Security risk in running vpn server on pfSense?
-
Hello,
Based on the information gathered below from forum member jflsakfja, I would like to ask if there is a risk involved in running a VPN service straight on a network gateway installation like pfSense?
What risks are we talking about here and how would they be reduced by running the VPN service on a separate device on the local LAN? Can a zero-day exploit affecting OpenVPN, for example, potentially grant attackers access to the host system and thus, in this case, the entire network gateway (pfSense)?
Thank you!
@jflsakfja:
There is a reason for keeping the software we install on the gateway to the absolute minimum required. And that reason is that the gateway should be considered as a bastion system. Bastion systems are the "if that system is compromised, you are fucked" systems. Systems that could cost you your job if you are not careful. It sits at a spot where it can intercept most network traffic (…)
You have configured a VPN client on your newly configured gateway, and you are happy about it. What will happen when a 0-day comes out for it? Not so imaginary scenario, there have been numerous occasions where such 0-days have come out, allowing authenticated and unauthenticated attackers to access the VPN in ways they shouldn't.
@jflsakfja:
An even safer way is terminating the tunnel on a separate host connected to a separate LAN-type interface. A raspberrypi/cubox-i/other-cheap-ARM-thingy is perfect for this, unless trying to route loads and loads of bandwidth through it.
-
"Can a zero day exploit affecting Openvpn"
So let's say there was some exploit that gave me access to OpenVPN – what would it matter where the host was located. VPN is normally designed to give access to your network.. So if that is compromised I would have access to your network..
VPNs are best suited at the EDGE of the network.. If your tinfoil hat tells you this should be a 2nd system then run it on a 2nd system. But the firewall is what controls access in and out of your network - endpointing the VPN in and out of your network here seems the most logical place to put that service.. I sure and the F would not host web pages, FTP off my firewall for example. Or use it for a Plex server like on a recent thread or a NAS that keeps coming up - running Samba on your firewall, etc. etc.. But VPN on your edge firewall device is a very logical solution.
I would say you might want to break it off on to its own hardware if you're providing, say, VPN for a user base that is LARGE.. You sure and the hell would not run that on a Raspberry Pi like suggested. You would use a dedicated VPN concentrator sort of solution. Say Juniper Pulse gateway https://www.pulsesecure.net/products/mag/ or https://www.pulsesecure.net/products/psa/
But if you're talking a few users, admins needing to admin the network, etc. etc. Then yes running VPN into your firewall makes great sense.. If you're really paranoid then lock down the access to the networks you will be coming from. Or use something like pfBlockerNG to limit to only the countries your users would be coming from, etc. No reason for IPs in Russia or China to hit your VPN port if you have no users there, etc.
To be honest if I was running VPN on some raspberrypi/cubox-i/other-cheap-ARM-thingy for the enterprise I don't think I would be too worried about losing that job in the first place ;)
-
"So let's say there was some exploit that gave me access to OpenVPN – what would it matter where the host was located. VPN is normally designed to give access to your network.. So if that is compromised I would have access to your network.."
Yes, you are indeed correct that both methods would anyway grant you access to the network. Is there however not an advantage to still having your gateway up and running if it would have the ability through an IDS like Snort or even forwarded fail2bans from the other hosts to detect additional attacks coming from this internal vpn server? Couldn't it then add this server to a blocklist and isolate it? Or is it not possible to setup an IDS to monitor traffic inside the network?
I'm completely new to pfSense and I'm trying to figure out best practices in order to make an informed decision on what hardware to buy for a simple home use scenario. Maybe such measures are overkill for home use but I'm curious to learn and if you do something why not do it right :)
Thanks again for your help!
-
One potential risk is system exhaustion like seen here: http://tools.cisco.com/security/center/viewAlert.x?alertId=36542
or Heartbleed as another example. With that in mind, how do other devices behave when the gateway goes down unexpectedly, or backdoor access can be gained with things like this: http://www.bbc.co.uk/news/technology-33839925
If a gateway goes down, it's good to test how other devices behave in case they can be compromised in some way when the gateway comes back.
So yes, not having all your eggs or services in one basket can be good; there are still other risks to check out though.
-
"Maybe such measures are overkill for home use but I'm curious to learn and if you do something why not do it right"
Dude, running another box as your VPN connection in your home because of some perceived insecurity in running a VPN service on your firewall is beyond overkill IMHO.. Get yourself a nice piece of hardware in your budget and fire up OpenVPN on it.. And enjoy the goodness!
How about you tackle some low hanging fruit first before you go out in the left field of security.. Your wifi for example is very low hanging, like on the ground, barely have to bend over to pick up security to your network.. And you're wondering if you should run your VPN service on different hardware because of some possible unknown exploit to OpenVPN that could be somehow leveraged to gain access to the firewall in general?
Dude really??
-
And don't forget to ditch your mobile, it's even easier low hanging fruit. ;D
http://www.dailymail.co.uk/news/article-3199978/Hackers-access-call-message-send-world-moment-German-computer-experts-just-easy-eavesdrop-smartphone.html
-
"Dude, running another box as your VPN connection in your home because of some perceived insecurity in running a VPN service on your firewall is beyond overkill IMHO.."
Ok, thank you for your opinion. A directive yes or no is a start but it is also nice to have the argumentation as to why you feel it is this way (even though the arguments might seem obvious to you): so, why do you feel it is overkill for home use? Also, it would still be nice if you could give me a more technical answer to the question I asked regarding how pfSense and Snort could maybe sniff out and isolate attacks from within the network (if you have the know-how of course).
"How about you tackle some low hanging fruit first before you go out in the left field of security.. Your wifi for example is very low hanging"
If you have some actual references as to how to secure home wifi beyond wpa2/aes with a complex pass phrase and using a separate ssid for guests then that would be greatly appreciated! Unless you of course mean to simply throw it out the window. :) Also if you can think up other low hanging fruit for us newer users to tackle then please share.
"Dude really??"
Yes, really. I'm asking a question because I do not know the answer. Again, thank you for your opinion. If any other users have a diverting one please do not hesitate to share. :)
-
"If you have some actual references as to how to secure home wifi beyond wpa2/aes with a complex pass phrase and using a separate ssid for guests then that would be greatly appreciated! Unless you of course mean to simply throw it out the window. :) Also if you can think up other low hanging fruit for us newer users to tackle then please share."
If you have a spare ISP-supplied router which does wifi, having a pfSense box with a separate NIC into which you can just plug access points or spare ISP-supplied routers can help to isolate traffic from your wired devices on other networks.
The trick with ISP-supplied routers acting as an access point is to put the IP address of the pfSense NIC to the wifi network in a different IP address range to the default the ISP-supplied router uses. E.g. if the ISP router always defaults to 192.168.1.1, then make the pfSense NIC to the wifi network say 192.168.2.1. Most ISP-supplied routers serve wifi irrespective of the DHCP server running on the ISP-supplied router or a lot else. The wifi key will be whatever you set in the ISP-supplied router. That's a cheap workaround if you don't want to justify getting a dedicated access point.
If you get a conflict between the DHCP running on pfSense and the router, and if you have an ISP-supplied router which also has a cable/fibre port, i.e. it accepts an ethernet cable, you can try plugging your pfSense wifi NIC LAN cable into that instead. The ones I've tried in the past, which are just Huawei routers, all work like this.
"Yes, really. I'm asking a question because I do not know the answer. Again, thank you for your opinion. If any other users have a diverting one please do not hesitate to share. :)"
Snort is always good as it blocked the Akamai network and dailymail.co.uk one day last week around 3.30pm citing a heap spray attack of sorts amongst other things, which is something you wouldn't expect from a major CDN or the most popular online website in the world. Also worth running it on pfSense as well as your other devices, e.g. it runs on Windows and Linux.
Also worth setting up block lists for everything, to really isolate devices on your network where possible, as each one may have a vulnerability which could then be used to spread across your network to other devices. So if a device like a games console doesn't need to talk to, say, your Apple laptop, put a block rule in to specifically block it for extra peace of mind.
Edit. One other point, if you do put your wifi access on a separate interface (OPTx), put in specific block rules for the ports used to access pfSense (sftp 21, ssh 22, webgui 80 & 443), this way no compromised wifi device can gain access to your pfSense box.
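The two rule-writing ideas in this thread (limiting the VPN port to the ranges your users come from, as suggested earlier with pfBlockerNG, and the device-to-device and OPTx-to-management-port block rules in the post above) both depend on one property of pfSense rules: they are evaluated top to bottom and the first match wins, so a broad pass rule placed above a specific block silently defeats it. The following is an added example, not code from this thread or from the pfSense project: a small Python model of that first-match evaluation, with a constructed ruleset and constructed addresses (LAN 192.168.1.0/24, wifi on OPT1 192.168.2.0/24, a guest VLAN on OPT2 192.168.3.0/24, a documentation-range WAN address, and a stand-in allow table for the VPN port) that lets you check a policy against sample flows before typing it into the GUI. The management ports are the ones listed in the post above.

```python
# Added example: a first-match rule evaluator that mirrors how pfSense applies
# firewall rules (top-down, first match wins). It is not pfSense code; the
# addresses, interfaces and the allow table are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrives on ("wan", "opt1", "opt2")
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    iface: str
    src: str             # CIDR, single address, "any", or a "<table>" name
    dst: str
    proto: str = "any"
    dports: tuple = ()   # empty tuple = any destination port
    label: str = ""


# Constructed addressing (assumed): wired LAN 192.168.1.0/24, wifi on OPT1
# 192.168.2.0/24 (as in the post above), guest VLAN on OPT2 192.168.3.0/24.
# The firewall holds .1 on each; the WAN address is from documentation space.
FIREWALL_SELF = ("192.168.1.1", "192.168.2.1", "192.168.3.1", "203.0.113.10")
MGMT_PORTS = (21, 22, 80, 443)  # the ports listed in the post above
TABLES = {
    "<self>": FIREWALL_SELF,
    # stand-in for a pfBlockerNG country/range list: where your users come from
    "<vpn_allowed>": ("198.51.100.0/24",),
}


def match_addr(pattern: str, addr: str) -> bool:
    """True if pattern is 'any', or addr lies inside the CIDR or one of a table's networks."""
    if pattern == "any":
        return True
    nets = TABLES[pattern] if pattern in TABLES else (pattern,)
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def evaluate(rules, flow: Flow, default: str = "block"):
    """Return (action, label) of the first rule matching the flow, or the default."""
    for r in rules:
        if r.iface != flow.iface or r.proto not in ("any", flow.proto):
            continue
        if not (match_addr(r.src, flow.src) and match_addr(r.dst, flow.dst)):
            continue
        if r.dports and flow.dport not in r.dports:
            continue
        return r.action, r.label
    return default, "default deny"


RULES = [
    # WAN: the OpenVPN port answers only to sources in the allow table
    Rule("pass", "wan", "<vpn_allowed>", "<self>", "udp", (1194,), "vpn from allowed ranges"),
    # OPT1: the firewall's own management ports are blocked before any pass rule
    Rule("block", "opt1", "192.168.2.0/24", "<self>", "tcp", MGMT_PORTS, "wifi -> pfSense mgmt"),
    # OPT1: the games console (.50) never talks to the laptop (.20)
    Rule("block", "opt1", "192.168.2.50", "192.168.1.20", label="console -> laptop"),
    # OPT1: wifi may reach the wired file server over SMB, nothing else on LAN
    Rule("pass", "opt1", "192.168.2.0/24", "192.168.1.10", "tcp", (445,), "wifi -> file server"),
    Rule("block", "opt1", "192.168.2.0/24", "192.168.1.0/24", label="wifi -> LAN"),
    Rule("pass", "opt1", "192.168.2.0/24", "any", label="wifi -> internet"),
    # OPT2: guests get the internet only
    Rule("block", "opt2", "192.168.3.0/24", "<self>", "tcp", MGMT_PORTS, "guest -> pfSense mgmt"),
    Rule("block", "opt2", "192.168.3.0/24", "192.168.1.0/24", label="guest -> LAN"),
    Rule("block", "opt2", "192.168.3.0/24", "192.168.2.0/24", label="guest -> wifi"),
    Rule("pass", "opt2", "192.168.3.0/24", "any", label="guest -> internet"),
]


def pass_rules_first(rules):
    """The common mistake: broad pass rules placed above the specific blocks."""
    return sorted(rules, key=lambda r: r.action != "pass")  # stable sort: pass rules rise to the top


if __name__ == "__main__":
    # Constructed sample flows, one per policy line
    samples = [
        Flow("opt1", "192.168.2.77", "192.168.2.1", "tcp", 443),   # wifi laptop -> webgui
        Flow("opt1", "192.168.2.77", "192.168.1.10", "tcp", 445),  # wifi laptop -> file server
        Flow("opt1", "192.168.2.50", "192.168.1.20", "tcp", 445),  # console -> laptop
        Flow("wan", "192.0.2.9", "203.0.113.10", "udp", 1194),     # VPN from outside the allow table
    ]
    for f in samples:
        print(f, "->", evaluate(RULES, f), "| misordered:", evaluate(pass_rules_first(RULES), f))
```

Run as written, the wifi-to-webgui flow is blocked by the ordered ruleset but passes once the broad "wifi -> internet" rule is sorted above the blocks, which is the check worth making whenever a pass rule with a destination of "any" is added to an OPTx interface. The WAN allow table is deliberately the only pass rule on that interface, so anything not in it falls through to the default deny.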
-
"If you have a spare ISP-supplied router which does wifi, having a pfSense box with a separate NIC into which you can just plug access points or spare ISP-supplied routers can help to isolate traffic from your wired devices on other networks."
I was thinking of getting an access point (open mesh, xclaim,..) that supports multiple ssids. Right now I'm considering the sg-2220 for pfSense but that one only has one nic for lan. I suppose I could circumvent this limitation by using a managed switch that supports vlan tagging and then restricting the guest ssid to its own vlan? On the internal network I would need some wifi devices to have access to the wired file server but I suppose I could set the wired and wireless on different subnet and set specific rules for what can cross over?
"Also worth running it on pfSense as well as your other devices, e.g. it runs on Windows and Linux."
That sounds good, will check it out. What are the advantages of running snort in multiple places on the internal network as opposed to just on the gateway?
"Also worth setting up block lists for everything, to really isolate devices on your network where possible"
Could I set up such blocklists for traffic between internal devices on the pfSense gateway or would I have to do this on the devices themselves?
Thank you for your help! If anyone else has more input, preferably backed by argumentation, to add on the idea of separating a VPN server from the gateway for security concerns, also if you disagree, please chip in! :)
-
Can't comment on the SG-2200 as I have no experience of it.
Re Snort on more than one device: you can have different rules running on each instance like you do on each interface in pfSense, but you can include some additional check data which shouldn't appear on other devices and is not put in Snort on the main gateway; plus it's just a form of redundancy in case of Snort not running on an interface, which can happen when resources are tight, like during bootup when put under certain conditions, especially on earlier versions of pfSense.
Ideally you would have something like Snort, i.e. an IDS/IPS, between your devices/subnets or on your devices but different, as just like one AV can't find 100% of viruses, considering the tricks people go to to get around IDS/IPS systems, the more you diversify everything the better. Monocultures never last long in nature, nor in IT.
Isolate and observe as much as possible, it can be quite illuminating. Like a driver becomes intimate with the handling of their car, so you must become intimate with your IT to have confidence in it, hence why logging as much as possible, ideally with debug switched on for extra metadata if your HW can handle the extra load, can be useful.
Running stuff in debug can throw up examples of some of the tricks which get employed to hack systems, if you want to learn that sort of stuff.
If you want a really paranoid setup, every day cheap tech & software can also be used to provide an air gap as well, if you think about it in an innovative way. ;)
-
"I would need some wifi devices to have access to the wired file server but I suppose I could set the wired and wireless on different subnet and set specific rules for what can cross over?"
Tag two SSIDs to the AP. Put an internal SSID on your internal VLAN and the guest SSID on the guest VLAN.
No need for any rules. Internal wifi clients will be on the same broadcast domain as your LAN.