Administrative host for multi-site pfSense implementation



  • I have three sites that will soon be using pfSense firewalls. I plan to create a management VLAN for each site that provides administrative access to the web configurators for each managed device (i.e. switches, APs, etc.).

    My question relates to best practices for creating a single, secure, administrative host that can access the three management VLANs (one per site). I will likely have a hub and spoke VPN with head office serving as the NOC.

    Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.


  • One computer to access all three locations' management VLANs securely?

    If I understand correctly.

    • Put the administrative computer behind a firewall that does not allow access to anything that isn't necessary - don't use this computer for anything else.

    • Key + Pass VPN to each location.

    • HTTPS-only access to the WebGUI with a strong password (don't use port 443 for your VPN)

    • You could even use RADIUS to further restrict authentication for the management VLAN
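    One way to express the first three points as a host firewall policy on the dedicated admin workstation, written here as an added example in pf syntax (it is not pfBasic's or the pfSense project's configuration); the three management subnets, interface names and VPN hub address are constructed placeholders that would be replaced with the real site values:

    ```pf
    # Constructed addressing (placeholders, not from the thread):
    #   site A mgmt VLAN 10.1.99.0/24, site B 10.2.99.0/24, site C 10.3.99.0/24
    #   VPN hub at 203.0.113.10 (documentation range), OpenVPN on udp/1194
    mgmt_vlans = "{ 10.1.99.0/24, 10.2.99.0/24, 10.3.99.0/24 }"
    vpn_hub    = "203.0.113.10"
    vpn_if     = "tun0"      # tunnel interface brought up by the VPN client
    wan_if     = "em0"       # physical NIC of the admin host

    set block-policy drop
    set skip on lo0

    # Default deny in both directions and log every hit, so anything
    # unexpected from the admin box shows up in pflog.
    block log all

    # The physical NIC may only get an address (DHCP) and carry the
    # key+password VPN to the hub. Note the VPN is on udp/1194, not 443.
    pass out quick on $wan_if proto udp from ($wan_if) to any port 67:68 keep state
    pass out quick on $wan_if proto udp from ($wan_if) to $vpn_hub port 1194 keep state

    # Inside the tunnel: only the WebGUI (HTTPS) and SSH, and only to the
    # three management VLANs. No browsing, no other subnets.
    pass out quick on $vpn_if proto tcp to $mgmt_vlans port { 443, 22 } keep state

    # ICMP echo for reachability checks against the managed devices.
    pass out quick on $vpn_if inet proto icmp to $mgmt_vlans icmp-type echoreq keep state
    ```

    Load with `pfctl -f /etc/pf.conf` and verify with `pfctl -sr`; if the hub is reached by DNS name rather than address, a matching udp/53 rule to the resolver would also be needed.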



  • Thanks pfBasic.
    I wear quite a few hats that require regular non-administrative use of all subnets (one is subject to PCI) in our environment. To avoid having to keep half a dozen towers by my desk, would VMs on maybe two desktops be advised/secure with dedicated NICs per VM? Would a host-based hypervisor suffice, or should it be bare metal?

    Thanks.


  • All of those questions are honestly beyond me. I'm not in IT or anything related to that professionally.

    Isolating the admin computer to only pfSense management functions is the most secure but by no means a requirement.

    I would say just isolate the management device as much as practical. Security will always have to make a compromise with convenience, so it's just up to you where you find that compromise.

    I'm sure bare metal is technically more secure in some ways, but for real world use I doubt that it will matter at all.



  • @SR190:

    Thanks pfBasic.
    I wear quite a few hats that require regular non-administrative use of all subnets (one is subject to PCI) in our environment. To avoid having to keep half a dozen towers by my desk, would VMs on maybe two desktops be advised/secure with dedicated NICs per VM? Would a host-based hypervisor suffice, or should it be bare metal?

    Thanks.

    VMWare or Hypervisor would work.



  • Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.

    The pfSense team is, if I remember correctly, working on a solution like that, but I can't say much about the state of that work and other details; there is not much information about it. If you want a fair answer, I personally would work at each site with Aten serial console switches. They have some interesting solutions and different models, for real serial, USB and LAN port console switches, so at each site all models can be connected to those KVM switches, and over VPN you will be able to connect to them to configure all your devices and pfSense on top. A VPN might be secure enough to carry out that action.