How to securely manage pfSense in times of increased Cyber Threats?
-
@johnpoz That makes sense. Chromebooks and entry-level Intel notebooks are actually quite affordable nowadays and don't break the bank. Not sure if Chrome OS is a great choice. Don't remember where I read it, but on some models you can physically prevent the board from being flashed with a jumper to prevent remote rootkit installations on your device. This used to be a common feature, but nowadays you won't find a mainboard with jumper protection except expensive server boards. The advantage of a budget Intel laptop would be that you can choose your own OS. I think Chromebook hardware is less flexible when you try to install a different OS. Not sure what the best choice would be, to be honest.
@bPsdTZpW yep, it's unbelievable with how much bloat many OSes are being shipped. I personally prefer a system that comes without any pre-installed software, and I simply install what I actually need. An internet-facing account should always be non-root. I think pfSense offers scanning packages to check clients in the network for malware and rootkits, right? It's hopeless trying to scan directly from a system that might already be infected.
@nimrod correct, the user in a network is probably the biggest risk factor and responsible behaviour is the key. However, there are very sophisticated attacks nowadays that are difficult to spot. But most attacks require some sort of assistance from the system user to succeed.
@stephenw10 yes, MAC spoofing is trivial on Linux. Following your explanation, it does not make practical sense then to use an additional USB ethernet adapter for the pfSense router. However, my pfSense box has 1 PCI Express slot that I could use to install 1 additional ethernet card and use it exclusively to manage the webgui access. Does that make sense, or is it better to create a separate VLAN on the switch for that purpose?
-
@telmap85 why would you need another OS? You need a browser, and ssh at most.. You said it's going to be used to admin pfsense.. ChromeOS would be fine here.
I would get the cheapest entry level chromebook that has an ethernet port. Don't even need a big screen.. 11 inch should be fine - you're not watching movies on the thing ;)
For that matter doesn't even need ethernet - since you could just use a usb to ethernet dongle.
Also by default everything is run in a sandbox keeping websites and applications isolated, and does verified boot, etc.
But again - you said it was for admin of pfsense - so it should have exactly 1 site loaded - the pfsense gui..
-
@johnpoz correct, a browser and ssh access would be the only requirements to manage pfSense. I have never used ChromeOS before, so I am not sure where the limitations are. Can it be used offline? I guess it would just have to be updated from time to time to have the latest browser version.
-
@telmap85 yes it can be used offline.. They don't normally have a lot of storage - the cheap on-sale one I got my wife came with 32GB storage, 4GB of RAM..
It would seem like a perfect solution for your "admin" device for your pfsense install..
-
@telmap85 said in How to securely manage pfSense in times of increased Cyber Threats?:
how do you keep your pfSense box and other clients in your network safe?
I thought a management VLAN was the normal solution to this issue. The Management VLAN does not need internet or wifi access (physical Ethernet only). The Management VLAN should be the only access through which your network devices can be controlled (managed switches, router, etc.)
@stephenw10 said in How to securely manage pfSense in times of increased Cyber Threats?:
Using a VLAN for that would be much better.
Agree
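One way to sanity-check the management-VLAN design described in this post, as an added example that is not from the thread: a small Python model of pfSense's per-interface, first-match rule processing over constructed interfaces, addresses and rules, showing that only the management VLAN reaches the web GUI, that the GUI is also unreachable via another interface's address, and that the automatic LAN anti-lockout rule overrides a block unless it is disabled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: three interfaces and the firewall's own address on each.
# pfSense evaluates rules on the ingress interface, first match wins, and an
# implicit deny sits at the end. "This Firewall" means any of its own addresses.
FW_ADDRS = {"LAN": "192.168.1.1", "MGMT": "10.99.0.1", "GUEST": "192.168.50.1"}
NETS = {"LAN": "192.168.1.0/24", "MGMT": "10.99.0.0/24", "GUEST": "192.168.50.0/24"}
GUI_PORTS = {"tcp": {443, 22}}  # webConfigurator (HTTPS) and SSH

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # interface net name or "any"
    dst: str                        # "This Firewall", "any", or a CIDR
    proto: str = "any"
    ports: frozenset = frozenset()  # empty = any port

RULES = {  # constructed rule sets; only MGMT may reach the GUI ports
    "MGMT":  [Rule("pass", "MGMT", "This Firewall", "tcp", frozenset({443, 22})),
              Rule("pass", "MGMT", "any")],
    "LAN":   [Rule("block", "any", "This Firewall", "tcp", frozenset({443, 22})),
              Rule("pass", "LAN", "any")],
    "GUEST": [Rule("block", "any", "This Firewall"),
              Rule("pass", "GUEST", "any")],
}

def _matches(rule, src, dst, proto, port):
    if rule.src != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(NETS[rule.src]):
        return False
    if rule.dst == "This Firewall":
        if dst not in FW_ADDRS.values():
            return False
    elif rule.dst != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return not rule.ports or port in rule.ports

def allowed(iface, src, dst, proto, port, anti_lockout=False):
    """True if a packet entering `iface` is passed by the rule set."""
    # pfSense adds an automatic anti-lockout rule at the top of the LAN rules
    # unless disabled under System > Advanced; it passes GUI/SSH regardless of user rules.
    if anti_lockout and iface == "LAN" and dst == FW_ADDRS["LAN"] and port in GUI_PORTS.get(proto, ()):
        return True
    for rule in RULES[iface]:
        if _matches(rule, src, dst, proto, port):
            return rule.action == "pass"
    return False  # implicit default deny

def gui_reachable_from():
    """Interfaces whose hosts can reach the GUI on that interface's address."""
    return sorted(i for i in RULES
                  if allowed(i, str(ipaddress.ip_network(NETS[i])[10]), FW_ADDRS[i], "tcp", 443))
```

Re-run `gui_reachable_from()` after any rule change; if anything other than the management VLAN shows up, or the LAN anti-lockout rule is still enabled, the design in the post is not actually enforced.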
-
Your data is secure when it costs more to get it than it is worth. Vigilance is the only thing that will keep the price high.
-
@patch said in How to securely manage pfSense in times of increased Cyber Threats?:
I thought a management VLAN was the normal solution to this issue
It is - I don't let my other vlans access the web gui for example.. But I sure am not worried about my box being compromised and then accessing pfsense to do what??
My box has already been compromised - it's already too late..
This sort of lock down to isolated machine to access the gui is mr robot tinfoil hat sort of stuff if you ask me.. While this might be something you would do in a work setup sure.. You can only access the firewall from devices in the computer room, which is secured access, etc.. You don't surf the web from those machines, etc.
Using a laptop only specific to admin pfsense gui - ok sure, if you think that helps in your security, have at it. But to be honest, it's more that the tinfoil hat is a couple of sizes too small and cutting off the blood flow ;)
I access my pfsense web gui like all day every day - really only to help people here on the boards, grabbing screenshots and the like, etc.. But I sure as hell couldn't be helping on the forums if I had to access pfsense from some locked down specific laptop in a locked vault after giving a dna sample to gain access ;) heheh
-
@johnpoz
I agree it is easier not to worry about this. I have not bothered to set up a Management VLAN at home. Having said that, it would not be hard to do. Just need a managed switch near the computer I normally use. Program one Ethernet port for general use, another for Management LAN access. Then plugging into the Management VLAN whenever network management was required would be relatively easy. The setup would be relatively secure as there is no internet access, and no routine local access. Physical access to my computer area, passwords, knowledge of the local network setup and a sufficient motivation to jump these hurdles would be required, all for potential returns limited by what is on my network.
-
@patch said in How to securely manage pfSense in times of increased Cyber Threats?:
I have not bothered to set up a Management VLAN at home.
Define management vlan ;)
Do you have your devices on a vlan? For example all my switches' IPs are on a vlan. This is the vlan I access the pfsense gui and my switches from.. This could be considered your "management vlan"
There is no "rule" or even best practice that says you can not access the internet from a device you do management from..
There is best practice for segmenting your network and controlling access to "required" access - zero trust.. etc.. But in what document does it state that hey, the box you use to manage your IT infrastructure should be air gapped?
This sure is not the case at my work, and I work for a major player. Now we have to auth through a vpn to get access to that vlan where we can access infrastructure stuff in the DC.. And then we rdp to a "jump box" - but that jump box has internet access. It's via a proxy sure - management of a network from 1 specific box in a physical location and limited to what else it can access is problematic in the real world from a get work done point of view..
But if the OP wants to only access his pfsense from a laptop that he keeps tucked away in his safe room, and has to give a blood sample to get login to it - hey more power to him ;)
Badware, malware, ransomware, worm, bot, etc. doesn't really want access to your firewall (pfsense is not a soho router with common code where exploits found in firmware are shared among vendors and on millions of devices) - it wants access to your other PCs running unpatched windows with file sharing open, etc. It wants to run on the pc you're accessing your bank account from, etc. etc.
It wants to turn your dvr into a bot in its ddos army, etc.. I get it from a tinfoil hat point of view - sure the box should be air gapped, and only used to manage your infrastructure.. Not saying it's a "bad" idea or completely pointless - what I am saying is it's a bit over the top for a home setup, and it gets you very little bang for your buck in effort in actual risk mitigation..
-
I don't find it paranoid or over the top to use a dedicated, offline system for managing your IT infrastructure considering the low prices for a Chromebook or similar. My DIY nuclear reactor must stay secure... ;)