Vulnerability assessment?

  • I've just placed an order for an SG-2220 and have a question in the meanwhile. What do you guys use to assess the vulnerability of your home network? What scanner or service? I am running Nessus for now (free/home version). Any other/better product suggestions? It would be great to see what impact the firewall has on my security, and in general how vulnerable my network appears to the outside world.

  • LAYER 8 Global Moderator

    Impact on your security from what point of view? Ports would still be open from the internet if you have them open. If not, from the internet there is nothing open inbound. So no real change in security there.

    Now if you isolate different devices onto different VLANs/segments and then firewall and only allow specific ports, this could be a huge change in your security from one device to another device.

    But those types of scanners are scanning for vulns in applications/services you are allowing access to. So if the access is still allowed through the firewall there would be no change in your overall security stance.

    Nessus or Tenable is great for assessing what applications/services need to be patched or altered to make them more secure. But pfSense is not an application firewall, while it can do IPS with add-ons. Generally speaking it's just allowing or blocking access to ports. If you allow access to an application/service that has known exploits then the firewall does not really help unless you reduce what actually has access to those vuln services.

    For example if ssh some httpd is open to the public internet, the firewall (pfSense) is not going to make that httpd more secure. You would have to do that at the httpd service itself. Now if you limited access to that httpd to only your known IPs vs the whole internet then you have reduced the exposure but not actually fixed the problem of having an httpd running that is open to exploit, etc.

    The fact of using, say, pfSense vs some home router is not in itself going to make your network more secure. If you use the features of pfSense to limit or remove things that were exposed before then sure it can help. But don't just think a simple 1 to 1 replacement of your SOHO router is going to magically make you more secure.

    Now if you use pfSense to segment your network and isolate devices that are more prone to issues from your other devices then sure you could greatly increase the overall security of your network. For example if you now isolate your IoT devices from talking to your other devices. If that device becomes compromised it does not have free access to the rest of your devices.
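
The point of the reply above, worked through as an added example that is not part of any post in this thread: a simplified first-match, default-deny rule model (an assumption, not pfSense's actual rule engine) applied to scanner findings, comparing a flat network, a source-restricted port forward, and a segmented IoT VLAN. All addresses, findings and rule sets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed scanner findings: (host, port, issue). Not real scan output.
FINDINGS = [("192.168.10.5", 80, "outdated httpd"),
            ("192.168.10.5", 22, "sshd allows password logins"),
            ("192.168.10.20", 445, "SMBv1 enabled")]
# Constructed vantage points a connection could come from.
SOURCES = {"internet": "203.0.113.50", "trusted": "198.51.100.7",
           "iot": "192.168.30.9"}
WEB = "192.168.10.5/32"
INSIDE = "192.168.0.0/16"

def rule(action, src, dst, port=None):
    """Build a rule tuple; port=None means any port."""
    return (action, ip_network(src), ip_network(dst), port)

def allowed(rules, src, dst, port):
    """Simplified model: first matching rule wins, no match means blocked."""
    for action, s, d, p in rules:
        if ip_address(src) in s and ip_address(dst) in d and p in (None, port):
            return action == "pass"
    return False

def exposure(rules):
    """(source, host, port) for every finding that source can still reach."""
    return {(name, host, port) for name, ip in SOURCES.items()
            for host, port, _ in FINDINGS if allowed(rules, ip, host, port)}

# Flat: httpd forwarded to everyone, all inside devices talk freely.
FLAT = [rule("pass", "0.0.0.0/0", WEB, 80), rule("pass", INSIDE, INSIDE)]
# Restricted: httpd reachable from one known IP only, inside still flat.
RESTRICTED = [rule("pass", "198.51.100.7/32", WEB, 80),
              rule("pass", INSIDE, INSIDE)]
# Segmented: as above, plus the IoT VLAN is blocked from other devices.
SEGMENTED = [rule("pass", "198.51.100.7/32", WEB, 80),
             rule("block", "192.168.30.0/24", INSIDE),
             rule("pass", INSIDE, INSIDE)]

if __name__ == "__main__":
    for label, rules in [("flat", FLAT), ("restricted", RESTRICTED),
                         ("segmented", SEGMENTED)]:
        print(label, sorted(exposure(rules)))
    # The findings list never shrinks: the rules change reach, not the flaw.
    print("findings still unpatched:", len(FINDINGS))
```
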

  • Very thoughtful and intelligent reply. Makes sense. Thank you!

  • Rebel Alliance Developer Netgate

    You might also consider spinning up a Kali VM and using OpenVAS in place of Nessus if it's for personal use.
