Network wide compliance policy
-
Hi!
I wanted to ask a question regarding a compliance policy, also sometimes called a Conditional Access Policy in the Windows world. We have a need in our network to create a way to block/restrict devices (both Android and Windows) that have not been updated or have the wrong apps, similar to how Microsoft Intune does. I thought that the best way was to check these devices at the edge of the network (hence my firewall question), and also we don't run our network in a Microsoft infrastructure, so we cannot use Intune.
Is this something that has been discussed for pfSense or a plugin for pfSense?
I have also heard something about a "host checker" that people have been tinkering with as a shell command for PfSense but I haven't found any documentation around this.
Thanks guys!
-
For what it's worth:
No connected device will 'voluntarily' make available what software or software versions it uses, as that would directly tell the outside world what they are vulnerable to, or not.
Also, most devices will only fire off connections to 'elsewhere' using TLS.
So:
@kris95 said in Network wide compliance policy:
I have also heard something about a "host checker"
this must be some place where no ordinary people have access.
Like basement level -2 @Pentagon, or whatever cave is being used by the NSA these days.
For the rest of planet earth: you can't break TLS, so pfSense doesn't know anything about what a network device is doing.
Yes, you would be able to see that a device is connecting to an IP that is part of the Microsoft AS. So it could be a Microsoft Update server? The traffic is, of course, pure random bits.
This all boils down to: put non-trusted users on your non-trusted 'local' LAN network. If you don't want these non-trusted, unknown devices to use your network, then don't give them access to your network, and limit your networks to the devices you manage.
Nothing, or close to nothing, can be done at router / firewall level.
That's not a pfSense thing: this is valid for any router / firewall.
True: with network packet capturing some presumptions can be made about what OS was used when it starts to emit Ethernet packets, as these have sequence numbers, and these don't start at "0" but at some random seed number. It's this random number that can indicate "what OS is involved".
Same for the default TTL value of an Ethernet packet.
Some OSs like to talk to ports (services) that are known to be used by a typical OS, and less or not at all by other OSs.
So results like "this is probably a Debian 11.2" are possible. Version of the libs used? That's, imho, a no-go.
Just keep in mind that it is easy to fake these results. My Windows 11 Pro is often mistaken for a Linux Mint ;)
Also: many users fire up a VPN right after connection.
You'll see: nothing (try for yourself).
But you will know what VPN ISP that device is using.
@kris95 said in Network wide compliance policy:
that has not been updated
If some device has old software that shows pretty well-known and broken behavior: why not, you could be able to detect that. But then what? You feel pity for the device owner? For you, this is an unknown guy, on your 'unknown only' network. If they like their iOS 1 Apple device the way it is, let them have it, as I'm sure that user has a pretty good reason to use that old device.
tcpdump is a "packet analyzer", they say.
It's more a filter to me.
The analyze part is the human interpreting the results.
It's heavily documented on the internet, as tcpdump shows you 'the Internet/ethernet'.
Up to you to know when and what command line parameters to use in what situation. The quantity of combinations is just daunting.
And yeah, you have to master Ethernet to understand what's happening. No GUI interface will make that 'easier'.
edit: I'm actually hoping that I'm wrong, of course.
I work and live in a silent environment, so I hear nothing, but I read a lot ....
-
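The post above argues that a capture can only give a coarse, easily faked OS-family guess from things like the default TTL and handshake characteristics, never a software version. The following is an added example, not code from the thread, from pfSense or from tcpdump, showing what that coarse guess looks like in practice: it parses constructed lines shaped like `tcpdump -nv` output for TCP SYN packets, rounds the observed TTL up to a common OS default, and matches the TCP option layout against a deliberately tiny signature table (the labels and the table are illustrative, not a real p0f database). The output is an inventory hint per source address; it says nothing about patch level and a client can change every field it relies on.

```python
"""Passive, coarse OS-family guess from TCP SYN packets.

Added example, not from the thread, pfSense or tcpdump. The capture text is
constructed to mimic `tcpdump -nv 'tcp[tcpflags] & tcp-syn != 0'` output, and
SIGNATURES is a small illustrative table, not a real fingerprint database.
"""
import re

# Constructed sample capture: tcpdump -v prints two lines per packet.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.21.44412 > 203.0.113.5.443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
10:00:02.000001 IP (tos 0x0, ttl 128, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.35.50211 > 203.0.113.5.443: Flags [S], seq 1, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:00:03.000001 IP (tos 0x0, ttl 62, id 3, offset 0, flags [DF], proto TCP (6), length 64)
    10.9.0.7.39016 > 203.0.113.5.80: Flags [S], seq 1, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 1 ecr 0,sackOK,eol], length 0
10:00:04.000001 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.21.44413 > 203.0.113.9.443: Flags [.], ack 1, win 502, length 0
"""

HEADER_RE = re.compile(r"^\S+ IP \(.*?\bttl (\d+),")
# Only pure SYNs (Flags [S]) carry the client's own option layout.
DETAIL_RE = re.compile(
    r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: Flags \[S\], .*?"
    r"win (?P<win>\d+), options \[(?P<opts>[^\]]*)\]"
)

INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative table: (guessed initial TTL, TCP option layout) -> family label.
SIGNATURES = {
    (64, "mss,sackOK,TS,nop,wscale"): "Linux/Android family",
    (128, "mss,nop,wscale,nop,nop,sackOK"): "Windows family",
    (64, "mss,nop,wscale,nop,nop,TS,sackOK,eol"): "Apple (macOS/iOS) family",
}


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest common OS default."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def option_layout(opts):
    """Reduce 'mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7' to 'mss,sackOK,TS,nop,wscale'."""
    return ",".join(field.strip().split()[0] for field in opts.split(",") if field.strip())


def classify(ttl, opts):
    """Return the coarse guess for one SYN: initial TTL, hop distance, family label."""
    initial = guess_initial_ttl(ttl)
    label = SIGNATURES.get((initial, option_layout(opts)), f"unknown (initial TTL {initial})")
    return {"initial_ttl": initial, "hops": initial - ttl, "family": label}


def inventory(capture_text):
    """Map each SYN-sending source address to its classification (first SYN wins)."""
    hosts = {}
    pending_ttl = None
    for line in capture_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending_ttl = int(header.group(1))
            continue
        detail = DETAIL_RE.match(line)
        if detail and pending_ttl is not None:
            hosts.setdefault(detail.group("src"), classify(pending_ttl, detail.group("opts")))
        pending_ttl = None
    return hosts


if __name__ == "__main__":
    for src, guess in sorted(inventory(SAMPLE_CAPTURE).items()):
        print(f"{src:16} {guess['family']:28} hops={guess['hops']}")
```

The pure ACK from 192.168.10.21 is ignored on purpose: only the client's own SYN shows its option layout, and the rounding of TTL 62 to 64 illustrates why the result is a hop-distance estimate plus a family hint, not an identification.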
@kris95 Seems you're essentially looking for a HIP check. Typically an agent is installed that will handle this.
For example, for a VPN user before they are allowed in, the VPN client has corporate policies (A/V version, latest updates, browser version, etc.) that it gets pushed down from the firewall. If the host passes the check they are allowed in. Otherwise, what's typically done is that the client is placed in a remediation VLAN while further checks are done or Infosec has a chance to review.
To my knowledge, pfSense does not support any HIP check, nor does any VPN client that it currently supports.
-
Indeed, not directly. I would expect to use some central authentication and maybe 802.1x auth for clients. Though I'm not sure how clients would reach the auth server to register their accepted status to do that....
-
@gertjan said in Network wide compliance policy:
For the rest of planet earth: you can't break TLS, so pfSense doesn't know anything about what a network device is doing.
Thanks for the reply, I just learned about the strength of TLS.
I was going to say "but gertjan, that requires the communication to only use port 443 for that to be totally secure with TLS", and while I was saying that in my head I remembered that the devices I am talking about are using OpenVPN. So I guess even if they are sending traffic to an internal server on port 80, OpenVPN will keep it TLS-secured inside the tunnel, right?
@michmoor said in Network wide compliance policy:
Seems you're essentially looking for a HIP check. Typically an agent is installed that will handle this.
For example, a VPN user before they are allowed in, the VPN client has corporate policies (A/V version, latest updates, browser version, etc.) that it gets pushed down from the firewall. If the host passes a check they are allowed in. Otherwise, whats typically done is that the client is placed in a remediation vlan while further checks are done or Infosec has a chance to review.
Yes, now that you said it I think the "script rumour" was linked to OpenVPN, for it to check for versions before it lets a device through.
I should clarify that my purpose is to "endpoint secure" a bunch of Android devices that the employees have. They are usually too lazy to keep their Android phones updated, so I wanted to have some tool to remind them to update. I have worked too hard securing our internal network and firewall, and I don't want it to be all in vain when Bob is sitting on his phone with access to the internal databases through OpenVPN with a bunch of vulnerabilities (I know an IT policy approved by the CEO should be enough for Bob to follow).
@stephenw10 said in Network wide compliance policy:
Indeed, not directly. I would expect to use some central authentication and maybe 802.1x auth for clients. Though I'm not sure how clients would reach the auth server to register their accepted status to do that....
Yes, in theory 802.1x should have the ability built in to check the OS version, but I haven't found anything on the web talking about the idea of restricting users. The closest thing I found was Windows users not being accepted via RADIUS + 802.1x when updating to a new Windows version.
-
Yeah I can't see how that would be possible without a client running on the connecting hosts to do the check.
If OpenVPN can do that I'm not aware of it, but it would be interesting to look into if you have any links.
Steve
-
@stephenw10 openvpn can do post auth checks.. can check for files, etc.. not sure if it can check if something is running, or in the case of antivirus, whether the dat files are current, etc.. But you could prob do that.. But what I am not clear on is if you can do this with the community version or if you need to be using openvpn-as, their paid-for version.
https://openvpn.net/vpn-server-resources/post-auth-programming-notes-and-examples/
You can extend OpenVPN Access Server’s built-in authentication methods using a post-auth Python3 script to add additional user connection requirements, such as MFA or other custom checks.
Notice the mention of access server..
-
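The two posts above describe the same idea from different angles: a VPN-side check that consults what the client reports about itself before the connection is accepted (the HIP check michmoor describes, and the post-auth script johnpoz links for Access Server). The following is an added example, not code from the thread, from OpenVPN or from the Access Server documentation. It is written as a program for community OpenVPN's `--client-connect` hook, which runs the configured program with the connection's details in the environment (`common_name`, `trusted_ip`, and, for clients configured with `push-peer-info`, `IV_PLAT` and `IV_VER`) and rejects the client when the program exits non-zero; whether that covers what the Access Server post-auth mechanism offers is not settled by the thread. The version floors are constructed policy values. The caveat a defender should keep in mind is built into the design: these variables are asserted by the client and describe its OpenVPN client build, not the Android OS patch level the original poster is worried about, so the check fails closed when the information is missing rather than pretending it knows more.

```python
"""Policy check shaped as an OpenVPN `--client-connect` hook.

Added example, not from the thread or from OpenVPN. Assumes community OpenVPN
2.x behaviour: the hook program receives connection details as environment
variables and a non-zero exit status rejects the client. IV_PLAT / IV_VER are
only present when the client sends push-peer-info, and they are client-asserted.
"""
import os
import re
import sys

# Constructed policy: minimum reported OpenVPN client version per platform.
# The IV_PLAT keys are the platform strings OpenVPN clients report; the
# version floors are made up for this example, not recommendations.
MIN_CLIENT_VERSION = {
    "android": (3, 2, 0),
    "win": (2, 5, 0),
    "linux": (2, 4, 0),
    "mac": (3, 2, 0),
    "ios": (3, 2, 0),
}

# Leading dotted numbers only; OpenVPN 3 based clients may report git-style
# strings such as "3.git:<hash>", so missing components are treated as 0.
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '2.5.7', '3.git:unknown' or '3.8.2connect' into a comparable tuple, or None."""
    match = VERSION_RE.match(text or "")
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def dotted(version):
    return ".".join(str(part) for part in version)


def evaluate(env):
    """Return (allowed, reason), deciding only from what the client asserted about itself."""
    cn = env.get("common_name", "?")
    plat = (env.get("IV_PLAT") or "").lower()
    ver = parse_version(env.get("IV_VER"))
    if not plat or ver is None:
        # No peer info: fail closed so the gap shows up in the server log.
        return False, f"{cn}: no IV_PLAT/IV_VER from client (client needs push-peer-info)"
    floor = MIN_CLIENT_VERSION.get(plat)
    if floor is None:
        return False, f"{cn}: platform {plat!r} not in policy"
    if ver < floor:
        return False, f"{cn}: {plat} client {dotted(ver)} below floor {dotted(floor)}"
    return True, f"{cn}: {plat} client {dotted(ver)} accepted"


def main():
    allowed, reason = evaluate(os.environ)
    # The hook's stderr ends up next to the connection in the OpenVPN log;
    # the exit status is what accepts or rejects the client.
    print(reason, file=sys.stderr)
    return 0 if allowed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wired up as `client-connect /path/to/this-script.py` together with `script-security 2` in the server config, a rejection shows up as the reason string in the server log, which is the "remind them to update" signal the original poster asked for, limited to the client software rather than the phone's OS.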
Right, I'm not sure that's in the open source server.
-
@stephenw10 said in Network wide compliance policy:
Right, I'm not sure that's in the open source server.
Ugh, that is the paid server for 180 dollars a month, "built on the open-source structure".
I think I am gonna stay away from that. Anyway, it seems like my quest has hit a rough end. I will try to harden my network in a different way.
Thanks for all of the replies. Great community!