What is the best way to protect this network?
-
I am currently doing an assignment to protect a clinic with pfSense, I need help and additional info to improve what I've already done. Thank you so much in advance, because every input will help me by a ton.
Information about the target:
- It is a small clinic with a Wi-Fi network only for the Staff, no public access.
- Most of their patient's data is stored online through vendors (https://pcarejkn.bpjs-kesehatan.go.id/eclaim/Login a government database for patients and https://myklinik.id/ a website database provider to manage clinics). Some of their patient's data are also in Excel spreadsheets stored locally. They do not have a local database or a website of their own.
- I have installed pfSense with this infrastructure: ISP -> a PC with pfSense -> Router AP that also acts as a small hub-> Additional APs, PCs, and Phones. All of the pfSense configurations are set to default with no modifications.
Here are the things that I want to know:
- Is this default installation of pfSense already enough for a clinic with this size and limitations?
- If they are, I want to know what exactly pfSense does as a firewall in this exact case.
- If they are not, what can I do to improve? the infrastructure or pfSense configurations.
-
@meowmere said in What is the best way to protect this network?:
Is this default installation of pfSense already enough for a clinic with this size and limitations?
If they are, I want to know what exactly pfSense does as a firewall in this exact case.
If they are not, what can I do to improve? the infrastructure or pfSense configurations.These 3 lines - pfSense using 100 % default settings - can be resumed as two lines :
Nothing from the outside can come in.
The only 'danger' is now .... the users on your LAN, behind pfSense.
The good news is the bad news : this is valid for all of us.Even if you have the most secure firewall, the best network, you always have to deal with the LAN users.
One USB key that has been found 'on the parking lot' and inserted into one of the PC can create the most horrible situation : data gone or encrypted, or data copied to the outside and begin kept as hostage.
The only real workaround is (don't laugh) : give every PC it's own "LAN", so you have to deal with devices that have a shared usage, like printers.
Educate the users so the recognize fake mails, fake web sites etc, don't have them installing 'programs' or other stuff, and you'll be pretty good. -
@Gertjan Thank you for the insight! I have some more questions:
- In what case should a pfSense setting be configured? and why is it enough for my network specifically to be ok as it is with default pfSense?
- This might be a silly question, but what does pfSense do in the background to prevent outsiders from entering the network, how do they work exactly? How do they filter outbound and inbound data? especially on how this clinic heavily relies on vendor websites
-
everyone else is free to join in with your opinion or thoughts, I am in desperate need of information
-
@meowmere said in What is the best way to protect this network?:
but what does pfSense do in the background to prevent outsiders from entering the network, how do they work exactly?
Dangerous question.
As it shows that you don't know what a firewall is.
pfSense, or the firewall used by the router from your ISP, or any other firewall (router) out there, behave the same way.
IMHO, the fastest way to understand what happens, what this is, a "statefull firewall", install "Youtube", search for "what is a state-full firewall", hit enter, select the videos that have 'zillions' of likes, watch them all, and done.
Be aware, a couple of decades ago you had to visit Havard to know what you know now.
It's as easy as that.How do they filter outbound and inbound data?
Everything initiated from the outside, also known as the Internet, is blocked.
Everything initiated from the inside, also known as the LAN, is passed.With you doing nothing more, without changing any settings, without you activating any pfSense "gadgets", if the LAN users behave as real adults, you're job is over.
Keep in mind : it happens a lot : the real security problem of a network can be the admin itself, because he doesn't know what he is doing - or worse, he thinks he does ....@meowmere said in What is the best way to protect this network?:
I am in desperate need of information
Not that hard to find.
Half the planet is now hooking up his home, small company or what ever else to the Internet.
Everybody has the same question.
The most discussed subject on the Internet is ... not the new car of the neighbor, or who win the elections, but Internet itself and everything related.
It's like playing chess. There is no short cut, not brain implant possible, no miracle solution.
It's the good old ancient process : you have to take some time, sit down, and learn. -
S stephenw10 moved this topic from Problems Installing or Upgrading pfSense Software on
