How to test your pfsense firewall for vulnerabilities

dgall

What are some good ways to test your firewall for vulnerabilities?  I had to set up pfsense to be able to access my security cameras at work and when I did I now have a few ports that are not stealth anymore I want to be able to see see what a hacker could see if he probed my firewall. I am not too worried about my security camera after a few tries it locks you out I just want to make sure no one can see anymore then that and please do not tell me shields up at GRC

chpalmer

The more secure thing would be to put your cameras (or anything else you have ports forwarded to) on their own subnet and segregate them.

I generally use AngryIP for most of my testing. I set it up with several dozen ports.  Im not a fan of GRC either but it is a tool that can be used if understood.

my 2 pennies.  :)

divsys

The more secure thing would be to put your cameras (or anything else you have ports forwarded to) on their own subnet and segregate them.

Absolutely agree with that comment especially where cameras are concerned.

The other thing to seriously consider is dropping the entire Port-Forward concept and implement OpenVPN.
It's stable and pretty easy to setup these days on anything from desktops to phones to tablets, etc.

Well worth the added layer of security in my mind.

cmb

It's not the intentional functionality you need to be concerned with. Security cameras have awful track records of being insecure by design, having back doors, and having serious vulnerabilities that they tend to not be quick to fix if they ever fix them. I wouldn't open any camera to the Internet. VPN is the way to get to the cameras remotely.

marvosa

Well, your original question was:

What are some good ways to test your firewall for vulnerabilities?

Did you want good or cheap?  Because typically the two choices are mutually exclusive.  A "good" way is to have a security firm scan and assess your entire network both internally and externally.  The firm we hired used Nessus (http://www.tenable.com/products/nessus-vulnerability-scanner) I believe, which looks like it starts @ $2200/year.  They found hundreds of vulnerabilities throughout the network which turned into a security project that took 6 months to remediate.

dgall

I set up my camera  for port forwarding I have 1 port open I have been doing my research and scanning it with NMAP and it looks like I have everything locked up pretty tight.
I am also pretty happy with snort also any kind of port scan and snort blocks the ip address of where I am scanning from and when I do access the camera 3 wrong passwords and I am locked out and I have the default password disabled if someone did hack my camera all they can see is the outside of my shop my biggest concern is someone being able to access the rest of the network.
The next thing I am going to mess with is Kali Linux https://www.kali.org/ to probe my system

dgall

@cmb:

It's not the intentional functionality you need to be concerned with. Security cameras have awful track records of being insecure by design, having back doors, and having serious vulnerabilities that they tend to not be quick to fix if they ever fix them. I wouldn't open any camera to the Internet. VPN is the way to get to the cameras remotely.

Learning how to use the vpn for my camera is my next learning lesson

dgall

@marvosa:

Well, your original question was:

What are some good ways to test your firewall for vulnerabilities?

Did you want good or cheap?  Because typically the two choices are mutually exclusive.  A "good" way is to have a security firm scan and assess your entire network both internally and externally.  The firm we hired used Nessus (http://www.tenable.com/products/nessus-vulnerability-scanner) I believe, which looks like it starts @ $2200/year.  They found hundreds of vulnerabilities throughout the network which turned into a security project that took 6 months to remediate.

I'm going to mess with this first marvosa https://www.kali.org/

cmb

Vulnerability scanners do a decent job of finding vulnerabilities known to exist today. That's important, but offers no help against what comes out tomorrow. You're probably not constantly watching all the various sources for vulnerability disclosures, and new holes in cameras especially come out all the time. With search engines like Shodan making it easy to find vulnerable devices immediately upon vulnerability disclosure, you could be safe today, and hacked within hours of a new vulnerability before you have any idea it even exists, and often for that type of device before a fix is available. That's why it's never a good idea to open devices like that with horrid security track records to the Internet.

dgall

@cmb:

Vulnerability scanners do a decent job of finding vulnerabilities known to exist today. That's important, but offers no help against what comes out tomorrow. You're probably not constantly watching all the various sources for vulnerability disclosures, and new holes in cameras especially come out all the time. With search engines like Shodan making it easy to find vulnerable devices immediately upon vulnerability disclosure, you could be safe today, and hacked within hours of a new vulnerability before you have any idea it even exists, and often for that type of device before a fix is available. That's why it's never a good idea to open devices like that with horrid security track records to the Internet.

