Creating best security practices for pfSense



  • Hello Guys!

    I have worked with pfSense since 2012 and we know about the powerful features that this firewall has and its many configuration options. But I have never found on the network a guide with the best practices to use with this firewall to ensure security and prevent unauthorized persons from accessing the firewall.

    One of those things is disabling HTTP management, because this protocol sends everything in clear text, including admin passwords. Another thing is changing the default management port to prevent brute force attacks.

    Does anyone have more ideas so we can create a guide for administrators to follow?

    Thanks to everyone.



  • @Freechoice:

    But I have never found on the network a guide with the best practices to use with this firewall to ensure security and prevent unauthorized persons from accessing the firewall.

    Hi,

    honestly: There is no generic approach!
    It depends on your needs and mostly on your use cases.

    But to cover the basics:
    No unencrypted
    changing the default ports
    Use ACL Rules to permit Admin Access
    Do not allow too much from internal networks

    The rest (especially your ACL/Rules) depends on your requirements (e.g. who is in your network and so on).

    I'm a friend of DENY Everything and allow just the few things that my network needs. And I have LAN Zones (Separated Networks) for me and all others.  But this is something that you have to decide for yourself :)

    Have Fun!



  • There was a popular thread some time ago (somewhere!) on here where people posted their sets of 'common first things to do' on a fresh pfSense install.  It was a great bunch sort of best practices / common hints collections that admins collected over the years.  I can't find it now, of course, but maybe you will have better luck searching, or someone else recalls the thread.



  • @Freechoice:

    Another thing is changing the default management port to prevent brute force attacks.

    I disagree. That is very close to useless.

    Security-by-obscurity like that will, at best, only delay the inevitable attack slightly if you have made the mistake of exposing the admin interface to a hostile environment.

    What you should do is here:
    @jhochwald:

    Use ACL Rules to permit Admin Access

    Security-by-obscurity actions like changing from a default port add no real security. The only time it may be useful is to decrease noise in logs, that you have to scan religiously, if you absolutely need to have something exposed to a hostile environment. The firewall admin interface is much too sensitive to at all be a candidate for such exposure.

    If remote access is necessary, firewall administration should be over a secure VPN.

    I understand that there may be a use for a best security practices guide for the least educated pfSense administrators. However, it is very hard to hit the correct level of security for a document like that as I believe that the knowledgeable forum participants are probably much more ambitious than what is acceptable for the target audience.


  • Netgate Administrator

    This thread is an interesting read:
    https://forum.pfsense.org/index.php?topic=78062.0
    I don't agree with all of it, or at least that's not quite how I'd do it.
    The huge variation in user experience, network size, hardware etc amongst pfSense installs makes writing such a document very difficult. It would likely be either unreadably complex or patronizingly simple depending on the reader.  ;)

    Steve
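
The basics named in the posts above (no unencrypted management, admin access limited by rules, GUI not exposed to a hostile network) can be checked against an exported config.xml. The following is an added example, not part of any post in this thread: the sample config is constructed, and the element names and values used (system/webgui, filter/rule, wanip, (self), hyphenated port ranges) are assumptions about the config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names and values are assumed
# to follow the pfSense config.xml layout (system/webgui, filter/rule).
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>http</protocol><port>8080</port></webgui></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><source><any/></source>
      <destination><network>wanip</network><port>8080</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><address>192.168.1.10</address></source>
      <destination><network>lanip</network><port>8080</port></destination></rule>
  </filter>
</pfsense>"""

def gui_endpoint(root):
    """Return (protocol, port), falling back to the protocol's default port."""
    proto = (root.findtext("system/webgui/protocol") or "https").strip().lower()
    port = (root.findtext("system/webgui/port") or "").strip()
    return proto, port or ("443" if proto == "https" else "80")

def port_matches(spec, port):
    """True if a rule port spec ('', '443', '80-8080', alias) may cover port."""
    lo, _, hi = spec.partition("-")
    try:
        return not spec or int(lo) <= int(port) <= int(hi or lo)
    except ValueError:
        return True  # named alias: cannot resolve here, so flag for review

def reaches_firewall(rule):
    """True if the destination is 'any' or one of the firewall's own addresses."""
    net = rule.findtext("destination/network") or ""
    return rule.find("destination/any") is not None or net == "(self)" or net.endswith("ip")

def audit(xml_text):
    """Return findings for cleartext GUI access and over-broad rules to the GUI port."""
    root = ET.fromstring(xml_text)
    proto, port = gui_endpoint(root)
    findings = ["webgui-cleartext"] if proto != "https" else []
    for i, rule in enumerate(root.findall("filter/rule")):
        port_spec = rule.findtext("destination/port") or ""
        if (rule.findtext("type") != "pass" or rule.find("disabled") is not None
                or not reaches_firewall(rule) or not port_matches(port_spec, port)):
            continue
        if rule.findtext("interface") == "wan":
            findings.append(f"rule{i}-gui-reachable-from-wan")
        elif rule.find("source/any") is not None:
            findings.append(f"rule{i}-gui-reachable-from-any-source")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags the cleartext GUI and the WAN rule, while the LAN rule limited to a single admin address passes. Moving the GUI to port 8080 does not change either finding.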