PfSense newbie - Controlling user access to a network
-
Hi guys,
Not sure exactly where this belongs but it seems like it should be alright here!
I'm currently working on something that involves securing a server on a separate network (let's call it 192.168.1.0/24). The server does not have internet access (security reasons) and besides the pfSense firewall is the only device on this network. What I'm trying to do is allow only certain users access to this network by requiring an additional layer of authentication which I'm hoping pfSense can provide. All users attempting to access this network will be connected to our main corporate network (let's call this 172.16.0.0/24) which does have internet access. So the LAN side of the pfSense firewall is the 192.168.1.0/24 network and the WAN side is the 172.16.0.0/24 network.
My initial plan was to have the pfSense firewall provide a VPN service and just have the users use this connection to access the network and they would then use Remote Desktop to access the server. One of the higher ups didn't like the idea that this traffic wouldn't be controlled by our main firewall (all activity from our LAN to the internet is monitored and filtered by this) and was worried that once a hacker had access to this restricted network, they would then only be one jump away from our main corporate network and as such I'm searching for another alternative.
My first question is - If I was to go with the VPN option, would there be a way to block as much traffic as possible from the 192.168.1.0/24 network to the 172.16.0.0/24 network assuming clients would ONLY be using Remote Desktop to access the server and should not be transferring anything from the server to the client machine but may need to transfer from the client machine to the server? So I want limited inbound traffic to the network and very limited outbound traffic.
Second question is - Is there a way to force a user to authenticate through the firewall before providing them access to the restricted network that isn't VPN? I was hoping the Captive Portal feature would allow this but all the pages I've read suggest it's used for WiFi Hotspots only.
Third question is - Can I use the pfSense firewall as a RADIUS server to sync the authentication details used by a client on the firewall (assuming there is a solution for my second question) with their local windows account so that they only have to remember one set of credentials?
This is the first time I've used pfSense so I'm not sure what the capabilities of it are, hopefully you can help me with this!
Thanks.
-
Interesting question.
I'm not really sure how using a VPN approach would in fact by-pass anything. It's possible that you're using a simplified description so as not to make things complex but…. if your clients are in the 172.16.0.0/24 subnet and so is the pfSense box then traffic to it is not going to be going through your corporate firewall anyway. (unless it's bridging in some way).
If you do have a pfSense setup as a VPN server then you can apply firewall rules to block anything you want. Block all outgoing connections from 192.168.1.0/24, block everything incoming except RDP (TCP 3389), anything you want.
The captive portal is most often used with wifi hotspots but can be used with any interface. You could use it to authenticate users.
You can set pfSense to authenticate against a remote server. I've never tried that but there are docs in the wiki, not sure if it can authenticate against a Windows DC. :-\
Steve
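A small model of the rule set Steve describes, added here as an illustration and not taken from the thread or from pfSense itself: pfSense evaluates rules per interface with first match winning, and a "pass" rule creates state, which is why blocking everything outbound from 192.168.1.0/24 on the LAN side does not break the replies of an RDP session allowed in on the WAN side. The client and server addresses and ports are assumed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "wan" (corporate side) or "lan" (restricted side)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# (interface, action, proto, source network, destination network, destination port or None)
RULES = [
    # WAN: only RDP from the corporate network to the restricted server network
    ("wan", "pass", "tcp", "172.16.0.0/24", "192.168.1.0/24", 3389),
    ("wan", "block", "any", "0.0.0.0/0", "0.0.0.0/0", None),
    # LAN: the restricted network may not initiate anything at all
    ("lan", "block", "any", "192.168.1.0/24", "0.0.0.0/0", None),
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (proto, src, sport, dst, dport) of flows a pass rule admitted

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"  # established flow: rules are not consulted again
        for iface, action, proto, src_net, dst_net, dport in self.rules:
            if iface != pkt.iface or proto not in ("any", pkt.proto):
                continue
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_net):
                continue
            if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst_net):
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if action == "pass":
                self.states.add(fwd)
            return action  # first match wins
        return "block"  # implicit default deny

def run_scenarios():
    fw = StatefulFilter(RULES)
    client, server = "172.16.0.50", "192.168.1.10"  # assumed addresses
    return {
        "rdp_in": fw.decide(Packet("wan", "tcp", client, 50000, server, 3389)),
        "rdp_reply": fw.decide(Packet("lan", "tcp", server, 3389, client, 50000)),
        "ssh_in": fw.decide(Packet("wan", "tcp", client, 50001, server, 22)),
        "server_out": fw.decide(Packet("lan", "tcp", server, 40000, client, 445)),
    }
```

The reply packet passes only because the inbound RDP connection was admitted first; run the same `rdp_reply` packet on a fresh filter and the LAN block rule catches it.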
-
Apologies, I wasn't quite clear in my first post. The original solution of using VPN would have meant that a few of our remote workers would access it from outside the corporate network. I think I'll look into it and see if there's a way to get the Captive Portal user accounts synced with the Windows accounts. If I can find a way to do this it should work quite nicely!
Thanks for the help.
-
If your main firewall has monitoring, filtering and user authentication features, it should (usually) have multiple interfaces and VPN server functions (possibly SSL VPN too).
Any reason not to use the existing hardware to do this work?