Netgate Discussion Forum

    pfSense-based network security appliance?

    General pfSense Questions
    • N
      NOCling
      last edited by

      Looks like you're searching for something like this:
      https://mediacenter.ibm.com/media/The+IBM+Security+Immune+System/1_eub008s1

      Netgate 6100 & Netgate 2100

      E 1 Reply Last reply Reply Quote 0
      • E
        ErniePantuso @NOCling
        last edited by

        @NOCling Hmmm. Maybe. That looks like some kind of six-figure service aimed at corporations, though. I’m just looking for something similar and affordable that the average homeowner can just plug and play. Or (better still) a DIY version of that.

        NollipfSenseN 1 Reply Last reply Reply Quote 0
        • NollipfSenseN
          NollipfSense @ErniePantuso
          last edited by

          @ErniePantuso said in pfSense-based network security appliance?:

          @NOCling Hmmm. Maybe. That looks like some kind of six-figure service aimed at corporations, though. I’m just looking for something similar and affordable that the average homeowner can just plug and play. Or (better still) a DIY version of that.

          That was my initial question: whether you're using it for a home environment. With that answered, with pfSense, along with packages such as Snort or Suricata, pfBlockerNG-Devel, and Squid's antivirus, you will be able to accomplish your network security needs. I must warn that the learning curve is steep; however, since you have indicated having the basic concepts, you should be okay initially, but you will still have some learning to do, especially for intrusion detection and prevention. I would suggest spending some time on the forum in Hardware if you intend a DIY approach. Also, look at what Netgate has to offer, like the SG-3100 and SG-1100 as earlier suggested, since you did not indicate the user environment in your original post.

          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          E 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @ErniePantuso said in pfSense-based network security appliance?:

            This would be a device that you plug in, turn it on, and it just flat out protects every device on the network.

            No such device - no matter how much money you spend ;)

            All devices that would perform any sort of security function would require setup, configuration. And the big one, maintenance.

            Also any sort of security is going to come at a cost to ease of use and user happiness.. Once you put in any sort of security anything - users will complain, and more often than not look for ways to circumvent it ;)

            Pfsense can do many of the things you would want on your network, firewall sure IPS/IDS, web filtering. DNS filtering. Reverse proxy, etc. But it's not going to come without considerable investment.. If not from a money aspect, from a time spent in configuration and management aspect of it.

            To be honest your typical home network has little use for an IPS.. Are you hosting services to the public internet? Are devices on your local network services not under your control?

            The problem with IPS is not that it doesn't work, the problem is most home users have no desire to actually set it up correctly, and spend the time in maint of the rules.. And follow up on the multi and many false positives that will always show up.. More likely than not it's going to cause you more grief and complaints from your home users in this doesn't work, that doesn't work.. Than any possible benefit in your overall security stance..

            Your point of being a man in the middle and filtering all downloads.. Yeah good luck with that.. Since most everything is https these days, means you actually have to do a mitm sort of setup on your own network.. Which is another whole can of worms to open up, and not really clicky clicky to get working.. It's simpler to be honest if you're worried about users downloading bad shit to just manage the security software on their machines to do any scanning or prevention of exe code on their local devices vs trying to do such services on a network device.

            If you think you can just click install on it - and be done.. You are mistaken..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            E 1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Yeah, you are basically describing a UTM device. pfSense is a firewall and router with plugins that give it some UTM features. There are some things that are not available at all, a mail filter/scanner for example.

              Steve

              E 1 Reply Last reply Reply Quote 0
              • ?
                A Former User
                last edited by

                I have too often seen a false sense of security demonstrated around UTM systems. There is no such thing as 100% secure. Complacency becomes the risk.

                For the typical home network UTM may be overkill. Why would anyone be interested in your network when they can exploit millions by going after the large service providers. Stay up to date and don't do anything crazy with your firewall rules.

                E 1 Reply Last reply Reply Quote 0
                • E
                  ErniePantuso @NollipfSense
                  last edited by

                  @NollipfSense said in pfSense-based network security appliance?:

                  That was my initial question: whether you're using it for a home environment. With that answered, with pfSense, along with packages such as Snort or Suricata, pfBlockerNG-Devel, and Squid's antivirus, you will be able to accomplish your network security needs. I must warn that the learning curve is steep; however, since you have indicated having the basic concepts, you should be okay initially, but you will still have some learning to do, especially for intrusion detection and prevention.

                  Thank you! That’s helpful. I’ll look into the packages you’ve named. If you think of any others, please let me know.

                  1 Reply Last reply Reply Quote 0
                  • E
                    ErniePantuso @stephenw10
                    last edited by

                    @stephenw10 said in pfSense-based network security appliance?:

                    Yeah, you are basically describing a UTM device. pfSense is a firewall and router with plugins that give it some UTM features. There are some things that are not available at all, a mail filter/scanner for example.

                    Steve

                    Thanks for putting a name to this for me, Steve. Maybe I could employ Docker containers for things like mail filtering/scanning that pfSense can’t/won’t address. Maybe even for some of the things that it CAN do — but maybe they’re more easily employed/managed as containerized services.

                    1 Reply Last reply Reply Quote 0
                    • E
                      ErniePantuso @johnpoz
                      last edited by ErniePantuso

                      @johnpoz said in pfSense-based network security appliance?:

                      @ErniePantuso said in pfSense-based network security appliance?:

                      This would be a device that you plug in, turn it on, and it just flat out protects every device on the network.

                      No such device - no matter how much money you spend ;)

                      That’s true of most things - until someone decides to build it.

                      Also any sort of security is going to come at a cost to ease of use and user happiness.. Once you put in any sort of security anything - users will complain, and more often than not look for ways to circumvent it ;)

                      That’s true if your background is in IT and you have a large user base. I’m coming from a very different perspective/situation.

                      Pfsense can do many of the things you would want on your network, firewall sure IPS/IDS, web filtering. DNS filtering. Reverse proxy, etc. But it's not going to come without considerable investment.. If not from a money aspect, from a time spent in configuration and management aspect of it.

                      Then maybe it’s not the right tool for the job for me. Maybe I just want to use pfSense as a firewall. As I said above, if containerized services are a better approach, fine — I just need some advice on what those services are - how and where to look for them. If all you were trying to accomplish was DNS filtering, what would be your go-to choice? If all you were trying to do was web filtering, what would you use? Someone mentioned that there’s a package for Squid antivirus... Maybe there’s a Docker container for it. Or maybe there’s something even better?

                      To be honest your typical home network has little use for an IPS.. Are you hosting services to the public internet? Are devices on your local network services not under your control?

                      None of these devices will be under my control. I’m not looking into this for personal use (although, if I can make this happen, I’ll certainly use it in my home/on my network). This is intended as a solution for my clients - hundreds of retirees who are extremely unsophisticated users and therefore at a much higher risk. Some of these users have actually fallen for the “We’re from Microsoft” scam more than once.

                      The problem with IPS is not that it doesn't work, the problem is most home users have no desire to actually set it up correctly, and spend the time in maint of the rules.. And follow up on the multi and many false positives that will always show up.. More likely than not it's going to cause you more grief and complaints from your home users in this doesn't work, that doesn't work.. Than any possible benefit in your overall security stance..

                      The benefits would be huge for my customer base but clearly I’ll need to find a way to simplify/minimize the administration.

                      Your point of being a man in the middle and filtering all downloads.. Yeah good luck with that.. Since most everything is https these days, means you actually have to do a mitm sort of setup on your own network.. Which is another whole can of worms to open up, and not really clicky clicky to get working..

                      There’s an e2guardian Docker container with MITM built right in and ready to go.

                      If you think you can just click install on it - and be done.. You are mistaken..

                      Anything is possible.

                      GertjanG 1 Reply Last reply Reply Quote 0
                      • E
                        ErniePantuso @A Former User
                        last edited by

                        @jwj said in pfSense-based network security appliance?:

                        I have too often seen a false sense of security demonstrated around UTM systems. There is no such thing as 100% secure. Complacency becomes the risk.

                        My users are already complacent. And fairly clueless. I don’t need 100% secure - but even getting to 80% would be a HUGE improvement.

                        For the typical home network UTM may be overkill. Why would anyone be interested in your network when they can exploit millions by going after the large service providers.

                        You obviously have no idea how gullible old people can be and how often they are targeted by scammers. Many of these scams aren’t even that sophisticated. But my clients fall for it. I actually lost a client because she was tired of paying me to come to her house, run a scan - no threats found - and she still had malware. (It was much later when I realized that the reason she thought she still had malware was because various web pages/websites were telling her so!) I actually set up a webpage on my business website that popped up a message saying, “Your shoe is untied” just to try to explain it to them. Seriously, try to see this from where I’m coming from — not from the perspective of an IT Security Specialist with a large corporate user base.

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by stephenw10

                          Ummm.. let's keep it civil please. Constructive suggestions if you have them. 😕

                          Edit: Some posts were removed here after civility was lost!

                          AKEGECA 1 Reply Last reply Reply Quote 1
                          • GertjanG
                            Gertjan @ErniePantuso
                            last edited by

                            @ErniePantuso said in pfSense-based network security appliance?:

                            That’s true of most things - until someone decides to build it.

                            Then this person should break 'TLS' first. Which means that the secured access that we all benefit from using https would have to be undone.
                            That's what you want?
                            When you use an inviolable connection between your device and, let's say, your bank, would you be happy if, under some conditions, that connection could be broken open and the content inspected?
                            If you could do that, everybody else, with good intentions or not, would be able to do the same.

                            So, for example, packet inspection to see the content and act upon it: that's not an option any more. Quantum computing could accelerate decoding, sure, just as quantum encryption will harden the encryption.

                            pfSense works like the local post office.
                            It relays envelopes and other boxes, based upon what is written onto them. Not what's in them.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            E 1 Reply Last reply Reply Quote 0
                            • E
                              ErniePantuso @Gertjan
                              last edited by

                              @Gertjan said in pfSense-based network security appliance?:

                              Then this some person should break 'TLS' first. Which means that the secured access that we all benefit using https should have to be undone.

                              I’m sure you know more about this stuff than I do, Gertjan, but if e2guardian has MITM support and can decrypt encrypted traffic to scan and filter it, then why couldn’t pfSense (and other services) do the same?

                              When you use a inviolable connection between your device and, let's say, your bank, would you be happy if, that, under some conditions, this connection could be broken open, and the content being inspected ?

                              The MITM capabilities of e2guardian require you to set up keys and certs in order to use it. AFAIK, there’s little or no potential for abuse/misuse unless someone is either IN your home or has penetrated your firewall (in which case you have bigger problems than this). But even if there was, my online banking information (and my email, and shopping, and...) is still protected by a good, strong password.

                              If there’s something I’m missing, here, please let me know.

                              1 Reply Last reply Reply Quote 0
                              • AKEGECA
                                AKEGEC @stephenw10
                                last edited by AKEGEC

                                @stephenw10 said in pfSense-based network security appliance?:

                                Edit: Some posts were removed here after civility was lost!

                                No probs Steve, I was losing my temper there. My apologies.
                                Edit: I hope in the future all insulting and belittling posts will be also deleted. Thanks man.

                                1 Reply Last reply Reply Quote 1
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  It was not you specifically, no need to apologise. ☺

                                  This sort of thing just feeds more unnecessary comments, everyone ends up posting stuff they would not normally.

                                  Sometimes it's better just not to post anything.

                                  Steve

                                  AKEGECA 1 Reply Last reply Reply Quote 0
                                  • AKEGECA
                                    AKEGEC @stephenw10
                                    last edited by

                                    @Steve, you're right.. I should not reply to it. I know some of our new users lack basic network knowledge. But I just can’t stand to see our new users being insulted and belittled.

                                    1 Reply Last reply Reply Quote 1
                                    • Raffi_R
                                      Raffi_
                                      last edited by Raffi_

                                      I think some of the things you want to accomplish can be done, but probably not all.

                                      pfBlockerNG-devel: can be used as DNS web filter. It is great if you spend the time to find the feeds to use and you'll likely still have to deal with false positives, but should not be too many.

                                      Snort/Suricata: can be used as IDS/IPS but this has a VERY steep learning curve and often many false positives when starting out. If you do end up trying either, I would highly suggest running it in intrusion detection mode first so that it only alerts on potentially malicious traffic and doesn't act on it. Otherwise you will end up with a lot of users complaining about a lot of broken things. A website not loading would only be the tip of that iceberg.

                                      Squid with ClamAV: In theory this can be used to scan traffic for viruses and such. As an example, when I last tried this on my network, only approx. 1% of my traffic (non-HTTPS) was actually being scanned. So unless you do the MITM on the https traffic it will not be very helpful. With TLS 1.3 becoming the standard it will become more and more difficult to do so without breaking something. After all, these higher security encryption standards are being put in place to make it more difficult to perform MITM. Look at some of the news articles on the topic and you'll see even governments that love to censor and inspect information are not liking these changes such as TLS 1.3. If a government is having trouble with it, just imagine what chance we have with performing MITM. That is why others mentioned forgetting antivirus on the network level. I agree. Antivirus on the clients is the best bet.

                                      As for mail inspection, there is no such package on pfSense. I wish there was. I believe that is one of the best ways to prevent many of today's biggest threats. Luckily, most decent email providers will do a decent job of preventing bad things from getting to your inbox. If your users have an Office 365 account/mailbox I would highly recommend adding the ATP (advanced threat protection) if possible. That has saved my users from downloading viruses and clicking on malicious links in emails.

                                      As for older users, that is by far one of the biggest IT challenges :)
                                      I know that is definitely not easy to deal with. The only way to prevent the "microsoft" callers is to keep telling them over and over and over again not to give any info to callers and definitely not access. There is not much any device can do to prevent that which is why scammers use that method.

                                      Good luck

                                      E 1 Reply Last reply Reply Quote 0
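Raffi_ describes pfBlockerNG-devel as a DNS web filter whose value depends on the feeds you pick and on cleaning up false positives. The block below is an added example, not code from pfBlockerNG or from anyone in this thread, showing the mechanism in miniature: it parses a constructed block-list feed in the two shapes public feeds usually come in (hosts-file lines and bare domains), blocks a listed domain together with its subdomains, and lets a constructed allow-list override the feed, which is how a false positive gets fixed without dropping the whole feed. Every feed entry, allow-list entry and hostname here is constructed.

```python
"""Minimal DNS block-list (DNSBL) lookup, the mechanism behind DNS-based web
filtering such as pfBlockerNG's DNSBL.  Added example, not pfBlockerNG code;
the feed and allow-list contents below are constructed."""
import re

# Constructed feed mixing hosts-file entries, bare domains and comments.
SAMPLE_FEED = """\
# constructed ad/tracker feed
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # inline comment
bad-cdn.example.com
0.0.0.0 localhost
0.0.0.0 0.0.0.0
"""

# Constructed allow-list: the false-positive fix when a feed blocks a host
# that a site actually needs.  Allow-list entries win over the feed.
SAMPLE_ALLOW = {"static.bad-cdn.example.com"}

# Optional "IP<whitespace>" prefix, then the hostname.
HOSTS_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}\s+)?([A-Za-z0-9.-]+)$")
# Names hosts-format feeds carry that must never be treated as block entries.
IGNORED = {"localhost", "localhost.localdomain", "local", "broadcasthost", "0.0.0.0"}


def parse_feed(text):
    """Return the set of blocked domains in a feed (lower-cased, no trailing dot)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if not m:
            continue                              # skip lines in an unexpected shape
        name = m.group(1).lower().rstrip(".")
        if name not in IGNORED:
            blocked.add(name)
    return blocked


def candidates(name):
    """Yield a name and each of its parents: a.b.c -> a.b.c, b.c, c.
    Listing a domain therefore also covers its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name, blocked, allowed):
    """'allow' or 'block' for a queried name; the allow-list overrides the block-list."""
    cands = list(candidates(name))
    if any(c in allowed for c in cands):
        return "allow"
    if any(c in blocked for c in cands):
        return "block"
    return "allow"


def check(name, feed=SAMPLE_FEED, allowed=SAMPLE_ALLOW):
    """Convenience wrapper: parse the feed and decide one name."""
    return decide(name, parse_feed(feed), allowed)


if __name__ == "__main__":
    for q in ("ads.example.net", "cdn.ads.example.net", "example.net",
              "bad-cdn.example.com", "static.bad-cdn.example.com"):
        print(f"{q:32} -> {check(q)}")
```

The allow-list is checked before the feed on purpose: when a feed over-blocks (the false positives Raffi_ mentions), the operator adds the one host that broke a site and keeps the rest of the feed, rather than abandoning the feed.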
                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Yes, I agree with most of that. Except wishing there was a mail proxy in pfSense I'd have to support. 😉
                                        There used to be packages for that but moving it off the firewall was the right move IMO.

                                        pfSense is not a UTM and even with all the appropriate packages it will not do all things you might want. But as others have pointed out even the most complete UTM device is no substitute for end device security. You need both in most situations.

                                        If you are running Squid you may as well enable ClamAV if you have capable hardware. It's a single check box and usually 'just works'. It probably won't catch anything, especially if you're not running full SSL interception, but usually doesn't hurt either. You still need AV on the clients.

                                        Snort/Suricata is easy to get wrong and end up blocking all sorts of things. Be sure to run it in non-blocking mode whilst tuning the ruleset and monitoring the logs until you are confident it's not blocking needed traffic. I usually give it at least a week before enabling blocking.

                                        Steve

                                        1 Reply Last reply Reply Quote 1
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          @stephenw10 said in pfSense-based network security appliance?:

                                          I usually give it at least a week before enabling blocking.

                                          That would be for someone that understands IPS, and what is false and what is not.. It could take much much longer for someone that is new to the whole thing.

                                          It can be a huge learning curve to understand what it's showing you, what can be ignored and what should be investigated..

                                          You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          Raffi_R 1 Reply Last reply Reply Quote 2
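Steve's advice to run Snort/Suricata in non-blocking mode while tuning the ruleset and watching the logs, and johnpoz's point that the hard part is learning what can be ignored and what should be investigated, both come down to reviewing the alert log before blocking is ever enabled. The block below is an added example, not code from pfSense or its Suricata package: it reads constructed eve.json alert records, aggregates them per signature, ranks them for review, applies a deliberately simple triage heuristic (an outside source or higher severity means investigate; a low-severity rule firing from many LAN hosts is a suppression candidate) and emits the threshold.config `suppress` line for a rule judged to be noise after review. The sample records, the LAN prefixes and the heuristic are assumptions.

```python
"""Triage Suricata eve.json alerts gathered while the sensor runs in
alert-only (non-blocking) mode, so the ruleset can be tuned before blocking
is enabled.  Added example, not code from pfSense or its Suricata package.
The eve.json records below are constructed samples in Suricata's alert
format; the LAN prefixes and the triage heuristic are assumptions."""
import json

# Constructed eve.json lines: two signatures, one non-alert event, one junk line.
SAMPLE_EVE = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.10","dest_ip":"192.168.1.20","proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.20","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2013028,"rev":4,'
    '"signature":"ET POLICY curl User-Agent Outbound",'
    '"category":"Attempted Information Leak","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.21","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2013028,"rev":4,'
    '"signature":"ET POLICY curl User-Agent Outbound",'
    '"category":"Attempted Information Leak","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:07.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.30","dest_ip":"198.51.100.9","proto":"TCP"}',
    '{"timestamp":"2024-05-01T10:00:09.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.22","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2013028,"rev":4,'
    '"signature":"ET POLICY curl User-Agent Outbound",'
    '"category":"Attempted Information Leak","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:20.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.10","dest_ip":"192.168.1.21","proto":"TCP",'
    '"alert":{"gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:2',   # truncated line, as seen during log rotation
]

INTERNAL_PREFIXES = ("192.168.", "10.")   # assumption: the LAN ranges behind the firewall


def parse_eve(lines):
    """Keep only well-formed alert records; eve.json is one JSON object per line."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                        # partial line, skip rather than crash
        if rec.get("event_type") != "alert":
            continue                        # flow, dns, http... events are not alerts
        a = rec["alert"]
        alerts.append({"sid": a["signature_id"], "gid": a.get("gid", 1),
                       "signature": a["signature"], "severity": a.get("severity", 3),
                       "src": rec["src_ip"], "dest": rec["dest_ip"]})
    return alerts


def summarize(alerts):
    """Per-signature counts plus the distinct (and distinct internal) sources."""
    stats = {}
    for a in alerts:
        s = stats.setdefault(a["sid"], {"gid": a["gid"], "signature": a["signature"],
                                        "severity": a["severity"], "count": 0,
                                        "sources": set(), "internal_sources": set()})
        s["count"] += 1
        s["sources"].add(a["src"])
        if a["src"].startswith(INTERNAL_PREFIXES):
            s["internal_sources"].add(a["src"])
    return stats


def rank_for_review(stats):
    """Noisiest signature first; ties go to the more severe rule (lower number)."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[1]["severity"]))


def classify(s):
    """Simple triage heuristic (assumption): outside sources or severity 1-2 get
    investigated; a severity-3 rule tripped by several LAN hosts is usually
    ordinary traffic the rule dislikes and is a candidate for suppression."""
    outside = s["sources"] - s["internal_sources"]
    if outside or s["severity"] <= 2:
        return "investigate"
    if len(s["internal_sources"]) >= 2:
        return "review for suppression"
    return "keep watching"


def suppress_line(sid, s):
    """threshold.config entry that silences one rule everywhere, once reviewed."""
    return f"suppress gen_id {s['gid']}, sig_id {sid}"


if __name__ == "__main__":
    stats = summarize(parse_eve(SAMPLE_EVE))
    for sid, s in rank_for_review(stats):
        verdict = classify(s)
        print(f"sid {sid}: {s['count']} hits from {len(s['sources'])} sources, "
              f"sev {s['severity']}: {s['signature']} -> {verdict}")
        if verdict == "review for suppression":
            print("   if confirmed noise:", suppress_line(sid, s))
```

The heuristic only proposes; a person still reads each candidate before anything is suppressed, which is the weeks-to-months of monitoring johnpoz describes. On pfSense the Suricata package keeps suppress lists in its own GUI, but the line the script prints is the threshold.config syntax Suricata itself reads, so it carries over directly.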
                                          • Raffi_R
                                            Raffi_ @johnpoz
                                            last edited by

                                            @johnpoz said in pfSense-based network security appliance?:

                                            You might just end up leaving in monitoring mode for months as you get up to speed on what all the info it will be spewing at you means.

                                            This sounds like me. I had no idea what I was doing and it sure did take me a few months to finally get it to a point where the network wasn't constantly "broken".

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.