Slide1
Low cost firewall.
Using pfSense with SNORT for a firewall with intrusion prevention.
Slide2
What we’re going to cover…
Why we chose pfSense over other options.
Other features offered and limitations.
What are pfSense & SNORT?
pfSense requirements.
Installation overview.
Using the GUI and console menu.
Important tweaks and gotchas.
Packet shaping.
Installing and using SNORT as an IDS or IPS.
False positives, backups and packet drops.
Questions?
Slide3
More detail
This workshop is a quick overview of pfSense + SNORT.
A more in-depth set of instructions is available on the Oxford ITSS wiki and I’ll upload them to a public web site too.
Oxford ITSS wiki link – https://wiki.it.ox.ac.uk/itss/pfSense
Web site - http://users.ox.ac.uk/~clas0415/
Slide4
Why we chose pfSense over other options.
What we wanted for a new firewall:
Ability to scale above 100Mb/s up to 2Gb/s to match the TONE upgrade.
Ability to bridge rather than NAT – as we host services.
Packet shaping & QoS to avoid congestion for critical traffic (e.g. Chorus/ICP & web sites).
Reliable (as opposed to the one it replaced).
Not too expensive.
Slide5
Commercial options.
We found several commercial brands of firewall in use within the university.
Recommended makes were:
Palo Alto
Fortinet’s Fortigate (with special pricing negotiated via NSMS)
Dell’s Sonicwall series
Watchguard’s XTM series
Slide6
Commercial firewalls
The good:
Ease of use (used Watchguard, saw Sonicwall & tried Fortinet).
Low maintenance.
Cost for 100Mb/s bandwidth capacity is affordable.
Works with little configuration, out of the box.
The downside:
Cost for 1Gb/s is much higher (around £10,000 over 5 years).
There can be vendor lock-in for 3-5 years on some contracts.
We found the two units from one manufacturer to be unreliable under long-term use.
Slide7
Open source pfSense firewall with SNORT
The good:
Low cost (use existing server hardware or approx. £1700 for a unit built for pfSense). Subscription cost for SNORT (£0 for community rulesets or £260pa - £390pa for commercial subscriptions).
Use commodity hardware.
IDS/IPS as with commercial firewalls.
The downsides:
Requires more time to test & set up the IDS/IPS system initially.
Application monitoring and control not too easy to set up.
Not reported as working at 10Gb line speed yet.
Slide8
Other features with pfSense
High availability/load balancing.
Packages to extend the system (SNORT, zabbix client, etc…).
AD authentication, Captive portal, RADIUS auth support.
DNS service, DHCP service/relay, NTP service, SNMP, PPPoE, WoL.
Diagnostics – ARP tables, pretty graphs, logs with remote logging, packet capture, firewall states, SMART status, sockets and packet limiter info, RRD graphs.
IPv6 support
Slide9
Hang on, what are SNORT and pfSense?
pfSense is an extendable open source stateful firewall with a web GUI and application package system.
SNORT is an open source intrusion prevention/detection system (which happens to be available as a package for pfSense).
SNORT analyses network traffic in various ways to detect ‘bad’ traffic.
SNORT rules define exactly what ‘bad’ traffic is (e.g. SQL injection attempts).
Subscriptions to SNORT rules are offered by the SNORT community and commercially by SNORT/Talos and Emerging Threats.
Slide10
pfSense requirements.
Running as a stateful firewall, pfSense alone requires only a modest system:
PCIe bus, to ensure enough bandwidth for the NICs.
Enough NICs, preferably well supported NICs such as Intel Pro.
Preferably a 64bit processor.
With the SNORT IDS/IPS package, 4Gb of RAM is recommended as well as a good multicore processor.
Slide11
Firewall networking view
Diagram labels: physical NICs (em0, em1, em2, igb0, igb1, igb2); NIC aggregation (LAGG0, LAGG1); virtual interfaces (LAN, WAN, OPT1, BRIDGE); network linking; pfSense web GUI; WAN traffic; LAN traffic; admin.
Diggory Gray (ITSS), Faculty of Classics, Oxford University.
Slide12
Firewall installation steps
Slide13
Using the GUI and console menu.
Slide14
Setting up aliases.
Edit alias
Add new alias
Delete alias
Slide15
Firewall rules
Move selected rules before this rule.
Slide16
Important tweaks and gotchas.
Remember to tweak your network cards and check it worked (e.g. reported mbufs size on the dashboard).
Don’t be too quick to turn on SNORT blocking with multiple rulesets – try the non-blocking mode first.
When applying a large change to the firewall (e.g. packet shaper configuration) you may need to reset the firewall state table (this will briefly disrupt traffic).
Remove any IP addresses assigned on the bridged WAN and OPT interfaces.
You may need to turn off ‘packet scrubbing’ and dropping of ‘do not fragment’ packets if you want to let through NFS traffic.
Slide17
Using the packet shaper.
It’s important to note that the traffic shaper has a bandwidth overhead on your main connection of around 10% - 18%.
The traffic shaper links in with firewall ‘PASS’ rules to identify packet priority.
Several types of packet shaper algorithms are available:
HFSC – most complex & may be discontinued.
CBQ – like PRIQ but with a hierarchical structure and bandwidth limits for queues.
FAIRQ – based on CODELQ, but attempts fair allocation for each queue.
CODELQ – used to avoid TCP buffer bloat problems through controlled delay.
PRIQ – different queues, each with a different priority & bandwidth.
Slide18
Choosing your algorithm.
If you want to prioritise some traffic (such as VoIP) at the expense of other types, then you will want HFSC, CBQ or PRIQ.
PRIQ is the easiest to set up, but can allow lower priority traffic to be starved of bandwidth completely.
CBQ allows a hierarchical set of traffic queues to be created.
HFSC is quite complex, but provides the most flexible shaping system.
Slide19
Example of CBQ setup on our firewall
Slide20
Firewall rules and traffic limiters
Slide21
Installing and using SNORT as an IDS or IPS.
Installing SNORT is easy. pfSense will download and install the package automatically for you.
pfSense won’t start the SNORT service or configure SNORT to inspect any of your interfaces.
The tricky bit is configuring the rules SNORT will use to monitor your traffic and tuning SNORT parameters.
Slide22
Interfaces configuration
Slide23
Signing up to ruleset subscriptions
There are several sources of SNORT rules:
Snort VRT rules (paid (~$260pa) or free sign-up versions)
SNORT community rules
Emerging Threats open rules (free)
Emerging Threats Pro rules (paid only, ~£390pa)
Slide24
Selecting the rulesets you need.
Slide25
Preprocessor configuration
Slide26
Logging and whitelisting.
Slide27
Alerts & false positives
Slide28
Positive?
Resolving host names can help identify the hosts involved.
The rule descriptions will give you the rule which triggered the alert, as well as the ‘SID’ number.
Look out for rules which say ‘possible’ in the wording.
If you think the host may be genuine and the rule suspect, check the source IP and the destination port and IP carefully.
Use online IP reputation websites to look up known bad IPs as a second source of reference (such as IP Checker, IP Void or others).
Slide29
IP blocklisting, rule suppression and disabling
Suppress alerts for this rule from this IP
Remove this IP from the block list.
Suppress alerts for this rule to this IP
Suppress all alerts for this rule
Disable this rule and delete it!
Slide30
Suppression vs disabling
If you have the option, suppressing an IP will give you more flexibility – allowing you to add an exception to a rule for a destination or source IP.
You can modify any exceptions you make in the suppression list (which is a list of SNORT suppression rules).
Disabling a rule will reduce the load on SNORT slightly, but is a last resort and will mean SNORT will not monitor future occurrences.
It is better to disable rules in the interface ‘rules’ tab, rather than delete them in the alerts tab (just in case you change your mind).
Slide31
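The triage and suppression points of the last two slides, as an added example that is not part of the original slides or of the pfSense Snort package: it parses constructed Snort fast-format alert lines and a constructed suppress list (the threshold.conf syntax behind pfSense’s Suppress List tab), applies each suppress entry only to the rule and host it names, and flags the surviving alerts whose rule wording says ‘possible’. The alert lines, SIDs and IP addresses are constructed samples.

```python
import ipaddress
import re
# Constructed sample: Snort "fast"-format alert lines as the pfSense Snort package logs them.
ALERTS = """\
10/09-13:02:11.1 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.10.0.7:51234
10/09-13:02:15.2 [**] [1:2010935:3] ET SCAN Possible SSH scan [**] [Priority: 2] {TCP} 198.51.100.4:40321 -> 10.10.0.22:22
10/09-13:02:17.3 [**] [1:2010935:3] ET SCAN Possible SSH scan [**] [Priority: 2] {TCP} 10.10.0.9:40322 -> 10.10.0.22:22
10/09-13:02:19.4 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 203.0.113.8:80 -> 10.10.0.7:51240
"""
# Constructed suppress list in Snort's threshold.conf syntax (what pfSense's Suppress List tab holds).
SUPPRESS = """\
# our own monitoring host probes SSH on purpose; keep the rule live for every other source
suppress gen_id 1, sig_id 2010935, track by_src, ip 10.10.0.9
# 192.0.2.10 is our web server and a known page legitimately contains 'uid=0(root)'
suppress gen_id 1, sig_id 2100498, track by_src, ip 192.0.2.10/32
"""
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*?\{\w+\} "
                      r"([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?")
SUPPRESS_RE = re.compile(r"^suppress gen_id (\d+), sig_id (\d+)"
                         r"(?:, track (by_src|by_dst), ip (\S+))?$")

def parse_alerts(text):
    # one (gid, sid, msg, src_ip, dst_ip) tuple per line that is an alert
    found = [ALERT_RE.search(line) for line in text.splitlines()]
    return [(int(m[1]), int(m[2]), m[3], m[4], m[5]) for m in found if m]

def parse_suppress(text):
    rules = []  # (gid, sid, track, network); network None = suppress for every host
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        m = SUPPRESS_RE.match(line)
        if line and not m:
            raise ValueError("bad suppress entry: " + line)
        if m:
            rules.append((int(m[1]), int(m[2]), m[3],
                          ipaddress.ip_network(m[4], strict=False) if m[4] else None))
    return rules

def is_suppressed(alert, rules):
    gid, sid, _, src, dst = alert
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) == (gid, sid) and (net is None or
                ipaddress.ip_address(src if track == "by_src" else dst) in net):
            return True  # matched the rule and, if scoped, the named host
    return False

def triage(alert_text, suppress_text):
    # alerts that survive suppression, each flagged when the rule wording says 'possible'
    rules = parse_suppress(suppress_text)
    return [(a[1], a[3], a[4], "possible" in a[2].lower())
            for a in parse_alerts(alert_text) if not is_suppressed(a, rules)]
```

triage(ALERTS, SUPPRESS) leaves two alerts: the SSH scan from the outside host (flagged because the rule says ‘possible’) and the root-check response from 203.0.113.8, while the same rules stay silent for the two hosts the suppress list names.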
Trying to avoid the impact of false positives.
Set up another SNORT instance without blocking to test new rulesets (or use another server purely for SNORT ruleset testing).
Make sure you have good ‘pass list’ and ‘home net’ lists set up.
Check the rules and documentation (if any) in rulesets before activation.
Review your logs for SNORT alerts in the few weeks after installation of SNORT or ruleset changes.
Don’t use rules which use the ‘portscan’ pre-processor – it’s too touchy (even on ‘low’).
Slide32
Backups and packet drops.
pfSense backups are quite good and you can back up all pfSense settings in a small file.
Note: if you select individual areas for your backup, the package-specific settings (such as those for SNORT) are ignored.
If you restore an entire backup to different hardware, you may need console access to fix any problems with interface mixups.
Packet sniffing may help identify problems with packet drops.
pfSense can sniff packets and save these in a file readable by Wireshark.
Slide33
Questions?
Slide34
Reference