PFsense – is the Home Office Security Solution
My introduction to the online world was the early 90s when I used a dial-up modem to connect with various Bulletin Board Systems and when that same dial up modem was also used to connect to the Colt and Energis Romp’s, there was no apparent risk posed by connecting to the online world of newsgroups and e-business websites.
It was only when Broadband speeds and IPV4 network connectivity, enabled me to run my own web connected servers – that I began to understand that the gateway to the online world was open to abuse and misuse. I will spare you the discovery stories for IPMasquerading, NAT and IPTables – but suffice to say it is the learning from this that has lead me to always deploy a firewall at the front door – designed to filter out malicious traffic and correctly route valid traffic to the right place.
COVID – Home Office evolution
Fastforward to the online COVID world of today – we now have much more than Homebridge servers and Hue Bridge’s on our home network. With just about everyone who can work from home working from home, many home networks have now evolved into small business networks and the progressively growth in IT system complexity, parallels the ground floor of a residential dwelling with a corporate branch office – just with a better coffee machine.
If you are anything like me, then you will have experienced an exponential jump in Broadband utilisation, which may well have lead to some strategic hardware upgrades and purchase of additional devices – from online games consoles to SMART TVs. Budding bloggers may have bought down an old PC from the loft setting it up as a Linux Web Server to host their blog, others will have figured out that their Windows 10 gaming PC comes with a virtualisation platform called Hyper-v which enables you to host a server farm in the same application space as – Call Of Duty. Swift evolution and growth of the online world at home now multiplies the opportunity for malicious code to get into your network and compromise your systems or facilitate theft of personal and sensitive information.
Large Home Networks – are a challenge for the Home IT Manager
Of course the point is – there is no competent IT team at home. We home users just get a new device and follow the instructions. However, the beast of a network some of these ultimately grow into, would be a challenge to manage even for a seasoned corporate IT team.
Lets start off with the Broadband – to cope with the increased demand due to home working we invested in Virginbusiness Broadband – 500mb download and 35mb upload speed and up to 5 fixed public IP addresses all provisioned via a Hitron router. By default the router provides a public gateway address and DHCP functionality effectively serving one of these public IP addresses dynamically, to devices attached to the network.
The port forwarding functionality cannot be set for each of the fixed IPs individually and the firewall appears to support selective enabling of – HTTP, ICMP, Ident, all or nothing, so not really suited to setting up 5 publicly addressable virtual machines such as web servers, deploying NAT whilst enabling access to the required ports. Customers could be forgiven for disabling the lot and it is easily done by following the tutorial on the Virginbusiness website to switch the unit into modem mode.
In modem mode there is no Firewall, no NAT, no Port Forwarding and in this example 5 machines could be connected by manually setting up one of the 5 IP addresses and the gateway address on each of the machines. That is just about as fast as it gets and public IP addresses are fully accessible from anywhere on the internet so absolutely ideal for public facing machines such as web servers. However, exposing any type of machine to the public internet in this way is asking for trouble and the connected system would undoubtedly be compromised in a very short time.
Designing the Gateway – Risk vs Cost
The gateway functionality we need is quite simple. Network Address Translation (NAT) protocol, effectively defining an internal IP address for every machine and forwarding traffic from public IP to internal IP is a very effective way to isolate the machine from the internet. Implementing a Firewall to block everything, and then just open specific ports for traffic forwarded from those ports is a very basic concept and no need to reinvent the wheel as a quick google reveals that there are a whole range of ready built add-on appliances which do this out of the box for multiple fixed IP addresses. Some of these appear to fully embrace the security risks and have very advanced security features. One of them comes in a bright red enclosure and is named named Watchguard Firebox – it doesn’t come cooler than that.
However, having visited the Watchguard Website and located a handy comparison table I thought the Desktop T40 model seemed to fit our needs quite well and it looks exceptionally cool.
Most of the throughput figures for the T40 exceed our 500mb connection so I thought this would be a good place start although the user count seemed a bit high..
So following the T40 link took me to the a page suggesting I contact sales or find a partner. I located a local partner but it seemed to just be a contact form.
So I had a look on Amazon and here is what I found.
Well over £1200 for a an add-on firewall was completely unexpected – no wonder the links lead to a contact page rather than a price list.
So what does a shrewd IT shopper do when encountering a whopping price mismatch such as this… He has a quick check on eBay to see if a pre-owned unit is available. In this case a pre-owned unit was indeed available for £70 with – no subscriptions. It seems the 1 year subscription to Basic Security Suite was some of the difference. Time to take a closer look.
