Adventures with pfSense: Act 2— Improving your network security

pfSense comes with several packages which enables you to further secure your network beyond the built-in firewall and captive portal. Popular tools such as pfBlocker, Snort, Suricata, SquidGuard, ArpWatch can be utilized and configured in order to strengthen your home, office or data center network security posture.

I’ve experimented with several of them and eventually settled down on 3 packages that serve most of my needs. The 3 packages are

1. ArpWatch — Notifies me when new devices are connected to network
2. pfBlocker — DNS filter to prevent access to unsavory sites
3. Suricata — Intrusion detection and prevention system

Enabling all of these features require a minimum hardware configuration comprising a dual core Intel processor with at least 8GB of ram.

1. ArpWatch

This tool builds up a database of what devices are connected to your network and can automatically notify you when there is a new device connected.

Within a controlled environment such as your home, this is extremely useful as you will be know when unknown devices are connected to your network and you can then investigate or take actions such as banning them from accessing anything on the network

Configuration of ArpWatch is super simple, requiring not more than 3 simple steps.

3 simple steps to configure ArpWatch

Now just sit back and wait for the database to be populated with devices connected to your network for you to verify.

ArpWatch database of devices

Personally i prefer email notifications. They are sent when a new connection is made and super helpful to track new devices connected to my home network.

Email notification from ArpWatch

2. pfBlocker

This tool main maintains a list of DNS entries that you may not want users in your network to access. This is similar to DNS security products offered by the likes of Palo Alto, Checkpoint, CloudFlare and Cisco.

Note: pfBlockerNG-devel is the latest version, please install that instead of pfBlockerNG

pfBlocker — OLD VERSION

pfBlocker —NEW VERSION

Setting up pfBlocker is slightly more complex and requires more steps. This is expected since pfBlocker provides a more flexibility and options on how and what to block.

pfBlocker — IP Tab

Most of the settings should already be configured, you will want to consider turning on CIDR Aggregation to optimize pfBlocker’s performance.

pfBlocker — IP Tab

pfBlocker — DNSBL Tab

Main thing here is to ensure DNSBL is enabled and to whitelist/blacklist any domains that you want to explicitly allow/block.

pfBlocker — DNSBL Tab

Whitelisting .edu.sg

In the screenshot above, any domain ending with .edu.sg will be expressly allowed thru pfBlocker.

Within the DNSBL Groups Tab, you will get EasyList, ADs and Malicious groups configured with block by default. Should you need to add your own list, click on the “Add” button.

pfBlocker — DNSBL Groups Tab

Within the DNSBL Category Tab, you have the option to configure additional blacklist and their associated categories.

pfBlocker — DNSBL Category Tab

Note: You will get a warning if you selected large categories (i.e with many domains), this should be sufficient as long as you meet the minimum memory requirements listed at the beginning of the page.

Warning when selecting large blacklist categories

pfBlocker — General Tab

Once you are done with all the settings, go back to the general tab and enable pfBlockerNG.

Remember to click Save!

pfBlocker — Dashboard widget

Lastly pfBlocker comes with a dashboard widget that allows you to view blocked domain statistics and quickly whitelist domains when required.

pfBlocker — Dashboard widget

3. Suricata

Suricata is a popular tool that performs real time intrusion detection (IDS), inline intrusion prevention (IPS) and network security monitoring (NSM).

As with all such products, IDS/IPS can be hideously difficult to configure and typically requires someone with in-depth knowledge of the network traffic. Constant fine-tuning is needed especially when your users gets locked out of seemingly normal network access.

The configuration below provides a baseline for the more obvious malicious traffic and uses the emerging threats (ET) list as the primary signature database

Suricata — Global Settings Tab

Start off by going to the Global Settings tab and configuring Suricata to use ET and Snort GPLv2 rules. You may also fiddle with the Rules Update and General settings if you wish, but the defaults are generally good enough.

Suricata — Global Settings Tab

Suricata —WAN Tab

Next go to Interfaces and click on the pencil icon beside your WAN link.

There are 2 main areas of interest

1. Enable Suricata inspection on the WAN interface.

Suricata — WAN Settings Tab

Next you will want to turn on the blocking capabilities for Suricata. This can be done by checking both “Block Offenders” as well as “Block on DROP Only”

At this point nothing is being blocked yet as Suricata is not yet running on the interface

Suricata — WAN Settings Tab

Suricata — WAN Categories Tab

Next select “WAN Categories” and then click on the “Select All” button followed by the “Save” button.

This will select all rules to be loaded to Suricata on startup.

Suricata — WAN Flow/Stream

This next section is required for devices with 4 or more cores. Due to the increased core count, there is a need to increase the memory cap for Fragmentation, Flow and Stream beyond the default 32MB and 64MB. You will need to double it or more when you get an alloc error starting up Suricata later on.

Fragmentation Memory Cap

Flow Memory Cap

Stream Memory Cap

Suricata — SID Mgmt Tab

SID management is key for Suricata. If one were to go about manually enabling/disabling each SID, it can quickly grow to become a nightmare. To assist with this, Suricata has a SID management section where you can script the SIDs you want to enable, disable, modify or drop.

Suricata — SID Mgmt Tab

Primarily, i make use of dropsid to configure Suricata on which SIDs to drop (and hence block). The drop configuration which is used can be found at https://github.com/kwanann/Suricata/blob/master/dropsid-sample.conf

You may also refer to SID documentation found here on how to further customize SID configurations for your needs.

Sample of dropsid-sample.conf

Once you are done editing, you will need to use the Interface SID Management List Assignments found at the bottom of the page to build the SID list for the WAN interface.

Suricata — SID Mgmt — Rebuilding list

Suricata — Turning it on

Finally the last step is to turn on Suricata on the WAN interface and let it perform its job.

Suricata — Enabling on WAN

Suricata — Alerts and Blocks

After a while, you should see Suricata populating the Alerts and Blocks tab with attacks that match the signatures in its database.

Suricata — Alerts

Suricata — Blocks

Conclusion

Overall, pfSense is a very capable open source network appliance that offers significantly more value than similarly priced boxes.

Pros

1. More out of the box (OOTB) capabilities that most consumer routers e.g captive portal, support Class A DHCP, multiple OpenVPN servers, L3 port configuration.
2. Available of network security packages to enable capabilities like DNS filtering, IDS, IPS, HTTP/AV/malware scanning and HTTPS offloading.
3. Generally cheaper than hardware routers with similar specs both in upfront costs as well as running energy costs.
4. Ease of backup and restore.

Cons

1. Configuration know how, more technical skills required to manage certain components such as Suricata
2. Supports WIFI with add-on adapter card. Needs to integrate with existing WIFI mesh systems
3. Component failure and troubleshooting may get quite complex. That said these boxes are known to run for years without any unscheduled downtime.