
Posted on 11-Jan-2016


Low cost firewall. Using pfSense with SNORT for a firewall with intrusion prevention.

What we’re going to cover…

• Why we chose pfSense over other options.

• Other features offered and limitations.

• What are pfSense & SNORT?

• pfSense requirements.

• Installation overview.

• Using the GUI and console menu.

• Important tweaks and gotchas.

• Packet shaping.

• Installing and using SNORT as an IDS or IPS.

• False positives, backups and packet drops.

• Questions?

More detail

This workshop is a quick overview of pfSense + SNORT. A more in-depth set of instructions is available on the Oxford ITSS wiki and I’ll upload them to a public web site too.

• Oxford ITSS wiki link – https://wiki.it.ox.ac.uk/itss/pfSense

• Web site - http://users.ox.ac.uk/~clas0415/

Why we chose pfSense over other options.

What we wanted for a new firewall:

• Ability to scale above 100Mb/s up to 2Gb/s to match TONE upgrade.

• Ability to bridge rather than NAT – as we host services.

• Packet shaping & QoS to avoid congestion for critical traffic (eg: Chorus/ICP & web sites).

• Reliable (as opposed to the one it replaced).

• Not too expensive.

Commercial options.

We found several commercial brands of firewall in use within the university.

Recommended makes were:

• Palo Alto

• Fortinet’s Fortigate (with special pricing negotiated via NSMS)

• Dell’s Sonicwall series

• Watchguard’s XTM series

Commercial firewalls

The good:

• Ease of use (used Watchguard, saw Sonicwall & tried Fortinet)

• Low maintenance.

• Cost for 100Mb/s bandwidth capacity is affordable.

• Works with little configuration, out of the box.

The downside:

• Cost for 1Gb/s is much higher (around £10,000 over 5 years).

• There can be vendor lock-in for 3-5 years on some contracts.

• We found the two units from one manufacturer to be unreliable under long term use.

Open source pfSense firewall with SNORT

The good:

• Low cost (use existing server hardware or approx. £1700 for a unit built for pfSense). Subscription cost for SNORT (£0 for community rulesets or £260pa - £390pa for commercial subscriptions).

• Use commodity hardware.

• IDS/IPS as with commercial firewalls.

The downsides:

• Requires more time to test & setup the IDS/IPS system initially.

• Application monitoring and control not too easy to setup.

• Not reported as working at 10Gb line speed yet.

Other features with pfSense

• High availability/load balancing.

• Packages to extend the system (SNORT, zabbix client, etc…)

• AD authentication, Captive portal, RADIUS auth support.

• DNS service, DHCP service/relay, NTP service, SNMP, PPPoE, WoL

• Diagnostics – ARP tables, pretty graphs, logs with remote logging, packet capture, firewall states, SMART status, sockets and packet limiter info, RRD graphs.

• IPv6 support

Hang on, what are SNORT and pfSense?

• pfSense is an extendable open source stateful firewall with a web GUI and application package system.

• SNORT is an open source intrusion prevention/detection system (which happens to be available as a package for pfSense).

• SNORT analyses network traffic in various ways to detect ‘bad’ traffic.

• SNORT rules define what exactly is ‘bad’ traffic (eg: SQL injection attempts).

• Subscriptions to SNORT rules are offered by the SNORT community and commercially by SNORT/Talos and Emerging Threats.

pfSense requirements.

Running as a stateful firewall, pfSense alone requires only a modest system:

• PCIe bus, to ensure enough bandwidth for the NICs.

• Enough NICs, preferably well supported NICs such as Intel Pro.

• Preferably a 64bit processor.

With the SNORT IDS/IPS package, 4Gb of RAM is recommended as well as a good multicore processor.

Diggory Gray (ITSS), Faculty of Classics, Oxford University.

Firewall networking view

[Diagram. Layers from bottom to top: Physical NICs (em0, em1, em2, igb0, igb1, igb2) → NIC aggregation (LAGG0, LAGG1) → Virtual interfaces (LAN, WAN, OPT1) → Network linking (BRIDGE). WAN traffic enters via the WAN interface, LAN traffic and admin access to the pfSense web GUI via the LAN interface.]

Firewall installation steps

Console install & setup

• Install from CD

• Assign LAN IP

• Turn off DHCP

Web GUI configuration

• Change your password and setup HTTPS

• Assign NICs for LACP groups.

• Setup DNS, NTP & turn off NAT.

• Assign WAN and OPT interfaces.

• Setup firewall rules.

• Tune your system for network cards.

• Add niceties such as remote syslogging and traffic shaper.

SNORT package configuration

• Install SNORT package

• Setup an interface to use with SNORT

• Subscribe to SNORT rules sources.

• Setup SNORT categories.

• Check SNORT rules for each category and monitor for SNORT alerts.

• Create white list and suppression list.

• When SNORT is ready, test in non-blocking mode (IDS not IPS) first.

Using the GUI and console menu.

Setting up aliases.

[Screenshot callouts: Edit alias, Add new alias, Delete alias.]

Firewall rules

[Screenshot callout: Move selected rules before this rule.]

Important tweaks and gotchas.

• Remember to tweak your network cards and check it worked (eg reported mbufs size on dashboard).

• Don’t be too quick to turn on SNORT & with multiple rulesets – try the non-blocking mode first.

• When applying a large change to the firewall (eg. packet shaper configuration) you may need to reset the firewall state table (this will briefly disrupt traffic).

• Remove any IP addresses assigned on the bridged WAN and OPT interfaces.

• You may need to turn off ‘packet scrubbing’ and dropping of ‘do not fragment packets’ if you want to let through NFS traffic.

Using the packet shaper.

It’s important to note that the traffic shaper has a bandwidth overhead on your main connection of around 10% - 18%. The traffic shaper links in with firewall ‘PASS’ rules to identify packet priority. Several types of packet shaper algorithms are available:

• HFSC – Most complex & may be discontinued.

• CBQ – Like PRIQ but with a hierarchical structure and bandwidth limits for queues.

• FAIRQ – Based on CODELQ, but attempts fair allocation for each queue.

• CODELQ – Used to avoid TCP buffer bloat problems through controlled delay.

• PRIQ – Different queues, each with a different priority & bandwidth.

Choosing your algorithm.

If you want to prioritise some traffic (such as VoIP) at the expense of other types, then you will want HFSC, CBQ or PRIQ.

PRIQ is the easiest to setup, but can allow lower priority traffic to be starved of bandwidth completely.

CBQ allows a hierarchical set of traffic queues to be created.

HFSC is quite complex, but provides the most flexible shaping system.
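To make the PRIQ starvation point concrete, here is an added example (not from the slides or from pfSense/ALTQ) that models the two schedulers on a saturated link. It is a simplified model: PRIQ is strict priority, and the CBQ-style scheduler gives each queue a guaranteed bandwidth first and then lets queues borrow spare capacity up to an upper limit, higher priority borrowing first. The class names, demands, guarantees and limits are constructed values chosen so that offered load exceeds the link.

```python
# Constructed scenario: a 100 Mb/s link that three traffic classes try to
# overload.  "demand" is offered load in Mb/s; "bandwidth" and "upperlimit"
# are the CBQ-style guarantee and cap (assumed shares, not pfSense defaults).
LINK_MBPS = 100

CLASSES = [
    {"name": "voip",   "priority": 7, "demand": 5,   "bandwidth": 10, "upperlimit": 20},
    {"name": "web",    "priority": 5, "demand": 120, "bandwidth": 60, "upperlimit": 80},
    {"name": "backup", "priority": 1, "demand": 50,  "bandwidth": 30, "upperlimit": 100},
]


def priq(classes, link):
    """Strict priority: the highest-priority queue takes what it wants first,
    and whatever is left flows down to the lower priorities."""
    remaining = link
    out = {}
    for c in sorted(classes, key=lambda c: -c["priority"]):
        got = min(c["demand"], remaining)
        out[c["name"]] = got
        remaining -= got
    return out


def cbq(classes, link):
    """Class-based model: every queue first receives min(demand, guarantee);
    spare link capacity is then lent out in priority order, but never beyond
    a queue's upper limit.  Guarantees are assumed to sum to at most the link."""
    assert sum(c["bandwidth"] for c in classes) <= link, "guarantees exceed link"
    out = {c["name"]: min(c["demand"], c["bandwidth"]) for c in classes}
    spare = link - sum(out.values())
    for c in sorted(classes, key=lambda c: -c["priority"]):
        if spare <= 0:
            break
        room = min(c["demand"], c["upperlimit"]) - out[c["name"]]
        take = max(0, min(room, spare))
        out[c["name"]] += take
        spare -= take
    return out


def starved(allocation):
    """Names of queues that offered traffic but received nothing at all."""
    return [name for name, got in allocation.items() if got == 0]


if __name__ == "__main__":
    for label, sched in (("PRIQ", priq), ("CBQ", cbq)):
        alloc = sched(CLASSES, LINK_MBPS)
        print(f"{label}: {alloc}  starved={starved(alloc)}")
```

Under PRIQ the bulk "web" class consumes everything VoIP leaves, so "backup" receives nothing; under the CBQ-style model "backup" keeps its guaranteed share while "web" borrows only the spare capacity up to its cap. Real ALTQ queues have more knobs (realtime and linkshare curves in HFSC, borrow flags in CBQ), so treat this as an illustration of the trade-off, not a planning tool.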

Example of CBQ setup on our firewall

Firewall rules and traffic limiters

Installing and using SNORT as an IDS or IPS.

• Installing SNORT is easy. pfSense will download and install the package automatically for you.

• pfSense won’t start the SNORT service or configure SNORT to inspect any of your interfaces.

• The tricky bit is configuring the rules SNORT will use to monitor your traffic and tuning SNORT parameters.

Interfaces configuration

Signing up to ruleset subscriptions

There are several sources of SNORT rules:

• Snort VRT rules (paid (~$260pa) or free sign up versions)

• SNORT community rules

• Emerging Threats open rules (free)

• Emerging Threats Pro rules (paid only ~£390pa)

Selecting the rulesets you need.


Preprocessor configuration

Logging and whitelisting.

Alerts & false positives. Is it a genuine positive?

• Resolving IP addresses to host names can help identify the hosts involved.

• The rule descriptions will give you the rule which triggered the alert, as well as the ‘SID’ number.

• Look out for rules which say ‘possible’ in the wording.

• If you think the host may be genuine and the rule suspect, check the source IP and destination port and IP carefully.

• Use online IP reputation websites to look up known bad IPs as a second source of reference (such as IP Checker, IP Void or others).

IP Blocklisting, rule suppression and disabling

[Screenshot callouts on the alerts tab: Suppress alerts for this rule from this IP; Remove this IP from the block list; Suppress alerts for this rule to this IP; Suppress all alerts for this rule; Disable this rule and delete it!]

Suppression vs disabling

• If you have the option, suppressing an IP will give you more flexibility – allowing you to add an exception to a rule for a destination or source IP.

• You can modify any exceptions you make in the suppression list (which is a list of SNORT suppression rules).

• Disabling a rule will reduce the load on SNORT slightly, but is a last resort and will mean SNORT will not monitor future occurrences.

• It is better to disable rules in the interface ‘rules’ tab, rather than delete them in the alerts tab (just in case you change your mind).

Trying to avoid the impact of false positives.

• Setup another SNORT instance without blocking to test new rulesets (or use another server purely for SNORT ruleset testing).

• Make sure you have a good ‘pass list’ and ‘home net’ lists setup.

• Check the rules and documentation (if any) in rulesets before activation.

• Review your logs for SNORT alerts in the few weeks after installation of SNORT or ruleset changes.

• Don’t use rules which use the ‘portscan’ pre-processor – it’s too touchy (even on ‘low’).
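The alert-review advice above (check the SID and wording, check source and destination, prefer suppression over disabling, and watch the logs after ruleset changes) can be partly automated. The following is an added example, not code from the slides or from the SNORT or pfSense projects: it parses lines in SNORT’s alert_fast log format, flags rules whose message says ‘possible’, checks the source against a pass list and home net, counts noisy SIDs, and emits candidate suppression entries in the same `suppress gen_id …, sig_id …, track by_src, ip …` syntax the pfSense suppression list uses. The alert lines, SIDs (1000001-1000003, local-rule range), addresses, HOME_NET and PASS_LIST are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed alert_fast lines (documentation addresses, local SIDs); not real alerts.
SAMPLE_ALERTS = """\
01/11-09:12:01.001  [**] [1:1000001:1] LOCAL possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
01/11-09:12:03.002  [**] [1:1000001:1] LOCAL possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.5:40001 -> 192.0.2.10:80
01/11-09:12:09.003  [**] [1:1000002:2] LOCAL ssh brute force [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.7:60000 -> 192.0.2.22:22
01/11-09:13:15.004  [**] [1:1000001:1] LOCAL possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:3300 -> 192.0.2.10:80
01/11-09:14:20.005  [**] [1:1000003:1] LOCAL monitoring probe [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.250:5555 -> 192.0.2.10:443
"""

# Assumed site values: the protected network and hosts that must never be blocked.
HOME_NET = ["192.0.2.0/24"]
PASS_LIST = ["192.0.2.250"]  # e.g. a monitoring server that trips probe rules

# [gid:sid:rev] message [**] ... [Priority: n] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key])
    return d


def parse_alerts(text):
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)


def triage(alerts, home_net, pass_list):
    """Attach a verdict: pass-listed sources are never block candidates; 'possible'
    rules and alerts sourced from inside the home net need a human look first."""
    out = []
    for a in alerts:
        if in_any(a["src"], pass_list):
            verdict = "pass-listed"
        elif "possible" in a["msg"].lower() or in_any(a["src"], home_net):
            verdict = "review"
        else:
            verdict = "block-candidate"
        out.append({**a, "verdict": verdict})
    return out


def noisy_sids(alerts, threshold):
    """SIDs firing at least `threshold` times: the first place to look for false positives."""
    counts = Counter(a["sid"] for a in alerts)
    return {sid: n for sid, n in counts.items() if n >= threshold}


def suppression_candidates(alerts, home_net, pass_list):
    """Suppression-list lines to review (not apply blindly): pass-listed sources, and
    home-net sources tripping 'possible' rules.  Uses by_src so the rule stays active."""
    pairs = set()
    for a in alerts:
        src = a["src"]
        possible = "possible" in a["msg"].lower()
        if in_any(src, pass_list) or (in_any(src, home_net) and possible):
            pairs.add((a["gid"], a["sid"], src))
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {ip}"
            for g, s, ip in sorted(pairs)]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in triage(alerts, HOME_NET, PASS_LIST):
        print(f'{a["verdict"]:16} sid={a["sid"]} {a["src"]} -> {a["dst"]}:{a["dport"]}  {a["msg"]}')
    print("noisy:", noisy_sids(alerts, 3))
    print("\n".join(suppression_candidates(alerts, HOME_NET, PASS_LIST)))
```

Generated entries are suppressions keyed to a source address, which keeps the rule live for everyone else; that is the flexibility the slides prefer over disabling the rule outright. Run the triage over the alert log for a couple of weeks after a ruleset change, as the slides suggest, and only then decide which candidates go into the pfSense suppression list.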

Backups and packet drops.

• pfSense backups are quite good and you can backup all pfSense settings in a small file.

• Note: if you select individual areas for your backup, the package specific settings (such as those for SNORT) are ignored.

• If you restore an entire backup to different hardware, you may need console access to fix any problems with interface mixups.

• Packet sniffing may help identify problems with packet drops. pfSense can sniff packets and save these in a file readable by Wireshark.
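Two of the backup gotchas above can be checked before a restore is attempted. This is an added example, not code from the slides or from pfSense: it inspects a pfSense config.xml backup, reports whether it is a full `<pfsense>` document or a single-area export that will not carry package settings, looks for the SNORT package settings, and lists the physical NIC names the `<interfaces>` section expects so they can be compared with the NICs present on the new hardware. The two XML documents are constructed minimal samples; the `<snortglobal>` element name and the single-area export having the area as its root element are assumptions about the package and backup layout.

```python
import xml.etree.ElementTree as ET

# Constructed minimal full backup (real config.xml files are far larger).
FULL_BACKUP = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw</hostname></system>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>em0</if><descr>LAN</descr></lan>
    <opt1><if>igb1</if><descr>OPT1</descr></opt1>
  </interfaces>
  <filter><rule><descr>allow lan</descr></rule></filter>
  <installedpackages>
    <package><name>snort</name></package>
    <snortglobal><forcekeepsettings>on</forcekeepsettings></snortglobal>
  </installedpackages>
</pfsense>
"""

# Constructed single-area export ("Firewall Rules" area only): assumed layout.
AREA_BACKUP = """<?xml version="1.0"?>
<filter><rule><descr>allow lan</descr></rule></filter>
"""

# Sections a restore to new hardware needs; installedpackages carries SNORT's settings.
REQUIRED = ("system", "interfaces", "filter", "installedpackages")


def check_backup(xml_text):
    """Classify a backup: full or partial, which required sections are absent,
    and whether SNORT package settings are present at all."""
    root = ET.fromstring(xml_text)
    full_doc = root.tag == "pfsense"
    present = {child.tag for child in root} if full_doc else {root.tag}
    missing = [s for s in REQUIRED if s not in present]
    pkgs = root.find("installedpackages") if full_doc else None
    has_snort = pkgs is not None and pkgs.find("snortglobal") is not None
    return {"full": full_doc and not missing, "missing": missing, "has_snort": has_snort}


def interface_assignments(xml_text):
    """Map logical interface (wan, lan, opt1 …) to the physical NIC named in <if>."""
    root = ET.fromstring(xml_text)
    ifaces = root.find("interfaces") if root.tag == "pfsense" else None
    if ifaces is None:
        return {}
    return {i.tag: i.findtext("if") for i in ifaces if i.findtext("if")}


def missing_nics(xml_text, present_nics):
    """NIC names the backup assigns that the target box does not have: each one
    will need a console-side interface reassignment after the restore."""
    assigned = interface_assignments(xml_text).values()
    return sorted(set(assigned) - set(present_nics))


if __name__ == "__main__":
    for label, doc in (("full", FULL_BACKUP), ("area", AREA_BACKUP)):
        print(label, check_backup(doc))
    # Constructed target hardware that only has em* NICs.
    print("needs reassignment:", missing_nics(FULL_BACKUP, ["em0", "em1", "em2"]))
```

A full backup passes the section check and carries the SNORT settings; the single-area export fails it, which is exactly the case the slides warn about. The NIC comparison is worth running before restoring to different hardware, because a mismatch means the box comes up with interfaces unassigned and only the console menu can fix it.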


Questions?

Reference

General pfSense guides:

• pfSense main documentation wiki

• Smallnet builder – building your own IDS firewall with pfSense

• (book) pfSense 2 Cookbook (ISBN: 978-1-849514-86-6) – bit thin in places (eg traffic shaper).

• (book) pfSense: The Definitive Guide (ISBN: 978-0979034282) – old, but detailed.

Traffic limiting guides:

• http://blog.allanglesit.com/2011/08/traffic-limiting-with-pfsense-2-0-rc3/

• http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/

SNORT specific:

• pfSense documentation on SNORT

• Techrepublic – using snort for intrusion detection

• Emerging Threats ruleset information

• (free e-book) SNORT Cookbook (O’Reilly commons)

pfSense tweaks:

• http://wiki.abadonna.info/doku.php?id=pfsense:tricks

pfSense support and suppliers:

• pfSense – supply hardware, support and develop software.

• Deciso – EU based supplier. Supply and support pfSense hardware. On Oracle system as a supplier as of 2015.
