Can attacker get access from LAN area to the PFsense if using EMBEDDED


  • From other opensurce Firewalls (named "IPF…") that was running off a standard PC with 2 NIC's then the harddisc content was daily hacked or deleted (hacker used RPC bind to basically control part of the pc'S PROCESSES somehow in the firewall so even flashing BIOPS multiple times could never get rid of it, unfortunately).
      Question is:  If buying PFsense installed on an EMBEDDED device with 4 LAN holes and 1 or 2 for WAN -  instead of using a PC - are the access to the PFSense firewall and its data then completely physically separate from the LAN ports?
        (so any acker from outside would not be able to hack the EMBEDDED device even if they had access from WITHIN the LAN?

    Example:

    Letss say the PFsense Embedded device has:
    Wan1
    Wan2

    Lan1  - used for 2 PC's
    Lan2  - used for 2 PC's
    Lan3  - "LAN3" is only connected to 1 PC and LAN3 is only used to access the PFsense firewall. And no firewall port is open to the outside world/no port is open to WAN from Lan3.
    Lan4    - Used for 2 PC's that do have internet connection.

    The 4 lans are kept separate so communcation cannot (should not?? :) ) be able to "cross-over" each other.

    No VPN are activated. for any of the 4 LANs.
    Only open protocls are:    http/HTTPS    (and DNS 53)

    No conections are allowed from WAN to LAN a all.

    QUESTION: 
    1.1  Lets say that the PFsense hardware is similar to the PFsense advertisement shown above (VK-2D13 in the picture above)

    • can any malicious scripts penetrate from LAN area to inside the firewall?

    1.2 If a malicious script does penetrate from LAN area - say, a script that makes 400 DNS requests per minute = 600.000 DNS requests per day (without anyone even using the machine for any internet activity whatsoever) -  will such malicious script then be completely gone after:
      1.3  shutting off and then restart  the firewall after 45 seconds?
      1.4) RESETTING the firewall for 60 seconds - and then upload the desired configuratiation file again?
      1.5) Re-flashing the firmware with latest firmware.
      1.6) OR, could Something more drastic be required? If so, what would/could be required in such situation to solve it?

    (Even using the "30-30-30" technique from DD-WRT site multiple times didnt work for the firewall from the famous manuffacturer).


  • I have some basic issues with what I think you're describing:

    From other opensurce Firewalls (named "IPF…") that was running off a standard PC with 2 NIC's then the harddisc content was daily hacked or deleted (hacker used RPC bind to basically control part of the pc'S PROCESSES somehow in the firewall so even flashing BIOPS multiple times could never get rid of it, unfortunately).

    This seems to imply some kind of hack that was somehow linked to a flaw or backdoor in the BIOS of the system?
    If you can't trust the hardware, there's a simple solution - get new hardware, it's cheap these days.
    There's lots of very good embedded systems available (some of them from ESF  :))

    If you don't trust the software, there a simple soultion - get new software, there's more than one that's been well vetted (my favorite is pfsense  8))

    As far as securing pfsense from unwanted  Internal as well as external attack, you get to specify which internal access and on what nics you want to allow.

    If you turn off (it defaults to "on") the anti-WebLockout rules and disable SSH, you won't be able to use the Lan to control pfsense at all, you're stuck with the console.
    From there, you can add rules for the specific ports, networks, and NIC's you want to allow access.

    In the end, pfsense is as secure as the environment you put it into.  If some can access the pfsense hardware, all bets are off as far as security.  If you can secure the box, then you can move forward and secure the networks it's connected to.

  • Netgate Administrator

    @trads:

    Question is:  If buying PFsense installed on an EMBEDDED device with 4 LAN holes and 1 or 2 for WAN -  instead of using a PC - are the access to the PFSense firewall and its data then completely physically separate from the LAN ports?

    No. PfSense running on embedded hardware is not much different to a standard PC. It's still X86 hardware.

    If the attack you are describing was at the BIOS level I imagine it via some out-of-band management facility. If that is the case then it's a config issue. IPFire is a mature firewall, i'd be surprised to find they had some huge security hole.

    Steve