4 questions (Network segmentation, VPN Routing, Tor and Security in general)



  • Hello, first off I am cautious of this new forum as I've only been on it for a few mins and there's what looks like someone spamming the same title of Chinese characters over and over, hope this isn't reflective of the new forum :(

    I have 4 questions, some are pretty "inexperienced in nature" and some, I think, are more specialised:

    1. Network Segmentation - I've been looking into network segmentation. I want my 2 separate computing areas (both performing different tasks, network wise) to have 2 separate networks so that they can't reach or talk to each other. How would I go about this physically, using hardware devices in place of doing it virtually? Would I require 2 pfSense devices?

    2. I've asked this before on the old forum under another username however I can't remember the answer (I believe I got quite a few "Why would you want to do this, OP?" but no actual answer). I want to route one OpenVPN connection from a first provider (NordVPN) through another OpenVPN connection belonging to another provider (Private Internet Access, PIA). How would I do that?

    3. Tor - I simply want to block everything going through a pfSense device that isn't run through a VPN connection and that isn't Tor traffic. Is there any way to do this in pfSense? If not, then how would I do this another way?

    4. How secure is network segmentation, is there still a way to pivot from one segmented network machine (node?) to one in another network?

    Thanks for all the responses and I look forward to being a part of this forum and improving myself.

    edit:
    Damn, well there's clearly not as many people on this new forum. Sad.


  • Netgate Administrator

    Yes, we have put in more anti-spam measures but it's a delicate balance between blocking forum spam and not blocking legitimate members. We continue to tune that.

    1. You just need to add another interface to your pfSense box. Connect the second network segment to that and use appropriate firewall rules to prevent traffic between the internal interfaces. That could be two physical NICs or it could be VLAN interfaces if you have managed switches.

    2. Yes, why would you want to do that? 😉 But you could. Assign the first OpenVPN connection as an interface. Use that interface on the second OpenVPN connection.

    3. Not easily. You can force everything except the VPN traffic itself to use the VPN but you then need a rule to identify Tor traffic and pass that directly. You could try to use an alias of Tor nodes via pfBlocker maybe but it will likely be only partially effective. Tor traffic is deliberately hard to identify like that.

    4. Very secure. If you don't have any connectivity between the segments other than through the firewall then you will not see any traffic between them other than what you allow in firewall rules.

    Steve


  • LAYER 8 Global Moderator

    Yeah the China Character Spam is new in the last few days.. Bombs hits, there was one the other day that got in 36 posts.. Before spotted and deleted.

    When you have a popular forum site - you become a bigger target for spammers. And not only the spammers that post their junk, but also just creating accounts to try and up their SEO (search engine optimization).. Since I have recently become mod I have been trying my best to keep the spam down. I caught 2 more china spammers this morning a few minutes after they created accounts.. It can be a back and forth battle for sure..

    If you see anything suspicious - please report it.

    4: If you're physically separated, ie different physical switches and interfaces, it's pretty much impossible.. Without connecting to the other network be it wired or wireless.. With wired you can run a NAC or just plain physical security to prevent someone from connecting to the network they are not supposed to be on. With wifi - use good wifi security to prevent users from connecting.

    Now there is a thing called VLAN hopping.. Where it is in theory possible to jump from one vlan to another.. But unless you were say a DOD facility or something, not something you should need to worry about as long as your vlan capable switches are actually doing what they are supposed to be doing and configured correctly.

    3: To only allow tor.. If you know what "bridges" you're connecting to for tor - you could limit your access to only those IPs and ports you're using..



  • @stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    Yes, we have put in more anti-spam measures but it's a delicate balance between blocking forum spam and not blocking legitimate members. We continue to tune that.

    1. You just need to add another interface to your pfSense box. Connect the second network segment to that and use appropriate firewall rules to prevent traffic between the internal interfaces. That could be two physical NICs or it could be VLAN interfaces if you have managed switches.

    2. Yes, why would you want to do that? 😉 But you could. Assign the first OpenVPN connection as an interface. Use that interface on the second OpenVPN connection.

    3. Not easily. You can force everything except the VPN traffic itself to use the VPN but you then need a rule to identify Tor traffic and pass that directly. You could try to use an alias of Tor nodes via pfBlocker maybe but it will likely be only partially effective. Tor traffic is deliberately hard to identify like that.

    4. Very secure. If you don't have any connectivity between the segments other than through the firewall then you will not see any traffic between them other than what you allow in firewall rules.

    Steve

    1. Yeah, I was hoping for more of a physical separation with 2 switches and pfSense device, something about having the same pfSense device just feels less secure to me, probably just being paranoid.

    2. The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.

    3. Yeah, looking like that's the way I'll have to do it, I think there are lists available that detail Tor exit nodes (or how would Suricata and Snort be able to pick them up). The only problems are that:

    • A) I would need to find some way of blocking all connections that aren't Tor, however that does seem very hard to do because of how Tor works.

    • B) I would need to update the lists as more nodes and bridges get added.

    • C) I would, somehow, need to block unsolicited traffic and only allow the bare-minimum needed to browse Tor because of the attacks that are perpetrated using the network itself.

    1. Yeah, like I said above I was aiming for a more "concrete" separation method (physical) because I still don't trust that someone with access to my network machines (if they were/are compromised) couldn't mess with pfSense and break the security. Any tips / requirements or resources on what I would need and how to go about network segmentation so that they have NO access to each other at all?

    @johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    Yeah the China Character Spam is new in the last few days.. Bombs hits, there was one the other day that got in 36 posts.. Before spotted and deleted.

    When you have a popular forum site - you become a bigger target for spammers. And not only the spammers that post their junk, but also just creating accounts to try and up their SEO (search engine optimization).. Since I have recently become mod I have been trying my best to keep the spam down. I caught 2 more china spammers this morning a few minutes after they created accounts.. It can be a back and forth battle for sure..

    If you see anything suspicious - please report it.

    4: If you're physically separated, ie different physical switches and interfaces, it's pretty much impossible.. Without connecting to the other network be it wired or wireless.. With wired you can run a NAC or just plain physical security to prevent someone from connecting to the network they are not supposed to be on. With wifi - use good wifi security to prevent users from connecting.

    Now there is a thing called VLAN hopping.. Where it is in theory possible to jump from one vlan to another.. But unless you were say a DOD facility or something, not something you should need to worry about as long as your vlan capable switches are actually doing what they are supposed to be doing and configured correctly.

    3: To only allow tor.. If you know what "bridges" you're connecting to for tor - you could limit your access to only those IPs and ports you're using..

    I honestly don't understand what they stand to gain by spamming a forum like this, just to say they can?

    About network security - I only have a handful of machines on my network (around 2 or 3 and 1 more that I want to be on a separate network entirely) and it's ALL wired, too many security risks otherwise. Would just having physical security locked down be enough of a NAC in my case? (I'm the only one who uses said computers).

    VLAN Hopping - So would VLAN hopping still be a problem if I were to physically split the networks? (preferably using a device if such exists) and from what research I did a while back there's not really much I can do to mitigate this risk, is there?

    If such a device does exist, could you possibly link me one (and any others that I might need to 100% segment my network?), money doesn't really matter in this situation as there isn't much I won't pay for peace of mind and security but obviously nothing like $1000 please :)


  • LAYER 8 Global Moderator

    You can get the $30 dumb switch if you're going to physically separate the networks..

    As to VLAN hopping... So you think some elite ninja hackers are going to have physical access to your machine on vlan A, and they might hop over to vlan B? I mean really - maybe you need to loosen the tin foil hat at least 1 notch ;) The blood flow is prob starting to suffer at this point to be honest..

    You get multiple nics and plug in dumb switch A to nic A, and put network 192.168.1/24 on it let's say, and then you plug dumb switch B into nic B that you put network 192.168.2/24 on..

    You only allow access to bridges in your tor - you can pull a list once you connect. And just block everything else - it's a click in the firewall rules to be honest..

    I love how people that don't work in security... Think that they need DOD facility level security - do you have 20 million in bitcoin sitting on your machine or something? Let's get real here ;)


  • Netgate Administrator

    You can use pfBlocker to pull and update lists and convert them into aliases you can use in firewall rules. I've never tried but I'm sure there is a Tor list you could use there.

    The only way you will get traffic between the interfaces is if the firewall is misconfigured or it is somehow compromised via some yet unknown method.

    Separate interfaces is maybe marginally more secure than VLANs. It doesn't rely on the switch operating as expected (or not having exploits).

    Otherwise get a second ISP connection and a second firewall and have zero physical connection between them. But I think we all agree that is extreme! 😉

    Steve


  • LAYER 8 Global Moderator

    I think maybe he should just airgap his machines, running on their own isolated power sources.. Connecting to the power grid is a "risk" hehehe Should prob do this all inside a Faraday Cage to be "extra" secure ;) And then just sneaker net anything he wants on encrypted disks to be extra secure.. Then after each transfer destroy the disks..

    Make sure you do this in your basement (your bomb shelter prob a good choice here) so they can not bounce any lasers off your windows and pick up keystrokes or audio, etc.

    Here is what I am talking about with a tor bridge..
    https://www.torproject.org/docs/bridges.html.en#BridgeIntroduction

    example here is 3 bridges I found from the bridges DB

    50.39.170.81:443 1B39EA619A2514BD1DBEB75836610E1D5CED13FC
    45.55.52.78:8443 F0E2B678833F42E92F9C1F8E697FCD862463E85E
    73.245.116.148:443 8A4541FB62E7B2ACE14270E42513C605C06BDDD3

    Set up those IPs to be allowed, block all others. Make sure your Tor client is set up to use those bridge IPs only and ports, say 443. At pfSense block all other traffic..

    0_1535895569364_torbridge.png



  • @johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    You can get the $30 dumb switch if you're going to physically separate the networks..

    As to VLAN hopping... So you think some elite ninja hackers are going to have physical access to your machine on vlan A, and they might hop over to vlan B? I mean really - maybe you need to loosen the tin foil hat at least 1 notch ;) The blood flow is prob starting to suffer at this point to be honest..

    You get multiple nics and plug in dumb switch A to nic A, and put network 192.168.1/24 on it let's say, and then you plug dumb switch B into nic B that you put network 192.168.2/24 on..

    You only allow access to bridges in your tor - you can pull a list once you connect. And just block everything else - it's a click in the firewall rules to be honest..

    I love how people that don't work in security... Think that they need DOD facility level security - do you have 20 million in bitcoin sitting on your machine or something? Let's get real here ;)

    Think about it this way, your house/car/business probably isn't going to get robbed but that's no reason not to want the best security. I can't see a problem with DOD levels of security if I'm the only one on the network and don't mind the usability trade-off imo.

    So, a couple more stupid questions: 1) VLAN hopping can only happen on Virtual LANs, right? So having physically separated networks would 100% mitigate this problem? and 2) Where my ISP sends the cable in and I attach it to a router, would I then at that point connect the cable from that router to the switch and the pfSense devices as the only 2 connections? Would that separate them 100%? (flow would look like this):

    [ISP Cable --> Basic Modem --> Switch --> pfSense Device 1 (Separate network 1)
                                          --> pfSense box 2 (Separate network 2)]
    

    @stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    You can use pfBlocker to pull and update lists and convert them into aliases you can use in firewall rules. I've never tried but I'm sure there is a Tor list you could use there.

    The only way you will get traffic between the interfaces is if the firewall is misconfigured or it is somehow compromised via some yet unknown method.

    Separate interfaces is maybe marginally more secure than VLANs. It doesn't rely on the switch operating as expected (or not having exploits).

    Otherwise get a second ISP connection and a second firewall and have zero physical connection between them. But I think we all agree that is extreme! 😉

    Steve

    Yeah, I would do that however there's no lines available where I live and it would cost loads more per month. Using pfBlocker is probably what I'll do as it seems like the path of least resistance. I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.

    @johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    I think maybe he should just airgap his machines, running on their own isolated power sources.. Connecting to the power grid is a "risk" hehehe Should prob do this all inside a inside a Faraday Cage to be "extra" secure ;) And then just sneaker net anything he wants on encrypted disks to be extra secure.. Then after each transfer destroy the disks..

    Make sure you do this in your basement (your bomb shelter prob a good choice here) so they can not bounce any lasers off your windows and pick up keystrokes or audio, etc.

    Here is what I am talking about with a tor bridge..
    https://www.torproject.org/docs/bridges.html.en#BridgeIntroduction

    example here is 3 bridges I found from the bridges DB

    50.39.170.81:443 1B39EA619A2514BD1DBEB75836610E1D5CED13FC
    45.55.52.78:8443 F0E2B678833F42E92F9C1F8E697FCD862463E85E
    73.245.116.148:443 8A4541FB62E7B2ACE14270E42513C605C06BDDD3

    Set up those IPs to be allowed, block all others. Make sure your Tor client is set up to use those bridge IPs only and ports, say 443. At pfSense block all other traffic..

    0_1535895569364_torbridge.png

    Are you sure that would work? wouldn't that block the nodes on Tor or would I have to allow all traffic coming from both sources that are involved with that IP? In other words wouldn't it also block every website or connection visited if the ONLY traffic that can pass through are bridges? or would it all look (to pfSense at least) that all the traffic is coming through those bridges? A little confused to be honest.

    (if that's how it works, could I do the same with the VPN connection I'm running my network through if I have an alias of the IP's that the VPN connects to?)

    Thanks to all who reply and answer my inane questions, still learning.


  • Netgate Administrator

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.

    The only way you could do that would be to use VLANs back to the ISP somehow. But then they'd probably want to charge you twice. 😉

    You can use two pfSense firewalls exactly as you've outlined there. It will work fine.
    It's unnecessary IMO and it makes creating connections between the subnets far harder if you ever have to. I have worked with a few people who had exactly that setup and ended up with all sorts of crazy port forwards etc...
    But there is some merit in it. If you have an internal machine compromised the attack surface against the LAN is that much bigger than the WAN of the other firewall.

    Yes with tunneled traffic like that destination IP of the tunnel traffic itself is always the other tunnel end point so you can allow that only.

    Steve
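    The rules discussed above (the two internal segments kept apart, Steve's point that only the tunnel itself needs to leave the WAN, and johnpoz's "allow only the bridge IP:ports, block everything else" for the Tor segment) written out as one plain pf.conf ruleset. This is an added example, not from the thread and not what pfSense generates from its GUI; the interface names, the VPN endpoint 203.0.113.10, tunnel port 1194 and tunnel gateway 10.8.0.1 are assumptions, and the bridge addresses are the three johnpoz quoted.

```pf
# Added example (not from the thread, not pfSense output). Interface names,
# the VPN endpoint (RFC 5737 placeholder), port and tunnel gateway are assumed.
wan      = "em0"       # ISP side
lan      = "em1"       # normal segment, 192.168.1.0/24, everything via the VPN
torlan   = "em2"       # Tor-only segment, 192.168.2.0/24, bridges only
ovpnc    = "ovpnc1"    # OpenVPN client interface (NordVPN in the thread)
vpn_srv  = "203.0.113.10"   # assumed provider endpoint
vpn_port = "1194"           # assumed tunnel port (UDP)
vpn_gw   = "10.8.0.1"       # assumed tunnel-side gateway

# Bridge IP:port pairs from johnpoz's post. Ports differ, so keep two tables
# rather than allowing 443 and 8443 to every bridge.
table <tor_bridges_443>  { 50.39.170.81, 73.245.116.148 }
table <tor_bridges_8443> { 45.55.52.78 }

set skip on lo0
set block-policy drop
scrub in all

# Source NAT: LAN leaves through the tunnel, the Tor segment leaves via WAN.
nat on $ovpnc from $lan:network    to any -> ($ovpnc)
nat on $wan   from $torlan:network to any -> ($wan)

# Default deny and log. Every "quick" rule below is first-match, like the
# pfSense GUI; anything not matched falls through to this block.
block log all
antispoof quick for { $lan $torlan }

# Q1/Q4: the two internal segments never reach each other, whatever follows.
block in quick log on $lan    from any to $torlan:network
block in quick log on $torlan from any to $lan:network

# Kill switch (Steve's point): the only thing the firewall may send out of
# the WAN for the LAN side is the tunnel itself, UDP to the provider endpoint.
# Any other WAN egress from that segment is a leak and is logged by the block.
pass out quick on $wan proto udp from ($wan) to $vpn_srv port $vpn_port keep state

# Normal segment: policy-route every flow into the tunnel, never straight to WAN.
pass in  quick on $lan route-to ($ovpnc $vpn_gw) from $lan:network to any keep state
pass out quick on $ovpnc keep state

# Tor-only segment (johnpoz): the Tor client is configured to use only these
# bridges, so the firewall allows just those IP:port pairs and drops the rest,
# DNS included. Relays beyond the bridge are never visible to the firewall.
# Hosts here are assumed statically addressed; DHCP to the firewall would need
# its own pass rule.
pass in  quick on $torlan proto tcp from $torlan:network to <tor_bridges_443>  port 443  keep state
pass in  quick on $torlan proto tcp from $torlan:network to <tor_bridges_8443> port 8443 keep state
pass out quick on $wan    proto tcp from ($wan)          to <tor_bridges_443>  port 443  keep state
pass out quick on $wan    proto tcp from ($wan)          to <tor_bridges_8443> port 8443 keep state
```

    `pfctl -nf <file>` parses a standalone ruleset like this without loading it; on pfSense the same logic is built in the GUI as interfaces, aliases and per-interface rules, and the logged default block is where a VPN or Tor leak would show up.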


  • LAYER 8 Global Moderator

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    Are you sure that would work? wouldn't that block the nodes on Tor

    Yeah I am sure it will work - I have been doing this for 30+ years.. Doesn't matter what hops you hit after.. Before you get all worked up about security.. It's normally a good idea to understand the basics before how to secure it ;)

    What exactly is your tinfoil hat worried about here? You're worried about something phoning home? You're worried about your ISP seeing what traffic?

    Your firewall is at the edge, if you only allow ip address to go to IP xyz on port abc - this is ALL that will be allowed no matter what you do on the client..

    Blocking outbound is not something you normally have to worry about.. IF your box is compromised it's already too late!! You should be more worried about what code you execute on your box vs what ports it can go outbound on...

    Maybe it's time to stop watching Mr Robot, and smoking that stuff that makes you paranoid ;)

    Isolating devices from talking to each other on your local lan is as simple as a decent switch and private vlans.. Or run host firewalls on each device, or just simply isolate your trusted devices from your untrusted devices on different vlans. For example my iot devices are NOT on the same vlan as my nas and PC... They can NOT create unsolicited traffic to any other network locally.. And I log everything they do outbound - so I know if they start phoning home to china for example.


  • Banned

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    1. The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out of be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.

    It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.

    And the final VPN is most likely the first target, as this is the one visible to your peers.



  • @stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    I was hoping that there was a way I could turn the 1 cable from my ISP into 2 separate and isolated network connections.

    The only way you could do that would be to use VLANs back to the ISP somehow. But then they'd probably want to charge you twice. 😉

    You can use two pfSense firewalls exactly as you've outlined there. It will work fine.
    It's unnecessary IMO and it makes creating connections between the subnets far harder if you ever have to. I have worked with a few people who had exactly that setup and ended up with all sorts of crazy port forwards etc...
    But there is some merit in it. If you have an internal machine compromised the attack surface against the LAN is that much bigger than the WAN of the other firewall.

    Yes with tunneled traffic like that destination IP of the tunnel traffic itself is always the other tunnel end point so you can allow that only.

    Steve

    Yeah, I'm probably going to use the same network cable to modem but then have that cable connected to a switch and have 2 seperate pfSense firewalls running off it, one for Tor only and one for regular browsing. Both locked down as hard as I can.

    I don't see myself ever needing to communicate between the subnets at all so I'm not that concerned, but would one of the machines on pfSense device one be able to see a machine or the firewall of pfSense device 2? If so that wrecks my plans.

    Also when I have my current OpenVPN connection (which all network traffic is currently running through) I can see that my machine is connecting to IPs that come from everywhere and loads of websites, why doesn't it just show endless connections between my OVPN connection and my machine? How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?

    @johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    Are you sure that would work? wouldn't that block the nodes on Tor

    Yeah I am sure it will work - I have been doing this for 30+ years.. Doesn't matter what hops you hit after.. Before you get all worked up about security.. It's normally a good idea to understand the basics before how to secure it ;)

    What exactly is your tinfoil hat worried about here? You're worried about something phoning home? You're worried about your ISP seeing what traffic?

    Your firewall is at the edge, if you only allow ip address to go to IP xyz on port abc - this is ALL that will be allowed no matter what you do on the client..

    Blocking outbound is not something you normally have to worry about.. IF your box is compromised it's already too late!! You should be more worried about what code you execute on your box vs what ports it can go outbound on...

    Maybe it's time to stop watching Mr Robot, and smoking that stuff that makes you paranoid ;)

    Isolating devices from talking to each other on your local lan is as simple as a decent switch and private vlans.. Or run host firewalls on each device, or just simply isolate your trusted devices from your untrusted devices on different vlans. For example my iot devices are NOT on the same vlan as my nas and PC... They can NOT create unsolicited traffic to any other network locally.. And I log everything they do outbound - so I know if they start phoning home to china for example.

    Well as passive-aggressive as that "know the basics" comment was I agree completely. I'm not going to pretend to be better than I am, I don't have anywhere near the experience that you and most other members of the forum have but I am trying to learn. I don't understand everything yet, I'm trying but sometimes when you're stuck with a certain concept you just need to go over it again and again until it clicks, topics like these have always been a "weak spot" for me. If you have any resources that I could learn from (other than the 2 Certs mentioned above) then I would be grateful to look through them, googling "networking fundamentals" casts a wide net and I just don't have the time currently.

    I'm trying to learn a few things (such as networking, pen testing, malware analysis, forensics etc) but I can't do that unless I know I'm secure. Over the next few months I'm planning to learn (and eventually take) the CCNP and CISSP as side-projects to understand more of the fundamentals of these topics but for now I'll have to rely on the knowledge of people such as yourself and Steve to help me while I learn.

    It's not a tinfoil hat so much as I just want to learn how to secure something to the highest degree, it will also be useful from an educational standpoint. If I have one network that only needs to use Tor I'm not sure why I shouldn't do everything I can to protect it, same goes for the "normal" network. I'm not worried about the ISP very much (the end-to-end encryption of the VPN handles that if I believe correctly) however phoning home and people being able to scan and compromise a machine on my network is what I'm worried about.

    About only specific ports: it was my understanding that applications, services and connections use a random port each time (my device has connections on random ports, like 5999 or 8264 etc). How would I know what ports would be ok to use and which ones should be blocked? Also, don't the majority of malware operate on port 80 as it's the most common port anyway? Rendering blocking ports more-or-less useless?

    I don't do drugs but I have watched most of Mr Robot and while I did love the show it did scare me a bit.

    I think I've already isolated them from communicating (I have a custom Suricata rule that denies all traffic going anywhere in the internal network from any direction). I just want a more absolute way of ensuring that.

    Lastly, I'm sure this comes with as much experience as you have but I'm a little stuck on how to analyse the traffic going out of my pfSense device. I can do IP lookups to see where it's going to, however I often have no idea if that's a server owned by the service provider, software company or if it's been compromised and it's calling home. Is there any course or materials directed at understanding network traffic analysis more? I would love to learn more about it.

    @grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    1. The same reason that criminals mix their Bitcoin through multiple "coin mixers", if one is compromised (and turns out of be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my method of thinking. I'll do this when I next have time and report back if I have any problems, thanks.

    It doesn't work that way. You can route your final VPN through as many other VPNs as you want, its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity it will get the actual data, no matter how many times it has been encrypted on the way there.

    And the final VPN is most likely the first target, as this is the one visible to your peers.

    This just baffles me. Once the endpoint (lets say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?

    Take the example of Tor being used with 2 VPN's vs 1 VPN:

    1 VPN Connection:
    -> Honeypot server -> They break Tor somehow or get malware onto the machine -> VPN IP -> My IP

    2 VPN connections:
    -> Honeypot server -> They break Tor or exploit the machine -> 2nd VPN connection IP -> They have the VPN provider logs -> 1st VPN connection -> My IP

    Isn't having more VPN's more secure than only 1 because if they were to own the 1st VPN country wouldn't the IP appear as the IP of another VPN country? creating another obstacle for them to overcome?

    (The data being sent through the tunnel should be encrypted regardless so only me, the 1st connection and the endpoint should be able to see its contents, but it's not that sensitive, I need it to be anonymous more than secret.)


  • Banned

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    This just baffles me. Once the endpoint (lets say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?

    Yes. But you are also a customer of that VPN provider and they have, at least, some payment information from you.


  • Netgate Administrator

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?

    Tor security issues aside.... that is a whole other subject! 😉

    Where are you 'looking' at that traffic? What traffic are you seeing?

    If it's anything other than OpenVPN UDP traffic on the port specified and you're seeing that on the WAN side of the firewall then that is traffic outside the VPN which you probably don't want.

    Steve



  • @grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    This just baffles me. Once the endpoint (lets say an FBI honeypot) gets the connection of me visiting it they would just see the VPN IP correct? and if the VPN provider was to hand over logs (even full logs) if I ran it through 2 OpenVPN connections (interfaces) wouldn't they then be met with the 1st VPN's IP?

    Yes. But you are also a customer of that VPN provider and they have, at least, some payment information from you.

    Yeah, the financial side doesn't link back to me, thanks.

    @stephenw10 said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    How can it see the traffic if it's tunneled using the VPN and if so then when I'm using Tor does that mean that pfSense (and maybe my ISP) can still see the traffic?

    Tor security issues aside.... that is a whole other subject! 😉

    Where are you 'looking' at that traffic? What traffic are you seeing?

    If it's anything other than OpenVPN UDP traffic on the port specified and you're seeing that on the WAN side of the firewall then that is traffic outside the VPN which you probably don't want.

    Steve

    Yeah, don't want to get scared by that just yet. I want to sleep well for a bit at least :)

    The traffic that I'm looking at is on the index of pfSense itself. It will say something like 192.168.1.200 -> random IP (not NordVPN). How is it seeing that? Also, about the ports specified: I'm not sure that I can do that, as it seems to be using random ports, like applications do, and while I still use Windows there's no way I could micro-manage that to the level that I feel comfortable with.

    All the traffic is on LAN going through the OVPN interface, WAN is 100% blocked. I set up the "internet kill switch" with the help of NordVPN support.


  • LAYER 8 Global Moderator

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    It will say something like 192.168.1.200 -> random IP (not NordVPN).

    So you're looking at the pfSense state table.. Yeah, if your client is going to Google, i.e. its dest IP is 8.8.8.8 for example... Then yeah, that is what the state table in pfSense would show.. How pfSense gets traffic to 8.8.8.8 is the part you're not looking at.. Normally pfSense would drop that traffic on its WAN, to its gateway. In the case of VPN.. it throws it out its VPN interface..



  • @johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    It will say something like 192.168.1.200 -> random IP (not NordVPN).

    So you're looking at the pfSense state table.. Yeah, if your client is going to Google, i.e. its dest IP is 8.8.8.8 for example... Then yeah, that is what the state table in pfSense would show.. How pfSense gets traffic to 8.8.8.8 is the part you're not looking at.. Normally pfSense would drop that traffic on its WAN, to its gateway. In the case of VPN.. it throws it out its VPN interface..

    So it's still encrypting it through the VPN connection right?

    Also I'm wondering if I can restrict access to the pfSense login screen to a specific IP? I could change the password but I only really want to access it from a secure computer.

    Also, if I used a switch after my modem and had 2 separate pfSense devices, would that essentially create 2 different networks? Could they still attack each other?


  • LAYER 8 Global Moderator

    Yes, it would be encrypting it.. If you want to see what is leaving your WAN, just do a packet capture on your WAN interface.. That will show you ALL traffic pfSense is getting from or putting on the wire..

    You want to restrict access to the web GUI from where? From the LAN you would need to disable the anti-lockout rule.. And then put in appropriate rules to allow from where you want and block from everywhere else.

    Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.

    There would be a common transit network between your pfSense boxes and your modem... But no, devices from behind pfSense 1 could not talk to devices behind pfSense 2... You seem to lack basics of understanding between layer 2 and layer 3.. For something to talk to devices behind the other pfSense it would be no different than them wanting to talk to, say, devices behind my pfSense.. You would have to know my public IP.. And I would have had to forward the traffic to my device behind pfSense.
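
    The two points in the post above, that the anti-lockout rule must go before a LAN rule can restrict the web GUI, and that the first matching rule wins, are easy to get wrong in the rule order. The following is an added example, not pfSense code or anything from the thread: a small first-match evaluator over constructed rule sets, showing the anti-lockout rule swallowing the block, the working order, and a misordered set where the "allow LAN to any" rule sits above the block. The admin workstation address, the LAN subnet and the GUI ports (80 and 443) are assumptions; use whatever the box is actually configured with.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # source network in CIDR form
    dst_ports: Optional[FrozenSet[int]]  # None matches any destination port
    description: str = ""


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_port: int,
             default: str = "block") -> Tuple[str, Optional[Rule]]:
    """First matching rule decides; nothing after it is consulted.
    The default models the implicit deny for traffic no rule passes."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if ip not in ip_network(rule.src):
            continue
        if rule.dst_ports is not None and dst_port not in rule.dst_ports:
            continue
        return rule.action, rule
    return default, None


GUI_PORTS = frozenset({80, 443})   # assumed web GUI ports
ADMIN_HOST = "192.168.1.10/32"     # constructed: the one trusted workstation
LAN_NET = "192.168.1.0/24"         # constructed LAN subnet

# Anti-lockout still enabled: it sits above the user rules and passes GUI
# traffic from the whole LAN, so the block rule below it never triggers.
WITH_ANTI_LOCKOUT = [
    Rule("pass", "tcp", LAN_NET, GUI_PORTS, "anti-lockout (automatic)"),
    Rule("pass", "tcp", ADMIN_HOST, GUI_PORTS, "admin workstation to web GUI"),
    Rule("block", "tcp", LAN_NET, GUI_PORTS, "everyone else to web GUI"),
    Rule("pass", "any", LAN_NET, None, "default allow LAN to any"),
]

# Anti-lockout disabled; specific allow, then block, then the catch-all.
RESTRICTED = WITH_ANTI_LOCKOUT[1:]

# Same three rules with the catch-all on top: it matches first for every LAN
# host, so the restriction is silently ineffective.
MISORDERED = [RESTRICTED[2], RESTRICTED[0], RESTRICTED[1]]


def gui_access(rules: List[Rule], src_ip: str) -> str:
    """Decision for an HTTPS connection from src_ip to the firewall's GUI."""
    return evaluate(rules, "tcp", src_ip, 443)[0]


if __name__ == "__main__":
    for name, rules in (("anti-lockout on", WITH_ANTI_LOCKOUT),
                        ("restricted", RESTRICTED), ("misordered", MISORDERED)):
        for host in ("192.168.1.10", "192.168.1.200"):
            action, rule = evaluate(rules, "tcp", host, 443)
            why = rule.description if rule else "implicit deny"
            print(f"{name:16} {host:14} -> {action:5} ({why})")
```

    The evaluator ignores interface and direction, which pfSense does take into account, so treat it as a way to reason about ordering rather than a model of pf. Before disabling the anti-lockout rule on a real box, make sure console or serial access is available in case the new rules lock out the workstation you are using.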



  • @johnpoz said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    Yes, it would be encrypting it.. If you want to see what is leaving your WAN, just do a packet capture on your WAN interface.. That will show you ALL traffic pfSense is getting from or putting on the wire..

    You want to restrict access to the web GUI from where? From the LAN you would need to disable the anti-lockout rule.. And then put in appropriate rules to allow from where you want and block from everywhere else.

    Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.

    There would be a common transit network between your pfSense boxes and your modem... But no, devices from behind pfSense 1 could not talk to devices behind pfSense 2... You seem to lack basics of understanding between layer 2 and layer 3.. For something to talk to devices behind the other pfSense it would be no different than them wanting to talk to, say, devices behind my pfSense.. You would have to know my public IP.. And I would have had to forward the traffic to my device behind pfSense.

    So just saying, you could have said "look into the OSI model more; specifically layer 2 and 3" instead of "you seem to lack the basic understanding", there's no need to belittle me.

    Apart from that I think everything's done for now. I'll make another thread if I have any more problems with the actual application of these plans. Thanks everyone for the help.



  • @grimson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    @mrpeterson said in 4 questions (Network segmentation, VPN Routing, Tor and Security in general):

    1. The same reason that criminals mix their Bitcoin through multiple "coin mixers": if one is compromised (and turns out to be logging) then you're still anonymous thanks to the other "mixer" (VPN connection); at least that's my way of thinking. I'll do this when I next have time and report back if I have any problems, thanks.

    It doesn't work that way. You can route your final VPN through as many other VPNs as you want; its endpoint still has to decrypt the traffic and send it out to its actual target. If the server of that final VPN is compromised (or the provider just lies in his ads) and does log the activity, it will get the actual data, no matter how many times it has been encrypted on the way there.

    And the final VPN is most likely the first target, as this is the one visible to your peers.

    ^^---This. You are only as secure as your weakest point. Once it leaves your network, assume it's insecure. You can do your best to put a nice thick wrapper around it, but as noted, it must be unwrapped at some point.

    Read the history of how the FBI tracked down the Silk Road admin. Tor isn't a safe silver bullet. Many people who set up Tor nodes have no idea what they're doing, and they are not any kind of system/network admin. All you need is one horribly configured exit node and you're screwed. And there are a lot of them out there.



  • @tim-mcmanus

    Couldn't agree more. At its core Tor is just a couple of proxies; a couple of ISPs to "strong-arm" and they've got you.

    I'm attempting to implement some security practices that make it a lot harder. More specifically, 2 end-to-end encryption tunnels (via 2 different "reputable" VPNs) and hopefully one of the Raspberry Pi devices that turn a Tor connection into a network connection, essentially meaning that I will have 8 hops rather than 3.

    The data itself is rarely ever sensitive in nature.

