Re: [pfSense] Snort as IPS in Pfsense
I see no keyword match for "Bro IDS" nor "Cymru" from the previous 34 messages.

https://github.com/sethhall/bro-scripts/wiki/The-Malware-Hash-Registry-and-Bro-IDS
https://www.bro.org/

2c

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478 x100
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec

On 09/29/2014 11:13 PM, Roberto Carna wrote:
> I think this is good for us:
>
> - Router ISP with IP 200.0.0.1
>
> - pfSense with the following interfaces:
>
>   a) WAN IP-less
>   b) LAN IP-less
>   c) OPT1 with IP 200.0.0.2 (management)
>   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-less
>
> - Corporate firewall with IP 200.0.0.3
>
> - Snort runs on the Bridge interface
>
> Do you think this is correct ???
>
> Good night !!!
>
> Roberto
>
> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral:
>> I can say that I imagine this address space:
>>
>> Router / IP 200.1.1.1 --- WAN IP-less / pfSense / LAN IP-less --- Firewall / IP 200.1.1.2
>>                            OPT1 / IP 200.1.1.3 (management)
>>
>> So, the WAN and LAN interfaces from pfSense are IP-less (promiscuous mode),
>> and the OPT1 interface from pfSense has a public IP as router and firewall.
>>
>> Can I do this in pfSense ???
>>
>> On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral wrote:
>>> OK Ivo, this is very helpful to me. Suppose I have:
>>>
>>> Router / IP 200.1.1.1 --- WAN / pfSense / LAN --- Firewall / IP 200.1.1.2
>>>
>>> I have to maintain the addressing of this scenario unchanged, so what IP
>>> addresses do I have to assign to the WAN and LAN pfSense interfaces ???
>>>
>>> Thanks a lot,
>>>
>>> JeLo
>>>
>>> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev wrote:
>>>> In a production environment you need 3 interfaces - one for WAN, one for
>>>> LAN and one for management.
>>>>
>>>> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>>>>
>>>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc wrote:
>>>>>> But you say: one interface for WAN, a second for
>>>>>> LAN...and which interface is for managing ???
>>>>>
>>>>> You manage with a browser from LAN, and optionally also from the WAN port.
>>>>> And with ssh from the LAN.
>>>>
>>>> --
>>>> Ivo R. Tonev
>>>> +55 61 8409-2642
>>>> i...@tonev.com.br

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Difference between APU4 and APU1C4
It is my belief that we all are on this list, in this discussion, because we have a requirement, desire and/or need for a solid network security solution. I applaud the community as a whole for making pfSense a product that is available for the societal masses. #respect

"Give me your low TTL, your latent, your packets en masse yearning to be delivered freely, for pfSense shall protect us all."

We all have bad days; none of us always uses the most proper words. There is no use for us to be divided; we are stronger together. Let us all put this quarrel to rest and move forward, forge ahead without complication. We all deserve a congratulation, especially not me, for furthering a unified vision that WE ALL have.

-- 
Blake Cornell
CTO, Integris Security LLC

On 07/22/2014 11:18 PM, Chris Bagnall wrote:
> On 23/7/14 4:11 am, Ryan Coleman wrote:
>> I may have fired off the message in a fit of frustration but you made
>> it a public statement - if you wanted to be the "mom" and handle it
>> you should have sent it privately instead of publicly.
>
> I can't work out if the above is directed at me or Jim.
>
> (I certainly don't have any intention of being anyone's mum)
>
> Kind regards,
>
> Chris
Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.
It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based services.

I would prefer staying within the framework of the interface or nominal BSD magic.

-- 
Blake Cornell
CTO, Integris Security LLC

On 07/12/2014 09:54 PM, Chris Buechler wrote:
> I don't see the point. If you don't want people to see the path, don't
> allow traceroute in (or stop it after the first NAT). If you do, what
> do you care if the layers of NAT can be enumerated. If anything even
> remotely useful to an attacker can be done to your network because
> someone knows how many layers of NAT you have, you have a lot bigger
> problems than showing that in a traceroute.
>
> pf scrub does have a min-ttl option but it's not one that's exposed
> anywhere in the GUI and would require changing the source to use. Not
> something I've ever seen a real need to use.
>
> On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell wrote:
>> I would put it on a report as an issue.. furthermore... no comment
>>
>> On 07/10/2014 05:29 PM, Walter Parker wrote:
>>> I disagree that this is a vulnerability/weakness. If this
>>> is truly your only issue with the network, I'd call it good and
>>> done if you are not the DOD/NSA.
>>>
>>> If you are, then you need to start again with an even more secure
>>> foundation.
>>>
>>> Walter
Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.
I would put it on a report as an issue.. furthermore... no comment

-- 
Blake Cornell
CTO, Integris Security LLC

On 07/10/2014 05:29 PM, Walter Parker wrote:
> I disagree that this is a vulnerability/weakness. If this
> is truly your only issue with the network, I'd call it good and done
> if you are not the DOD/NSA.
>
> If you are, then you need to start again with an even more secure
> foundation.
>
> Walter
>
> On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell wrote:
>> There is a reason for it. It works well except for this ONE issue.
>>
>> I like setting up 0 vulnerability/weakness networks. This is the only
>> one minus presentation/application issues.
>>
>> Thank you both for your input. I'll touch base when I determine a
>> resolution strategy.
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by
> men of zeal, well-meaning but without understanding. -- Justice
> Louis D. Brandeis
Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.
There is a reason for it. It works well except for this ONE issue.

I like setting up 0 vulnerability/weakness networks. This is the only one minus presentation/application issues.

Thank you both for your input. I'll touch base when I determine a resolution strategy.

-- 
Blake Cornell
CTO, Integris Security LLC

On 07/10/2014 01:49 PM, James Bensley wrote:
> Further to what Walter has said - Double NATB!
Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.
Any thoughts anyone?

-- 
Blake Cornell
CTO, Integris Security LLC

On 07/03/2014 06:15 PM, Blake Cornell wrote:
> Hello,
>
> I have a pfSense network that uses multiple layers of NAT translation.
> Public IPs are mapped to specific NAT addresses using a 1-to-1 mapping
> on the edge device. The packets are then forwarded to another pfSense
> device using another layer of NAT translation.
>
> Ex: public IP -> NAT network 1 -> NAT network 2 -> target machine.
>
> The issue lies when using the example IP of 1.1.1.1, on an example open
> port 80.
>
> # tcptraceroute 1.1.1.1 80
> [removed for brevity]
>  3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
>  4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
>  5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms
>
> As you can see, the results show three instances of 1.1.1.1. This
> allows an attacker the ability to enumerate the depth of NAT
> translation. This is a low risk issue.
>
> To resolve this issue I need to "mangle" forwarded IP packets by
> incrementing their TTL by 1. This would effectively hide the above
> included results. If anyone knows how to do this either through the web
> interface or through custom configurations then please let me know.
>
> Email me directly for a real world example for your analysis.
>
> Thanks in Advance,
[pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.
Hello,

I have a pfSense network that uses multiple layers of NAT translation. Public IPs are mapped to specific NAT addresses using a 1-to-1 mapping on the edge device. The packets are then forwarded to another pfSense device using another layer of NAT translation.

Ex: public IP -> NAT network 1 -> NAT network 2 -> target machine.

The issue lies when using the example IP of 1.1.1.1, on an example open port 80.

    # tcptraceroute 1.1.1.1 80
    [removed for brevity]
     3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
     4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
     5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms

As you can see, the results show three instances of 1.1.1.1. This allows an attacker the ability to enumerate the depth of NAT translation. This is a low risk issue.

To resolve this issue I need to "mangle" forwarded IP packets by incrementing their TTL by 1. This would effectively hide the above included results. If anyone knows how to do this either through the web interface or through custom configurations then please let me know.

Email me directly for a real world example for your analysis.

Thanks in Advance,

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478
M: +1(516)900-2193
PGP: 54DE 7526 4D9C 8641 A3AB 2B30 3C76 DF58 5B3D 6377
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec
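Worked model, added here and not taken from the thread, pfSense or pf, of the trace in the post above and of the pf scrub min-ttl option Chris Buechler mentions in his reply: it shows why the same public address answers for three consecutive probe TTLs and what raising the TTL at the edge does to the trace. The topology, the hop names and the 203.0.113.1 router address are constructed; min-ttl is modelled as pf documents it, raising any lower TTL to N when the packet is normalized on input.

```python
# Each hop: (device, address seen in its reply, applies_min_ttl).  Constructed
# topology; replies from devices behind the 1:1 mapping come back translated to
# the public address, which is why the thread's trace shows 1.1.1.1 three times.
PUBLIC_IP = "1.1.1.1"        # example address from the thread
ISP_ROUTER = "203.0.113.1"   # constructed, RFC 5737 documentation range
PATH = [
    ("isp-router", ISP_ROUTER, False),
    ("edge-nat",   PUBLIC_IP,  False),   # pfSense doing the 1:1 NAT
    ("inner-nat",  PUBLIC_IP,  False),   # second pfSense, second NAT layer
    ("target",     PUBLIC_IP,  False),   # host with port 80 open
]

def traceroute(path, min_ttl=None, max_probe_ttl=16):
    """Return [(probe_ttl, replying_address, kind)] as tcptraceroute prints
    them: 'time-exceeded' for an intermediate hop, 'open' when the SYN reaches
    the target.  Hops flagged applies_min_ttl raise a low TTL to min_ttl before
    forwarding, which is what 'scrub ... min-ttl N' does in pf."""
    hops = []
    for probe_ttl in range(1, max_probe_ttl + 1):
        ttl = probe_ttl
        for i, (_, reply_addr, normalizes) in enumerate(path):
            if i == len(path) - 1:          # destination answers the SYN
                hops.append((probe_ttl, reply_addr, "open"))
                return hops
            if normalizes and min_ttl is not None and ttl < min_ttl:
                ttl = min_ttl               # normalization on input
            ttl -= 1                        # each forwarding hop decrements
            if ttl == 0:                    # expired: ICMP time exceeded
                hops.append((probe_ttl, reply_addr, "time-exceeded"))
                break
    return hops

def with_min_ttl(path, device):
    """Copy of path with applies_min_ttl turned on for one device."""
    return [(d, a, True if d == device else n) for d, a, n in path]

def instances_of(hops, address):
    """Hops answering from one address: the count the original post treats
    as the enumerable NAT depth."""
    return sum(1 for _, a, _ in hops if a == address)

if __name__ == "__main__":
    for label, path, mt in (("as reported", PATH, None),
                            ("edge scrub min-ttl 64", with_min_ttl(PATH, "edge-nat"), 64)):
        hops = traceroute(path, mt)
        print(label, *[f"{t:2d} {a} [{k}]" for t, a, k in hops], sep="\n  ")
        print("  instances of", PUBLIC_IP, "=", instances_of(hops, PUBLIC_IP))
```

Raising the TTL at the edge hides every hop behind it, including the edge itself, from any traceroute, so it also removes that information from your own diagnostics, and as Chris notes the option is not exposed in the pfSense GUI.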