secure your networks with the opensource firewall pfsense
play

Secure your Networks with the Opensource Firewall pfSense - PowerPoint PPT Presentation

Feb 21, 2023 •154 likes •512 views

Secure your Networks with the Opensource Firewall pfSense hagen.bauer@rusticus-consulting.de Agenda About me Why something new? My provider gave me a fjrewall. What exactly is pfSense? Its an easy start More complex

  1. Secure your Networks with the Opensource Firewall pfSense hagen.bauer@rusticus-consulting.de

  2. Agenda ● About me ● Why something new? My provider gave me a fjrewall. ● What exactly is pfSense? ● It’s an easy start ● More complex scenarios are easy to implement ● Summary

  3. About Me ● First job: technical sales for enterprise collaboratjon sofuware ● neither sysadmin nor network engineer ● Power User with “learning by doing” ● pfSense in my home offjce since 2009 – 10 PCs, 4 Server, 8 mobile devices, – Home automatjon, Freifunk, Sonos, Asterisk – 2 Tor Nodes – 4 VLANs – Dual WAN ● netgate authorized partner

  4. Why something new? My provider gave me a fjrewall.

  5. Firewall Market (roughly) ● Enterprise solutjons – $$$$ ● Home use devices – Cheap – Simple but growing set of functjons – Bad track record in regards of security updates

  6. Devices for Home Use ● Missing functjons for small / medium enterprises and family use. – Logging – Site to site connectjons / VPN – Bandwidth limitjng – Network segmentatjon – Multj WAN – Outgoing block of traffjc

  7. LAN local branch your parents Internet DMZ LAN IOT VOIP

  8. So what exactly is pfSense?

  9. pfSense Overview ● Based on FreeBSD – Popular OS plaform for network- and security products – Juniper Junos, NetApp, NetASQ, Cisco IronPort, Citrix, Netglix, etc... ● Administratjon via web interface ● Connects the base components of FreeBSD in one easy to use web user interface ● More functjons then most commercial products

  10. Project History ● Started in 2004 as fork from m0n0wall 1.2 - 02/2008 (FreeBSD 6.2) 2.0 - 09/2011 (FreeBSD 8.1) 2.1 - 09/2013 (FreeBSD 8.3) 2.2 - 01/2015 (FreeBSD 10.1) 2.3 - 04/2016 (FreeBSD 10.3) 2.4 - 10/2017 (FreeBSD 11.1)

  11. Comprehensive Feature Set ● DHCP Server ● Intrusion Detectjon ● DHCP Relay ● PKI ● DNS Resolver ● HA ● Dynamic DNS ● Captjve Portal ● Load Balancer ● Freeradius3 ● Multj WAN ● Squid ● Wake on LAN ● … ● VLAN ● ...

  12. Runs On ● Your own hardware – Min CPU - 500 Mhz RAM - 512 MB ● Appliances from Netgate – Preconfjgured and optjmized – With or without support ● In the cloud – Microsofu Azure / Amazon Cloud ● Hardware requirements depend on throughput and installed packages

  13. It’s an easy start

  14. Scenario 1: Base Installatjon Internet ISP 1 10.17.1.100 Head office 172.17.1.1 LAN 172.17.1.0/24 172.17.1.100

  15. Demonstratjon Base Installatjon

  16. Szenario 1: Base Installatjon Internet ISP 1 10.17.1.100 Head office 172.17.1.1 LAN 172.17.1.0/24 172.17.1.100

  17. Firewall Rules ● Rules are inbound (to the pfSense box) ● First rule wins, the rest will be ignored ● Stateful fjltering ● Aliases simplify the administratjon and reduce possibilitjes of errors – IP addresses – Networks – Hostnames – Ports

  18. More complex scenarios are easy to implement

  19. Advanced Features ● VPN ● DMZ and network segmentatjon ● Bandwidth limitatjon ● Logs of confjguratjon changes

  20. Virtual Private Network ● Connectjon to remote offjces or mobile clients ● IPSec – Standard clients on OS X, iOS, Android – Interoperable ● OpenVPN – Clients behind NAT – Very easy client confjguratjon

