Conditional Connection Daemon {Now $400}

  • The current problem:

    Some nowadays protocols are widely WAN deployed despite a lot of them being insecure because of obsolescence or poor coding. How to make such connections a bit more secure without the need of a VPN or SSL VPN?

    How would that work?

    The question: What is that, a conditional connection daemon?

    The idea is to have an https server on the firewall linked with an authentication mechanism that would act as a Captive Portal on the WAN side. The authenticated user through this mechanism will either: access a personal web page that contains buttons on the services (administrator defined of course) he wants to grant himself (IP he’s currently connected from) for the next condition {period of time | connection attempts | other ideas?}, or have automatically granted the services for his user login based on a preset policy. This will open preset ports on the firewall and allow the connection based on the condition and wait for a connection from the same IP as the https connection. If the during the time the condition is awaiting to be true, the https connection is lost, the handshake is broken and the ports are immediately closed.

    In order to add another layer of security, the firewall should store an email address where to send a request like: “You have requested to access unsecured/unencrypted services through the CCD from IP at 10:23pm GMT. If you requested these services, simply send an empty reply to this email”. The email option is not mandatory, if people are not too worried about security.

    Summary of the connection:

    Client  https  pfSense
    -If authenticated
    Execute policy: open ports and wait for connection attempt based on condition

    -If not authenticated

    The danger!

    Allowing truly unknown users to open ports on a firewall by authenticating through an SSL/TLS connection can sound dangerous. But not as much as using software using clear text password to authenticate or some other poorly designed authentication system.

    The benefit!

    Conditional connections can temporarily allow unsecured/unencrypted software to be used by adding a slight layer of control on incoming connections. Not only they require the users, an authentication on the firewall prior to attempting to connect using their regular software, but, moreover, the firewall will have all the needed information to create on the fly NAT and packet filtering rules based on a predictable event happening from a know source, kept alive on another port. If one of the conditions is not true anymore, the dynamically opened ports are immediately closed for security purposes. Although it should be possible to disable this rule if needed for some applications. Users identified by this mechanism could have only the ports they have been assigned by their admin opened. Or the reverse; the firewall receiving a connection on the default port used by a software could route traffic to the correct LAN host while connections from other hosts on the Internet using the same default port are routed on another LAN host, all that based on the policy executed when they authenticated on the firewall.

  • What is this thinking with loud voice on a public place and wrong section?

  • Are you looking for someone to take up your bounty and make a package with what you propose?
    If yes: you kind of forgot to put a price on the bounty.

  • Well I didn't set a price because I wanted to see if this feature would be of any interest first. If not, the post can then be removed.

  • I kind of dont see the sense in such a complicated setup that doesnt add more security.
    If it's about the authentication you could do that on the webserver directly.
    Or if you really WANT to authenticate on the firewall why not just use a reverse captive portal?

    –> That might be a better bounty:
    "add the functionality of a reverse captive portal to the current captive portal"

    Or can you elaborate what the benefit of your text above is over existing systems that do the same but a lot easier?

  • What headhunter was describing is what many call SSL VPN, and it get's more and more popular, b/c it simply easy to setup and use.
    So you have my vote for this feature.

  • You are aware that pfSense already includes an SSL VPN solution, in the form of OpenVPN?  What he described was most definitely not a VPN.

  • I believe what this bounty is describing is a replication of the SSL VPN tool that Cisco has in their ASA devices.  If anyone has ever played with it before, its very easy to use and a nice substitute for installing clients on all remote user machines.  Its complicated, but very useful.  That said, this would be a considerable bounty project assuming that someone hasn't already written many of the tools for FreeBSD.

  • User space I assume then, like SSLexplorer?  Not a brilliant solution IMO, but better than nothing.

  • Right submicron,
    I know it from Zyxel and some other Redbox, where I don't remember the name right now.
    They definitely call it SSL-VPN.  ;D

  • @Cry:

    User space I assume then, like SSLexplorer?  Not a brilliant solution IMO, but better than nothing.

    Yep, pretty much exactly like that.  We ran into a company that was interested in installing pfSense (and buying support) a while ago but they ultimately went with Cisco ASAs instead specifically because they were sold on this feature.  I agree with you, its not a brilliant solution, but its convenient and relatively pain free to deploy.

    All of this is regardless of the point which is that unless someone is willing to pony up some bounty money and a proper specification for the work, this thread should go away or be moved to Packages where speculation and hyperbole can run rampant.

  • I think it's worth at least $300, maybe the developers (and some others) find some interest in this.

  • Are you actually offering to pay the $300 or just offering your opinion of what the work is worth?

  • Yes, that's an actual offer. I don't know how this normally works. Can you update me, what are the procedures ?

  • It would be a good idea to post exactly what you are willing to pay for.  Then a potential developer can decide if they are willing to do the work for the money offered.  If someone accepts the bounty you are responsible for ensuring that the work is done and paid for.

  • IF i am understanding this the way every one else is….

    Does the OpenVPN Access Server fit this picture? (although i am not sure if this program is completely open source)

    Also, SSL Explorer (Adito) was mentioned. Just an FYI the project is now being worked on by the OpenVPN team (and the Devs that forked SSL Explorer to Adito). Now called OpenVPN Application Layer Software (ALS)

    From the site:
    OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. OpenVPN-AS features include:

          A simple, Web-based Admin UI for configuration and management.
          An easy-to-use, GUI-based OpenVPN Client software package for Windows.
          A Client Web Server that automatically generates a client configuration and a pre-configured Windows VPN Client software installer for the user upon successful login.
          Integration with existing authentication systems using RADIUS, LDAP, and PAM

    OpenVPN-AS gives you the broad support and robust security of the OpenVPN open-source software project, coupled with the configuration and management tools needed to deploy the VPN solution easily and quickly.

  • I also think this is a great feature to have. I do currently use it through a Juniper firewall and it has saved us tremendously in managing vpn access. I am willing to put in another $100.00

  • Yep, I'll do so, as soon as I caught up with my work after my vacation.
    I should be similar what Watchguard or Zyxel call SSL VPN.

  • Just saw that I missed the second page of this thread and want to ask if headhunter_unit23 had a chance to test it.
    Myself will try to find sometime this or next week to set this up.

    Or anybody else tried OpenVPN in the described way ?

Log in to reply