Unfortunately a firewall isn't going to offer much protection against
these sorts of social engineered attacks. As the real weakness here
is the neural network behind the keyboard and not the computer
network. The best thing you can do is educating the employees about
social engineering. And implement a good on going security program.
It's all about managing your risk and exposure. There's no real magic
bullet that will make the threat disappear.
The firewall isn't completely useless and there are few things you can
do from pfSense at the network edge. Force all web traffic through a
proxy and use squidguard to enforce company policy on what sites users
are allowed to access and HVAP to scan the web traffic for known
viruses. However I've found HVAP to be a bit touchy and blocks a lot
of legitimate files like the important Adobe Flash update that closes
some known vulnerabilities. If possible use country block to block
countries that your business has no interaction with. Snort can also
help as it can alert you to traffic going to known command and control
servers and other known hacked systems. The other main attack vector
for social engineered attacks is email so make sure you are scanning
inbound email for known viruses. This is normally done on the email
server(s) or email relay in the DMZ depending on how your email
infrastructure is setup.
Internally your security program should include: vulnerability
assessment, patch management, system hardening (best practices),
centralized AV on the desktops, strong security policies (password
policies, etc), log correlation and analysis, and employee education.
Patch management should include the desktop applications. Especially
Adobe Reader and Flash as this is typically what's being used to
deliver these targeted attacks. Most of all know your network and
what traffic is normal.
Employee education plays an important part of your security posture
these days. Employee's should know how IT will and won't communicate
with them. Things like IT will never ask a user for their password.
They should be educated on company security policies. These policies
should be enforced if possible. They need to know common since things
like don't share your password and don't plug in that thumbdrive that
they found in the parking lot into their desktop. Better yet disable
USB mass storage devices using Group Policies. They need to be
educated about general web and email safety. Things like they should
not open attachments or click on urls in emails from people they don't
know and/or weren't expecting. Avoid clicking on shortened urls
unless you know where they are going, etc. And most of all IT should
have a good report with the employees so that they feel comfortable
coming to the IT team if they think something is suspicious.
Overall network design can come into play too. Proper segmentation
and vlans, etc can act as bulkheads on your network to contain any
breach. And not so common sense things like if your public facing
servers are behind a load balancer and you have a way to manage system
updates from an internal source, such as an internal repository mirror
or WSUS, then your servers no longer need a default gateway in their
routing table. They just have routes to be able to get to your update
server and the load balancer and any backend systems that support
them. So even if someone were to successfully hack your web server
they wouldn't be able to get a reverse shell or leverage it in any way
since the traffic would not have any route back to them.
There are a lot of commercial UTMs and End Point Protection products
out there that may be better suited to dealing with the threats your
business faces so don't get too tunnel visioned on pfSense. pfSense
is a great firewall, routing, and VPN platform and it can do some UTM
type functions if you leverage the available 3rd party packages. But
as UTM platform it's not at the same level as a good commercial UTM
solution. Which can do things like allow employees to access to gmail
but disallow uploading attachments. And include technologies like DLP
(Data Leak Prevention) that can block documents that include things
like social security numbers from leaving your network. Most of these
also allow you to setup your own rules so if the company has a policy
that any internal only document use a certain word template you can
make sure that they are blocked from leaving your network. If you
need to secure web and database servers then their are application
firewall products, both commercial and opensource that can help.
Wow that rambled on longer than I had expected. So I guess that's my 3 cents.
--
David
On Thu, Aug 4, 2011 at 7:33 AM, mayak-cq ma...@australsat.com wrote:
hi all,
i have deployed pfsense since its earliest versions and it has simply proven
to be one of the best pieces of software that i have ever used. i have had
several calls now from clients asking me questions about network
