How To Setup An Industry Grade Firewall On Home Network

Integrating pfSense with Suricata, Snort and Squid to enhance network security!

Working in a company that helps you grow and lets you freely tinker with the technology you want to learn and implement is the best work environment one can ask for. I don't think I could have asked for a better first job. Well, enough ranting for today, let's talk tech!

Backstory

I have just joined a new organisation where, for the first time, I have been seriously working on the blue team: setting up security measures while figuring out ways to find a loophole and then fixing it along the way. The previous week I was working on a combination of osquery and the ELK stack to enhance our logging capabilities.

Once that project was completed I moved on to other projects, and configuring a firewall was the next thing I wanted to try. The best solution I came up with involved pfSense, so I thought: why not set it up at home and experiment on it before deploying it in a live environment? Anyone who has used a firewall knows that the rulesets and the tools on top of it must be configured meticulously; otherwise it either generates too many false positives or it lets almost all traffic through, and neither of those is of any use to us.

Let’s begin!

Now that I had decided on pfSense, the next step was to set it up in my VirtualBox environment and see whether it worked properly, and after that to look around at the functionality pfSense provides by default.

Setting up pfSense

I already had VirtualBox installed on my system. After going through a few videos about pfSense on YouTube I downloaded the pfsense.iso file from the pfSense website, created a blank VirtualBox VM of type FreeBSD (64-bit) and attached the .iso to it. The thing to remember here is that pfSense needs two network adapters to function. Why? Because it acts as the gateway between your LAN and the WAN, so it needs one interface on each side. The image below shows the layout.

All the devices below the pfSense firewall are on your local network (office computers, home devices and so on) and everything above it is the wide area network (the internet). A firewall has to be the gateway between your local devices and the internet; only then does every packet pass through it, which is what lets it monitor your traffic and safeguard your network. So, with the .iso attached, I created two network adapters for the virtual machine: the WAN-facing one on NAT and the LAN-facing one on an internal network. With that, the hardware side of the pfSense VM is done, so let's boot it up.

On the first boot there isn't much to do: accept the defaults and press OK through the installer. On the second boot we are presented with the console menu shown below.

Now comes the software configuration needed to get pfSense working properly. At this stage we only need to assign IP addresses; once that is done we can use the web GUI for the rest of the settings. Configure the WAN interface for DHCP, so its address is provided dynamically (VirtualBox's NAT hands out addresses from 10.0.2.0/24 by default), but give the LAN interface a static address. Since we are using an internal network, assign it 192.168.0.1/24 (pfSense's own default is 192.168.1.1/24; either is fine as long as it does not overlap the WAN side). Once the addresses are assigned we need a second virtual machine with a GUI, which can be Ubuntu, Windows or whatever your requirement might be. I won't go into detail on that; you can watch the video here. Just keep in mind to change the network settings of this machine so that it sits on the same internal network as pfSense's LAN adapter.
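The VirtualBox side of the setup above, as an added example that is not part of the original post: a POSIX shell script that builds the pfSense VM with adapter 1 on NAT (WAN) and adapter 2 on an internal network (LAN), plus a client VM whose only adapter is on that same internal network, using VBoxManage rather than the GUI. The VM names, the internal-network name "pflan", the disk size and the ISO path are assumptions; the IP addressing is still done in the pfSense console afterwards, exactly as described above.

```shell
#!/bin/sh
# Added example (not code from the original post): the two-adapter VirtualBox
# layout described above, built with VBoxManage instead of the GUI.
# Assumptions: VM names "pfsense-lab" and "lan-client", internal network "pflan",
# ISO path in $PFSENSE_ISO. DRY_RUN=1 prints the commands instead of running them.

VM_NAME="${VM_NAME:-pfsense-lab}"
CLIENT_NAME="${CLIENT_NAME:-lan-client}"
INTNET="${INTNET:-pflan}"
PFSENSE_ISO="${PFSENSE_ISO:-$HOME/Downloads/pfSense.iso}"
DISK="${DISK:-$HOME/VirtualBox VMs/$VM_NAME/$VM_NAME.vdi}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The firewall VM. Adapter 1 (WAN) is NAT: it gets an address from VirtualBox's
# built-in DHCP on 10.0.2.0/24 and reaches the real internet through the host.
# Adapter 2 (LAN) is an internal network: reachable only by other VMs on the same
# internal network, never by the host or the outside world.
create_pfsense_vm() {
    run VBoxManage createvm --name "$VM_NAME" --ostype FreeBSD_64 --register
    run VBoxManage modifyvm "$VM_NAME" --memory 1024 --cpus 1 \
        --nic1 nat \
        --nic2 intnet --intnet2 "$INTNET"
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    run VBoxManage createmedium disk --filename "$DISK" --size 8192
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK"
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$PFSENSE_ISO"
}

# The test client. Its only adapter is on the same internal network, so its only
# path to the internet runs through pfSense; give it a NAT adapter as well and it
# would bypass the firewall entirely.
create_client_vm() {
    run VBoxManage createvm --name "$CLIENT_NAME" --ostype Ubuntu_64 --register
    run VBoxManage modifyvm "$CLIENT_NAME" --memory 2048 --cpus 2 \
        --nic1 intnet --intnet1 "$INTNET"
}

# Check a DRY_RUN transcript for the topology that makes the lab meaningful:
# pfSense has one NAT adapter and one intnet adapter on $INTNET, and the client
# sits on $INTNET with no NAT adapter of its own. Returns 0 if so, 1 otherwise.
check_topology() {
    transcript="$1"
    fw=$(printf '%s\n' "$transcript" | grep "modifyvm $VM_NAME ") || true
    client=$(printf '%s\n' "$transcript" | grep "modifyvm $CLIENT_NAME ") || true
    printf '%s\n' "$fw" | grep -q -- "--nic1 nat" || return 1
    printf '%s\n' "$fw" | grep -q -- "--nic2 intnet --intnet2 $INTNET" || return 1
    printf '%s\n' "$client" | grep -q -- "--nic1 intnet --intnet1 $INTNET" || return 1
    if printf '%s\n' "$client" | grep -q -- " nat"; then
        return 1
    fi
    return 0
}

# Usage: "sh build_lab.sh check" prints and verifies the commands without running
# them; "sh build_lab.sh build" creates both VMs.
case "${1:-}" in
    build) create_pfsense_vm; create_client_vm ;;
    check) DRY_RUN=1
           transcript="$(create_pfsense_vm; create_client_vm)"
           printf '%s\n' "$transcript"
           check_topology "$transcript" && echo "topology ok" ;;
esac
```

The check function is there because the single most common way this lab silently stops being a firewall lab is a client VM that also has a NAT or bridged adapter: it will happily reach the internet without ever touching pfSense, and every rule you write will look like it works.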

Configuring pfSense

Once the virtual machine is up and running, ping 192.168.0.1. It should reply without a problem; if it doesn't, something in the pfSense setup is misconfigured (most often the client is not on the same internal network as the LAN adapter, or the LAN address was not set) and you need to go back and fix it. Assuming everything works, open a browser and browse to that IP address. We are greeted by a login page that looks something like this.

The default login credentials are username admin and password pfsense. The first login starts the setup wizard, which among other things asks you to set a new admin password; do it there, because anyone on the LAN side who knows the default can otherwise take over the firewall. Once you are logged in you can view the entire pfSense dashboard. Feel free to look around at the features pfSense provides by default before we begin installing specific packages on top of it.

Installation of Packages

pfSense can be extremely effective all by itself, provided you configure the rules properly. pfSense is a firewall, but I wanted to build intrusion detection and intrusion prevention on top of it, and for that I used Suricata and Snort. Then I used the Squid proxy to monitor web traffic and only allow access to websites we have whitelisted. Installing packages is simple: click on "System", then "Package Manager" in the drop-down menu, open the "Available Packages" tab and search for whichever package you want to install on top of pfSense.

  • Snort & Suricata

Both are signature-based IDS/IPS engines: they inspect traffic against a ruleset and either alert on packets that match a rule (IDS) or drop them (IPS), and both work great. As with all tools, each does certain things better than the other, and hence I installed both of them on my pfSense.

  • Squid

Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic.

Wikipedia describes its utility best, and it is that functionality that made me include it with pfSense: filtering traffic, blocking sites we deem unnecessary, stopping users from bypassing the filter by browsing to an IP address instead of a domain name, and so on.

  • Bandwidthd

I added this to pfSense as well, as it helps me monitor exactly which system on the network is consuming how much bandwidth and which protocols they are using (HTTP, FTP, etc.). It gives a graphical representation of bandwidth use, making it easier to point out any defaulters.

There are many other packages that can be integrated with pfSense depending on your needs.
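The Squid whitelist described in the Squid section above, as an added example that is not code from the original post or from the Squid project: a whitelist file, the squid.conf fragment that enforces it, and a small POSIX shell checker that reproduces how Squid's dstdomain ACL matches host names, so you can see what the proxy would allow or deny before loading the config. The LAN range 192.168.0.0/24, the proxy port 3128, the Squid version (3.5 or later, for the -n flag) and the whitelisted domains are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not code from the original post): a Squid whitelist of the kind the
# post describes, and a small checker that reproduces how Squid's dstdomain ACL
# matches, so you can see what the proxy would allow before loading the config.
# Assumptions: LAN is 192.168.0.0/24, Squid listens on 3128, Squid >= 3.5 (for the
# -n flag), and the whitelisted domains are made up for the example.

WHITELIST="${WHITELIST:-/tmp/whitelist.txt}"

# dstdomain semantics: a leading dot matches the domain itself and every subdomain;
# an entry without a leading dot matches that exact host name only.
write_whitelist() {
    cat > "$WHITELIST" <<'EOF'
.example.com
.ubuntu.com
security.example.org
EOF
}

# squid.conf fragment: numeric destinations are refused first (the "browse by IP to
# dodge the rules" trick), then the LAN may reach whitelisted domains, then deny all.
# Order matters: Squid acts on the first http_access line that matches.
write_squid_conf() {
    cat <<EOF
http_port 3128
acl lan src 192.168.0.0/24
acl allowed_sites dstdomain "$WHITELIST"
acl numeric_ip dstdom_regex -n ^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$
http_access deny numeric_ip
http_access allow lan allowed_sites
http_access deny all
EOF
}

# Return 0 if HOST would be allowed, 1 if denied, mirroring the http_access order.
is_allowed() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$host" in
        *[!0-9.]*) ;;        # contains a letter or other non-digit: a host name
        *) return 1 ;;       # only digits and dots: a raw IP, denied outright
    esac
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -z "$entry" ] && continue
        case "$entry" in
            .*) bare="${entry#.}"
                # ".example.com" allows example.com itself and any *.example.com
                [ "$host" = "$bare" ] && return 0
                case "$host" in *"$entry") return 0 ;; esac ;;
            *)  # "security.example.org" allows exactly that host and nothing else
                [ "$host" = "$entry" ] && return 0 ;;
        esac
    done < "$WHITELIST"
    return 1
}

# Usage: "sh squid_whitelist.sh conf" prints the config;
#        "sh squid_whitelist.sh check www.example.com 93.184.216.34" tests hosts.
case "${1:-}" in
    conf)  write_whitelist; write_squid_conf ;;
    check) write_whitelist; shift
           for h in "$@"; do
               if is_allowed "$h"; then echo "allow $h"; else echo "deny  $h"; fi
           done ;;
esac
```

Two caveats a practitioner would want. The proxy only governs traffic that actually reaches it: unless the pfSense LAN rules block direct outbound 80/443 from every host except the proxy (or Squid runs in transparent mode), a user can simply point the browser straight at the internet and the whitelist never sees the request. And for HTTPS, Squid sees only the host name in the CONNECT request (or the SNI in transparent mode), which is enough for a domain whitelist like this one but not for inspecting page content.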

Develop your own!

If after reading this you feel it would be really cool to build a setup like this for yourself, trust me, you must try it out. Keep in mind that firewall rules are the essence of all the security a firewall provides, and they need to be written with the needs of the organisation you are configuring it for in mind.

Source: Medium

Happy learning, folks! 🙂