  21. LAN 172.18.1.0/24 172.18.1.100 ● Architektur 172.18.1.1 Local branch 10.18.1.100 Internet ISP 1 10.17.1.100 Headquarter 172.17.1.1 LAN 172.17.1.0/24 172.17.1.100

  22. Szenario: Connect 2 Offjces ● Server – Defjnitjon of the VPN server – Open fjrewall for OpenVPN – Defjne network traffjc for VPN tunnel ● Client – Defjnitjon VPN client ● Connectjon test

  23. Demo: Connect 2 Offjces

  24. LAN 172.18.1.0/24 172.18.1.100 ● Architektur 172.18.1.1 Local branch 10.18.1.100 Internet ISP 1 10.17.1.100 Headquarter 172.17.1.1 LAN 172.17.1.0/24 172.17.1.100

  25. Network Segmentatjon ● Base component of network security ● Physical or virtual (VLAN) ● Privat use: IOT, VOIP, „YourChildsLAN” ● Business use: DMZ, old OS in manufacturing facilitjes

  26. LAN 172.18.1.0/24 172.18.1.100 ● Architektur 172.18.1.1 Local branch 10.18.1.100 Internet ISP 1 10.17.1.100 Headquarter 172.17.1.1 DMZ LAN 172.17.2.0/24 172.17.1.0/24 172.17.1.100 172.17.2.10

  27. Szenario 3: DMZ ● Defjnitjon Network / DHCP ● Test Ping – HQ LAN → DMZ => OK – DMZ → HQ Intranet => Error – DMZ → Internet => Error – Branch → DMZ Server => NA ● Port forward to webserver in DMZ ● Test Webserver – Branch → DMZ Server => OK

  28. Demo: DMZ ● Video

  29. LAN 172.18.1.0/24 172.18.1.100 ● Architektur 172.18.1.1 Local branch 10.18.1.100 Internet ISP 1 10.17.1.100 Headquarter 172.17.1.1 DMZ LAN 172.17.2.0/24 172.17.1.0/24 172.17.1.100 172.17.2.10

  30. Scenario 4: Traffjc Shaping ● “Managed unfairness of bandwidth” instead of FIFO ● Queues defjne prioritjes ● Rules manage the queues ● Two methods – Limiter: hard boundary – Traffjc Shaper (ALTQ)

  31. Demo 4: Traffjc Shaping

  32. Confjguratjon History ● Necessary to be GDPR compliant ● Automatjc backup of every change ● “Go back to last version” (save your a**) ● Who did what at what tjme?

  33. Demo: Confjguratjon History

  34. Summary ● Standard device supplied by your provider do not match your growing need. ● pfSense stands out due to – Low / no pre-investments – Enterprise level feature set – Enterprise support if needed – No running license fees of individual capabilitjes (ports / user) ● Ideal start for – Small and medium companies – High end home offjce – Domestjc home

  35. Secure your Networks with the Opensource Firewall pfSense hagen.bauer@rusticus-consulting.de

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Secure Networks Presentation to Plymouth State University IT Systems &

Secure Networks Presentation to Plymouth State University IT Systems &

Secure Networks Presentation to Plymouth State University IT Systems & Networking Staff Fall 2003 Security By Isolation Our Network Servers Internet Public Fac/Staff Firewall Wireless ResNET Border Security

441 views • 26 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of

Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of

Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 1 Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of Energy U N I V E R S I T Y Computer Science Network

1.21k views • 49 slides
Hacking Lucene for Custom Search Results Doug Turnbull OpenSource Connections OpenSource

Hacking Lucene for Custom Search Results Doug Turnbull OpenSource Connections OpenSource

Hacking Lucene for Custom Search Results Doug Turnbull OpenSource Connections OpenSource Connections Hello Me @softwaredoug dturnbull@o19s.com Us http://o19s.com - Trusted Advisors in Search, Discovery & Analytics OpenSource

479 views • 44 slides
Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24 1.1.1.0/24 Rd .1 Ra .4.1 .4.4 1.1.0.0/16 Rc 2.2.2.0/24 .1 .4.2 .1 .23 Rb .47 Re .15.6 .99 1.1.2.0/24 4.4.4.0/24 .24 2 Firewall

708 views • 13 slides
Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services

Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services

Ubiquitous and Secure Networks and Services: SunSpot Development Platform Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and

489 views • 25 slides
Network Security: Continued CS 236 On-Line MS Program Networks and Systems Security Peter

Network Security: Continued CS 236 On-Line MS Program Networks and Systems Security Peter

Network Security: Continued CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 10 Page 1 CS 236 Online Firewall Configuration and Administration Again, the firewall is the point of attack for intruders

375 views • 16 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
S t e p h e n K i n g ' s P r a c t i c a l A d v i c e f o r T e

S t e p h e n K i n g ' s P r a c t i c a l A d v i c e f o r T e

S t e p h e n K i n g ' s P r a c t i c a l A d v i c e f o r T e c h Wr i t e r s Rikki Endsley @ rikki opensource.com : @ Twitter rikkiends opensource.com/stephen-king What, Why, Who, How What

366 views • 26 slides
Computer Networks M QoS basics and protocols Antonio Corradi Academic year 2015/2016 QoS 1

Computer Networks M QoS basics and protocols Antonio Corradi Academic year 2015/2016 QoS 1

University of Bologna Dipartimento di Informatica Scienza e Ingegneria (DISI) Engineering Bologna Campus Class of Computer Networks M QoS basics and protocols Antonio Corradi Academic year 2015/2016 QoS 1 Stream Quality of Service

639 views • 49 slides
Infrastructure for Scientific Instruments Lifetime Connectivity PI: Klara Nahrstedt

Infrastructure for Scientific Instruments Lifetime Connectivity PI: Klara Nahrstedt

CC*Integration: BRACELET: Robust Cloudlet Infrastructure for Scientific Instruments Lifetime Connectivity PI: Klara Nahrstedt University of Illinois at Urbana-Champaign klara@Illinois.edu Current situation in campus scientific instruments

280 views • 9 slides
Real-Time Communication Integrated Services: Integration of variety of services with

Real-Time Communication Integrated Services: Integration of variety of services with

CPSC-663: Real-Time Systems Real-Time Communication Real-Time Communication Integrated Services: Integration of variety of services with different requirements (real-time and non-real-time) Traffic (workload) characterization

703 views • 20 slides
Network Neutrality and the IETF Mark Handley Why should the IETF care about Network Neutrality?

Network Neutrality and the IETF Mark Handley Why should the IETF care about Network Neutrality?

Network Neutrality and the IETF Mark Handley Why should the IETF care about Network Neutrality? An economic and legal issue. IETF doesnt do this well. Both sides of the debate present here. IETF cant take sides.

703 views • 33 slides
Improving QOS in IP Networks Principles for QOS Guarantees Improving QOS in IP Networks

Improving QOS in IP Networks Principles for QOS Guarantees Improving QOS in IP Networks

Improving QOS in IP Networks Principles for QOS Guarantees Improving QOS in IP Networks Principles for QOS Guarantees Thus far: making the best of best effort Example: 1MbpsI P phone, FTP share 1.5 Mbps link. Future: next generation

426 views • 6 slides
VIDEO AND WEB SERVICE QUALITY MONITORING USING ITU-T STANDARDS AT DEUTSCHE TELEKOM Werner Robitza

VIDEO AND WEB SERVICE QUALITY MONITORING USING ITU-T STANDARDS AT DEUTSCHE TELEKOM Werner Robitza

VIDEO AND WEB SERVICE QUALITY MONITORING USING ITU-T STANDARDS AT DEUTSCHE TELEKOM Werner Robitza 1 , Bernhard Feiten 2 , Alexander Raake 1 , Ulf Wstenhagen 2 , Peter List 2 , Steve Gring 1 , Rakesh Rao 1 1 Technische Universitt Ilmenau, 2

392 views • 16 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
COMMON: Coordinated Multi layer Multi domain Optical Network Framework for Large scale

COMMON: Coordinated Multi layer Multi domain Optical Network Framework for Large scale

COMMON: Coordinated Multi layer Multi domain Optical Network Framework for Large scale Science Applications (2010 2013) PI: Dr. Vinod Vokkarane Associate Professor, University of Massachusetts at Dartmouth (Currently on Sabbatical:

749 views • 48 slides

More recommend