Setup Roadmap / Security Best Practices



  • Hi All

    I'm new to pfSense, but so far I'm impressed with the quality of the software and how nice the community is here.

    So far I've completed basic install and setup, got DHCP/DNS Resolver more or less configured, done a couple of firewall rules and learned how to install packages.

    I'm hoping to get some ideas on suggested setup to secure a home network that I use to run a small business for myself and my wife. Have a half a dozen computers - mix of Win8.1/Linux/FreeNAS/Android Phones/Tablets/Laptops/a Media Player (that I don't let access the internet directly for security reasons)/and several VMs which I hope to connect to VPNs.

    Now the real work of proper setup begins. Here are the main goals I want to accomplish:

    • Lock down as much as possible while still maintaining reasonable usability and not creating a maintenance nightmare

    • Good monitoring and display of activity so that it is easy to determine if there is something going on that shouldn't be.

    • Set up IDS/IPS - Best choice Suricata / Snort / pfBlocker / Other… or some combination - I'm hoping someone with experience can provide some guidance based on their experience.

    • To the greatest extent possible plug the privacy leaks created by Microsoft Windows 8.1 (not going to touch 10) by blocking telemetry and other objectionable "phone home" behavior.  Hence the need for good monitoring to spot such activity.

    Any suggestions would be much appreciated.  If I can come up with a good "recipe" I'll do my best to document it so others can benefit.

    Thanks.



  • I have spent quite some time lurking around here pretty well doing the same. While there is no magic bullet, the goal for me has been to have high security with low maintenance.

    I have quite a complex home network (to help emulate a corporate network for testing but also for security) and I am always looking to find ways to help secure it better.

    I have found this thread to be a pretty good starting point with some good security info; https://forum.pfsense.org/index.php?topic=78062.0

    There is also some pretty good info in the wiki such as this one for forcing your (or something like OpenDNS) DNS servers; https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    Hope some of this helps and I hope some people smarter than us chime in too! pfSense is a great platform that is improving all the time.