pfSense is an open source firewall and router distribution based on FreeBSD. It is a valid solution for many perimeter protection configurations.

The latest stable release is v1.2.3, and pfSense 2 is nearing completion.

I’ve spent some time with pfSense in the past, and was excited when I received a promotional copy of a new book on pfSense 2. The publisher contacted me asking if I would be interested in providing a review of this book.

Just released in March from Packt Publishing is the pfSense 2 Cookbook by Matt Williamson. The cover describes it as “A practical, example-driven guide to configure even the most advanced features of pfSense 2″. It is available as a traditional book, or in the ePub format. My preference is ePub…

My initial impression of this book is positive. The layout is clean and it is very readable. Many screen shots are included. A quick glance through the table of contents shows that everything from basic configuration to load balancing are addressed.

I’m excited to read this book carefully and work through many of the recipes that are included. At that time, I will be doing a more in-depth review of this book.

If you just cannot wait for a detailed book review, head on over to Packt Publishing and get your own copy of pfSense 2 Cookbook. I am interested in your thoughts…

- Dan

That was the statement that a friend said to me this past week. Of course a statement like that implied that he had a completely open wireless network at his place of business.

Open wireless is not all that uncommon. I’m using one right now as I’m writing this.

There are many businesses that may have a legitimate reason to have open wireless…

• coffee shops
• libraries
• hotels
• schools (maybe)

But most have no business need for open wireless. If there is not a need, then it should be encrypted.

So, what are some good reasons for encrypting the wireless network?

1. It helps to keep unauthorized users off your business network. You really don’t want to make it easy for someone to “accidentally” have access to your business information.
2. If credit card information traverses your network, then PCI-DSS may require it.
3. There are always people with less than honorable intentions looking for open networks. They may want access to your business information, or they may simply want to use your network to mount an attack on someone else.

Encrypting your wireless is very easy and is done from the administrative interface on your access point. Be sure to choose WPA2 if that is an option. Give it a complex password. Don’t share the password with people not needing it.

These suggestions also are relevant to your home network.

Finally, many of the more publicized breaches have been launched because the victim company has used weak or no encryption.

- Dan

I had a need to install a FOSS Internet gateway this past week. There were some very good reasons to use pfSense. I wanted to use pfSense. But, at the end of the day, I used Untangle.

The business requirements were pretty simple. The primary Internet connection was heavily utilized by both Internet-facing servers, and users. The objective was to off-load the users from the primary connection. Studies showed that this would also improve response times for connections to the servers.

Additionally, it was out of the question to purchases a new Juniper or Cisco firewall appliance. Appliances from non-household name companies were also looked at. In the end, it was decided that a custom-build gateway could be created at low-cost.

Parts were purchased, and the gateway box was built.

Now, here’s where things got interesting.

The live CD of pfSense would not even boot on this box.

This meant that I would have to do some thinking. I knew that pfSense is based on FreeBSD. There is a hardware compatibility list for FreeBSD, and it turns out that the particular AMD processor used in the new gateway box is not supported in the version of FreeBSD that is the basis for pfSense.

That left us with two options… Get a different computer with a compatible processor, or use Untangle.

We went with Untangle.

The install went smoothly, and the system was configured appropriately. Untangle features meet the planned requirements.

So, another win for Untangle.

- Dan

You can read the first part of my experiences with pfSense here.

So, as you recall. I had kicked the power switch on the pfSense box causing a dramatic crash. When I powered it back on, I discovered that the pfSense box was not giving up DHCP information to request.

Being pragmatic, it seemed that the quickest solution was to reinstall, reconfigure and then see if the problem still exists.

Wow! This fixed that particular problem. I’m guessing that some conf file was corrupted during the hard power-down.

I installed pfSense in the non-profit as described in the post.

Everything was working very well, until I decided to try content filtering of web access.

Now here’s what the plan was… Because pfSense does not have a built-in content filtering system, I had planned to use the OpenDNS FamilyShield as the resolver for DNS requests. The only problem with that is that if the user has administrative rights on their computer, they can change DNS settings to point to some generic resolver (like Google), thus bypassing content filtering.

So, I worked and worked on configuring the pfSense firewall to only allow DNS requests heading toward FamilyShield. However, the firewall was not stopping these requests. Hmmmmm…….