I have it locked up pretty tight now my question is of someone hacks in can they get into my network thru the camera system ? My cameras are only pointing at the outside of my building if someone hacked only the cameras to look at my parking lot I could care less and if they did My browser home page is pfsense I look at the bandwidth logs all the time it wouldn't be very long before I shut them down.

divsys

The problem with IP cameras is that they need a server internally to process and present video data to the outside world.
The software and protocols are evolving and improving (at least ONVIF is trying to be a "standard") but they've still got a long way to go.
Most of the internal systems run some variant of Linux that's been beaten into shape by the manufacturer.
They also invariably have a Web server of some kind to make control and access easier.
As to whether or not they are/were worried about securing their little Linux box against outsiders taking control, the answer is unfortunately "not so much".

I agree with all of cmb's comments.
Save yourself some grief, either now or in the future someone will come knocking on your camera to try and zombie it or worse get a backdoor into your network.

OpenVPN is easy in the end.
I happen to know a great resource spot for all the help you'll need (hint:it's right here).

Just ask, we'll help  ;)

NOYB

@divsys:

… implement OpenVPN.

That's what I was going to say.

@dgall:

… if someone did hack my camera all they can see is the outside of my shop ...

If you're lucky.  If not they have access your entire network.

@dgall:

… my biggest concern is someone being able to access the rest of the network.

Yup.  Go with OpenVPN.  And do it now.

Guest

I have it locked up pretty tight now my question is of someone hacks in can they get into my network thru the camera system ?

Are this LAN cameras or WLAN cameras? And if this are WiFi cameras are they able to hold a radius server
certificate likes the Axis cameras will do? Is the WiFi then also encrypted? And when yes with what?

This would be the first thing I would clear up to be on the safe side.

My cameras are only pointing at the outside of my building if someone hacked only the cameras to look at my parking lot I could care less and if they did My browser home page is pfsense I look at the bandwidth logs all the time it wouldn't be very long before I shut them down.

If a door or windows is open not only you will be able to join! And if this cameras are "talking" to much to his
vendors servers someone could capture that data flow and try out connecting to your network the cameras are in.

I would suggest the following in that case;
LAN cameras

• close all ports that are open now!
• set up a DMZ and put them (cameras) all inside of this DMZ
• set up an VPN tunnel from your Laptop or PC to connect securely to your network
• Or set up a VPN site-to-side VPN connection from your home to the pfSense with the cameras in the DMZ

WLAN (WiFI) cameras:

• set up a radius server
• provide to any camera a certificate
• encrypt the WLAN WiFi connection
• set up a VPN from your Laptop to the pfSense

As a testing method the angry IPScanner and netmap or zenmap will be a nice point to start
but this might be not really solving the problem if someone is disconnecting a camera and installs
his own device instead or between the camera and your network, then he is also inside of this network
without your knowledge. But some cameras comes beside with a theft prevention or alarm, alternatively
you could monitor your network with PRTG and let this monitoring program give an alarm, it works great
together with APC UPS and also Kentix sensors that are giving alarm over SMS & eMail if you want and willing.

OpenLDAP and/or Radius servers are very effective things you could think about to let them join your security
concept in that case here. Snort could be also a nice add on to sniff inside the data flow of your DMZ or the
whole network that will close then ports if something is detected or found. Security is mostly a combination
of more then one single point but more many things that are working flawless together.

dgall

Thanks guys this weekend when the internet at work is not in use I will try OPENVPN