Friday, April 22, 2016

pfSense 2.3 "Part 5.1: General Configuration and WebUI Tour"

Now that you've been through Part 4 of Mark Furneaux's excellent YouTube videos on the pfSense firewall to learn (or gain a refresher of) network terminology, here is "Part 5.1" of general configuration and exposure to the pfSense web interface. Although older releases of pfSense are similar, this video may be the first time you have seen the changes in the 2.3 version. I am going to re-address some security areas since that aspect comes up again.

First, abandon the notion of using HTTP access (TCP port 80) to a firewall (or really ANY network equipment able to use HTTPS instead) that you configure and view in a web browser. Sure, plain HTTP avoids certificate complaints (which I intend to cover later), but use the Firefox browser and create a security exception, or get used to clicking through the false warnings for now. For a secure network environment (especially with a device like a firewall) you want Secure HTTP (HTTPS, TCP port 443) so someone cannot sniff the network to gain your firewall log-in credentials.

Mark did refer to physical security for pfSense (requiring a password for serial/local console access), but using HTTP to access your firewall (even just on your local network) is a bigger security vulnerability. I don't currently require a password for local console access (but I have a locked equipment room at home), and HTTPS web access to my network equipment (including my pfSense firewall) is limited internally to an administrative network (not the main LAN) that has no Wireless Access Point. Design and use "Access Control Lists" (ACLs) of a limited set of internal addresses (or, especially when access is needed from outside your local network, a limited list of external locations) to add more security (it is a firewall, able to do all of these things easily, after all).

Many people don't understand that devices on the same network can be blocked with an ACL and some planning. Even devices like "IP cameras" can be limited to who is allowed to view them (ahead of prompting for an account and password); likewise, only the locations from which you will access your firewall outside of your network are left unrestricted. You don't need to move SSH to a non-standard port (not that the method makes your network any more secure anyway) to block attempts to hack into your pfSense (or really any) firewall.

Here's where it gets even more interesting: In the earlier topic of "Guest" Wireless Access Point Security, I explained I have an "open" (no password required) guest wireless network that would have the same external IP address on the Internet as my main networks. I have external equipment that I access from that connection. How do I prevent someone on my guest wireless network from attempting to log-in to the equipment when my IP address is on the Access Control List of that equipment?

pfSense makes it possible. One hint is that I use "aliases" and "reserved IP addresses" heavily with pfSense. Only my systems within an aliased range of IP addresses (limited to those that are on my administrative network, which has no wireless access) are allowed to access those locations, as well as ALL network equipment within the residence. In later topics, I will show how I use aliases in combination with firewall rules to control that access.

I also block entire sections of the Internet (mostly Chinese IP address ranges that repeatedly attempt to access my network) with pfSense, although I don't log those attempts. If that traffic is correctly blocked, why have it clog your logs and hide what you may need to be more concerned with? This material will be covered in due time, but I've made enough comments for now, and it's time for you to watch Part 5.1 for Mark's excellent description to get you further along.
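To make the alias/ACL design in this post concrete, here is an added illustration written in FreeBSD pf.conf style. It is not pfSense's own generated ruleset (pfSense builds its pf rules from what you enter in the WebGUI, and its aliases become pf tables underneath); the interface names, address ranges and table contents are assumed placeholders. It shows the three points above: management of the firewall only over HTTPS/SSH and only from the administrative network, the guest network kept away from every piece of equipment I manage (inside the house and out on the Internet, where guests share my public IP), and noisy source ranges dropped without logging so the log only shows what matters. The 1.5 Mbit/sec guest limit is applied separately through pfSense's Limiters and is not part of a pf.conf ruleset like this.

```pf
# Added illustration, not pfSense's generated rules. Hand-written pf.conf showing
# the alias + ACL design from the post. Interface names, address ranges and
# table contents are assumed placeholders.

wan_if   = "em0"
lan_if   = "em1"
admin_if = "em2"   # administrative network: no WAP, the only place management is allowed from
dmz_if   = "em3"   # the open "guest" WAP hangs off this interface

admin_net = "192.168.10.0/24"
lan_net   = "192.168.20.0/24"
guest_net = "192.168.30.0/24"

# pf tables play the role of pfSense aliases.
# Equipment out on the Internet that I manage. Guests share my public IP, so the
# remote device's own ACL would admit them unless the firewall stops them first.
table <remote_managed> { 203.0.113.10, 203.0.113.11 }        # constructed (TEST-NET-3)
# Every piece of network equipment in the residence (WAP, switches, IP cameras).
table <internal_equipment> { 192.168.10.2, 192.168.20.5, 192.168.30.1 }
# Source ranges that only ever probe: dropped without logging.
table <dropped_ranges> persist file "/etc/pf.dropped_ranges"   # assumed path

set block-policy drop
block log all                       # default deny; anything not matched below is logged

# WAN: silence the known-noisy ranges so the log shows what still matters.
# No "log" keyword on this rule, so these hits never reach the log.
block in quick on $wan_if from <dropped_ranges> to any

# Firewall management: HTTPS and SSH, only from the administrative network.
# Port 80 is not opened anywhere; the WebGUI stays HTTPS-only.
pass in quick on $admin_if proto tcp from $admin_net to ($admin_if) port { 443, 22 }
block in log quick on { $lan_if, $dmz_if } proto tcp from any to self port { 80, 443, 22 }

# Guest network: Internet only. Blocked from managed equipment inside and out,
# and from the other internal networks, before the catch-all pass.
block in log quick on $dmz_if from $guest_net to <remote_managed>
block in log quick on $dmz_if from $guest_net to <internal_equipment>
block in log quick on $dmz_if from $guest_net to { $admin_net, $lan_net }
pass in quick on $dmz_if from $guest_net to any

# Administrative network reaches everything, including the guest WAP's
# management side (listed in <internal_equipment>) and the Internet.
pass in quick on $admin_if from $admin_net to any
```

The order matters: every rule carries `quick`, so the first match wins, and the "block" rules for the guest network have to sit above its catch-all `pass`. In the pfSense WebGUI the same thing is done by putting the block rules above the allow rule on the DMZ interface tab, and the `<dropped_ranges>` table corresponds to an alias holding the address ranges with the "Log" checkbox left off on the block rule.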

Saturday, April 16, 2016

pfSense Part 4, "Network Crash Course"

So you're saying "I'm not quite following some of the concepts that Mark Furneaux is talking about; pfSense will be too hard for me to understand." Fear not, Part 4 is a "Network Crash Course", where Mark covers many of the basics of networking. In fact, I'm not going to comment (Mark does acknowledge there are some areas that could be improved, but he did it as one long session and didn't want to retake it); here's the video:

pfSense Firewall Part 3: "Installation"

Mark Furneaux continues his YouTube pfSense series; this is the Part 3 "Installation" portion. I note that Mark's video shows the interface of pfSense version 2.3, which is what you will be using if you install pfSense now anyway. Older versions resemble the appearance and features of the basic pfSense installation he shows closely enough that you wouldn't be lost there either.

I won't need to annotate Mark's excellent overview of the pfSense installation process much. As he reports, the "link auto-detect" function doesn't typically work well to determine which network interface is which network port on your host system. Just note or diagram which network interface has which MAC address (if you have adapters with dual or "quad" (4) NIC ports, the MAC addresses will be sequential). I use a label maker to physically mark the system for which port is what ('WAN', 'LAN', etc.) for troubleshooting or working with cabling later.

For where I work, we use the "PPPoE" method for the Internet uplink on the WAN interface (and my modem is in "bridged" mode purely to link the DSL connection to Ethernet for the firewall). There are fields for the username and password, just like I would have on my DSL modem if I were not using pfSense. If you are with a cable Internet provider, you may need to enter the MAC address of your cable modem (check with your ISP, and they may need to help you to bridge your modem). I "spoof" (change the MAC address that would be reported) my MAC address using that field, but only to what my modem would report if it were not bridged.

Another area I should address with a bridged modem (whether cable or DSL) is that ALL other features of the modem stop functioning in bridge mode. Wireless connection? That's no longer running, because you want all Internet access to go through your firewall (its raison d'être). You will probably need to provide wireless separately (if you are using it currently, especially for devices that do not have wired connections or that are easier to connect wirelessly), as Mark describes in the second part, preferably as separate Wireless Access Points (WAPs).

I also want to note that Mark changes from the default HTTPS web interface access to HTTP at the end of the video to avoid certificate warnings. This has the potential for someone to electronically siphon the username and password you are using for your pfSense firewall if you access the web interface from outside your network (remotely viewing the firewall configuration or the information it provides). Keep it set to HTTPS access (even when accessing it internally); later I can cover certificate installation and setting up the pfSense firewall for outside access by you.

pfSense: The Hardware

Mark Furneaux talks about CPUs, memory, NIC (Network Interface Controller) adapters, and wireless configurations for pfSense in the second part of his series. I agree with all of his recommendations, detailed below. He doesn't discuss how pfSense is stored on the system (except in later notes on the video), but I also follow his recommendation of a hard drive.

He recommends CPUs as old as ten years, I will lengthen that to 15 years if it is higher-performance for the age, and especially if it is a dual CPU configuration (two CPUs in the same system). That timespan includes the last of Intel's Pentium IIIs, and the start of AMD's 64-bit CPUs.

My current pfSense firewall has dual Pentium IIIs. Mark doesn't mention that pfSense comes in two different CPU builds: 'x86', which is 32-bit, and 'AMD64', which is 64-bit. It is recommended that you go with the 64-bit architecture if possible: that path is still open for FreeBSD (and by extension, pfSense), and you aren't limited to less than 4Gb of RAM.

I typically hear of pfSense installations of around 2 or 4Gb. Mine is currently 4Gb, Mark's is 6Gb. Usually, RAM is easy enough to procure to maximize it (at 4Gb) with 32-bit CPU(s).

Mark also mentions the native ability of pfSense to run "VLANs" (Virtual LANs). The easiest way to describe a VLAN is more than one network on a single physical Ethernet connection. I use VLANs on my network, but only on switch trunks for security; my pfSense firewall has separate "interfaces" for each network. My networks will be described later; at this point I will just say that I have four of them.

As Mark recommends, I use Intel NICs, in "dual" port Gigabit flavors that are widely available second-hand, like he says. Mark also addresses wireless networks, which I again agree with. I have separate WAPs (Wireless Access Points) on two of my networks.

Here is part 2 from Mark Furneaux, "The Hardware":

Friday, April 15, 2016

An Introduction to pfSense

Although I've already provided a couple of topics on my pfSense firewall, I want to backtrack into the basics to qualify what pfSense is able to do, what it is, and how it is put to work. What better way than to have someone else do it for me? Mark Furneaux has done a series of pfSense videos on YouTube which I will link here, but make sure you 'like' them on his channel if you find them informative.

The videos are titled as pfSense 2.3, which wasn't released when he started the series but is now. All of the concepts he discusses also apply to earlier versions of pfSense, but one correction he may not have known of when he made the video is the release of an updated FreeBSD, 10.3, the foundation that pfSense 2.3 runs on. Just as I did with that explanation, these blog entries will discuss relevant sections of Mark's videos that I have found helpful, or I may add other material to what he has.

Without further delay, here is the first part of his series, this episode titled "The What and Why of pfSense":

Monday, April 11, 2016

Grammarly Chrome Extension

Time to mention another Chrome extension I use - Grammarly - shown as the green dot with a white arrow. Whatever I type while using Chrome, including these blog entries, is automatically checked for spelling and grammar. Again, I use the free level of the extension, and haven't seen the need to go "Pro".

If it doesn't seem like there is much information here about configuring or using this Chrome extension, well, how much can you say about a spelling and grammar checker that runs in the background? Just click on whatever it flags for options to correct it. The biggest issue I see flagged is an "unnecessary comma" (I was always taught that you use a comma wherever you would pause if narrating aloud), but you can tell Grammarly to ignore each instance individually when it prompts.

"Guest" Wireless Access Point Security

More firewall information! As I wrote in my "Internet of Things" isolated networks entry several days ago, I have an open "guest" wireless connection at home. Many of the reasons are security-based: We don't need to give out wireless connection information to our guests, and anyone around looking for Internet access within range has an easy choice rather than trying to hack into our secure wireless connection.

But that wireless connection is limited to 1.5Mbits/sec (through my pfSense firewall) as well as blocked from many sites that could suck bandwidth from my Internet connection, or use it in ways that I do not want. It is also blocked from any internal or external equipment I manage over my connection, and devices connected to that "guest" wireless cannot change any of those settings. There is a reason it seems like it is a 1.5Mbit DSL connection, because in almost every way it is.

A VisionNet M505N DSL modem is repurposed as a Wireless Access Point ("WAP"). Rather than having a DSL connection, one port is configured as the WAN (Wide-Area Network) interface, and it authenticates to my pfSense firewall with a username and password. I then use features on the M505N modem to limit website access (yes, mostly pr0n sites, but also legitimate video streaming services like Netflix [this simplistic method doesn't work; I'll make a later blog entry on attempting this] that could take too much of that bandwidth; there are more entries than shown, the maximum of 100 sites is very sufficient).

First, I set up the open wireless connection (meaning that it doesn't require a passphrase to connect to it), and I enable "Client Isolation" (different devices connecting to the wireless are prevented from interacting with each other). In a separate configuration area (typically listed under "NAT", Network Address Translation, and "Port Forwarding") I turn off UPnP, the ability for a device to negotiate opening ports on the Wireless Access Point to the outside (although my pfSense firewall has all this covered, it's good practice to disable how UPnP could be used).

Next, I control which IP address range(s) can access the management interface of the modem through an "Access Control List" (ACL). On my networks, I use "reserved" IP addresses (the system is set to obtain an address automatically, but the DHCP function has been programmed to give a specific address only to the system). Note these entries on the table are for both the WAN and LAN sides.

Again note that all 'LAN' (Local-Area Network) configuration access is disabled in an additional table ("PING", or ICMP, can't be turned off for the LAN interface for this particular modem model). This even overrides any device on the Access Control List if it is originating from the LAN. Make sure you can access it through the WAN interface before you change this setting! A scan of the network would only show what wireless device you are using, and that the WAP responds to PINGs (but has interfaces that are inaccessible, with no LAN services running).

You should also change the default passwords to the management accounts, and can block specific MAC addresses from connecting as well if there is a need (from time to time you can look at the devices that have been assigned an IP address by the modem on the DHCP table). Just make sure you document your settings in a safe location, and be careful you don't adjust anything that prevents you from configuring the Wireless Access Point later with systems listed in the ACL (I save each configuration before making each critical change, and can reset and reload that configuration quickly). With all of these settings the Wireless Access Point is "locked-down" enough to prevent common security vulnerabilities.

I also want to discourage attempting to do this same functionality from the same Wireless Access Point that carries your main network. Many DSL modems (like this VisionNet model) and home wireless routers have a feature that allows up to three additional "guest" wireless networks (they will also run on the same wireless channel, increasing interference). DO NOT ENABLE THESE NETWORKS WITHOUT PASSWORDS. This would have the same effect as turning off the password on your main wireless connection, since everything else on the device is shared.

Physical security (the concept that someone may be able to handle the device directly, to remove security features) hasn't been addressed in this article, but if someone resets the unit they wipe out all settings (including the username and password that authenticate to my firewall to allow Internet access). They would disable themselves. Since the Wireless Access Point connects to the "DMZ" (DeMilitarized Zone, in this concept an isolated area of advanced networks) interface of my firewall, plugging another system into that connection still gets them nowhere.

Other portions of my home networks (hint: I have more than one) will be in later topics, please stay tuned!

Thursday, April 7, 2016

MightyText Chrome Extension

I've been heavily using a free Chrome extension called MightyText lately. Of course I have my Chromebox running during my workday, and it is easier responding to a notification that pops up on my screen rather than turning my phone's screen on, and selecting the notification there. It's also much easier to use a computer keyboard to type a lengthy message or send a link.

One nice feature is showing the battery charge level (and whether it is in the process of charging), and a notification when the charge is complete. Recently added is the feature to dial, as well as to ring your phone (in case you have misplaced it). For the more serious scenario of a lost phone that I need to lock, erase, or track, I use Google's own Android Device Manager.

Photos and videos are also automatically synchronized to the MightyText extension in your Chrome browser. So far, I've been satisfied with the free version, and haven't migrated to the more advanced features of the Pro upgrade (which is a reoccurring monthly cost of $3.33, or $39.99 annually).

The irony here is that MightyText is the latest Chrome extension I have. There is a handful of other Chrome extensions I find just as useful that I will list in more blog entries. Stay tuned!

Tuesday, April 5, 2016

"Internet of Things" Isolated Networks, aka "Three Dumb Routers"

Tonight I changed my "IoT" ("Internet of Things"; the term for the fact that many household devices are now Internet-enabled) Honeywell thermostat to my "guest" wireless network instead of my main wireless LAN (Local Area Network). This proactive measure comes from a concept of renowned security expert Steve Gibson called "Three Dumb Routers". In brief, potential security flaws in a small Internet-enabled device could allow a hacker to use it (once compromised) as a jumping-off point to attack the rest of your network.

Here is the original episode Steve Gibson did on his Security Now show with Leo Laporte of TWiT (This Week in Technology). Leo and Steve do discuss politics at first, but the relevant section comes up at the hour mark. Steve does initially say that firewalls like pfSense (which I run) have the ability to handle this problem more elegantly than having three small home routers daisy-chained together for his solution (Steve also elaborates on his "sleep formula" too):

In a set of later articles, I intend to expand on my pfSense configuration. For this discussion, I have an open wireless network for guests in my "DMZ" (DeMilitarized Zone), isolated from my main network. Beyond the separation from a protected network, there is also a secondary goal of providing a sacrificial connection to the Internet: If someone "war-driving" wants Internet access, they will be satisfied with an open network that is provided without effort, rather than hacking into my main wireless network.

The "guest" wireless is also restricted on bandwidth through my firewall (1.5Mbit/sec), as well as being locked down from accessing specific external equipment from my Internet connection. Of course, if my thermostat required a direct connection from my systems to read and program it this solution would not be viable. Instead it "phones home" periodically with the temperature and settings to a Honeywell server, and the Honeywell app on my smartphone retrieves the information from their systems.

In other words, it's an easy candidate for this treatment. I was helped immensely by Tom Hesley's pages, where he documents how to change the wireless settings for the exact model I have. No "IoT" attacks for me. The Honeywell service even notifies me if the thermostat has not checked in (meaning the Internet connection could be down; I have other monitoring on my main network anyway).

Using a pfSense firewall is a dream (the software itself is open-source and free, but there are complete units and support that are sold by the organization) to have as protection. In later articles I will show the hardest tasks of the initial rule-creation; the actual installation is easy (but I will cover that too). Please stay tuned!