Now, before you start thinking that I just didn’t know what I was doing, you should know that I have many years of firewall configuration/management and packet analysis experience under my belt.

So I did what any self-respecting, over-confident geek does. I kept right on working, thinking that I would finally make pfSense submit to my will. Didn’t work, though.

Never did get it to work. I even went to the pfSense forums to see if anyone else was having a similar problem. Other folks did, but the solutions provided were nearly identical to what I had configured.

Realizing that I had already spent much more time that I had planned on this little project, I decided to punt the pfSense implementation.

Enter unTangle

I had used unTangle on another job and knew many of it’s capabilities. The only problem is that it does not handle multiple internal subnets and routing well. One of the benefits, though, is that it has built-in web content filtering. The only problem is that I would have to change the network design.

Here is what I finally landed on…

I installed a different hard drive in the computer that acts as the gateway and then installed the unTangle software. Smooth…

The initial configuration requires that you define the network interfaces. Piece of cake…

Installation of the Web Filtering and the Firewall applications was a simple as Point And Click. Configuration was almost as simple. The big test was trying to hit playboy.com from the internal network. It was blocked and the attempted access was logged. Nice…

You may be wondering about the NetGear Router w/NAT. I put that in so that users on the Public Network could not access resources on the Private Network.

Let’s go back to pfSense for just a minute. I’m not entirely convinced that I didn’t have some hardware issue that was causing problems. So don’t discount pfSense just based on my experience for this installation. If it is the right solution for you, then use it.

However, as it turns out, unTangle (at www.untangle.com) was the right solution for this location.

- Dan

I finally had some “heads down” time with pfSense this past weekend. Normally I would be outside working like a dog on a Saturday, but with the temperature closing in on 100F, I chose to stay inside and take advantage of the A/C.

If you don’t know what pfSense is, I would suggest that you take some time at their website – http://www.pfsense.org

Here’s a brief description of how I intended to use pfSense in a non-profit environment.

Notice that there are three network segments coming off the pfSense box. The Internet is connected via the WAN interface. The private network is connected on the LAN interface. The OPT1 interface is used to allow pseudo-public access to the Internet. The wireless access point on the public network is protected by WPA2-PSK, and anyone attaching to that subnet must be granted access through a captive portal.

pfSense Install

The first step was to install pfSense using the LiveCD that can be downloaded from the pfSense website. The current version is v1.2.3, but they are working on v2.0. I chose to stay with v1.2.3. When booting, there is an option for a customized installation. I wanted to know what the default installation was, so I chose the Easy option.

I have 4 ethernet interfaces in the host computer. A habit I got into a long time ago is to identify the MAC address of each interface prior to installing any software that needs to differentiate. A part of the install is to identify which interface is WAN and which one is LAN. Knowing the MAC address makes this simple.

The install also expects an IP address to be assigned to the LAN interface. I chose 192.168.200.1.

The WAN interface was set to get information via DHCP.

pfSense Configuration

Configuration is performed via a web interface. I just connected my MacBook to a hub on the LAN interface. The MacBook got configuration via DHCP just fine. The web console is accessed by pointing your browser to 192.168.200.1. Most configuration you need to do can be done with the web interface.

When I logged in using the default credentials, I immediately changed the password. I also changed it so that https was used rather than clear-text https.

The firewall is configured by default to allow full access from LAN to WAN. It also is configured to do ingress filtering from the WAN side.

I enabled the OPT1 interface and assigned an IP address of 192.168.210.1. Now, here’s where things got just a bit sticky…

Normally I don’t read documentation too carefully. In fact, I didn’t read any of the documentation online, nor did I poke around the pfSense forums. I then took my MacBook off the LAN segment and put it on the OPT1 segment. Could not do anything, and didn’t get DHCP. Hmmmmm……

Back to the LAN segment. You must enable DHCP to be served on the OPT1 interface. Also, there must be a rule in the firewall section to allow access from OPT1 to WAN. I put those in and put another computer on the OPT1 segment. Then it happened…

I kicked the power strip the pfSense computer was plugged into and performed a hard crash.

No problem. Just power it back on and wait for the boot process to complete. Did that. Tried to get the computer on the OPT1 segment to access the Internet. It did not work.

