Using pfSense with SNORT for a firewall with intrusion prevention.


1 Using pfSense with SNORT for a firewall with intrusion prevention.
Low cost firewall.

2 What we're going to cover…
Why we chose pfSense over other options.
Other features offered and limitations.
What are pfSense & SNORT?
pfSense requirements.
Installation overview.
Using the GUI and console menu.
Important tweaks and gotchas.
Packet shaping.
Installing and using SNORT as an IDS or IPS.
False positives, backups and packet drops.
Questions?

3 More detail This workshop is a quick overview of pfSense + SNORT.
A more in depth set of instructions is available on the Oxford ITSS wiki and I’ll upload them to a public web site too. Oxford ITSS wiki link – Web site -

4 Why we chose pfSense over other options.
What we wanted for a new firewall:
Ability to scale above 100Mb/s up to 2Gb/s to match the TONE upgrade.
Ability to bridge rather than NAT, as we host services.
Packet shaping & QoS to avoid congestion for critical traffic (eg: Chorus/ICP & web sites).
Reliable (as opposed to the one it replaced).
Not too expensive.

5 Commercial options.
We found several commercial brands of firewall in use within the university. Recommended makes were: Palo Alto; Fortinet's Fortigate (with special pricing negotiated via NSMS); Dell's Sonicwall series; Watchguard's XTM series.

6 Commercial firewalls
The good:
Ease of use (used Watchguard, saw Sonicwall & tried Fortinet).
Low maintenance.
Cost for 100Mb/s bandwidth capacity is affordable.
Works with little configuration, out of the box.
The downside:
Cost for 1Gb/s is much higher (around £10,000 over 5 years).
There can be vendor lock-in for 3-5 years on some contracts.
We found the two units from one manufacturer to be unreliable under long term use.

7 Open source pfSense firewall with SNORT
The good:
Low cost (use existing server hardware, or approx. £1700 for a unit built for pfSense).
Subscription cost for SNORT rules: £0 for community rulesets, or £260pa - £390pa for commercial subscriptions.
Uses commodity hardware.
IDS/IPS as with commercial firewalls.
The downsides:
Requires more time to test & set up the IDS/IPS system initially.
Application monitoring and control is not too easy to set up.
Not reported as working at 10Gb line speed yet.

8 Other features with pfSense
High availability/load balancing.
Packages to extend the system (SNORT, zabbix client, etc…).
AD authentication, captive portal, RADIUS auth support.
DNS service, DHCP service/relay, NTP service, SNMP, PPPoE, WoL.
Diagnostics – ARP tables, pretty graphs, logs with remote logging, packet capture, firewall states, SMART status, sockets and packet limiter info, RRD graphs.
IPv6 support.

9 Hang on, what are SNORT and pfSense?
pfSense is an extendable open source stateful firewall with a web GUI and an application package system. SNORT is an open source intrusion detection/prevention system (which happens to be available as a package for pfSense). SNORT analyses network traffic in various ways to detect 'bad' traffic. SNORT rules define exactly what 'bad' traffic is (eg: SQL injection attempts): each rule pairs a header (protocol, source, destination and ports) with options such as the content to look for, a message and a unique SID. Subscriptions to SNORT rules are offered by the SNORT community and commercially by SNORT/Talos and Emerging Threats.
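To make the 'rules define bad traffic' point concrete, here is an added example (not code from the presentation or from the Snort project): a toy matcher for the content options of Snort rules. It shows how a rule turns an SQL injection attempt into a signature with a SID, and why a loose content match also fires on harmless text, which is where the false positives discussed later come from. Only msg, content, nocase, sid and rev are understood; real Snort has many more options and normalises HTTP before matching. The rules, SIDs and HTTP requests are constructed for illustration.

```python
"""Added example, not from the presentation: a toy matcher for the content
options of Snort rules.  Only msg, content, nocase, sid and rev are understood;
real Snort has many more options and normalises HTTP before matching.  The
rules, SIDs and HTTP payloads below are constructed for illustration."""
import re

# Constructed local rules.  SIDs from 1000000 upwards are reserved for local rules.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL SQLi UNION SELECT in request"; content:"UNION"; nocase; content:"SELECT"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL SQLi tautology in request"; content:"' OR 1=1"; nocase; sid:1000002; rev:1;)
'''

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_rule(line):
    """Split one rule into its header fields and the options this toy understands."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": [], "msg": "", "sid": None, "rev": None}
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append({"pattern": val, "nocase": False})
        elif key == "nocase":          # modifies the content option that precedes it
            rule["contents"][-1]["nocase"] = True
        elif key == "msg":
            rule["msg"] = val
        elif key in ("sid", "rev"):
            rule[key] = int(val)
    return rule


def matches(rule, payload, dport):
    """True when the port matches and every content pattern occurs somewhere in
    the payload (each searched independently, as Snort does without distance/within)."""
    if rule["dport"] != "any" and str(dport) != rule["dport"]:
        return False
    for c in rule["contents"]:
        hay, needle = payload, c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def alerts_for(payload, dport=80, rules=RULES):
    """Return (sid, msg) for every rule the payload triggers."""
    parsed = [parse_rule(l) for l in rules.strip().splitlines()]
    return [(r["sid"], r["msg"]) for r in parsed if matches(r, payload, dport)]


# Constructed HTTP requests: a real injection, a clean request, and a harmless
# blog post that happens to contain both keywords (a false positive).
ATTACK = "GET /items.php?id=1 UNION SELECT user,password FROM users HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BENIGN = "GET /items.php?id=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
FALSE_POSITIVE = ("POST /blog HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                  "title=Union+membership&body=Select+your+local+branch")

if __name__ == "__main__":
    for name, req in (("attack", ATTACK), ("benign", BENIGN), ("false positive", FALSE_POSITIVE)):
        print(name, "->", alerts_for(req))
```

The blog post triggers the same SID as the real injection, which is exactly the class of alert the suppression and pass-list slides later deal with.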

10 pfSense requirements.
Running as a stateful firewall, pfSense alone requires only a modest system: a PCIe bus, to ensure enough bandwidth for the NICs; enough NICs, preferably well supported ones such as the Intel Pro series; preferably a 64-bit processor. With the SNORT IDS/IPS package, 4 GB of RAM is recommended as well as a good multicore processor.

11 Firewall networking view
(Diagram: physical NICs em0, em1, em2 and igb0, igb1, igb2 are aggregated into LAGG0 and LAGG1; the virtual interfaces LAN, WAN and OPT1 sit on the aggregates; WAN and OPT1 are linked by a bridge that carries the WAN and LAN traffic, and an admin connection reaches the pfSense web GUI.) Diggory Gray (ITSS), Faculty of Classics, Oxford University.

12 Firewall installation steps
Console install & setup:
Install from CD.
Assign the LAN IP.
Turn off DHCP.
Web GUI configuration:
Change your password and set up HTTPS.
Assign NICs to LACP groups.
Set up DNS and NTP, and turn off NAT.
Assign the WAN and OPT interfaces.
Set up firewall rules.
Tune your system for the network cards.
Add niceties such as remote syslogging and the traffic shaper.
SNORT package configuration:
Install the SNORT package.
Set up an interface for SNORT to use.
Subscribe to SNORT rule sources.
Set up SNORT categories.
Check the SNORT rules for each category and monitor for SNORT alerts.
Create a pass list and a suppression list.
When SNORT is ready, test in non-blocking mode (IDS, not IPS) first.

13 Using the GUI and console menu.

14 Setting up aliases.
(Screenshot of the alias page: aliases can be added, edited and deleted here, and are then referenced by name in firewall rules.)

15 Firewall rules
Firewall rules are applied to packets inbound to a specific interface. Each interface has its own rules. The rules are interpreted in order and the first matching rule wins, so make sure your order is correct (the GUI lets you move selected rules above another rule). By default no traffic is passed by the firewall: a PASS rule is required.
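An added example (not code from the presentation or from pfSense) that models the two points above together with the aliases slide: aliases expand to address sets, the rules on one interface are tried top to bottom, the first match wins (pfSense adds 'quick' to every GUI rule), and anything no rule passes is dropped. The hidden rules pfSense adds itself (anti-lockout and friends) are left out, and the aliases, addresses, interface rules and packets are constructed.

```python
"""Added example, not from the presentation: a model of how the rules on one
pfSense interface are evaluated.  Aliases expand to address sets, rules are
tried top to bottom against packets arriving on the interface, the first match
wins, and anything no rule passes is dropped.  Hidden built-in rules are
ignored.  The aliases, addresses, rules and packets are constructed."""
import ipaddress

# Constructed aliases, as you would define them under Firewall > Aliases.
ALIASES = {
    "WebServers": ["192.0.2.10", "192.0.2.11"],
    "AdminHosts": ["198.51.100.0/29"],
    "KnownBad": ["203.0.113.0/24"],
}


def expand(name):
    """Alias name, 'any' or a literal address/CIDR -> list of ip_network objects."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(e, strict=False) for e in ALIASES.get(name, [name])]


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def packet(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(rules, pkt):
    """Return (action, description) of the first rule matching pkt; with no match
    the packet is blocked, because pfSense passes nothing by default."""
    for r in rules:
        if r["proto"] != "any" and r["proto"] != pkt["proto"]:
            continue
        if not in_any(pkt["src"], expand(r["src"])):
            continue
        if not in_any(pkt["dst"], expand(r["dst"])):
            continue
        if r["dport"] != "any" and pkt["dport"] not in r["dport"]:
            continue
        return r["action"], r["descr"]
    return "block", "default deny"


# Constructed WAN rules in the intended order: the block sits above the passes.
WAN_RULES = [
    {"action": "block", "proto": "any", "src": "KnownBad", "dst": "any", "dport": "any", "descr": "drop known-bad range"},
    {"action": "pass", "proto": "tcp", "src": "any", "dst": "WebServers", "dport": {80, 443}, "descr": "public web"},
    {"action": "pass", "proto": "tcp", "src": "AdminHosts", "dst": "WebServers", "dport": {22}, "descr": "admin ssh"},
]
# The same rules with the block moved to the bottom: the 'public web' pass now
# shadows it, so the known-bad range still reaches the web servers.
WAN_RULES_MISORDERED = WAN_RULES[1:] + WAN_RULES[:1]

if __name__ == "__main__":
    scanner = packet("tcp", "203.0.113.7", "192.0.2.10", 80)
    print("intended order:  ", evaluate(WAN_RULES, scanner))
    print("misordered:      ", evaluate(WAN_RULES_MISORDERED, scanner))
    print("unlisted service:", evaluate(WAN_RULES, packet("tcp", "192.0.2.200", "192.0.2.10", 22)))
```

The misordered set is the classic mistake: a broad pass above a narrow block makes the block dead, and nothing in the GUI warns you.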

16 Important tweaks and gotchas.
Remember to tweak your network cards and check that it worked (eg the mbuf usage reported on the dashboard). Don't be too quick to turn on SNORT with multiple rulesets; try the non-blocking mode first. When applying a large change to the firewall (eg the packet shaper configuration) you may need to reset the firewall state table (this will briefly disrupt traffic). Remove any IP addresses assigned on the bridged WAN and OPT interfaces. You may need to turn off 'packet scrubbing', or stop it dropping packets with the 'don't fragment' bit set, if you want to let NFS traffic through.

17 Using the packet shaper.
It's important to note that the traffic shaper has a bandwidth overhead on your main connection of around 10% - 18%. The traffic shaper links in with firewall 'PASS' rules to identify packet priority. Several packet shaper algorithms are available:
HFSC – the most complex, and may be discontinued.
CBQ – like PRIQ but with a hierarchical structure and bandwidth limits for queues.
FAIRQ – based on CODELQ, but attempts a fair allocation for each queue.
CODELQ – used to avoid TCP buffer bloat problems through controlled delay.
PRIQ – several queues, each with a different priority; there are no per-queue bandwidth limits, so a busy high-priority queue can starve the lower ones.

18 Choosing your algorithm.
If you want to prioritise some traffic (such as VoIP) at the expense of other types, then you will want HFSC, CBQ or PRIQ. PRIQ is the easiest to set up, but can allow lower priority traffic to be starved of bandwidth completely. CBQ allows a hierarchical set of traffic queues to be created, each with its own bandwidth. HFSC is quite complex, but provides the most flexible shaping system.

19 Example of CBQ setup on our firewall
We set up a CBQ shaper and limited HFS backup traffic to 65% of our 100Mb link. Normally HFS backups from our servers can saturate our link, but the traffic graph on the slide shows the packet shaper in action.
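An added example (not code from the presentation, and not pf's ALTQ code) covering the algorithm comparison on the previous two slides and the 65% backup cap on this one: a toy simulation of one steady second of traffic in whole Mb/s, showing why PRIQ can starve a low-priority queue and how a CBQ queue that is not allowed to borrow stays capped even when the link is otherwise idle. The offered loads, priorities and queue shares are constructed, and the arithmetic is a simplification.

```python
"""Added example, not from the presentation: a toy simulation of PRIQ versus
a simplified CBQ over one steady second in whole Mb/s.  Offered loads and
queue settings are constructed; the arithmetic simplifies ALTQ."""

LINK_MBPS = 100  # constructed 100 Mb/s link, as in the backup example


def priq(classes, link=LINK_MBPS):
    """Strict priority: the highest priority queue is served first and the
    lower ones get whatever is left, possibly nothing."""
    out, left = {}, link
    for name, c in sorted(classes.items(), key=lambda kv: -kv[1]["prio"]):
        out[name] = min(c["offered"], left)
        left -= out[name]
    return out


def cbq(classes, link=LINK_MBPS):
    """Class based queueing, simplified: each queue is guaranteed its share
    (percent of the link); spare capacity is lent in priority order, but only
    to queues that are allowed to borrow."""
    out = {name: min(c["offered"], c["share_pct"] * link // 100) for name, c in classes.items()}
    spare = link - sum(out.values())
    for name, c in sorted(classes.items(), key=lambda kv: -kv[1]["prio"]):
        if spare <= 0:
            break
        if not c["borrow"]:
            continue
        extra = min(c["offered"] - out[name], spare)
        out[name] += extra
        spare -= extra
    return out


# Constructed demand: a misbehaving web class offers more than the link, and
# backups offer far more.  Shares add up to 100% of the link.
BUSY = {
    "voip":   {"offered": 5,   "prio": 7, "share_pct": 10, "borrow": False},
    "web":    {"offered": 110, "prio": 4, "share_pct": 25, "borrow": True},
    "backup": {"offered": 150, "prio": 1, "share_pct": 65, "borrow": False},
}
# Constructed quiet period: only backups are busy, yet the 65% cap still holds.
QUIET = {
    "voip":   {"offered": 0,   "prio": 7, "share_pct": 10, "borrow": False},
    "web":    {"offered": 10,  "prio": 4, "share_pct": 25, "borrow": True},
    "backup": {"offered": 150, "prio": 1, "share_pct": 65, "borrow": False},
}

if __name__ == "__main__":
    for label, demand in (("busy", BUSY), ("quiet", QUIET)):
        print(label, "PRIQ:", priq(demand), "CBQ:", cbq(demand))
```

Under PRIQ the backup queue gets nothing while the web class misbehaves; under CBQ every class keeps its guaranteed share, and because the backup queue cannot borrow it never exceeds 65 Mb/s, which is the trade-off the graph on this slide shows: spare capacity is left unused during quiet periods in exchange for a hard ceiling.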

20 Firewall rules and traffic limiters
Use a firewall 'PASS' rule to 'select' traffic, which can then be passed to the correct traffic shaper queue. The queue settings are shown in the 'advanced' section of the firewall rule. For each traffic type you'll need two queues: a 'queue' for the traffic itself and an 'ACKqueue' for the TCP acknowledgements flowing the other way, so that a saturated queue in one direction does not throttle the other. Traffic limiters are separate from the shaper: they limit specific traffic (rather than prioritise it) and can follow different time schedules.

21 Installing and using SNORT as an IDS or IPS.
Installing SNORT is easy: pfSense will download and install the package automatically for you. pfSense won't start the SNORT service or configure SNORT to inspect any of your interfaces, though. The tricky bit is configuring the rules SNORT will use to monitor your traffic and tuning the SNORT parameters.

22 Interfaces configuration
You can configure multiple instances of SNORT. Each instance will run independently with different rulesets and configuration parameters.

23 Signing up to ruleset subscriptions
There are several sources of SNORT rules:
Snort VRT rules (paid (~$260pa) or free sign-up versions).
SNORT community rules.
Emerging Threats open rules (free).
Emerging Threats Pro rules (paid only, ~£390pa).
Naturally the paid versions offer more timely updates than the free ones. Subscriptions should be available from approved suppliers such as Insight or PCS Systems.

24 Selecting the rulesets you need.
It's best to select the rulesets directly rather than use the 'Snort VRT IPS Policy Selection'; this way you can select only the rulesets you need and reduce the load on SNORT. Once enabled, you can click on a ruleset to see the rules within it. Do not enable too many rules at once or you'll be overwhelmed with false positive alerts from SNORT. Check out the SNORT and ET websites for information on what some of the rulesets do, or check the type of rules in each ruleset as a guide. Test a ruleset before you use it…

25 Preprocessor configuration
Preprocessors add extra capability to SNORT and are required by certain rules. Enabling or disabling them is easy to do. Be aware that some preprocessors are a little too sensitive (such as 'portscan detection'). The defaults on most preprocessors are adequate. If you have a rule which requires a disabled preprocessor, SNORT will generate a lot of syslog chatter mentioning the problem. You can find all the rules which use preprocessors in the <interface> Rules tab.

26 Logging and whitelisting.
You'll need to decide if an instance of SNORT is going to block hosts or not. Blocking hosts turns SNORT into an IPS (Intrusion Prevention System); otherwise it's merely a detection system (IDS). SNORT should send alerts to the syslog service so they can be centrally processed (handy if you have a dedicated syslog server). Pass lists are essential. The 'home net' defines the addresses SNORT treats as yours (the $HOME_NET variable the rules refer to); the 'pass list' holds addresses that are still inspected but never blocked. Put your gateways, DNS servers and management hosts on the pass list, or a single false positive can lock you out of your own firewall.

27 Alerts & false positives
When you have SNORT running with some rules, you'll need to check the 'alerts' tab (or your syslog server) for SNORT alerts. The SNORT alerts will tell you when a rule has been triggered (and possibly a host blocked). NB. You can resolve hostnames from this screen by clicking on the blue 'i' icons.

28 False positive?
Resolving the IP to a hostname can help you judge whether the source is legitimate. The rule description tells you which rule fired, along with its 'SID' number. Look out for rules which say 'possible' in the wording. If you think the host may be genuine and the rule suspect, check the source IP and the destination port and IP carefully. Use online IP reputation websites (such as IP Checker, IP Void or others) to look up known bad IPs as a second source of reference.

29 IP blocklisting, rule suppression and disabling
Once you've found a false positive alert, you'll want to remove the IP from the block list (if you are using blocking). To prevent a recurrence you can suppress or disable the SNORT rule. The icons on the alerts tab give you these actions:
Suppress alerts for this rule from this source IP.
Remove this IP from the block list.
Suppress alerts for this rule to this destination IP.
Suppress all alerts for this rule.
Disable this rule and delete it.

30 Suppression vs disabling
If you have the option, suppressing by IP gives you more flexibility, allowing you to add an exception to a rule for a particular destination or source IP. You can edit any exceptions you make in the suppression list (which is a list of SNORT suppress entries). Disabling a rule reduces the load on SNORT slightly, but is a last resort and means SNORT will not report future occurrences. It is better to disable rules in the interface 'rules' tab rather than delete them from the alerts tab (just in case you change your mind).
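An added example (not code from the presentation or from the pfSense Snort package) that ties together the logging, pass list and suppression slides: a small processor for Snort 'alert_fast' log lines that applies a suppression list written in Snort's own 'suppress' syntax, a home net and a pass list, and reports what a blocking instance would do with each alert. Real Snort drops suppressed events before they are ever logged, and the pfSense package can be set to block the source, the destination or both; this models the decision as 'block whichever end is outside the home net'. The alert lines, SIDs, messages, addresses and lists are all constructed.

```python
"""Added example, not from the presentation: processes constructed Snort
alert_fast lines against a suppression list (Snort 'suppress' syntax), a home
net and a pass list, and reports what a blocking instance would do."""
import ipaddress
import re

# Constructed suppression list: one entry keyed to a source IP, one for a whole SID.
SUPPRESS = """
suppress gen_id 1, sig_id 2000345, track by_src, ip 203.0.113.5
suppress gen_id 1, sig_id 2100498
"""
# Constructed home net and pass list; the upstream gateway 198.51.100.1 is
# outside the home net but must never be blocked.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
PASS_LIST = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.1/32")]

ALERT_RE = re.compile(
    r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} '
    r'(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?')


def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_suppress(text):
    """'suppress gen_id G, sig_id S[, track by_src|by_dst, ip A]' -> list of dicts."""
    entries = []
    for line in text.strip().splitlines():
        fields = dict(f.split(None, 1) for f in line[len("suppress"):].split(","))
        entries.append({"gid": int(fields["gen_id"]), "sid": int(fields["sig_id"]),
                        "track": fields.get("track"),
                        "ip": ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None})
    return entries


def parse_alert(line):
    """Pull gid/sid/rev, message, protocol and endpoints out of one alert_fast line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg, proto, src, dst = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "proto": proto, "src": src, "dst": dst}


def is_suppressed(alert, entries):
    for e in entries:
        if (e["gid"], e["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if e["ip"] is None:                      # suppress the SID everywhere
            return True
        addr = alert["src"] if e["track"] == "by_src" else alert["dst"]
        if in_nets(addr, [e["ip"]]):
            return True
    return False


def process(lines, blocking=True, suppress=SUPPRESS):
    """For each alert line decide: suppressed, alert only, passlisted (offender
    on the pass list) or block, naming the IPs a blocking instance would block."""
    entries = parse_suppress(suppress)
    results = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if is_suppressed(a, entries):
            results.append({"sid": a["sid"], "action": "suppressed", "blocked": []})
            continue
        # The offender is whichever end lies outside the home net; pass-listed
        # addresses are still reported but never blocked.
        outside = [ip for ip in (a["src"], a["dst"]) if not in_nets(ip, HOME_NET)]
        blockable = [ip for ip in outside if not in_nets(ip, PASS_LIST)]
        if not blocking:
            action = "alert"
        elif blockable:
            action = "block"
        elif outside:
            action = "passlisted"
        else:
            action = "alert"
        results.append({"sid": a["sid"], "action": action,
                        "blocked": blockable if action == "block" else []})
    return results


# Constructed alert_fast lines (timestamp, [gid:sid:rev], message, classification, endpoints).
ALERTS = """
03/14-10:22:51.123456  [**] [1:2000345:12] CONSTRUCTED web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:80
03/14-10:22:53.000010  [**] [1:2000345:12] CONSTRUCTED web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.77:51000 -> 192.0.2.10:80
03/14-10:23:02.500000  [**] [1:2100498:7] CONSTRUCTED noisy protocol anomaly [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.9:53 -> 192.0.2.10:40211
03/14-10:23:10.000000  [**] [1:1000001:1] CONSTRUCTED possible ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.1 -> 192.0.2.10
03/14-10:23:15.000000  [**] [1:1000001:1] CONSTRUCTED possible ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.10
"""

if __name__ == "__main__":
    for r in process(ALERTS.splitlines()):
        print(r)
```

Note the difference between the first two lines: a by_src suppression silences one known-good source for that SID while the same rule still blocks a different source, which is the flexibility the slide refers to, whereas disabling SID 2000345 would have silenced both. The gateway on line four is reported but never blocked because it is on the pass list.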

31 Trying to avoid the impact of false positives.
Set up another SNORT instance without blocking to test new rulesets (or use another server purely for SNORT ruleset testing). Make sure you have a good 'pass list' and 'home net' set up. Check the rules and documentation (if any) in rulesets before activation. Review your logs for SNORT alerts in the few weeks after installation of SNORT or after ruleset changes. Don't use rules which use the 'portscan' preprocessor; it's too touchy (even on 'low').

32 Backups and packet drops.
pfSense backups are quite good and you can back up all pfSense settings in a small file. Note: if you select individual areas for your backup, the package specific settings (such as those for SNORT) are not included. If you restore an entire backup to different hardware, you may need console access to fix any problems with interface mix-ups. Packet sniffing may help identify problems with packet drops: pfSense can capture packets and save them in a file readable by Wireshark.

33 Questions?

34 Reference
General pfSense guides:
pfSense main documentation wiki.
Smallnet builder – building your own IDS firewall with pfSense.
(book) pfSense 2 Cookbook (ISBN: ) – a bit thin in places (eg the traffic shaper).
(book) pfSense: The Definitive Guide (ISBN: ) – old, but detailed.
Traffic limiting guides:
SNORT specific:
pfSense documentation on SNORT.
Techrepublic – using SNORT for intrusion detection.
Emerging Threats ruleset information.
(free e-book) SNORT Cookbook (O'Reilly Commons).
pfSense tweaks.
pfSense support and suppliers:
pfSense – supply hardware, support and develop the software.
Deciso – EU based supplier; supply and support pfSense hardware. On the Oracle system as a supplier as of 2015.

