Friday, April 22, 2016

pfSense 2.3 "Part 5.1: General Configuration and WebUI Tour"

Now that you've been through Part 4 of Mark Furneaux's excellent YouTube videos on the pfSense firewall to learn (or gain a refresher of) network terminology, here is "Part 5.1" of general configuration and exposure to the pfSense web interface. Although older releases of pfSense are similar, this video may be the first time you have seen the changes in the 2.3 version. I am going to re-address some security areas since that aspect comes up again.

First, abandon the notion of using HTTP access (TCP port 80) to a firewall (or really ANY network equipment that can use HTTPS instead) that you configure and view in a web browser. Sure, with HTTP you avoid certificate complaints (which I intend to cover later), but for now use the Firefox browser and create a security exception, or get used to navigating through the false warnings. For a secure network environment (especially with a device like a firewall) you want to use Secure HTTP (HTTPS, port 443) so that nobody can sniff the network to capture your firewall log-in credentials.

Mark did refer to physical security for pfSense (requiring a password for serial/local console access), but using HTTP to access your firewall (even just on your local network) is a bigger security vulnerability. I currently don't require a password for local console access (but I have a locked equipment room at home), and HTTPS web access to my network equipment (including my pfSense firewall) internally is limited to an administrative network (not the main LAN) that has no Wireless Access Point at all. Design and use "Access Control Lists" (ACLs) that permit only a limited set of internal addresses (or, especially, a limited list of external locations, when access is needed from outside your local network) to add more security; it is a firewall, after all, and it does all of this easily.

Many people don't understand that devices on the same network can be blocked with an ACL and some planning. Even devices like "IP cameras" can be limited to who is allowed to view them (ahead of prompting for an account and password); likewise, only the locations from which you will access your firewall outside of your network would be left unrestricted. You don't need to change SSH to a non-standard port (not that the method makes your network any more secure anyway) to block attempts to hack into your pfSense (or really any) firewall.

Here's where it gets even more interesting: In the earlier topic of "Guest" Wireless Access Point Security, I explained I have an "open" (no password required) guest wireless network that would have the same external IP address on the Internet as my main networks. I have external equipment that I access from that connection. How do I prevent someone on my guest wireless network from attempting to log-in to the equipment when my IP address is on the Access Control List of that equipment?

pfSense makes it possible. One hint is that I use "aliases" and "reserved IP addresses" heavily with pfSense. Only my systems within an aliased range of IP addresses (limited to those on my administrative network, which has no wireless access) are allowed to reach those external locations, and the same restriction applies to ALL network equipment within the residence. In later topics, I will show how I use aliases in combination with firewall rules to control that access.

I also block entire sections of the Internet (mostly Chinese IP address ranges that repeatedly attempt to access my network) that pfSense protects me from, although I don't log those attempts. If that traffic is correctly blocked, why have it clog your logs to hide what you may need to be more concerned with? This material will be covered in due time, but I've made enough comments for now, and it's time for you to watch Part 5.1 for Mark's excellent description to get you further along.
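To make the alias and rule ideas above concrete, here is an added illustrative ruleset in pf syntax (pfSense builds its rules from the WebUI and its aliases become pf tables; this is not the author's configuration, and every interface name and address range below is an assumption). It shows management access limited to an admin alias, the guest wireless kept away from home equipment and from external equipment whose ACLs trust the shared public IP, and bulk-blocked ranges dropped without logging:

```pf
# Added example, not the page's own config. Interface names and all
# addresses are constructed placeholders (RFC 1918 / documentation ranges).
wan_if   = "igb0"
admin_if = "igb1"      # administrative network, wired only
guest_if = "igb2"      # open guest wireless, same public IP as everything else
lan_if   = "igb3"      # main LAN

# pf tables play the role of pfSense aliases.
table <admin_hosts>    { 10.0.99.0/28 }                 # reserved admin addresses
table <home_equipment> { 10.0.99.0/24, 10.0.10.1, 10.0.10.2 }  # anything with a management UI
table <remote_sites>   { 203.0.113.10, 198.51.100.0/29 }       # external gear that ACLs my public IP
table <blocked_ranges> persist file "/etc/pf.blocked_ranges"   # bulk ranges that keep probing

set skip on lo0

# Drop the noisy ranges first, and do not log them, so the log shows only
# what still deserves attention.
block in quick on $wan_if from <blocked_ranges> to any

# Firewall management (HTTPS and SSH) only from the admin alias; every other
# attempt to reach those ports on the firewall itself is blocked and logged.
pass in quick on $admin_if proto tcp from <admin_hosts> to (self) port { 443, 22 }
block in log quick proto tcp from any to (self) port { 80, 443, 22 }

# Guest wireless: no path to internal equipment, and no path to the remote
# equipment whose ACL would otherwise let a guest log in from our public IP.
block in log quick on $guest_if from any to <home_equipment>
block in log quick on $guest_if from any to <remote_sites>
pass in quick on $guest_if from any to any

# Main LAN: Internet only; reaching the admin network is logged and blocked.
block in log quick on $lan_if from any to <home_equipment>
pass in quick on $lan_if from any to any
```

On pfSense the equivalent is created in the WebUI as aliases plus per-interface rules with the "Log" checkbox cleared for the bulk-block rule.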
