SmallNetBuilder

Follow SmallNetBuilder
Follow SmallNetBuilder on TwitterConnect On Facebook Google+Get the SmallNetBuilder RSS Feed
You are here: Security Security How To Build Your Own IDS Firewall With pfSense

Build Your Own IDS Firewall With pfSense

Print E-mail
Prev - Page 1 of 4 - Next >>

Introduction

Don't let the bad guys in

Hear that sound? That is someone rattling your doorknob. If they are able to break in, they will ransack your home, rifle through your private papers, correspondence, bank statements, photos, and if lucky they’ll find your club memberships and credit cards - your identity. They may even plant listening devices. If you lived in a bad neighborhood, you’d put in high quality locks and maybe an alarm system. The problem is, on the net, everywhere is a bad neighborhood.

What stands between you and this happening on the internet is generally your router, which is designed more as a doorway than a lock. Consumer grade firewalls, either software or hardware, can act as a lock or gatekeeper. But to truly turn back the faceless attacks (even if they would just find pictures of your kids), you need a dynamic firewall with intrusion detection; the kind of 1U firewall server appliances usually found only in corporate data centers (read: expensive). Devices that generally start at about $3K; a Cisco PIX firewall starts at nine.

We’ll show you how you can put together your own firewall/router with all of the capabilities of high-end gear using open source software and inexpensive components. There are a significant number of open source distributions available for homebrew router/firewall builds. We chose pfSense for its outstanding built-in functionality, active support forums, first class documentation and overall maturity. Most significantly, beyond rich routing functionality, pfSense offers firewall and intrusion detection/prevention well beyond that of the mere mortal router.

Firewall vs. Intrusion Detection/Prevention

To understand the advantages offered by pfSense over your router or a firewall, we need to understand the difference between what a router/firewall offers and what an Intrusion detection system (IDS) provides.

A firewall, in the most general sense, works at the connection level of your network traffic, looking at the envelope of a network connection:  Where is it coming from? Where is it going? What is the origin and/or destination address/port?

Figure 1 is as real firewall log, notice the aforementioned doorknob rattling:

A real firewall log showing network probes

Figure 1: A real firewall log showing network probes

An intrusion detection system goes beyond and below firewall filtering. Beyond, by looking at the pattern of network connections, recognizing port scans, specific threat signatures and denial of service attacks. Below by looking at the actual contents of each packet, recognizing executable code, badly formed packets, buffer overflow attempts, and things like plain-text credit card numbers.

Figure 2 shows a real log from the IDS tool Snort for the same period as above:

Snort log

Figure 2: Snort log

Note:  The IP addresses have been obscured to protect the innocent and the network the router/firewall protects. These logs are from a developer’s (my) home network, with no P2P traffic or other dodgey activity that might advertise the WAN IP address.

pfSense

pfSense is a free, mature open source project that runs on top of FreeBSD, for firewall/router installations. It has been around since 2004, when it was spun-off from m0n0wall. Where m0n0wall is designed for embedded systems, pfSense is geared toward x86 commodity hardware.

Like any modern router, pfSense is administered through a comprehensive Web GUI (Figure 3). At no point do you need to drop to a shell window, unless you want to further customize your router.

PFsense Dashboard

Figure 3: pfSense Dashboard

The out-of-the-box functionality is impressive, and too long to go into here, but includes full routing capabilities across multiple interfaces, graphical traffic monitoring, firewall filtering, VPN Support (IPSec, OpenVPN, PPTP ), Captive Portal login handling, Quality of Service traffic shaping, load balancing across multiple interfaces, ISP & Router failover,  and network logging. Over the top functionality.

In addition, Table 1 shows a few of pfSense's add-in integrated packages adapted to pfSense’s Web GUI, providing a surprising array of functionality.

Snort Eminent packet filtering rules engine, providing intrusion detection and prevention, allows for policy enforcement, and IP blocking. With custom and regularly updated dynamic rules.
Squid High speed caching web proxy, can run transparently
SquidGuard Squid Proxy Add-on for Content Filtering
HAVP HTTP antivirus scanning proxy, a front-end to ClamAV
IP-Blocklist IP blocking based on various published IP address lists from iBlockList.com
Table 1: pfSense packages

Beyond the integrated pfSense packages, FreeBSD offers a rich set of network tools and open source packages, including EtherApe, PFTop and Tarpit that can run in conjunction with and alongside pfSense.




Related Items:

Build Your Own UTM With pfSense - Part 4
Build Your Own UTM With pfSense - Part 2
Build Your Own UTM With pfSense - Part 1
Build Your Own UTM With pfSense - Part 3
Snort vulnerability found