Re: [pfSense Support] Firewall security compromised by auxiliary programs?
On Fri, Feb 4, 2011 at 20:21, Joseph L. Casale wrote:
>> Well, I hear of people running pfSense in a VM, and I wonder how do you
>> avoid exposing the host OS to the network? How can a firewall be run in a
>> VM and not leave the host OS hanging out to be attacked?
>
> Well, if the interface is set up in a bridge with nothing else, what exactly is
> addressable that you can connect to and then hack? Now add a VM and plug
> a NIC into this bridge and put pfSense's WAN designation on it. When you show
> me one case of the host being compromised I'll believe it; until then it's not
> been done as far as I know...

If the OS is a VM, then you might want to understand Blue Pill:
http://en.wikipedia.org/wiki/Blue_Pill_%28malware%29

And, I believe, it's just the beginning of the threats for virtual environments.

Kurt

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] Re: Firewall security compromised by auxiliary programs?
In message Mark Jones was claimed to have written:
> Well, I hear of people running pfSense in a VM, and I wonder how do
> you avoid exposing the host OS to the network?

Proper configuration?

> How can a firewall be run in a VM and not leave the host OS hanging out
> to be attacked?

I can't speak to VMware's design limitations, but Hyper-V makes it trivial to bind the local machine's IP stack to one NIC, while Hyper-V guests are bound to one or more other interfaces. The attack surface is still marginally larger since the hypervisor's virtual switch is a potential target, but this is reasonably tolerable. Crawling out of the guest environment and compromising the host isn't necessarily impossible, but by that point your firewall is already so thoroughly compromised that you've probably got bigger things to worry about.

> Yes, I agree that having a jabber server on the firewall is less secure
> than not having a jabber server, but I question it being less secure
> than having it on my internal server. If it is on the pfSense box and
> becomes compromised, the hacker will need pfSense skills to get any
> further, then they will need an additional set of skills to get at my
> primary servers. If I open the ports that the jabber server uses, then
> they have access to my primary servers via the jabber server software
> because the firewall is permitting connections into and out of the
> network on those ports.

If the Jabber service itself is compromised then no additional skills are needed to get out beyond what would be needed to get out of a standalone server. Sure, some basic OS skills will be useful, but being on pfSense is no better or worse than anything else here.

> If this analysis is wrong, please someone point out where it is wrong.
> This assumes that the jabber server only opens the ports for XMPP and
> nothing else, no management ports etc.

There are a number of considerations.

To start with, many networks have more than "inside" and "outside"; your Jabber server doesn't necessarily need to have access to anything at all other than other Jabber servers (plus the ability to receive client connections from within the user-facing LAN). In this context, the firewall becomes the gatekeeper between each subnet/VLAN/LAN/whatever, and so is a far more attractive target.

Also consider: if your Jabber server only opens ports for XMPP and nothing else, and your firewall passes all traffic to those XMPP ports, what benefit do you receive from having a firewall at all vs. putting the XMPP server completely outside your firewall?
RE: [pfSense Support] Firewall security compromised by auxiliary programs?
> Well, I hear of people running pfSense in a VM, and I wonder how do you
> avoid exposing the host OS to the network? How can a firewall be run in a
> VM and not leave the host OS hanging out to be attacked?

Well, if the interface is set up in a bridge with nothing else, what exactly is addressable that you can connect to and then hack? Now add a VM and plug a NIC into this bridge and put pfSense's WAN designation on it. When you show me one case of the host being compromised I'll believe it; until then it's not been done as far as I know...
Re: [pfSense Support] Firewall security compromised by auxiliary programs?
-----Original Message-----
From: Mark Jones
Sent: Friday, February 04, 2011 2:54 PM
To: support@pfsense.com
Subject: [pfSense Support] Firewall security compromised by auxiliary programs?

Well, I hear of people running pfSense in a VM, and I wonder how do you avoid exposing the host OS to the network? How can a firewall be run in a VM and not leave the host OS hanging out to be attacked?

Or, go the other way and put the VM in the FreeBSD used by pfSense since there is plenty of excess CPU and memory to do the trick. Only getting VMware to run on pfSense FreeBSD might be difficult (I haven't actually tried it) given the very few pieces of FreeBSD that are present in a pfSense environment.

Yes, I agree that having a jabber server on the firewall is less secure than not having a jabber server, but I question it being less secure than having it on my internal server. If it is on the pfSense box and becomes compromised, the hacker will need pfSense skills to get any further, then they will need an additional set of skills to get at my primary servers. If I open the ports that the jabber server uses, then they have access to my primary servers via the jabber server software because the firewall is permitting connections into and out of the network on those ports.

Admittedly running log digesting software increases the attack surface if those programs actually use networking services, but if they are self-contained, the attack surface doesn't change. Adding a website (like say the pfSense PHP website interface) increases my exposure as well, but yet we do it to facilitate easy configuration.

If this analysis is wrong, please someone point out where it is wrong. This assumes that the jabber server only opens the ports for XMPP and nothing else, no management ports etc.


I currently run my pfSense firewall inside VMware Server on a Windows 2003 box. I set it up with 2 dedicated physical NICs for pfSense for WAN and LAN as well as 1 virtual NIC for all other VMs.

The 2 physical NICs have every protocol/program/connector turned OFF on them except the VMware bridge, meaning that as far as Windows sees, there's nothing on the interface to talk to. Aka, by default, the host system has ZERO network connectivity for itself. The virtual interface is used for a virtual network on the server for all other VMs that need network access as well as internet access for the server itself. Inside pfSense I have the virtual interface set up as opt1 and put in rules so that opt1 and LAN can communicate with each other unhindered. This also means that anything on the physical LAN network wanting to talk to the physical server host has to pass through the firewall first, meaning I can put rules in place if need be to filter on the internal side.

Overall this gives my network a single server that handles both my Windows file share, FreeBSD hosting servers and my firewall while keeping them all properly set up separately on a logical network level and yet physically on the same hardware. It is also set up in VMware that if the system crashes, the pfSense VM will be rebooted automatically.

I have even created a VM with snort running that tapped into the same physical interfaces parallel to pfSense and has granted me some awesome level packet capture as it will run bus speed with only a single interface instead of 2 for a physical install (you do have to manually disable transmission on the listening interface though inside the VM, which varies by OS).

If you have the resources, I would actually recommend use of VMware ESXi as the host since it lets you configure virtual switches and gives much tighter control over how the VMs and logical systems are configured.

Doing it the other way and running jails/VMs inside the firewall I feel is a really bad idea as nothing should ever be run under a firewall host. You could have a glitch and have a jail cause a kernel panic and crash the host.

-Sean
Re: [pfSense Support] Firewall security compromised by auxiliary programs?
On 4 February 2011 20:54, Mark Jones wrote:
> ... A lot of stuff ...

I'm no network expert, nor am I a computer expert. Nor will I ever claim to be. But if it's one thing I know for a fact, it is that putting all your eggs in one basket isn't a good idea, no matter what.

The whole point of a firewall is to keep you and in effect your network infrastructure secure. The way to achieve this is to implement some sort of mechanism to make sure that your ingress point is as little exposed as possible. In this respect, the ingress point is your firewall, aka pfSense. By limiting the services/programs running on that crucial ingress point, you, as has been said previously, effectively limit the attack surface exposed to external parties (read: external sources trying to breach your ingress point).

For me, this all sounds sane and logical. I try to the best of my abilities to run as few services as possible on the firewall, no matter if it's at home or in a corporate environment. The thing about a firewall is that it's supposed to give you and your network protection. Services such as a web server, VoIP service, Jabber, IRC, FTP server, shell access etc. etc. are supposed to run on machines *behind* the ingress point, in this case the firewall.

This is where the multiple interface scenario comes into play. If you plan a good network, you know that you need to separate services/machines, and where they reside, based on the function the service/machine performs. For instance, a web server does not *need* to be in your LAN segment to work; it can without problem reside in a different network segment (read: interface) and function as it should, both from the inside *and* outside.

Whenever you implement a firewall, you plan your firewall and network topology based on what you're actually doing. The basic rule of thumb in an ideal scenario is that you shut down access to *everything*, and just open up access to whatever is needed, both inbound and outbound.

This way, your firewall controls what is allowed on the network or not. If someone was to gain access to a host behind your ingress point (read: firewall), the rules *you* implemented would be the base of the attack, or the lack of it, depending on your rules.

The problem with running unneeded services on your firewall, no matter if it's on a dedicated machine or in a virtually hosted environment, is that if someone is actually able to gain access to your firewall due to open doors exposed by these services, they basically have unlimited access to your network. pfSense has access to *all* your network segments, all your active VPN connections (site to site, satellite to server) and what not. Gain access to the ingress point, and you basically have the key to all the doors in the house, no matter if they use a physical key, magnetic card or biometric reading.

If you have done your planning right, and implemented the right rule set for your ingress point, gaining access to a host behind the ingress point will in most cases prove less dangerous than gaining access to the main ingress point itself.

I'm sure there are people out there who are ready to pick this particular analysis apart, and I welcome them to. But this is the way I see things, and on a personal note, it's worked out great so far.

--
Yours sincerely
Jostein Elvaker Haande

"A free society is a place where it is safe to be unpopular" - Adlai Stevenson

http://tolecnal.net -- tolecnal at tolecnal dot net
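As an added illustration of the layout argued for in the two replies above (the XMPP host in its own segment behind a default-deny firewall, rather than the daemon running on the firewall itself), here is a hand-written pf ruleset in the pre-OpenBSD-4.7 syntax that FreeBSD 7.2/pfSense 1.2.3 use; it is not from the thread or from pfSense, which generates its own rules from the GUI. Interface names, addresses and the DMZ host are assumptions; 5222 and 5269 are the registered XMPP client-to-server and server-to-server ports.

```pf
# Added example: the policy the thread recommends, as a plain pf.conf.
# Interface names, addresses and the DMZ host are assumed; pfSense itself
# generates rules from its GUI and does not load this file.
wan_if   = "em0"
lan_if   = "em1"
dmz_if   = "em2"            # OPT1 in pfSense terms, holding the Jabber server
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"
jabber   = "192.168.2.10"   # assumed address of the XMPP host
xmpp_c2s = "5222"           # registered XMPP client-to-server port
xmpp_s2s = "5269"           # registered XMPP server-to-server port
mgmt     = "{ 22, 443 }"    # SSH and webGUI of the firewall, LAN only

# Every segment the firewall touches; used to fence "outbound to the Internet".
table <inside> const { $lan_net, $dmz_net }

set block-policy drop
set skip on lo0
scrub in all

# Outbound NAT for both inside segments; on the WAN only 5269 is forwarded,
# and it goes to the DMZ host, never to the firewall's own stack.
nat on $wan_if from <inside> to any -> ($wan_if)
rdr on $wan_if proto tcp from any to ($wan_if) port $xmpp_s2s -> $jabber

# Default deny in both directions, logged; every pass below is a deliberate opening.
block log all

# --- The variant the thread argues against: the XMPP daemon on the firewall.
# These two rules admit Internet and LAN traffic to the firewall's own
# addresses, so a bug in the daemon lands an attacker on the host that
# touches every segment and VPN. Kept here, commented out, for contrast.
# pass in on $wan_if proto tcp from any to ($wan_if) port $xmpp_s2s keep state
# pass in on $lan_if proto tcp from $lan_net to ($lan_if) port $xmpp_c2s keep state

# --- The recommended variant: the XMPP host in its own segment.
# The firewall itself accepts only management traffic, and only from the LAN.
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port $mgmt keep state
# LAN users reach the Jabber server on the client port only.
pass in quick on $lan_if proto tcp from $lan_net to $jabber port $xmpp_c2s keep state
# Federation from other Jabber servers reaches the DMZ host on 5269 only
# (the rdr above has already rewritten the destination to $jabber).
pass in quick on $wan_if proto tcp from any to $jabber port $xmpp_s2s keep state
# The DMZ host may federate outbound and resolve names; <inside> is excluded,
# so even a compromised Jabber server cannot initiate anything toward the LAN.
pass in quick on $dmz_if proto tcp from $jabber to !<inside> port $xmpp_s2s keep state
pass in quick on $dmz_if proto { tcp, udp } from $jabber to !<inside> port 53 keep state
# LAN hosts get to the Internet; <inside> is excluded here too, so the only
# path from the LAN into the DMZ is the 5222 rule above.
pass in quick on $lan_if from $lan_net to !<inside> keep state
```

States are floating by default, so the reply half of each connection crosses the other interface without a separate pass out rule; `pfctl -nf` on the file checks the syntax before it is loaded.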
[pfSense Support] Firewall security compromised by auxiliary programs?
Well, I hear of people running pfSense in a VM, and I wonder how do you avoid exposing the host OS to the network? How can a firewall be run in a VM and not leave the host OS hanging out to be attacked?

Or, go the other way and put the VM in the FreeBSD used by pfSense since there is plenty of excess CPU and memory to do the trick. Only getting VMware to run on pfSense FreeBSD might be difficult (I haven't actually tried it) given the very few pieces of FreeBSD that are present in a pfSense environment.

Yes, I agree that having a jabber server on the firewall is less secure than not having a jabber server, but I question it being less secure than having it on my internal server. If it is on the pfSense box and becomes compromised, the hacker will need pfSense skills to get any further, then they will need an additional set of skills to get at my primary servers. If I open the ports that the jabber server uses, then they have access to my primary servers via the jabber server software because the firewall is permitting connections into and out of the network on those ports.

Admittedly running log digesting software increases the attack surface if those programs actually use networking services, but if they are self-contained, the attack surface doesn't change. Adding a website (like say the pfSense PHP website interface) increases my exposure as well, but yet we do it to facilitate easy configuration.

If this analysis is wrong, please someone point out where it is wrong. This assumes that the jabber server only opens the ports for XMPP and nothing else, no management ports etc.

-----Original Message-----
From: Pandu Poluan [mailto:pa...@poluan.info]
Sent: Thursday, February 03, 2011 12:21 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Can anyone build a 1.2.3 ISO?

I agree with Jim. A firewall box should be exclusively a firewall, no matter how 'stout' it is. More components == more attack surface area. Not to mention the intricacies of interaction that might bollix the firewall's mechanisms in a non-repeatable way.

Better to put all analysis packages in another box, which may be realized as a Linux box, which Mark is more comfortable with. Or, you can also save on boxes by installing the analysis mechanisms as a VM, either through KVM or XenServer. Admittedly, the latter requires you to reformat a box, but IMO more stable because it does not have to rely on the stability of the Dom0 Linux.

Just my 2 cents.

Rgds,

On 2011-02-03, Jim Pingle wrote:
> On 2/2/2011 11:35 AM, Mark Jones wrote:
>> The Beta label on 2.0 is holding us back. (Also, last night I tried
>> building 2.0 on 8.1 and it failed, but I don't even see any errors,
>> nor do I know where they are squirreled away.) We are running on 7.2
>> with 1.2.3 and it works. What we are trying to do is add java and
>> openfire so that we can run our IM client/setup on the pfsense box.
>>
>> The fact that portsnap isn't available to do that is a severe problem
>> for us (or maybe it just keeps us from shooting our own foot). Is
>> there some webpage that points out HOW to build an addon for pfsense
>> so that we could do a private addon for java and openfire?
>>
>> I'd also like to move our log analysis/display tool to the pfsense box.
>> It reads snort logs and squid proxy logs and tries to present a
>> coherent view of what has happened yesterday. Right now it's almost
>> pre-alpha and requires we suck the logs off the box and do the work
>> elsewhere. We have a very stout box we are devoting to pfsense so it can
>> carry this load.
>> Any pointers on how you do this would be much appreciated.
>>
>> I can't find any pages that talk about how to build/package an addon
>> for pfsense. This doesn't give any hints as to how to pull it off
>> http://doc.pfsense.org/index.php/Packages#Specific_Package_Information
>>
>> PS: the code we use to display the logs is based on Django and runs
>> in python (mod_wsgi, or mod_python), so that would be the next hurdle
>
> Sounds like a lot of stuff that doesn't belong on a firewall ;-)
>
> You don't need to build on a firewall, use the ports system on a full
> 7.2 box and just run "make package-recursive" in the ports you want,
> then copy the resulting .tbz files to the pfsense box and add them
> with pkg_add.
>
> It's just like building packages for any FreeBSD system.
>
> You should really be pushing the logs off the firewall and onto a
> dedicated box for that. You really want the firewall to be a firewall,
> not a general purpose box.
>
> Though if you want to install all of that, you will be shooting
> yourself in the foot in one way or another, so you'll be on your own there.
>
> You might at least look into the jailctl package so you can at least
> segregate this stuff off into an area that is isolated from the main
> firewall (and incidentally, you can get make and friends working
> inside of a jail) - though I would still caution against
Re: [pfSense Support] Error deleting opt int
On Fri, Feb 4, 2011 at 12:21 PM, Joseph L. Casale wrote:
>> http://www.mail-archive.com/support@pfsense.com/msg19120.html
>
> My bad, should have searched...
> I found it anyway, it was obvious once I ssh'ed in. Is that case handled in
> 2.0

yes
Re: [pfSense Support] Alias Renaming Issue
I saw that but assume that was normal since the changed alias didn't exist on the old rule. I believe it's normal, but it would be great if the rules auto-updated on alias name changes.

Leonel -SiRGt- Reyes
Linux User #343531
lreyes6(at)gmail(dot)com
http://sirgt.chapinware.com

On Fri, Jan 21, 2011 at 12:20 PM, Dimitri Rodis <dimit...@integritasystems.com> wrote:
> pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011
>
> I created a NAT rule with a linked firewall rule using a port alias that I
> called OWA_PORTS. After creating the rule I decided to rename the port alias
> to PORTS_WEBSERVER. When I did, the alias was renamed in the NAT rule
> properly, but it was not updated in the linked firewall rule, and now in the
> log I see:
>
> php: : filter_generate_address: OWA_PORTS is not a valid source port.
>
> Opening up the NAT rule and just hitting "save" again did cause the
> firewall rule to update (as a workaround)--but you first have to notice that
> your stuff doesn't work ;)
>
> Anyone else see this?
>
> Dimitri Rodis
> http://www.integritasystems.com
RE: [pfSense Support] Error deleting opt int
> http://www.mail-archive.com/support@pfsense.com/msg19120.html

My bad, should have searched...
I found it anyway, it was obvious once I ssh'ed in. Is that case handled in 2.0 or is this something I need to watch there as well?

Thanks!
jlc
Re: [pfSense Support] Error deleting opt int
On Fri, Feb 4, 2011 at 12:06 PM, Joseph L. Casale wrote:
> I tried to delete an opt interface and got the following error:
>
> XML error: OPT at line 2103 cannot occur more than once
>
> After which the web ui no longer responded.
>
> Look familiar, otherwise is there a log I can provide to glean insight?
>

http://www.mail-archive.com/support@pfsense.com/msg19120.html
[pfSense Support] Error deleting opt int
I tried to delete an opt interface and got the following error:

XML error: OPT at line 2103 cannot occur more than once

After which the web ui no longer responded.

Look familiar, otherwise is there a log I can provide to glean insight?

Thanks,
jlc
Re: [pfSense Support] pfSense - Squid user levels
This is achievable but I don't think you can do this in pfSense. The options aren't in the squidGuard menu options within pfSense, so you would have to ssh in and set it up yourself, but my understanding is that any time you make a change via the pfSense interface it will wipe over your manual config.

--James.
(This email was sent from a mobile device)