Login security - phishing resistant MFA
-
You should add comments to one of the open feature requests like: https://redmine.pfsense.org/issues/12546
-
This comes up from time to time and to be honest im very confused by it. To be clear, every security product that i have worked on operates in this manner.
The root/admin account is a local account. You want that to be non-2FA so you can gain entry into the device. All other accounts are set up to work with an authentication server.
Today, I have my pfsense set up to use Duo + Ldap. I also have set up using Microsoft Azure for auth with pfsense .I have set up Palos this way with the aid of AFDS servers. Probably could make it work with pfsense as well.
I understand the whole passkey/Fido demand but to be clear, you can implement 2FA today with pfsense using the methods i described above.
Security is an in-depth thing not a 'focus only on the firewall' thing.
I dont know. This is honestly a topic that can go ad-infinitum but i have yet read anything that changes my mind regarding pfsense + 2FA methods that already can be implemented. -
The root/admin account is a local account. You want that to be non-2FA so you can gain entry into the device. - Had malware installed on a laptop that contained a key logger and screen capture software that took a screenshot every second and stitched it together into a video. you ever log in to this service using just username and password and you're in big trouble. Any online service this day recommends 2FA for an admin account and a lot are now even pushing for phishing resistant ones as well.
I have my pfsense set up to use Duo + Ldap - do you have a guide or something you used for this ?
Security is an in-depth thing not a 'focus only on the firewall' thing. - I'm not, we rolled out 2FA / fido keys on every service that supports it and now the firewall not supporting it is very much a weak point because of it. The firewall is also pretty important for security so you want it to be secure.
-
@stephenw10 Added something to the bottom of that issue as you suggested.
-
@jeffsmith82 said in Login security - phishing resistant MFA:
The root/admin account is a local account. You want that to be non-2FA so you can gain entry into the device.
No you dont. If all your accounts are 2FA then how does anyone admin a device? I have never seen any deployment like that because it honeslty doesnt make sense.
@jeffsmith82 said in Login security - phishing resistant MFA:
I have my pfsense set up to use Duo + Ldap - do you have a guide or something you used for this ?
https://duo.com/docs/authproxy-reference
You need an LDAP or AD server and install the Duo proxy service on a separate server.Having malware on your computer then logging into your firewall -- the issue isnt the firewall. The issue is that you believed that the laptop should be a trusted device that is able to connect to the firewall and admin it. The way i administer my firewall or any network element is i do so from a management network. You take all the same precautions [firewall rules, threat prevention, XDR agent if you use such a thing, etc..]. Its tightly locked down. If you admin from VPN then same things apply [ tight rules, threat prevention, XDR agent on the laptop]. Lots of this is on your security profile. I wouldnt look to passkeys as the ultimate solution and I definitely wouldn't say that "such an important security appliance to most doesnt have the most basic security measures that are required these days" when you havent done the necessary preparation on your part.
-
@michmoor Had crowdstrike/falcon installed on the laptop and it still never picked it up. Not sure how me logging into a machine in a management network from a laptop increases my security if the laptop has a keylogger installed on it.
Not having 2FA on the firewalls is still weaker security than having 2FA. Saying but you should have better security somewhere else doesn't really help the security of the firewall.
-
@jeffsmith82 said in Login security - phishing resistant MFA:
user was phished and get their Azure creds stolen and hackers can now login they can add a new 2FA method. They use this to gain access to internal network over VPN and can use their new 2FA codes to get in. This is real world scenario that is actually pretty common unfortunately.
Sorry to learn of this despite the careless picture it paints...
-
@NollipfSense not sure why your attacking me over one of my users clicking a phishing link. Good to know all your users are 100% perfect and never do these sorts of things.
In the real world though these things happen and then what you do you look at the root cause and make sure it doesn't happen again. So training for the user and roll out phishing resistant authentication is what we are doaing. So im here asking for fishing resistant auth for something thats important in our infrastructure.