So there I sat, reviewing configurations on pfSense for correctness. It was correct and should have served DHCP. I even put another computer with Wireshark on OPT1 segment so that I could see if DHCP requests were being answered. I saw DHCP requests coming from the computer, but no answers were being provided by pfSense.

—- end part 1 —

I’ll finish this story in the next post.

It’s been over two weeks now since I installed a Verizon Wireless Network Extender at home. We can get a weak Verizon signal at our house, but it varies based upon where in the house the phone is. I wanted to have a way to reliably use my Verizon Wireless cell phones at home. That is why I got the Network Extender.

As you can imagine, results have been mixed…

What is the Network Extender?

It is a small box that attaches to your broadband Internet connection and creates a small cell for your cell phone to connect to. When inside that cell, or “bubble” as I have seen it referred, your cell phone talks to this little box rather than trying to find a signal from a far-away tower. Your conversation is routed across your Internet connection to Verizon’s servers and then to to other party.

What do I like about the Network Extender?

1. I like the idea of using broadband internet to allow cellular access in an area of weak cell phone signal.
2. Access to the Network Extender can be limited to only specified cell phone numbers.
3. A certain amount of management can be done on-line via the Verizon Wireless web site.
4. Our landline was out the past couple of days. With the Network Extender, we were still able to communicate with the outside world!

What do I not like about the Network Extender?

1. Following the published setup instructions did not work on my home network. I had to call tech support for more information. My connection t the Internet is very generic. They should include more information in the setup instructions.
2. I live in an area that was AllTel until last October. I couldn’t connect to the Network Extender with my cell phones, and so called Tech Support. Because of the migration from AllTel to Verizon, we have a hybrid PRL pushed out to our phones. The Tech Dude had to turn off the hybrid PRL, and then we had to do the *228, option 2 to get a Verizon-only PRL. (Of course, I had to take each phone to the one location in the house that get sufficient signal off of a Verizon tower in order to get the PRL update.) I’m still experimenting with my Moto Android to see if there is any impact on my reception and signal strength while out-and-about.
3. The cell phone needs to be within 15′ of the Network Extender to latch onto the femtocell for incoming or outgoing calls. Then the phone can go further away. I haven’t quite figured out the patterns of when the femtocell is used, and when it is not.
4. I had to configure my home router (linksys wrt610n) so that the Network Extender is the DMZ machine. This was one of the things that I needed to call tech support for. What if I had another machine using the DMZ configuration? How could I use both? The tech dude didn’t know what ports I needed to allow. I configured the wrt610n so that the Network Extender is the DMZ host.

Being the inquisitive sort, I decided to put a hub on the network drop going to the Network Extender and fired up Wireshark. It appears that the Network Extender is using IPSec to connect to the Verizon servers. I wonder if they are using VoIP protocols encapsulated in IPSec, or not…

I am thinking about sniffing the traffic for a bit longer and then removing the Network Extender from the DMZ and putting it back on the internal network. I will update this post if I try this.

- Dan

The final commonly held element of good Defense in Depth is Operations. I say “commonly held” because various authors make additions to the list of People, Technology and Operations.

For a functioning description, consider Operations to be the tasks required to maintain a desired level of security. It is easy to get bogged down thinking about the security posture and auditing to make sure that we are maintaining that posture.

Regardless of what level of security you want, the following are some ideas to get you started thinking about InfoSec Operations…

Good InfoSec operations will be driven by policy.

• Acceptable Use Policy – The AUP clearly lays out what the organizations resources can or can not be used for. Check out some reasons you need an Acceptable Use Policy.
• Configuration Change Policy – Even the smallest of businesses needs to have guidelines and policies of who can make and when changes can be made to computer, software and infrastructure. Chaos ensues without this.

Good InfoSec operations will work to minimize the risk from malware.

• Operation system patches – Whether you are running Unix, Linux, Windows or OS X as you operating system, there are frequent patches that should be applied. Depending upon your business, you may even need to test patches on test servers and workstations prior to general deployment.
• Anti-virus updated and scanning – Malware is a significant attack vector. Viruses, worms or spyware are often used to gather personal information from the infected host. A major step in minimizing the risk if to keep the anti-virus software updated and scanning.

Good InfoSec operations will be aware of threats.

