ICTF15 PfSense IPS Firewall


Transcript of ICTF15 PfSense IPS Firewall

  • 7/24/2019 ICTF15 PfSense IPS Firewall

    1/34

    Low cost firewall. Using pfSense with SNORT for a firewall with intrusion prevention.

    2/34

    What we're going to cover

    Why we chose pfSense over other options. Other features offered and limitations. What are pfSense & SNORT? pfSense requirements. Installation overview. Using the GUI and console menu. Important tweaks and gotchas. Packet shaping. Installing and using SNORT as an IDS or IPS. False positives, backups and packet drops. Questions?

    3/34

    More detail

    This workshop is a quick overview of pfSense + SNORT. A more in depth set of instructions is available on the Oxford ITSS wiki and I'll upload them to a public web site too.

    Oxford ITSS wiki link – https://wiki.it.ox.ac.uk/itss/pfSense

    Web site - http://users.ox.ac.uk/~clas0415/

    4/34

    Why we chose pfSense over other options. What we wanted for a new firewall: Ability to scale above 100Mb/s up to

    5/34

    Commercial options.

    We found several commercial brands of firewall in use within the university.

    Recommended makes were:

    Palo Alto, Fortinet's Fortigate (with special pricing negotiated via NSMS), Dell's Sonicwall series, Watchguard's XTM series

    6/34

    Commercial firewalls. The good:

    Ease of use (used Watchguard, saw Sonicwall & tried Fortinet). Low maintenance. Cost for 100Mb/s bandwidth capacity is affordable. Works with little configuration, out of the box.

    The downside:

    Cost for 1Gb/s is much higher (around £10,000 over 5 years). There can be vendor lock-in for 3-5 years on some contracts. We found the two units from one manufacturer to be unreliable under long term use.

    7/34

    Open source pfSense firewall with SNORT

    The good: Low cost (Use existing server hardware or approx. £1700 for a unit built for pfSense). Subscription cost for SNORT (£0 for community rulesets or £

    8/34

    Other features with pfSense

    High availability/load balancing. Packages to extend the system (SNORT, Zabbix client, etc). AD authentication, Captive portal, RADIUS auth support. DNS service, DHCP service/relay, NTP service, SNMP, PPPoE, WoL. Diagnostics – ARP tables, pretty graphs, Logs with remote logging, packet capture, firewall states, SMART status, Sockets and packet limiter info, RRD graphs.

    IPv6 support

    9/34

    Hang on, what are SNORT and pfSense?

    pfSense is an extendable open source stateful firewall with a web GUI and application package system. SNORT is an open source intrusion prevention/detection system (which happens to be available as a package for pfSense).

    SNORT analyses network traffic in various ways to detect ‘bad traffic’. SNORT rules define what exactly is ‘bad traffic’ (eg: SQL injection attempts). Subscriptions to SNORT rules are offered by the SNORT community and commercially by SNORT/Talos and

    10/34

    pfSense requirements.

    Running as a stateful firewall, pfSense alone requires only a modest system: PCIe bus, to ensure enough bandwidth for the NICs. Enough NICs, preferably well supported NICs such as Intel Pro. Preferably a 64-bit processor.

    With the SNORT IDS/IPS package, 4GB of RAM is recommended as well as a good multicore processor.

    11/34

    Firewall networking view

    [Network diagram: interfaces em0, em1, emc; LAN traffic; Admin]

    Diggory Gray (ITSS), Faculty of Classics, Oxford University.

    12/34

    Firewall installation steps

    Console install & setup: Install from CD. Assign LAN IP. Turn off DHCP.

    Web GUI configuration: Change your password and setup HTTPS. Assign NICs for LACP groups. Setup DNS, NTP & turn off NAT. Assign WAN and OPT interfaces. Setup firewall rules. Tune your system for network cards. Add niceties such as remote syslogging and traffic shaper.

    SNOcon

    Install S Setup an

    use with Subscribe

    rules sou Setup SN

    categorie Check SN

    each cate monitor alerts.

    Create w suppressi

    When SN test in no

    13/34

    Using the GUI and console menu.

    14/34

    Setting up aliases.

    Edit alias

    Delete alias

    15/34

    Firewall rules

    Move selected rules before rule.

    16/34

    Important tweaks and gotchas.

    Remember to tweak your network cards and check it worked (eg reported mbufs size on dashboard). Don't be too quick to turn on SNORT & with multiple rulesets – try the non-blocking mode first.

    When applying a large change to the firewall (eg. packet shaper configuration) you may need to reset the firewall state table (this will briefly disrupt traffic). Remove any IP addresses assigned on the bridged WAN and OPT interfaces. You may need to turn off ‘packet scrubbing’ and dropping of ‘do not fragment’ packets if you want to let through NFS traffic.

    17/34

    Using the packet shaper.

    It's important to note that the traffic shaper has a bandwidth overhead on your main connection of around 10% - 18%.

    The traffic shaper links in with firewall ‘PASS’ rules to identify packet priority. Several types of packet shaper algorithms are available:

    HFSC – Most complex & may be discontinued.
    CBQ – Like PRIQ but with a hierarchal structure and bandwidth limits for queues.
    FAIRQ – Based on CODEL, but attempts fair allocation for each queue.
    CODELQ – Used to avoid TCP buffer bloat problems through controlled delay.
    PRIQ – Different queues, each with a different priority & bandwidth.

    18/34

    Choosing your algorithm.

    If you want to prioritise some traffic at the expense of other types (such as VoIP), then you will want HFSC, CBQ or PRIQ.

    PRIQ is the easiest to setup, but can allow lower priority traffic to be starved of bandwidth completely.

    CBQ allows a hierarchal set of traffic queues to be created.
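A simplified model of the starvation point made on slides 17 and 18, added here and not taken from the slides or from pfSense's own scheduler code: queue names, priorities, shares and demands are constructed, and the CBQ borrowing step is a simplification of the real algorithm.

```python
# Simplified models of two pfSense traffic shaper schedulers (PRIQ and CBQ).
# Each queue has: priority (higher wins), share_pct (guaranteed % of the link,
# used by CBQ only) and demand (Mb/s the queue would like to send).
# All values below are constructed for illustration.
LINK_MBPS = 100
QUEUES = {
    "voip":   {"priority": 7, "share_pct": 30, "demand": 30},
    "web":    {"priority": 4, "share_pct": 50, "demand": 80},
    "backup": {"priority": 1, "share_pct": 20, "demand": 60},
}

def by_priority(queues):
    """Queue names, highest priority first."""
    return sorted(queues, key=lambda n: queues[n]["priority"], reverse=True)

def priq_allocate(capacity, queues):
    """PRIQ: strict priority. Each queue takes everything it wants before any
    lower priority queue is served, so the lowest queue can receive nothing."""
    alloc, left = {}, capacity
    for name in by_priority(queues):
        alloc[name] = min(queues[name]["demand"], left)
        left -= alloc[name]
    return alloc

def cbq_allocate(capacity, queues):
    """CBQ-style (simplified): every queue is first guaranteed min(demand, its
    configured share); bandwidth left over is then lent out by priority."""
    alloc = {n: min(q["demand"], q["share_pct"] * capacity // 100)
             for n, q in queues.items()}
    left = capacity - sum(alloc.values())
    for name in by_priority(queues):
        extra = min(queues[name]["demand"] - alloc[name], left)
        alloc[name] += extra
        left -= extra
    return alloc

def starved(alloc, queues):
    """Queues that wanted bandwidth but were allocated none."""
    return [n for n, mbps in alloc.items() if mbps == 0 and queues[n]["demand"] > 0]

if __name__ == "__main__":
    for label, fn in (("PRIQ", priq_allocate), ("CBQ", cbq_allocate)):
        alloc = fn(LINK_MBPS, QUEUES)
        print(label, alloc, "starved:", starved(alloc, QUEUES))
```

With these constructed demands PRIQ hands the backup queue nothing, while the CBQ share guarantees keep it at 20Mb/s without taking anything from VoIP.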

    19/34

    firewall

    20/34

    Firewall rules and traffic limiters

    21/34

    Installing and using SNORT as an IDS or IPS.

    Installing SNORT is easy. pfSense will download and install the package automatically for you.

    pfSense won't start the SNORT service or configure SNORT to inspect any of your interfaces.

    The tricky bit is configuring the rules SNORT will use to monitor your traffic and tuning SNORT parameters.

    22/34

    configuration

    23/34

    Signing up to ruleset subscriptions

    There are several sources of SNORT rules:

    Snort VRT rules (paid (~

    24/34

    Selecting the rulesets you need. Preprocessor configuration

    25/34

    Preprocessor configuration

    Logging and whitelisting

    26/34

    Logging and whitelisting.

    27/34

    Alerts & false positives

    28/34

    Positive?

    The resolving of host names can help determine hostnames. The rule descriptions will give you the rule which triggered the attack, as well as the ‘SID’ number. Look out for rules which say ‘possible’ in the wording. If you think the host may be genuine and the rule suspect, check the source IP and destination port and IP carefully. Use an online IP reputation website to look up known bad IPs as a second source of reference (such as IP C IP Void or others).

    http://ipinfo.info/html/ip_checker.php
    http://www.ipvoid.com/

    29/34

    IP blocklisting, rule suppression and disabling

    Suppress alerts for this rule from this IP.

    Remove this IP from the blocklist.

    Suppress alerts for this rule to this IP.

    Suppress all alerts for this rule.

    30/34

    Suppression vs disabling

    If you have the option, suppressing an IP will give you more flexibility – allowing you to add an exception to a rule for a destination or source IP. You can modify any exceptions you make in the suppression list (which is a list of SNORT suppression rules). Disabling a rule will reduce the load on SNORT slightly, but is a last resort and will mean SNORT will not monitor future occurrences.

    It is better to disable rules in the interface ‘rules’ tab, rather than delete them in the alerts tab (just in case you change your mind).
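An added example, not from the slides or the pfSense Snort package, showing what the suppression list on slide 30 and the four suppress options on slide 29 actually do: it parses suppress entries in Snort's threshold.conf syntax and applies them to constructed alerts. The SIDs, addresses and alerts are placeholders.

```python
import ipaddress
import re
# Constructed suppress list in Snort's threshold.conf syntax (the format behind the
# pfSense suppress-list entries on the slides). SIDs are placeholders, not real rules.
SUPPRESS_LIST = """
suppress gen_id 1, sig_id 1000001                                   # all alerts
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.20.0.15      # from this IP
suppress gen_id 1, sig_id 1000003, track by_dst, ip 192.168.50.0/24 # to this net
"""
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                         r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")

def parse_suppress_list(text):
    """One dict per suppress line; '#' comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {raw!r}")
        gid, sid, track, ip = m.groups()
        entries.append({"gid": int(gid), "sid": int(sid), "track": track,
                        "net": ipaddress.ip_network(ip, strict=False) if ip else None})
    return entries

def is_suppressed(alert, entries):
    """Match on gen_id/sig_id; a track clause also needs src (by_src) or dst (by_dst) in net."""
    for e in entries:
        if (e["gid"], e["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if e["track"] is None:
            return True
        addr = alert["src"] if e["track"] == "by_src" else alert["dst"]
        if ipaddress.ip_address(addr) in e["net"]:
            return True
    return False

def visible_alerts(alerts, entries):
    """Alerts still shown (and, in blocking mode, still able to block) after suppression."""
    return [a for a in alerts if not is_suppressed(a, entries)]

# Constructed alerts using documentation/private address ranges.
SAMPLE_ALERTS = [
    {"gid": 1, "sid": 1000001, "src": "203.0.113.9", "dst": "192.168.1.10"},
    {"gid": 1, "sid": 1000002, "src": "10.20.0.15", "dst": "192.168.1.10"},
    {"gid": 1, "sid": 1000002, "src": "10.20.0.99", "dst": "192.168.1.10"},
    {"gid": 1, "sid": 1000003, "src": "198.51.100.7", "dst": "192.168.50.22"},
    {"gid": 1, "sid": 1000003, "src": "198.51.100.7", "dst": "192.168.60.22"},
]
```

Only the alerts from a different source (10.20.0.99) and to a destination outside 192.168.50.0/24 survive, which is the narrower effect the slide recommends over disabling the whole rule.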

    31/34

    Trying to avoid the impact of false positives.

    Setup another SNORT instance without blocking to test new rulesets (or use another server purely for SNORT ruleset testing).

    Make sure you have a good ‘pass list’ and ‘home net’ lists setup.

    Check the rules and documentation (if any) in rulesets before activation. Review your logs for SNORT alerts in the few weeks after installation of SNORT or ruleset changes. Don't use rules which use the ‘portscan’ pre-processor – it's too touchy (even on ‘low’).

    32/34

    Backups and packet drops.

    pfSense backups are quite good and you can backup all pfSense settings in a small file.

    Note: if you select individual areas for your backup, the package specific settings (such as those for SNORT) are ignored.

    If you restore an entire backup to different hardware, you may need console access to fix any problems with interface mixups.

    Packet sniffing may help identify problems with packet drops. pfSense can sniff packets and save these in a file readable by Wireshark.

    33/34

    Questions?

    34/34

    Reference

    pfSense main documentation wiki
    Smallnet builder – building your own IDS firewall with pfSense
    (book) pfSense 2 Cookbook (ISBN: 978-1-849514-86-6) – bit thin in places (eg tr
    (book) pfSense: The Definitive Guide (ISBN: 978-0979034