-
@jeffsmith82 said in Login security - phishing resistant MFA:
In the real world though these things happen and then what you do you look at the root cause and make sure it doesn't happen again. So training for the user and roll out phishing resistant authentication is what we are doaing. So im here asking for fishing resistant auth for something thats important in our infrastructure.
I get what your saying. Whatever security tools you used, failed you. So thats problem 1.
You have not set up 2FA on the firewall which you can do with the link i provided.I only take issue with your below statement.
@jeffsmith82 said in Login security - phishing resistant MFA:
It doesn't look good that such an important security appliance to most doesn't have the most basic security measures that are required these days.
This just objectively isnt true. By all measures, pfSense is very secure. Having additional security checks that you want are fine but do not take away from what the product - pfsense - already has at its core which is security.
-
I don't think anyone really disagrees that it would be good to have some form of native MFA in pfSense.
-
@jeffsmith82 said in Login security - phishing resistant MFA:
It doesn't look good that such an important security appliance to most doesn't have the most basic security measures that are required these days.
This just objectively isnt true. By all measures, pfSense is very secure. Having additional security checks that you want are fine but do not take away from what the product - pfsense - already has at its core which is security.
So 2FA isn't built in to the core product which is by all measures these days it's not secure. Try and get cyber insurance if you don't say you use 2FA and see what you get quoted compared to if you do have it as proof of this.
https://redmine.pfsense.org/issues/4242 here is an 8 year old issue raised asking for 2FA for the admin login that is still open and not confident this is going to happen any time soon but worth asking right.
Implementing SAML so pfsense doesn't have to deal with authentication and push it off to a third party service like Azure would be a great option too. Someone made a project that implements everything that's required as far as I can see https://github.com/jaredhendrickson13/pfsense-saml2-auth This should have been made part of the core product. https://redmine.pfsense.org/issues/11920 2 year old issue here pointing this out.
I have used pfsense since about 2008 and I do really like it but it's okay to admit it has faults and not having decent 2FA is a big one. Not having a decent 2FA option for any of the out of the box VPN's is number 2 on my list of issues. https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa having to manully recreate a user list and somehow hand out the QR codes to register users isn't exactly easy.
-
@stephenw10 said in Login security - phishing resistant MFA:
I don't think anyone really disagrees that it would be good to have some form of native MFA in pfSense.
100%
-
@jeffsmith82 No argument from me that there should be some level of modernization in the base code.
I would welcome SAML support wholeheartedly. -
@stephenw10 said in Login security - phishing resistant MFA:
I don't think anyone really disagrees that it would be good to have some form of native MFA in pfSense.
Someone has already done the hard work and written a package for it https://github.com/jaredhendrickson13/pfsense-saml2-auth would be great to see this either become a supported one by netgate or just migrate it into the core.
-
There's an open feature request for that too: https://redmine.pfsense.org/issues/11920
Comments welcome. That was discussed internally though and there were some issues with it making it non-trivial.
Steve
-
@stephenw10 Would be interested to know what the non-trivial issues are.
-
I wasn't involved directly, might be better to ask about that on the ticket. Unless one of the developers chimes in here....
-
@jeffsmith82 said in Login security - phishing resistant MFA:
not sure why your attacking me
How is this attacking you? How does "Sorry to learn of this despite the careless picture it paints..." turned to attacking you? How did you interpret it as an attack on you? Did I said YOU ARE CARELESS...no. Does the hacking appears to paint careless imagery...it sure does...doesn't it?
-
@jeffsmith82 After extensive research, the passkey actually appears best suited for a firewall, whether one is surfing or working the web...maybe as a package or if pfSense continues its plan to add API for WebAuthn and to store the public keys, rather than say icloud keychain or Google or Microsoft. Thank you for bring it up.
-
I decided to take on implementing this feature as a personal project because I want it on my Netgate 6100.
The request has a working pull request against RELENG_2_7_2 - https://redmine.pfsense.org/issues/15244I hope it gets approved for everyone to use as it's very convenient :)