Basic Security Suite – (1 year subscription – £473) This is what you get:
Intrusion Prevention Service – Continually updated signatures scan traffic on all major protocols, providing real-time protection against network threats, including spyware, SQL injections, cross-site scripting, and buffer overflows.
How do you scan HTTPS? Or is this not considered a major protocol?
Application Control – Allow, block, or restrict access to applications based on a user’s department, job function, and time of day. It’s never been easier to decide who, what, when, where, why and how applications are used on your network. You will have the power to limit application usage, and keep unproductive, inappropriate, and dangerous applications off your network.
This doesn’t really apply to the single home office.
WebBlocker – In addition to automatically blocking known malicious sites, WatchGuard WebBlocker delivers granular content and URL filtering tools to block inappropriate content, conserve network bandwidth, and increase employee productivity. A a powerful and easy-to-use solution for controlling and monitoring web activity across your entire organisation.
This sounds like it leverages reputation data collected and maintained by 3rd parties to block / restrict access to harmful content. Sounds useful.
SpamBlocker – Real-time, continuous, and highly reliable protection from spam and phishing attempts. WatchGuard spamBlocker is so fast and effective, it can review up to 4 billion messages per day, while providing effective protection regardless of the language, format, or content of the message. Get real-time, continuous, and highly reliable protection from spam and phishing attempts.
This is comfortably taken care of on our network by anti-virus and spam control employed by gmail.
Gateway AntiVirus – Leverage WatchGuard’s continuously updated signatures to identify and block in real time, known spyware, viruses, trojans, worms, rogue-ware and blended threats – including new variants of known viruses. At the same time, heuristic analysis tracks down suspicious data constructions and actions to make sure unknown viruses don’t slip by.
This is sounds useful – but in our application, anti-virus protecting the end-points is feasible and anything before the endpoint is likely encrypted.
Reputation Enabled Defence – A powerful, cloud-based web reputation service that aggregates data from multiple feeds to provide real-time protection from malicious sites and botnets, while dramatically improving web processing overhead.
This sounds like it leverages reputation data collected and maintained by 3rd parties to block / restrict access to harmful content. Sounds useful.
Network Discovery – This service generates a visual map of all nodes on your network, making it easy to see where you may be at risk. It helps ensure that only authorised devices are connected while detecting all open ports and protocols.
This does not really provide useful benefit for us at this time.
Summing up – the £473/year actually buys us a bunch of features that we do not need, whilst providing some very useful ideas…. So despite the earlier comparison between the home office and a branch office – the Watchguard Firebox is clearly not a cost effective solution.
The hunt for the needle in the haystack continued and it was by chance I came across another, desktop style Network Security Appliance, in a reddit discussion regarding why the product had very few reviews. The conclusion was that is just worked.
These looked quite promising, although only available from a Netgate partner and absolutely none to be found on eBay or Amazon. Best of all they run a system called PFSense on a Linux based OS and get this… PFSense has a community supported open source edition of the software which features exactly the same functionality as the Netgate product running on a FreeBSD machine.
PFSense has an Open Source Community Edition
I setup a fresh Hyper-v Virtual Machine and installed the Linux template and fired it up, I set it up using the Hyper-v virtual switches effectively mapping 2 virtual NICs to LAN and WAN and placed the host machine between the Hitron router (WAN) and one of the numerous ethernet switches (LAN), and plugged the Airport Extreme and Airport Express into spare ports on the ethernet switches on the LAN.
I quickly learned about double NAT the hard way and within the hour I had set both Airports to passthrough mode and was serving IPs from the LAN IP Pool to devices connected to the Airport WiFi and ethernet network. Then I mapped one of the 5 fixed IP addresses to the router itself and then NAT port forwarded the other 4 to Hyper-v Virtual Machines. As I setup the port forwarding, I noticed firewall rules were being created automatically and I even created a set of Outbound NAT rules to ensure the connected Virtual Machines presented themselves with matching IP addresses.
A very highly functional Firewall which caters for multiple IPs and no license cost at all – but having combed the extensive menus I could not find any of the higher end security features seen in the Watchguard Firebox. Then I noticed the package manager.
Suricata and Snort – same question in terms of how do they can supposedly monitor network traffic when it is clearly encrypted. Squid can be used to deploy ClamAV the open source antivirus and malware scanner – which for proper integration would have meant running my own email server.
However, this package looked like it ticked all the boxes. So I installed this.
This worked absolutely fine until the host server needed a reboot after installing updates but then it took the whole network down due to DHCP server going offline, so in the end I did install a physical router running the PFSense system so when the home server went offline it did not effect anything. However, I didn’t buy a Netgate Security Gateway – I bought one of these.