pfSense-based network security appliance?



  • I’m 100% new to pfSense. Never installed, used or even seen it. But I understand the basic concept and I know there’s lots of plugins/extensions, so....
    I’m wondering if this is possible... Let me define what I mean by “Network Security Appliance”...

    This would be a device that you plug in, turn it on, and it just flat out protects every device on the network. How? What does that look like? Let me explain...

    First of all, it acts as an “anti-malware server”, scanning all incoming network traffic for known malware signatures (which are updated nightly, automatically) - regardless of platform - and potentially malicious code (code that looks like it could be a ransomware attack, web pages that “lock” the browser in full-screen mode with an “FBI WARNING”, etc.) It can also scan any/all computers/devices on the network (on a schedule, when the devices aren’t in use at say 3AM).

    Second, it blocks known malicious sites/urls, protects against malicious redirects, spoofed sites, scripts, etc. (Something like e2guardian, etc.)

    Third, it acts as a middleman for downloads, scanning all files automatically using the command line version of VirusTotal. It then notifies the initiating computer whether the file is safe or not and (if it is safe) transfers it to that computer.

    Fourth, it detects and clamps down on remote control traffic, displaying a warning message about the dangers of allowing strangers from Bangladesh to remotely control your computer. (No, they’re NOT really from Microsoft!)

    Fifth - - suggestions?

    Does anything like this already exist? Does pfSense have the necessary add-ons/plugins/extensions to create something like this? Should I be barking up a different tree? (If so, any recommendations?)

    Thanks for your time and consideration.





  • @NOCling Hmmm. Maybe. That looks like some kind of six-figure service aimed at corporations, though. I’m just looking for something similar and affordable that the average homeowner can just plug and play. Or (better still) a DIY version of that.



  • @ErniePantuso said in pfSense-based network security appliance?:

    @NOCling Hmmm. Maybe. That looks like some kind of six-figure service aimed at corporations, though. I’m just looking for something similar and affordable that the average homeowner can just plug and play. Or (better still) a DIY version of that.

    That was my initial question, whether you're using it for a home environment. With that answered: with pfSense, along with packages such as Snort or Suricata, pfBlockerNG-Devel, and Squid's antivirus, you will be able to accomplish your network security needs. I must warn that the learning curve is steep; however, since you have indicated having the basic concept, you should be okay initially, but you still have some learning to do, especially for intrusion detection and prevention. I would suggest spending some time on the forum in hardware if you intend a DIY approach. Also, look at what Netgate has to offer, like the SG-3100 and SG-1100 as earlier suggested, since you did not indicate the user environment in your original post.


  • LAYER 8 Global Moderator

    @ErniePantuso said in pfSense-based network security appliance?:

    This would be a device that you plug in, turn it on, and it just flat out protects every device on the network.

    No such device - no matter how much money you spend ;)

    All devices that would perform any sort of security function would require setup and configuration. And, the big one, maintenance.

    Also any sort of security is going to come at a cost to ease of use and user happiness.. Once you put in any sort of security anything - users will complain, and more often than not look for ways to circumvent it ;)

    Pfsense can do many of the things you would want on your network: firewall, sure; IPS/IDS, web filtering, DNS filtering, reverse proxy, etc. But it's not going to come without considerable investment.. If not from a money aspect, then from a time spent in configuration and management aspect of it.

    To be honest, your typical home network has little use for an IPS.. Are you hosting services to the public internet? Are there devices on your local network running services not under your control?

    The problem with IPS is not that it doesn't work; the problem is most home users have no desire to actually set it up correctly, and spend the time in maintenance of the rules.. And follow up on the many false positives that will always show up.. More likely than not it's going to cause you more grief and complaints from your home users (this doesn't work, that doesn't work..) than any possible benefit in your overall security stance..

    Your point of being a man in the middle and filtering all downloads.. Yeah, good luck with that.. Since most everything is https these days, it means you actually have to do a MITM sort of setup on your own network.. Which is another whole can of worms to open up, and not really clicky clicky to get working.. It's simpler, to be honest, if you're worried about users downloading bad shit, to just manage the security software on their machines to do any scanning or prevention of exe code on their local devices vs trying to do such services on a network device.

    If you think you can just click install on it - and be done.. You are mistaken..


  • Netgate Administrator

    Yeah, you are basically describing a UTM device. pfSense is a firewall and router with plugins that give it some UTM features. There are some things that are not available at all, a mail filter/scanner for example.

    Steve



  • I have too often seen a false sense of security demonstrated around UTM systems. There is no such thing as 100% secure. Complacency becomes the risk.

    For the typical home network UTM may be overkill. Why would anyone be interested in your network when they can exploit millions by going after the large service providers. Stay up to date and don't do anything crazy with your firewall rules.



  • @NollipfSense said in pfSense-based network security appliance?:

    That was my initial question, whether you're using it for a home environment. With that answered: with pfSense, along with packages such as Snort or Suricata, pfBlockerNG-Devel, and Squid's antivirus, you will be able to accomplish your network security needs. I must warn that the learning curve is steep; however, since you have indicated having the basic concept, you should be okay initially, but you still have some learning to do, especially for intrusion detection and prevention.

    Thank you! That’s helpful. I’ll look into the packages you’ve named. If you think of any others, please let me know.



  • @stephenw10 said in pfSense-based network security appliance?:

    Yeah, you are basically describing a UTM device. pfSense is a firewall and router with plugins that give it some UTM features. There are some things that are not available at all, a mail filter/scanner for example.

    Steve

    Thanks for putting a name to this for me, Steve. Maybe I could employ Docker containers for things like mail filtering/scanning that pfSense can’t/won’t address. Maybe even for some of the things that it CAN do — but maybe they’re more easily employed/managed as containerized services.



  • @johnpoz said in pfSense-based network security appliance?:

    @ErniePantuso said in pfSense-based network security appliance?:

    This would be a device that you plug in, turn it on, and it just flat out protects every device on the network.

    No such device - no matter how much money you spend ;)

    That’s true of most things - until someone decides to build it.

    Also any sort of security is going to come at a cost to ease of use and user happiness.. Once you put in any sort of security anything - users will complain, and more often than not look for ways to circumvent it ;)

    That’s true if your background is in IT and you have a large user base. I’m coming from a very different perspective/situation.

    Pfsense can do many of the things you would want on your network: firewall, sure; IPS/IDS, web filtering, DNS filtering, reverse proxy, etc. But it's not going to come without considerable investment.. If not from a money aspect, then from a time spent in configuration and management aspect of it.

    Then maybe it’s not the right tool for the job for me. Maybe I just want to use pfSense as a firewall. As I said above, if containerized services are a better approach, fine — I just need some advice on what those services are - how and where to look for them. If all you were trying to accomplish was DNS filtering, what would be your go-to choice? If all you were trying to do was web filtering, what would you use? Someone mentioned that there’s a package for Squid antivirus... Maybe there’s a Docker container for it. Or maybe there’s something even better?

    To be honest, your typical home network has little use for an IPS.. Are you hosting services to the public internet? Are there devices on your local network running services not under your control?

    None of these devices will be under my control. I’m not looking into this for personal use (although, if I can make this happen, I’ll certainly use it in my home/on my network). This is intended as a solution for my clients - hundreds of retirees who are extremely unsophisticated users and therefore at a much higher risk. Some of these users have actually fallen for the “We’re from Microsoft” scam more than once.

    The problem with IPS is not that it doesn't work; the problem is most home users have no desire to actually set it up correctly, and spend the time in maintenance of the rules.. And follow up on the many false positives that will always show up.. More likely than not it's going to cause you more grief and complaints from your home users (this doesn't work, that doesn't work..) than any possible benefit in your overall security stance..

    The benefits would be huge for my customer base but clearly I’ll need to find a way to simplify/minimize the administration.

    Your point of being a man in the middle and filtering all downloads.. Yeah, good luck with that.. Since most everything is https these days, it means you actually have to do a MITM sort of setup on your own network.. Which is another whole can of worms to open up, and not really clicky clicky to get working..

    There’s an e2guardian Docker container with MITM built right in and ready to go.

    If you think you can just click install on it - and be done.. You are mistaken..

    Anything is possible.



  • @jwj said in pfSense-based network security appliance?:

    I have too often seen a false sense of security demonstrated around UTM systems. There is no such thing as 100% secure. Complacency becomes the risk.

    My users are already complacent. And fairly clueless. I don’t need 100% secure - but even getting to 80% would be a HUGE improvement.

    For the typical home network UTM may be overkill. Why would anyone be interested in your network when they can exploit millions by going after the large service providers.

    You obviously have no idea how gullible old people can be and how often they are targeted by scammers. Many of these scams aren’t even that sophisticated. But my clients fall for it. I actually lost a client because she was tired of paying me to come to her house, run a scan - no threats found - and she still had malware. (It was much later when I realized that the reason she thought she still had malware was because various web pages/websites were telling her so!) I actually set up a webpage on my business website that popped up a message saying, “Your shoe is untied” just to try to explain it to them. Seriously, try to see this from where I’m coming from — not from the perspective of an IT Security Specialist with a large corporate user base.


  • Netgate Administrator

    Ummm.. let's keep it civil please. Constructive suggestions if you have them. 😕

    Edit: Some posts were removed here after civility was lost!



  • @ErniePantuso said in pfSense-based network security appliance?:

    That’s true of most things - until someone decides to build it.

    Then this person should break 'TLS' first. Which means that the secured access that we all benefit from using https would have to be undone.
    That's what you want?
    When you use an inviolable connection between your device and, let's say, your bank, would you be happy if, under some conditions, this connection could be broken open and the content inspected?
    If you could do that, everybody else, with good intentions or not, would be able to do the same.

    So, for example, packet inspection to see the content and act upon it: that's not an option any more. Quantum computing could accelerate decoding, sure, just as quantum encryption would harden the encryption.

    pfSense works like the local post office.
    It relays envelopes and other boxes, based upon what is written onto them. Not what's in them.



  • @Gertjan said in pfSense-based network security appliance?:

    Then this person should break 'TLS' first. Which means that the secured access that we all benefit from using https would have to be undone.

    I’m sure you know more about this stuff than I do, Gertjan, but if e2guardian has MITM support and can decrypt encrypted traffic to scan and filter it, then why couldn’t pfSense (and other services) do the same?

    When you use a inviolable connection between your device and, let's say, your bank, would you be happy if, that, under some conditions, this connection could be broken open, and the content being inspected ?

    The MITM capabilities of e2guardian require you to set up keys and certs in order to use it. AFAIK, there’s little or no potential for abuse/misuse unless someone is either IN your home or has penetrated your firewall (in which case you have bigger problems than this). But even if there was, my online banking information (and my email, and shopping, and...) is still protected by a good, strong password.

    If there’s something I’m missing, here, please let me know.



  • @stephenw10 said in pfSense-based network security appliance?:

    Edit: Some posts were removed here after civility was lost!

    No probs Steve, I was losing my temper there. My apologies.
    Edit: I hope in the future all insulting and belittling posts will be also deleted. Thanks man.


  • Netgate Administrator

    It was not you specifically, no need to apologise. ☺

    This sort of thing just feeds more unnecessary comments, everyone ends up posting stuff they would not normally.

    Sometimes it's better just not to post anything.

    Steve



  • @Steve, You're right.. I should not have replied to it. I know some of our new users lack basic network knowledge. But I just can’t stand to see our new users being insulted and belittled.



  • I think some of the things you want to accomplish can be done, but probably not all.

    pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.

    Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out. If you do end up trying either, I would highly suggest running it in intrusion detection mode first so that it only alerts on potentially malicious traffic and doesn't act on it. Otherwise you will end up with a lot of users complaining about a lot of broken things. A website not loading would only be the tip of that iceberg.

    Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just imagine what chance we have with performing MITM. That is why others mentioned forget antivirus on the network level. I agree. Antivirus on the clients is the best bet.

    As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an Office 365 account/mailbox I would highly recommend adding the ATP (Advanced Threat Protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.

    As for older users, that is by far one of the biggest IT challenges :)
    I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that which is why scammers use that method.

    Good luck
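    Raffi's pfBlockerNG-devel point above comes down to feed quality and false positives. The script below is an added example, not pfBlockerNG's or pfSense's code, of what a DNSBL feed turns into on the Unbound side: it normalizes two constructed feeds written in the usual bare-domain and hosts-file formats, applies an allowlist, collapses names already covered by a blocked parent zone, and emits Unbound local-zone/local-data entries. The sinkhole address 10.10.10.1, the feed contents and the domain names are assumptions for illustration; the redirect/transparent zone semantics and the longest-match rule are standard Unbound behaviour.

```python
"""Build an Unbound DNSBL from blocklist feeds, pfBlockerNG-style.

Added example; not pfBlockerNG or pfSense code. Feeds, names and the
sinkhole address are constructed/assumed for illustration.
"""
import ipaddress
import re

SINKHOLE_IP = "10.10.10.1"  # assumption: address sinkholed names resolve to

# Constructed feed contents in the formats real feeds use: bare domains,
# hosts-file entries, comments, trailing dots, mixed case and junk lines.
FEED_MALWARE = """\
# constructed malware-domain feed
evil-updates.example
0.0.0.0 tracker.example
127.0.0.1 cdn.evil-updates.example
login.bank-example.com   # over-broad entry, a likely false positive
"""
FEED_ADS = """\
EVIL-UPDATES.example
ads.example.
bank-example.com
not a domain!!
"""
# Names that must keep resolving even if a feed lists them or their parent.
ALLOWLIST = {"login.bank-example.com"}

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, <= 253 total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_feed(text):
    """Yield normalized domain names from one feed, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:  # hosts-file style "<ip> <name>"
            try:
                ipaddress.ip_address(parts[0])
            except ValueError:
                continue  # several words but no leading IP: junk line
            line = parts[1]
        name = line.lower().rstrip(".")
        if _HOSTNAME.match(name):
            yield name


def ancestors(name):
    """Parent zones of a name: 'a.b.c' -> ['b.c', 'c']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def collapse(domains):
    """Drop names already covered by a blocked parent. An Unbound redirect
    zone answers for every name below it, so the child entry is redundant."""
    kept = set()
    for d in sorted(domains, key=lambda s: s.count(".")):
        if not any(a in kept for a in ancestors(d)):
            kept.add(d)
    return kept


def build_dnsbl(feeds, allowlist):
    """Return (blocked zones, Unbound config lines) for the given feeds."""
    domains = set()
    for feed in feeds:
        domains.update(parse_feed(feed))
    # Allowlisted names, and anything below them, never become blocked zones.
    domains = {d for d in domains
               if d not in allowlist and not any(a in allowlist for a in ancestors(d))}
    zones = collapse(domains)
    lines = []
    for z in sorted(zones):
        lines.append(f'local-zone: "{z}" redirect')
        lines.append(f'local-data: "{z} A {SINKHOLE_IP}"')
    # An allowlisted name under a blocked parent needs its own, more specific
    # zone: the longest matching local-zone wins, and 'transparent' restores
    # normal resolution for just that name.
    for a in sorted(allowlist):
        if any(p in zones for p in ancestors(a)):
            lines.append(f'local-zone: "{a}" transparent')
    return zones, lines


if __name__ == "__main__":
    _, config_lines = build_dnsbl([FEED_MALWARE, FEED_ADS], ALLOWLIST)
    print("\n".join(config_lines))
```

    The transparent override is the part worth noticing: with only an exact-match allowlist, `login.bank-example.com` would still be sinkholed because its parent is a redirect zone, which is exactly the kind of false positive a user reports as "the bank site is broken".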


  • Netgate Administrator

    Yes, I agree with most of that. Except wishing there was a mail proxy in pfSense I'd have to support. 😉
    There used to be packages for that but moving it off the firewall was the right move IMO.

    pfSense is not a UTM and even with all the appropriate packages it will not do all things you might want. But as others have pointed out even the most complete UTM device is no substitute for end device security. You need both in most situations.

    If you are running Squid you may as well enable ClamAV if you have capable hardware. It's a single check box and usually 'just works'. It probably won't catch anything, especially if you're not running full SSL interception, but usually doesn't hurt either. You still need AV on the clients.

    Snort/Suricata is easy to get wrong and end up blocking all sorts of things. Be sure to run it in non-blocking mode whilst tuning the ruleset and monitoring the logs until you are confident it's not blocking needed traffic. I usually give it at least a week before enabling blocking.

    Steve
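    Steve's advice above, to run Snort/Suricata in non-blocking mode and tune against the logs before enabling blocking, is the step that usually gets skipped. The script below is an added example of that tuning pass, not Suricata or pfSense code: it reads a constructed excerpt of Suricata's eve.json (alert and flow events in the field layout Suricata writes), summarizes each signature by hit count and by how many LAN hosts triggered it, turns broad low-severity signatures into threshold.config `suppress` entries, and refuses to auto-suppress anything high-severity. The LAN prefix, the three-host noise threshold and the signature IDs/names are made-up assumptions; the `suppress gen_id ..., sig_id ...` syntax is the real threshold.config form.

```python
"""Triage Suricata EVE alerts collected in IDS (non-blocking) mode.

Added example; not Suricata or pfSense code. The eve.json lines, signature
IDs and thresholds below are constructed for illustration.
"""
import json

LAN_PREFIX = "192.168.1."  # assumption: the LAN the sensor watches
NOISE_HOSTS = 3            # assumption: seen from this many LAN hosts = likely policy noise

# Constructed eve.json excerpt, one JSON object per line as Suricata writes it.
EVE_LINES = r'''
{"event_type":"flow","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","proto":"TCP"}
{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE POLICY DNS over HTTPS","severity":3}}
{"event_type":"alert","src_ip":"192.168.1.11","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE POLICY DNS over HTTPS","severity":3}}
{"event_type":"alert","src_ip":"192.168.1.12","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE POLICY DNS over HTTPS","severity":3}}
{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.6","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE POLICY DNS over HTTPS","severity":3}}
{"event_type":"alert","src_ip":"192.168.1.23","dest_ip":"198.51.100.7","alert":{"gid":1,"signature_id":9000002,"signature":"EXAMPLE MALWARE periodic beacon","severity":1}}
{"event_type":"alert","src_ip":"192.168.1.23","dest_ip":"198.51.100.7","alert":{"gid":1,"signature_id":9000002,"signature":"EXAMPLE MALWARE periodic beacon","severity":1}}
{"event_type":"alert","src_ip":"192.168.1.40","dest_ip":"192.168.1.2","alert":{"gid":1,"signature_id":9000003,"signature":"EXAMPLE INFO SMB file transfer","severity":3}}
'''


def load_alerts(text):
    """Yield only alert events; eve.json mixes flow, dns, tls and other records."""
    for line in text.strip().splitlines():
        event = json.loads(line)
        if event.get("event_type") == "alert":
            yield event


def summarize(alerts):
    """Per-signature stats: hits, distinct LAN sources, distinct destinations."""
    stats = {}
    for event in alerts:
        a = event["alert"]
        s = stats.setdefault(a["signature_id"], {
            "gid": a["gid"], "name": a["signature"], "severity": a["severity"],
            "count": 0, "lan_sources": set(), "dests": set(),
        })
        s["count"] += 1
        if event["src_ip"].startswith(LAN_PREFIX):
            s["lan_sources"].add(event["src_ip"])
        s["dests"].add(event["dest_ip"])
    return stats


def triage(stats):
    """Verdict per signature. Severity 1-2 is never auto-suppressed; a low
    severity signature firing from many LAN hosts is far more likely policy
    noise than a simultaneous compromise of all of them."""
    verdicts = {}
    for sid, s in stats.items():
        if s["severity"] <= 2:
            verdicts[sid] = "investigate"
        elif len(s["lan_sources"]) >= NOISE_HOSTS:
            verdicts[sid] = "suppress"
        else:
            verdicts[sid] = "watch"
    return verdicts


def suppress_lines(stats, verdicts):
    """threshold.config entries for the signatures judged to be noise."""
    lines = []
    for sid in sorted(stats):
        if verdicts[sid] == "suppress":
            s = stats[sid]
            lines.append(f"# {s['name']} ({s['count']} hits from {len(s['lan_sources'])} LAN hosts)")
            lines.append(f"suppress gen_id {s['gid']}, sig_id {sid}")
    return lines


if __name__ == "__main__":
    st = summarize(load_alerts(EVE_LINES))
    vd = triage(st)
    for sid, s in sorted(st.items()):
        print(f"{sid} {vd[sid]:12} hits={s['count']} lan_hosts={len(s['lan_sources'])} {s['name']}")
    print("\n".join(suppress_lines(st, vd)))
```

    Suppressing by signature is the blunt instrument; `suppress gen_id 1, sig_id N, track by_src, ip <host>` limits the exception to one host, which is the better choice when only the NAS or one printer trips a rule. Either way the output is a starting list for a human to read, not something to drop into production unread.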


  • LAYER 8 Global Moderator

    @stephenw10 said in pfSense-based network security appliance?:

    I usually give it at least a week before enabling blocking.

    That would be for someone that understands IPS, and what is false and what is not.. It could take much much longer for someone that is new to the whole thing.

    It can be a huge learning curve to understand what it's showing you, what can be ignored and what should be investigated..

    You might just end up leaving it in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.



  • @johnpoz said in pfSense-based network security appliance?:

    You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.

    This sounds like me. I had no idea what I was doing and it sure did take me a few months to finally get it to a point where the network wasn't constantly "broken".



  • I'll apologize for having a go at the OP. Should have patiently and methodically worked through the issues to his desired solution and tried to guide him to a more realistic approach. One that would have worked for his business objectives and his clients.

    When not in pandemic mode I often sit near to a senior InfoSec guy for one of the most sprawling and bureaucratic international organizations. I once asked him about running Suricata on my home network (home being three locations, in this case). After some minutes of hysterical laughing he asked me what I expected to get out of that exercise. Of course I could not give him a satisfactory answer except to say I would enjoy the learning process.


  • LAYER 8 Global Moderator

    @jwj said in pfSense-based network security appliance?:

    I would enjoy the learning process.

    Yup - that really is about it ;)

    It really doesn't make a lot of sense on a home network, to be honest.. Other than just as a learning tool.. It's sure not going to do anything to make some older people's internet any safer in the long run..

    If you're not actively serving up services to the public.. It's pretty much going to be a lot of noise.. And unless you're doing man in the middle (MITM), it's not even going to see your traffic.. When a user goes to xyz.tld out on the internet.

    I've been doing this for years, and I don't actively run it on my network.. And I have managed IPS/IDS for large corps in the past..

    Can it be a great learning tool - sure, and can it give you interesting info to check on sure. But

    device that you plug in, turn it on, and it just flat out protects every device on the network

    No, it's not going to be that box.. Going to state it again - there is no such device.. ;) Sure there are some really fancy UTMs on the market, and sure, pfSense can be used as a UTM if you want to use that term... But there is going to be a ton of work to get that to happen, and in a home setup with some older people as the users it makes no sense at all, to be honest.

    Now, if you're a guy that is just busting at the chops to play with some new technology - hey, what is this IPS thing I hear so much about.. Then yeah, it's a great learning tool, and in the right hands could and can be a very valuable tool for those companies that can not afford to drop 100K on some shiny new tool from Company XYZ, etc..



  • @johnpoz and the couple hundred k$ a year good infosec people earn.


  • LAYER 8 Global Moderator

    Exactly.. The guy that would use pfSense in the right way with the IPS package is normally going to be making a bit more than entry level ;)

    I am all for playing with it on "your" network - and would be glad to help for sure in getting it up and running.. But in the way I am reading this OP.. No, it's not the solution..

    Would pfSense be a great firewall/router for someone to set up for a family member or friend who wants you to manage their network? Yeah, damn straight!!! But running IPS on such a network just doesn't make a lot of sense - even if that is what you do for a living.. If I don't run it on my own network, and again I have gotten paid to do just that.. Why in hell would I run it on someone else's network for free ;) For it to do its thing, it has to be monitored and managed.. It's not just click it and forget it and you're protected..

    And I think someone mentioned - it can lead to a false sense of security... Oh, I clicked install on the IPS package, I'm good - which is nowhere close to being the case.

    Especially if you're new to the whole IPS/IDS arena.

    edit: Sure, it could catch maybe some traffic from a user's PC to their NAS, if the traffic was routed through pfSense and the IPS.. If the user's PC was infected with something - but more likely than not it's going to scream at you that the user moving his file kicked up some signature that is just noise anyway.. And is this other network even going to be segmented so that traffic is routed through pfSense where the IPS could even see the traffic?

    Another scenario where it could make sense.. You're hosting some web service to the public off your home connection. And you have, say, haproxy doing the SSL offload, so all the traffic from pfSense to the web server box is only http.. Then sure, you could have your IPS looking at that traffic.. That could be of use - but I don't think that is the case in this thread ;)



  • @Raffi_ said in pfSense-based network security appliance?:

    I think some of the things you want to accomplish can be done, but probably not all.

    Thank you Raffi!

    pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.

    Cloudflare offers quite a bit of DNS filtering; all you have to do is set your primary DNS to 1.1.1.2. I haven’t seen any reports on how effective it is but I’ve been configuring my own and all my clients’ routers to use 1.1.1.2 since the “1.1.1.1 for Families” announcement in April. If anyone has direct knowledge that this is insufficient protection, please chime in.

    Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out.

    I think I’ll skip over IDS/IPS. With my clients, the problem isn’t intruders sneaking in the back door; my users let them in the front door! In close to 10 years, I’ve never had a (valid) call from a client who had (actually) experienced an intrusion. But I’ve cleaned up plenty of rootkits, keyloggers, botnet clients, and other malware that started with a phone call or a webpage “from Microsoft”. I even went so far as to hire a developer (from one of those freelancer type sites) to write me a program to detect remote control connections, close the port(s), and display an advisory message about not letting anyone (whom you don’t know personally and don’t trust implicitly) remotely control your computer. (Ultimately, he couldn’t get it done and refunded my money.)

    This is such a problem for my clients. I am so adamant about this and try so hard to reinforce this message that when I install TeamViewer on their machines, I actually configure it for “View Only” so that even I cannot remotely control their machine. I just view their screen and guide them on where to click, what to type, etc., explaining as I go.

    I’d still really like to come up with a program that can detect incoming remote control traffic and clamp those ports and display that message. I’m told that that kind of traffic isn’t easily detected, therefore there’s no simple way to do it but that doesn’t make sense to me. I’m more inclined to believe that the people who have told me that just don’t have the necessary knowledge level.

    Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just image what chance we have with performing MITM. That is why others mentioned forget antivirus on the network level. I agree. Antivirus on the clients is the best bet.

    That’s discouraging. Not having to pay (not just in money but also system overhead) for endpoint security solutions would be one of the selling points for my little appliance. Maybe I could use the MITM solution that e2guardian makes available and automatically sandbox all TLS 1.3 traffic?

    As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an office 365 account/mail box I would highly recommend adding the ATP (advanced threat protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.

    I can’t think of a single client who has an O365 account. Mostly Gmail, Yahoo, Hotmail/Outlook/Live.com and ISP (Cox) email accounts. I’ve been meaning to look into some sort of threat protection add-on for Thunderbird, but I know I’d get a lot of pushback. Old folks don’t tolerate change well, and the tech world forces a lot of it down their throats already.

    As for older users, that is by far one of the biggest IT challenges :)
    I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that which is why scammers use that method.

    Good luck

    Thanks again!
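    On the remote-control detection question in the post above, the script below is an added example (not pfSense code, and not the program the OP tried to commission) showing how far a firewall-side heuristic gets. It classifies constructed flow records by the default ports the common remote-support tools use (TeamViewer 5938, VNC 5900, RDP 3389, AnyDesk 7070), falls back to flagging long, heavy sessions on 80/443 that it cannot attribute, and then checks which of its findings an inbound port rule on the firewall would actually stop. The flow records, addresses and thresholds are assumptions. The output makes two limitations visible: the scammer's session is an outbound connection from the victim to the vendor's relay, so there is no inbound port to clamp, and once a tool falls back to 443 the flow looks the same as a long video call or a cloud backup.

```python
"""Flow-based heuristic for remote-control sessions and its blind spots.

Added example; not pfSense code. Flow records, LAN prefix and thresholds
are constructed for illustration. Port numbers are the tools' documented
defaults; every tool listed also falls back to 80/443.
"""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."       # assumption: the protected LAN
LONG_SESSION_S = 900            # assumption: 15 minutes counts as "long"
HEAVY_BYTES = 20 * 1024 * 1024  # assumption: 20 MiB counts as "heavy"

# Default ports when the tool is not falling back to 80/443.
KNOWN_PORTS = {
    5938: "TeamViewer",
    5900: "VNC",
    3389: "RDP",
    7070: "AnyDesk",
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    duration_s: int


# Constructed flow records, the shape a flow exporter on the firewall produces.
FLOWS = [
    Flow("192.168.1.10", "198.51.100.10", 5938, "tcp", 3_000_000, 1800),   # victim -> TeamViewer relay
    Flow("192.168.1.10", "198.51.100.20", 443, "tcp", 80_000_000, 2400),   # same tool after port fallback
    Flow("192.168.1.10", "93.184.216.34", 443, "tcp", 400_000, 12),        # ordinary web page
    Flow("192.168.1.11", "192.168.1.50", 3389, "tcp", 50_000_000, 600),    # RDP between LAN hosts
    Flow("203.0.113.9", "192.168.1.10", 5900, "tcp", 0, 1),                # inbound VNC probe from the internet
]


def direction(flow):
    """outbound (LAN -> internet), inbound (internet -> LAN) or internal."""
    src_lan = flow.src.startswith(LAN_PREFIX)
    dst_lan = flow.dst.startswith(LAN_PREFIX)
    if src_lan and not dst_lan:
        return "outbound"
    if dst_lan and not src_lan:
        return "inbound"
    return "internal"


def classify(flow):
    """Return (label, direction), or None when nothing is worth flagging."""
    if flow.dport in KNOWN_PORTS:
        return KNOWN_PORTS[flow.dport], direction(flow)
    # Port fallback: the only signal left is "long and heavy on a web port",
    # which cannot tell screen sharing from a video call or a backup.
    if (flow.dport in (80, 443)
            and flow.duration_s >= LONG_SESSION_S
            and flow.bytes_out >= HEAVY_BYTES):
        return "unattributed long session", direction(flow)
    return None


def findings(flows):
    """(src, dst, dport, label, direction) for every flagged flow."""
    out = []
    for f in flows:
        verdict = classify(f)
        if verdict:
            label, dirn = verdict
            out.append((f.src, f.dst, f.dport, label, dirn))
    return out


def blockable_by_inbound_port_rule(flows):
    """Findings that a firewall rule blocking inbound known ports would stop.
    Relay-based support sessions are outbound, so they never appear here."""
    return [f for f in findings(flows)
            if f[4] == "inbound" and f[3] in KNOWN_PORTS.values()]


if __name__ == "__main__":
    for f in findings(FLOWS):
        print(f"{f[4]:9} {f[0]} -> {f[1]}:{f[2]}  {f[3]}")
    print("stopped by an inbound port rule:", blockable_by_inbound_port_rule(FLOWS))
```

    The honest reading of the result is the one the thread gives: the network can see that a session exists, sometimes which tool it is, but never whether the user consented to it, and the scammer's session is outbound from the victim by design. Closing ports addresses the one flow in the sample that was never the problem.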


  • Netgate Administrator

    @ErniePantuso said in pfSense-based network security appliance?:

    Maybe I could use the MITM solution that e2guardian makes available and automatically sandbox all TLS 1.3 traffic?

    e2guardian, like Dansguardian before it, is a filter for Squid like Squidguard is as I understand it. The MITM part is still via Squid so the same things apply. You have to install the CA certs on the client or configure them to use the proxy explicitly.
    If you have not done so, it's worth watching this:
    (YouTube video)

    Steve





  • @ErniePantuso :

    @stephenw10 said in pfSense-based network security appliance?:

    The MITM part is still via Squid so the same things apply. You have to install the CA certs on the client or configure them to use the proxy explicitly.

    As you might have noticed for a long time, nearly every program has settings that enable you to set up a proxy.
    When a proxy is used, your program will use it for all its "Internet" communications, and the proxy will do the request on the program's behalf.

    Normally, when your browser wants to connect to "forum.netgate.com" it will resolve this host name into an IP, and connect to that IP. While requesting info (a web page), "forum.netgate.com" will reply back with a server certificate that embeds the name of the host you are connecting to. Now your browser knows it's actually communicating with "forum.netgate.com".
    When you use a proxy, when your browser wants to connect to "forum.netgate.com", it will connect to, for example, 192.168.1.1 - where the proxy 'lives', and that one will certainly not answer with "forum.netgate.com" (that's impossible). It will probably be something like "pfsense.yourlan.tld". Your browser is informed that this is a proxy it has to use, and it is informed to accept this certificate. The proxy will go ahead and do the real request to "forum.netgate.com" for you. It will do the normal TLS verifications, and answer back to the browser with the results.
    For a short moment, the data received on the proxy, is visible. It could do all kind of data inspection.

    3 reasons why all this isn't as simple :

    1. For all programs, all protocols, all ports, the proxy should know how to handle the traffic. Basic web browsing, ok, that will work. But web pages could contain scripts, and they can do whatever they want, in a totally undocumented way ... proxies won't work: the web page doesn't 'work' any more.

    2. Every program on a device has to be set up to use the proxy. Maybe an OS-wide setting is possible, but now you should hope programs actually respect this.

    3. If a server certificate announces "HSTS" your proxy won't work any more (edit: that is, the browser will not accept the proxy certificate as a replacement). And guess what, more and more sites use HSTS these days. Because "sites" want to talk to the 'real' person, not some MITM guy, as these sites have to guarantee the end user that the data isn't robbed, scanned, mistreated etc etc.

    Btw: these are my words. Never used a proxy, squid etc. I'm just reading about it, for years, a decade or so. @jimp's videos, which @stephenw10 mentions above, are very well done. Many more exist on Youtube.
    True, I tend to say that the usefulness of a proxy doesn't exist any more. It's something of the past. MITM has to die. It wasn't "The solution".

