ictf15 pfsense ips firewall
TRANSCRIPT
-
7/24/2019 ICTF15 PfSense IPS Firewall
Low cost firewall. Using pfSense with SNORT for a firewall with intrusion prevention.
-
What we're going to cover
Why we chose pfSense over other options.
Other features offered and limitations.
What are pfSense & SNORT?
pfSense requirements.
Installation overview.
Using the GUI and console menu.
Important tweaks and gotchas.
Packet shaping.
Installing and using SNORT as an IDS or IPS.
False positives, backups and packet drops.
Questions?
-
More detail
This workshop is a quick overview of pfSense & SNORT. A more in depth set of instructions is available on the Oxford ITSS wiki and I'll upload them to a public web site too.
Oxford ITSS wiki link: https://wiki.it.ox.ac.uk/itss/pfSense
Web site: http://users.ox.ac.uk/~clas0415/
-
Why we chose pfSense over other options.
What we wanted for a new firewall: Ability to scale above 100Mb/s up to
-
Commercial options.
We found several commercial brands of firewall in use within the university.
Recommended makes were:
Palo Alto
Fortinet's Fortigate (with special pricing negotiated via NSMS)
Dell's Sonicwall series
Watchguard's XTM series
-
Commercial firewalls
The good:
Ease of use (used Watchguard, saw Sonicwall & tried Fortinet). Low maintenance. Cost for 100Mb/s bandwidth capacity is affordable. Works with little configuration, out of the box.
The downside:
Cost for 1Gb/s is much higher (around £10,000 over 5 years). There can be vendor lock-in for 3-5 years on some contracts. We found the two units from one manufacturer to be unreliable under long term use.
-
Open source pfSense firewall with SNORT
The good
Low cost (Use existing server hardware or approx. £1700 for a unit built for pfSense). Subscription cost for SNORT (£0 for community rulesets or £
-
Other features with pfSense
High availability/load balancing. Packages to extend the system (SNORT, Zabbix client, etc). AD authentication, Captive portal, RADIUS auth support. DNS service, DHCP service/relay, NTP service, SNMP, PPPoE, WoL.
Diagnostics: ARP tables, pretty graphs, logs with remote logging, packet capture, firewall states, SMART status, sockets and packet limiter info, RRD graphs.
IPv6 support
-
Hang on, what are SNORT and pfSense?
pfSense is an extendable open source stateful firewall with a web GUI and application package system. SNORT is an open source intrusion prevention/detection system (which happens to be available as a package for pfSense).
SNORT analyses network traffic in various ways to detect 'bad' traffic. SNORT rules define exactly what is 'bad' traffic (eg: SQL injection attempts). Subscriptions to SNORT rules are offered by the SNORT community and commercially by SNORT/Talos and
-
pfSense requirements.
Running as a stateful firewall, pfSense alone requires only a modest system: PCIe bus, to ensure enough bandwidth for the NICs. Enough NICs, preferably well supported NICs such as Intel Pro. Preferably a 64-bit processor.
With the SNORT IDS/IPS package, 4GB of RAM is recommended as well as a good multicore processor.
-
Firewall networking view
(Diagram; only its labels survive in the transcript: em0, em1, emc, LAN traffic, Admin.)
Diggory Gray (ITSS), Faculty of Classics, Oxford University.
-
Firewall installation steps
Console install & setup:
Install from CD. Assign LAN IP. Turn off DHCP.
Web GUI configuration:
Change your password and setup HTTPS. Assign NICs for LACP groups. Setup DNS, NTP & turn off NAT. Assign WAN and OPT interfaces. Setup firewall rules. Tune your system for network cards. Add niceties such as remote syslogging and traffic shaper.
SNORT configuration (this column is cut off in the transcript):
Install S / Setup an / use with / Subscribe / rules sou / Setup SN / categorie / Check SN / each cate / monitor alerts. / Create w / suppressi / When SN / test in no
-
Using the GUI and console menu.
-
Setting up aliases.
(Screenshot callouts: Edit alias, Delete alias.)
-
Firewall rules
(Screenshot callout: Move selected rules before rule.)
-
Important tweaks and gotchas.
Remember to tweak your network cards and check it worked (eg reported mbufs size on dashboard). Don't be too quick to turn on SNORT & with multiple rulesets: try the non-blocking mode first.
When applying a large change to the firewall (eg. packet shaper configuration) you may need to reset the firewall state table (this will briefly disrupt traffic). Remove any IP addresses assigned on the bridged WAN and OPT interfaces. You may need to turn off 'packet scrubbing' and dropping of 'do not fragment' packets if you want to let through NFS traffic.
-
Using the packet shaper.
It's important to note that the traffic shaper has a bandwidth overhead on your main connection of around 10% - 18%.
The traffic shaper links in with firewall 'PASS' rules to identify packet priority. Several types of packet shaper algorithms are available:
HFSC: Most complex & may be discontinued.
CBQ: Like PRIQ but with a hierarchal structure and bandwidth limits for queues.
FAIRQ: Based on CODEL, but attempts fair allocation for each queue.
CODELQ: Used to avoid TCP buffer bloat problems through controlled delay.
PRIQ: Different queues, each with a different priority & bandwidth.
-
Choosing your algorithm.
If you want to prioritise some traffic at the expense of other types (such as VoIP), then you will want HFSC, CBQ or PRIQ.
PRIQ is the easiest to setup, but can allow lower priority traffic to be starved of bandwidth completely.
CBQ allows a hierarchal set of traffic queues to be created.
-
firewall
-
Firewall rules and traffic limiters
-
Installing and using SNORT as an IDS or IPS.
Installing SNORT is easy. pfSense will download and install the package automatically for you.
pfSense won't start the SNORT service or configure SNORT to inspect any of your interfaces.
The tricky bit is configuring the rules SNORT will use to monitor your traffic and tuning SNORT parameters.
-
configuration
-
Signing up to ruleset subscriptions
There are several sources of SNORT rules:
Snort VRT rules (paid (~
-
Selecting the rulesets you need
Preprocessor configuration
-
Preprocessor configuration
Logging and whitelisting
-
Logging and whitelisting.
-
Alerts & false positives
-
Positive?
The resolving of host names can help determine hostnames. The rule descriptions will give you the rule which triggered the attack, as well as the 'SID' number. Look out for rules which say 'possible' in the wording. If you think the host may be genuine and the rule suspect, check the source IP and destination port and IP carefully. Use online IP reputation websites to look up known bad IPs as a second source of reference (such as IP C
IP Void or others).
http://ipinfo.info/html/ip_checker.php
http://www.ipvoid.com/
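The triage checks on this slide (look for 'possible' in the rule wording, look at how many sources and destinations a SID involves before trusting a block) as an added Python example that is not part of the slides or the pfSense package. It assumes Snort's standard alert_fast line layout as input and IPv4 endpoints; the SIDs, rule names and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Assumed input layout: Snort "alert_fast" lines (pfSense's alerts tab shows the same fields):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# IPv4 endpoints only; ports are optional because ICMP alerts carry none.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    # Return the alert fields as a dict, or None for a line that is not an alert.
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    return d

def triage(lines):
    # Group alerts by SID and keep the signals the slide says to check before trusting a block.
    by_sid = defaultdict(lambda: {"msg": "", "count": 0, "sources": set(), "dests": set()})
    for a in filter(None, map(parse_alert, lines)):   # non-alert lines are skipped, not fatal
        s = by_sid[a["sid"]]
        s["msg"], s["count"] = a["msg"], s["count"] + 1
        s["sources"].add(a["src"])
        s["dests"].add(a["dst"])
    return {sid: {"msg": s["msg"], "count": s["count"],
                  "tentative": "possible" in s["msg"].lower(),   # rule author was unsure too
                  "single_source": len(s["sources"]) == 1,       # one host: check its reputation first
                  "single_dest": len(s["dests"]) == 1}
            for sid, s in by_sid.items()}

# Constructed sample alerts (local-rule SIDs, documentation address ranges), not real log data.
SAMPLE_ALERTS = """\
07/24-09:12:01.000001  [**] [1:1000001:2] TEST-WEB possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51000 -> 203.0.113.7:80
07/24-09:12:05.000002  [**] [1:1000001:2] TEST-WEB possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51001 -> 203.0.113.7:80
07/24-09:13:10.000003  [**] [1:1000002:1] TEST-POLICY NFS mount request between internal hosts [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.20.0.4:870 -> 10.20.0.9:2049
07/24-09:14:22.000004  [**] [1:1000001:2] TEST-WEB possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:40200 -> 203.0.113.7:80
07/24-09:15:00.000005  [**] [1:1000003:1] TEST-ICMP echo request to firewall [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.20.0.4 -> 10.20.0.1
not an alert line
"""
```

Run `triage(SAMPLE_ALERTS.splitlines())` to get one summary per SID; a 'tentative' rule seen from several sources is the case the slide says to check by hand before leaving blocking on.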
-
IP blocklisting, rule suppression and disabling
(Screenshot callouts:)
Suppress alerts for this rule from this IP
Remove this IP from the blocklist.
Suppress alerts for this rule to this IP
Suppress all alerts for this rule
-
Suppression vs disabling
If you have the option, suppressing an IP will give you more flexibility, allowing you to add an exception to a rule for a destination or source IP. You can modify any exceptions you make in the suppression list (which is a list of SNORT suppression rules). Disabling a rule will reduce the load on SNORT slightly, but is a last resort and will mean SNORT will not monitor future occurrences.
It is better to disable rules in the interface 'rules' tab, rather than delete them in the alerts tab (just in case you change your mind).
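The suppression list described above, as an added Python example that is not from the slides or the pfSense package: a parser for Snort's own suppress syntax that decides whether a given alert would be silenced, covering the three forms the GUI offers (all alerts for a rule, only from a source IP, only to a destination IP or range). The SIDs and addresses in the sample list are constructed.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Snort's suppress syntax (threshold.conf), which is what the pfSense suppression list holds:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <host-or-cidr>]
# without track: silence the rule everywhere; by_src/by_dst: only from/to that address range
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

class Suppress(NamedTuple):
    gid: int
    sid: int
    track: Optional[str]        # None means the rule is suppressed for every host
    net: Optional[object]       # ipaddress network (single host or CIDR) when track is set

def parse_suppress_list(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress line: {raw!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append(Suppress(int(gid), int(sid), track, net))
    return entries

def is_suppressed(entries, gid, sid, src, dst):
    # True if an alert for (gid, sid) from src to dst would be silenced by the list.
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.track is None:
            return True
        addr = ipaddress.ip_address(src if e.track == "by_src" else dst)
        if addr in e.net:
            return True
    return False

# Constructed list (local-rule SIDs, documentation addresses) mirroring the three GUI options.
SAMPLE_LIST = """
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10     # noisy scanner box only
suppress gen_id 1, sig_id 1000002, track by_dst, ip 203.0.113.0/24 # only towards our web servers
suppress gen_id 1, sig_id 1000003                                  # silenced everywhere
"""
```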
-
Trying to avoid the impact of false positives.
Setup another SNORT instance without blocking to test new rulesets (or use another server purely for SNORT ruleset testing).
Make sure you have a good 'pass list' and 'home net' lists setup.
Check the rules and documentation (if any) in rulesets before activation. Review your logs for SNORT alerts in the few weeks after installation of SNORT or ruleset changes. Don't use rules which use the 'portscan' pre-processor: it's too touchy (even on 'low').
-
Backups and packet drops.
pfSense backups are quite good and you can backup all pfSense settings in a small file.
Note: if you select individual areas for your backup, the package specific settings (such as those for SNORT) are ignored.
If you restore an entire backup to different hardware, you may need console access to fix any problems with interface mixups.
Packet sniffing may help identify problems with packet drops. pfSense can sniff packets and save these in a file readable by Wireshark.
-
Questions?
-
Reference
pfSense main documentation wiki.
Smallnet builder: building your own IDS firewall with pfSense.
(book) pfSense 2 Cookbook (ISBN: 978-1-849514-86-6): bit thin in places (eg tr
(book) pfSense: The Definitive Guide (ISBN: 978-0979034