• Know what the risks are to your organization – The risks to a small bank are different than the risks for the fitness club. Awareness of the risks to your specific industry will enable you to establish sound defenses.
• Know what has been done to remediate specific threats – I keep a “risk register” of the various risks, threats, problems that I encounter. It includes the date found, a brief description of the risk, what I have done to address the risk, and the date that was done. Not only does it help me remember, but it is good to periodically review it to make sure the remediation is still valid.

Good InfoSec operations will be ready to recover from an incident.

• Backups – Having good backups can make you look like a genius! (and they can be the difference between an inconvenience and the organization shutting the doors…)
• Disaster Recover Planning – Even the smallest of businesses needs a DRP. Ready.gov can be a good starting place.

- Dan

Any Defense In Depth strategy requires a technology component. Yes, we’ve already seen that people play an important role, but technology is used where consistency and repeatability are needed.

You could have someone assigned to capture and analyze every packet that is aimed toward your your network, but they wouldn’t be able to do this with the speed and consistency required to effectively protect your information assets. That is where technology comes in.

Your small or medium business, or even your home, network needs to have some technology used to help defend and protect.

Consider the use of these basic technologies in your defense in depth strategy…

• Anti-virus and anti-spyware – Defends against malware and helps to ensure availability and confidentiality. Your computers stay running and the information on them stays in the organization. Opportunities to accidently install viruses and spyware come from shared files, or even from just surfing the Internet. Even legitimate sites often will spread malware!
• Firewall – Defends against unauthorized access and helps to protect the perimeter of your network. Your connection to the Internet is being frequently tested for openings that would allow entrance to hackers. The firewall is a basic first line of defense.
• File system encryption – Defends against loss of data if the computer is stolen. Many solutions exist, but both Windows and Mac OS X have built-in features for encrypting the file systems. Learn how to use this feature, and then make sure that you really are using it!
• Automatic Backup – Makes your information available in the event of a disk drive failure. This is an often overlooked element to information security in the small business. The usability of the backups should periodically be tested.

Of course, there are many others steps that can be taken ranging from segmenting your network to installing (and monitoring) intrusion detection/prevention systems to installing hardware encryption to active application scanning to multi-tiered firewall architectures to data classification systems to access control methodologies to …

So, by now we have learned that just being careful (the People element) is not all you need for good information security. You also need technology to supplement your people.

The last element of Defense in Depth is Operations. We will be looking at that in the next week or so…

- Dan

People play a vital role in your Defense In Depth strategy. Technology, by itself, cannot provide information assurance. Likewise, great operational procedures cannot assure confidentiality, integrity and availability.

Time and effort must be invested in people.

I used to think that good technology and procedures could overcome almost any problem. That was before a co-worker was arrested for stealing many thousands-of-dollars worth of new computers. He was able to circumvent operational procedures. The technology in place to watch the receiving dock did not catch him. People really can be the weakest link!

Here are a couple of items you need to consider as you work to strengthen the People portion of the information security program.

• Top-level management support – While this may sound pretty basic, it is key to the whole InfoSec program. Everyone says this, but it really is true. It is critical that the CIO or CEO support the efforts to protect the information assets of the organization. It may require some creative work to ensure this happens, but is certainly worth the effort.
• Awareness of employees – The folks that do the work of the organization need to understand their role. Most people want to do the right thing, but sometimes do not know how. Creativity is the key here. Will people remember a two-hour briefing on their role in information security? Probably not! So, how about spending some time coming up with unusual ways to show them.

The role of people in your information security strategy cannot be over-emphasized. They need to be aware of their role and the importance of their careful actions. The top-level of management needs to buy in to the efforts.

Take a look at your organization. Make sure that the CIO or CEO or owner know and support the program. Help people to understand their role.

Have fun!

- Dan

Can a small or medium sized business do Defense in Depth?

How about the home user?

The phrase “defense in depth” is tossed around in the Information Security field as if everyone knows what is being talked about.

Just what is Defense in Depth?

The National Security Agency has put out a short paper which discusses a strategy for defense in depth.

I certainly encourage you to take a look at that paper.

The defense in depth strategy focuses on three important elements as we work toward information assurance. These elements are:

• People
• Technology
• Operations

We will soon begin looking at each of these elements as it related to Information Security and the small business or home user.

- Dan