Adventures with pfSense: Act 2— Improving your network security
pfSense comes with several packages which enables you to further secure your network beyond the built-in firewall and captive portal. Popular tools such as pfBlocker, Snort, Suricata, SquidGuard, ArpWatch can be utilized and configured in order to strengthen your home, office or data center network security posture.
I’ve experimented with several of them and eventually settled down on 3 packages that serve most of my needs. The 3 packages are
- ArpWatch — Notifies me when new devices are connected to network
- pfBlocker — DNS filter to prevent access to unsavory sites
- Suricata — Intrusion detection and prevention system
Enabling all of these features require a minimum hardware configuration comprising a dual core Intel processor with at least 8GB of ram.
This tool builds up a database of what devices are connected to your network and can automatically notify you when there is a new device connected.
Within a controlled environment such as your home, this is extremely useful as you will be know when unknown devices are connected to your network and you can then investigate or take actions such as banning them from accessing anything on the network
Configuration of ArpWatch is super simple, requiring not more than 3 simple steps.
Now just sit back and wait for the database to be populated with devices connected to your network for you to verify.
Personally i prefer email notifications. They are sent when a new connection is made and super helpful to track new devices connected to my home network.
This tool main maintains a list of DNS entries that you may not want users in your network to access. This is similar to DNS security products offered by the likes of Palo Alto, Checkpoint, CloudFlare and Cisco.
Note: pfBlockerNG-devel is the latest version, please install that instead of pfBlockerNG
Setting up pfBlocker is slightly more complex and requires more steps. This is expected since pfBlocker provides a more flexibility and options on how and what to block.
pfBlocker — IP Tab
Most of the settings should already be configured, you will want to consider turning on CIDR Aggregation to optimize pfBlocker’s performance.
pfBlocker — DNSBL Tab
Main thing here is to ensure DNSBL is enabled and to whitelist/blacklist any domains that you want to explicitly allow/block.
In the screenshot above, any domain ending with .edu.sg will be expressly allowed thru pfBlocker.
Within the DNSBL Groups Tab, you will get EasyList, ADs and Malicious groups configured with block by default. Should you need to add your own list, click on the “Add” button.
Within the DNSBL Category Tab, you have the option to configure additional blacklist and their associated categories.
Note: You will get a warning if you selected large categories (i.e with many domains), this should be sufficient as long as you meet the minimum memory requirements listed at the beginning of the page.
pfBlocker — General Tab
Once you are done with all the settings, go back to the general tab and enable pfBlockerNG.
Remember to click Save!
pfBlocker — Dashboard widget
Lastly pfBlocker comes with a dashboard widget that allows you to view blocked domain statistics and quickly whitelist domains when required.
Suricata is a popular tool that performs real time intrusion detection (IDS), inline intrusion prevention (IPS) and network security monitoring (NSM).
As with all such products, IDS/IPS can be hideously difficult to configure and typically requires someone with in-depth knowledge of the network traffic. Constant fine-tuning is needed especially when your users gets locked out of seemingly normal network access.
The configuration below provides a baseline for the more obvious malicious traffic and uses the emerging threats (ET) list as the primary signature database
Suricata — Global Settings Tab
Start off by going to the Global Settings tab and configuring Suricata to use ET and Snort GPLv2 rules. You may also fiddle with the Rules Update and General settings if you wish, but the defaults are generally good enough.
Suricata —WAN Tab
Next go to Interfaces and click on the pencil icon beside your WAN link.
There are 2 main areas of interest
- Enable Suricata inspection on the WAN interface.
Next you will want to turn on the blocking capabilities for Suricata. This can be done by checking both “Block Offenders” as well as “Block on DROP Only”
At this point nothing is being blocked yet as Suricata is not yet running on the interface
Suricata — WAN Categories Tab
Next select “WAN Categories” and then click on the “Select All” button followed by the “Save” button.
This will select all rules to be loaded to Suricata on startup.
Suricata — WAN Flow/Stream
This next section is required for devices with 4 or more cores. Due to the increased core count, there is a need to increase the memory cap for Fragmentation, Flow and Stream beyond the default 32MB and 64MB. You will need to double it or more when you get an alloc error starting up Suricata later on.
Suricata — SID Mgmt Tab
SID management is key for Suricata. If one were to go about manually enabling/disabling each SID, it can quickly grow to become a nightmare. To assist with this, Suricata has a SID management section where you can script the SIDs you want to enable, disable, modify or drop.
Primarily, i make use of dropsid to configure Suricata on which SIDs to drop (and hence block). The drop configuration which is used can be found at https://github.com/kwanann/Suricata/blob/master/dropsid-sample.conf
You may also refer to SID documentation found here on how to further customize SID configurations for your needs.
Once you are done editing, you will need to use the Interface SID Management List Assignments found at the bottom of the page to build the SID list for the WAN interface.
Suricata — Turning it on
Finally the last step is to turn on Suricata on the WAN interface and let it perform its job.
Suricata — Alerts and Blocks
After a while, you should see Suricata populating the Alerts and Blocks tab with attacks that match the signatures in its database.
Overall, pfSense is a very capable open source network appliance that offers significantly more value than similarly priced boxes.
- More out of the box (OOTB) capabilities that most consumer routers e.g captive portal, support Class A DHCP, multiple OpenVPN servers, L3 port configuration.
- Available of network security packages to enable capabilities like DNS filtering, IDS, IPS, HTTP/AV/malware scanning and HTTPS offloading.
- Generally cheaper than hardware routers with similar specs both in upfront costs as well as running energy costs.
- Ease of backup and restore.
- Configuration know how, more technical skills required to manage certain components such as Suricata
- Supports WIFI with add-on adapter card. Needs to integrate with existing WIFI mesh systems
- Component failure and troubleshooting may get quite complex. That said these boxes are known to run for years without any unscheduled downtime.