what should be investigated..
You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.
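Both Steve's "run it non-blocking whilst tuning the ruleset and monitoring the logs" and the point above about spending months in monitoring mode come down to the same chore: working out which signatures are noise on your network before you let them block. The script below is an added example of that triage (not code from the posts or from the Suricata/pfSense projects). It reads Suricata's EVE JSON log, ranks signatures by hit count, notes whether every hit stayed inside the local networks (the PC-to-NAS case mentioned later in the thread), and drafts threshold.config suppress entries using Suricata's `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax. The events, signature IDs and rule names in SAMPLE_EVE are constructed and do not correspond to real rules.

```python
"""Triage Suricata EVE JSON alerts from an alert-only (IDS) run and draft
threshold.config suppress entries for the noisiest internal-only signatures.

Added example, not from the forum posts or from Suricata/pfSense. The
events below are constructed; signature IDs 1000001-1000003 are not real.
"""
import ipaddress
import json

SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","dest_port":445,"alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE SMB large transfer heuristic","severity":3}}',
    '{"event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","dest_port":445}',
    '{"event_type":"alert","src_ip":"192.168.1.51","dest_ip":"192.168.1.10","dest_port":445,"alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE SMB large transfer heuristic","severity":3}}',
    '{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.1","dest_port":22,"alert":{"gid":1,"signature_id":1000002,"signature":"EXAMPLE inbound SSH scan","severity":2}}',
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","dest_port":445,"alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE SMB large transfer heuristic","severity":3}}',
    '{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.1","dest_port":22,"alert":{"gid":1,"signature_id":1000002,"signature":"EXAMPLE inbound SSH scan","severity":2}}',
    '{"event_type":"alert","src_ip":"192.168.1.52","dest_ip":"198.51.100.9","dest_port":53,"alert":{"gid":1,"signature_id":1000003,"signature":"EXAMPLE DNS to unusual resolver","severity":2}}',
    '{"event_type":"alert","src_ip":"192.168.1.51","dest_ip":"192.168.1.10","dest_port":445,"alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE SMB large transfer heuristic","severity":3}}',
]


def _is_local(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def triage(eve_lines, local_nets, min_hits=2):
    """Aggregate alert events per (gid, sid) and return those that fired at
    least min_hits times, noisiest first. internal_only is True when every
    hit had both endpoints inside local_nets (e.g. a PC talking to a NAS)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    agg = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow, dns, tls, stats ... records share the same file
        a = ev["alert"]
        key = (a["gid"], a["signature_id"])
        e = agg.setdefault(key, {
            "gid": a["gid"], "sid": a["signature_id"], "signature": a["signature"],
            "hits": 0, "sources": set(), "internal_only": True,
        })
        e["hits"] += 1
        e["sources"].add(ev["src_ip"])
        if not (_is_local(ev["src_ip"], nets) and _is_local(ev["dest_ip"], nets)):
            e["internal_only"] = False
    noisy = [e for e in agg.values() if e["hits"] >= min_hits]
    noisy.sort(key=lambda e: (-e["hits"], e["sid"]))
    return noisy


def suppress_line(entry, local_nets):
    """Render one threshold.config entry. Internal-only noise gets a suppress
    scoped to the local network(s) the sources sit in; anything involving an
    outside address is emitted as a comment so it gets reviewed, not silenced."""
    base = f"suppress gen_id {entry['gid']}, sig_id {entry['sid']}"
    if not entry["internal_only"]:
        return f"# REVIEW ({entry['hits']} hits, external endpoint involved): {base}"
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hit_nets = sorted(str(n) for n in nets
                      if any(ipaddress.ip_address(s) in n for s in entry["sources"]))
    return "\n".join(f"{base}, track by_src, ip {n}" for n in hit_nets)


def draft_threshold_config(eve_lines, local_nets, min_hits=2):
    """Full draft: a comment naming each signature followed by its entry."""
    return "\n".join(f"# {e['signature']} ({e['hits']} hits)\n{suppress_line(e, local_nets)}"
                     for e in triage(eve_lines, local_nets, min_hits))


if __name__ == "__main__":
    print(draft_threshold_config(SAMPLE_EVE, ["192.168.1.0/24"]))
```

Feed it the real eve.json (e.g. `open("/var/log/suricata/<iface>/eve.json")`) and raise min_hits until the list is short enough to read. The drafted suppress entries are still a starting point for review, not something to paste in blindly: a signature that fires between two internal hosts can be a real infection as well as a file copy.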
-
@johnpoz said in pfSense-based network security appliance?:
You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.
This sounds like me. I had no idea what I was doing and it sure did take me a few months to finally get it to a point where the network wasn't constantly "broken".
-
I'll apologize for having a go at the OP. Should have patiently and methodically worked through the issues to his desired solution and tried to guide him to a more realistic approach. One that would have worked for his business objectives and his clients.
When not in pandemic mode I often sit near a senior InfoSec guy for one of the most sprawling and bureaucratic international organizations. I once asked him about running Suricata on my home network (home being three locations, in this case). After some minutes of hysterical laughing he asked me what I expected to get out of that exercise. Of course I could not give him a satisfactory answer except to say I would enjoy the learning process.
-
@jwj said in pfSense-based network security appliance?:
I would enjoy the learning process.
Yup - that really is about it ;)
It really doesn't make a lot of sense on a home network to be honest.. Other than just as a learning tool.. It's sure not going to do anything to make some older people's internet any safer in the long run..
If you're not actively serving up services to the public.. It's pretty much going to be a lot of noise.. And unless you're doing man in the middle (MITM), it's not even going to see your traffic.. When a user goes to xyz.tld out on the internet.
I've been doing this for years, and I don't actively run it on my network.. And I have managed IPS/IDS for large corps in the past..
Can it be a great learning tool - sure, and can it give you interesting info to check on - sure. But
device that you plug in, turn it on, and it just flat out protects every device on the network
No, it's not going to be that box.. Going to state it again - there is no such device.. ;) Sure there are some really fancy UTMs on the market, and sure, pfSense can be used as a UTM if you want to use that term... But there is going to be a ton of work to get that to happen, and in a home setup with some older people as the users - makes no sense at all to be honest.
Now if you're a guy that is just busting at the chops to play with some new technology - hey, what is the IPS thing I hear so much about.. Then yeah, it's a great learning tool, and in the right hands could and can be a very valuable tool for those companies that can not afford to drop 100K on some shiny new tool from Company XYZ, etc..
-
@johnpoz and the couple hundred k$ a year good infosec people earn.
-
Exactly.. The guy that would use pfSense in the right way with the IPS package is normally going to be making a bit more than entry level ;)
I am all for playing with it on "your" network - and be glad to help for sure in getting it up and running.. But in the way I am reading this OP.. No, it's not the solution..
Would pfSense be a great firewall/router for someone to set up for a family member or friend that wants you to manage their network.. Yeah, damn straight!!! But running IPS on such a network just doesn't make a lot of sense - even if that is what you do for a living.. If I don't run it on my own network, and again I have gotten paid to do just that.. Why in hell would I run it on someone else's network for free ;) For it to do its thing, it has to be monitored and managed.. It's not just click it and forget it and you're protected..
And I think someone mentioned - it can lead to a false sense of security... Oh, I clicked install on the IPS package, I'm good - which is nowhere close to being the case.
Especially if you're new to the whole IPS/IDS arena.
edit: Sure, it could catch maybe some traffic from a user's PC to their NAS, if the traffic was routed through pfSense and the IPS.. If the user's PC was infected with something - but more likely than not it's going to scream at you that a user moving his file kicked up some signature that is just noise anyway.. And is this other network even going to be segmented so that traffic is routed through pfSense where the IPS could even see the traffic?
Another scenario - where it could make sense.. You're hosting some web service to the public off your home connection. And you have, say, haproxy doing the SSL offload, so all the traffic from pfSense to the web server box is only http.. Then sure, you could have your IPS looking at that traffic.. That could be of use - but I don't think that is the case in this thread ;)
-
@Raffi_ said in pfSense-based network security appliance?:
I think some of the things you want to accomplish can be done, but probably not all.
Thank you Raffi!
pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.
Cloudflare offers quite a bit of DNS filtering; all you have to do is set your primary DNS to 1.1.1.2. I haven’t seen any reports on how effective it is but I’ve been configuring my own and all my clients’ routers to use 1.1.1.2 since the “1.1.1.1 for Families” announcement in April. If anyone has direct knowledge that this is insufficient protection, please chime in.
Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out.
I think I’ll skip over IDS/IPS. With my clients, the problem isn’t intruders sneaking in the back door; my users let them in the front door! In close to 10 years, I’ve never had a (valid) call from a client who had (actually) experienced an intrusion. But I’ve cleaned up plenty of root kits, keyloggers, botnet clients, and other malware that started with a phone call or a webpage “from Microsoft”. I even went so far as to hire a developer (from one of those freelancer type sites) to write me a program to detect remote control connections, close the port(s), and display an advisory message about not letting anyone (whom you don’t know personally and don’t trust implicitly) to remotely control your computer. (Ultimately, he couldn’t get it done and refunded my money.)
This is such a problem for my clients. I am so adamant about this and try so hard to reinforce this message that when I install TeamViewer on their machines, I actually configure it for “View Only” so that even I cannot remotely control their machine. I just view their screen and guide them on where to click, what to type, etc., explaining as I go.
I’d still really like to come up with a program that can detect incoming remote control traffic and clamp those ports and display that message. I’m told that that kind of traffic isn’t easily detected, therefore there’s no simple way to do it but that doesn’t make sense to me. I’m more inclined to believe that the people who have told me that just don’t have the necessary knowledge level.
Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just imagine what chance we have with performing MITM. That is why others mentioned forget antivirus on the network level. I agree. Antivirus on the clients is the best bet.
That’s discouraging. Not having to pay (not just in money but also system overhead) for endpoint security solutions would be one of the selling points for my little appliance. Maybe I could use the MITM solution that e2guardian makes available and automatically sandbox all TLS 1.3 traffic?
As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an Office 365 account/mailbox I would highly recommend adding the ATP (advanced threat protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.
I can’t think of a single client who has an O365 account. Mostly Gmail, Yahoo, Hotmail/Outlook/Live.com and ISP (Cox) email accounts. I’ve been meaning to look into some sort of threat protection add-on for Thunderbird, but I know I’d get a lot of pushback. Old folks don’t tolerate change well, and the tech world forces a lot of it down their throats already.
As for older users, that is by far one of the biggest IT challenges :)
I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that, which is why scammers use that method.
Good luck
Thanks again!
-
@ErniePantuso said in pfSense-based network security appliance?:
Maybe I could use the MITM solution that e2guardian makes available and automatically sandbox all TLS 1.3 traffic?
e2guardian, like Dansguardian before it, is a filter for Squid like Squidguard is as I understand it. The MITM part is still via Squid so the same things apply. You have to install the CA certs on the client or configure them to use the proxy explicitly.
If you have not done it's worth watching this:
https://www.youtube.com/watch?v=xm_wEezrWf4
Steve
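A small illustration of what an intercepting (SSL-bump) proxy like Squid has to work with before it can forge a certificate for a client, added here as an example and not code from the post, from Squid or from pfSense. The only thing a proxy sees before the handshake is encrypted is the ClientHello, and in it the SNI host name, which is still sent in the clear in TLS 1.3 (absent Encrypted Client Hello). A proxy peeks at that name to decide whether to "bump" the connection (present a certificate signed by the CA you had to install on the client) or "splice" it (pass it through untouched, e.g. for banking sites on a bypass list). build_client_hello() only fabricates test input; extract_sni() and bump_decision() are the parts a proxy would run. The host names and the splice list are made up.

```python
"""Peek at the SNI in a TLS ClientHello, the way an intercepting proxy does
before deciding whether to forge a certificate ("bump") or pass the flow
through untouched ("splice").

Added example, not from the forum posts, Squid or pfSense.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name, leading_exts=b""):
    """Construct a minimal TLS ClientHello record carrying an SNI extension
    (test input only; a real browser sends far more than this)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    exts = leading_exts + sni_ext
    body = (b"\x03\x03" + bytes(32)                        # legacy version, random
            + b"\x00"                                      # empty session id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"    # two cipher suites
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from the SNI extension of a ClientHello, or None
    if the bytes are not a ClientHello, are truncated, or carry no SNI."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if hs[0] != CLIENT_HELLO:
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        if end > len(hs):
            return None                                    # truncated record
        p = 4 + 2 + 32                                     # skip version + random
        p += 1 + hs[p]                                     # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher suites
        p += 1 + hs[p]                                     # compression methods
        if p + 2 > end:
            return None                                    # no extensions block
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                q = p + 2                                  # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                         # host_name
                        return hs[q:q + nlen].decode("ascii") or None
                    q += nlen
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def bump_decision(client_hello, splice_suffixes):
    """'splice' = pass through untouched, 'bump' = intercept with a forged cert.
    No SNI means no sensible name to forge a certificate for, so splice."""
    host = extract_sni(client_hello)
    if host is None:
        return "splice"
    for s in splice_suffixes:
        if host == s or host.endswith("." + s):
            return "splice"
    return "bump"


if __name__ == "__main__":
    for name in ("forum.netgate.com", "www.bank.example"):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), bump_decision(hello, ["bank.example"]))
```

This is the same decision Squid's `ssl_bump peek`/`splice`/`bump` ACLs make, and it is also why a bypass list keyed on host names cannot help with clients that send no SNI or that pin certificates: those still break under interception, which is the "without breaking something" part of the earlier post.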
-
@stephenw10 said in pfSense-based network security appliance?:
The MITM part is still via Squid so the same things apply. You have to install the CA certs on the client or configure them to use the proxy explicitly.
As you might have noticed for a long time, nearly every program has settings that enable you to set up a proxy.
When a proxy is used, your program will use it for all its "Internet" communications, and the proxy will do the request on the program's behalf.
Normally, when your browser wants to connect to "forum.netgate.com" it will resolve this host name into an IP, and connect to that IP. While requesting info (a web page) "forum.netgate.com" will reply back with a server certificate that embeds the name of the host you are connecting to. Now your browser knows it's actually communicating with "forum.netgate.com".
When you use a proxy, when your browser wants to connect to "forum.netgate.com", it will connect to, for example, 192.168.1.1 - where the proxy 'lives', and that one will certainly not answer with "forum.netgate.com" (that's impossible). It will probably be something like "pfsense.yourlan.tld". Your browser is informed that this is a proxy it has to use, and it is informed to accept this certificate. The proxy will go ahead and do the real request to "forum.netgate.com" for you. It will do the normal TLS verifications, and answer back to the browser with the results.
For a short moment, the data received on the proxy is visible. It could do all kinds of data inspection.
3 reasons why all this isn't as simple:
- For all programs, all protocols, all ports, the proxy should know how to handle the traffic. Basic web browsing, ok, that will work. But web pages could contain scripts, and they can do whatever they want, in a totally undocumented way ... proxies won't work: the web page doesn't 'work' any more.
- Every program on a device has to be set up to use the proxy. Maybe an OS-wide setting is possible, but now you should hope programs actually respect this.
- If a server certificate announces "HSTS" your proxy won't work any more (edit: that is, the browser will not accept the proxy certificate as a replacement). And guess what, more and more sites use HSTS these days. Because "sites" want to talk to the 'real' person, not some MITM guy, as these sites have to guarantee the end user that the data isn't robbed, scanned, mistreated etc.
Btw: these are my words. Never used a proxy, squid etc. I'm just reading about it, for years, a decade or so. @jimp's videos, which @stephenw10 mentions above, are very well done. Many more exist on Youtube.
True, I tend to say that the usefulness of a proxy doesn't exist any more. It's something of the past. MITM has to die. It wasn't "The solution".
-