
Hey folks, it's great to be here. This is actually my first talk, so feel free to throw things at me now, later, at any point; I've got some good reflexes. So what we're going to be talking about today is pfSense. I absolutely love this. It is essentially a firewall and a router, that's the simplest way to explain it, but you can make this out of literally anything: you can get some garbage hardware off of eBay, you can get professional Netgate hardware, you can build these out of virtual machines on your own with professional VMware, you can do cloud-based, Azure, AWS, any of it.

It started back in 2004 as an existing firewall project, and it's FreeBSD based, so for something like this it has had a long time to mature and really come to fruition, so there are a lot of really great services and packages that we're going to be talking about today. It got its name from trying to make it as simple as humanly possible to do stateful packet inspection on your firewall. It's fully open source, and it's actually my favorite kind of open source: it's open source in the sense that you can just download it yourself, like I said, install it on your own hardware, and then, if you so decide, get into paid support options, so you can have full licensing from Netgate where with any kind of issue you can call them 24/7.

So we're going to talk about why you would use something like this. Every network is different, so I can't answer for all of you why you would use something like this. I know for me the reason I set out to build this on my own was to make sure I had a really good, solid understanding of eating my own dog food when it came to SSL inspection, having an IPS, and sending all of my network traffic through a VPN tunnel. This cost me very little; I mean, I think I built the whole thing with the TAC Lite subscription, so the pfSense Plus, for like a hundred bucks, so you really, really can't beat that. And what I love about it is it also gives me extremely granular control over everything on my network.

So we're going to talk a little bit about some of the packages that this offers. We've kind of already talked about how you get it. Basically, what you're going to use is the official images; Netgate is the company that actually maintains these images, so you can just go straight to their website, they're going to have these for you and allow you to download either the Community or the Professional Edition. You used to be able to get the Plus totally free; now it's $1229. So basically all they're going to do for you from a support perspective is point you to the documentation. It's a lot like when I was in the fifth grade, they would just say, "Hey, if you don't know the word, look it up in the dictionary." It's going to be the exact same thing if you go with that kind of subscription, so for something like this, if you're really wanting professional, integrated enterprise support, you're going to have to go for a higher-tier plan.

So that kind of gets us into the packages that pfSense offers, because that's where a lot of the functionality comes out of. I really feel like Suricata is the crown jewel of this, and when we're talking about detections and mysteries, there's nothing quite like something like Suricata that's going to allow you to look at all of your network traffic and make sure that you don't have a bunch of threats going on with it. Suricata is absolutely fantastic in terms of, just out of the box, you can have these kind of free open-source threat feeds from some of the most popular companies in the industry, so Proofpoint Emerging Threats, Snort, and even the Snort subscriber feed you can just sign up for, doing SSL Blacklist, your botnets, and all of this is completely updated via cron jobs, and you never have to look at this once having it set up. So you're just fully able to pick and choose what you want, and again you just have the flexibility of getting a paid threat feed for any of these, for your Snorts, for your Proofpoints, all of that. And it's not just an IDS; it truly has that IPS mode, where you're seeing your alerts, you're getting threats coming in, and you're able to block that kind of traffic, so it's absolutely fantastic. And what I love is something like this: 3CORESec's testmynids. Basically this is a website that you can go to and you can make sure that this is working properly, so you can throw a ton of traffic at yourself and make sure, hey, am I getting the alerting, am I getting the blocking that I want. I love doing that kind of thing proactively, because then I've got so much that I'm already blocking, so if that were to ever occur afterwards I'm going to see it; it's going to fully block it. And so that's why I've got my nice meme about the meddling kids, because I truly feel like this is one of the crown jewels of the product and one of its best features.

So that leads us to something called CrowdSec. This is a really interesting open-source project that is a great add-on to pfSense, because it's just further threat feeds for your pfSense firewall. The link that I have in here is showing you step by step how you can add this on to your pfSense firewall for additional threat feeds that are mostly from TCP/IP based, real malicious threat actors, so it has a very well curated network block list. And it's actually pretty cool in terms of being able to do things like prevent port scanning. I love having something like my NetHunter that I can just throw at this thing, do an nmap scan, whatever, and it's going to shut it down immediately; it's not going to return me the ports. I find that to be a really, really great feature for it, and again this is fully autonomous, so basically you just pick your feeds and that's all you have to do; it's going to update those firewall rules for you and you're going to get all of that functionality out of it. So, very nice.

So if you want to put DNS in a chokehold, pfBlockerNG is one of the other main crown jewels that I find for pfSense. I mean, there are hundreds of threat feeds, and I mean it's going everything from your cryptojackers, your phishing, your Tor. I think it's kind of funny 'cause they talk about like, hey, don't enable these all at once; so yeah, 200-plus feeds, not a good idea to enable all at once. But yeah, you've got like your Spamhaus, your PhishTank, your AlienVault, and again it's just based on cron jobs, so you're not going to have to do any maintenance to this other than just enabling the feed, and that's it. And not only that, with something like this that you add, you're automatically going to have that recursive DNS functionality. So what's meant by that is, you know, for me as a millennial I still remember the Yellow Pages that would show up at my door, and if you manually go through your phone book and you're entering in, you're looking for the pizza joint or whatever, that's how DNS normally works: you're reaching out to some provider like Google and you're saying, hey, go find this thing for me. Not so with something like Unbound and a recursive DNS; it's basically like having that caller ID, so basically just having them saved as a contact and going straight there. So, huge win. Not necessarily a pfSense feature, but if you combine something like this with a custom DNS like a Pi-hole or a Cisco Umbrella or something like that, you are going to have DNS security like nothing else.

So that gets us into talking about Squid. With those links that I have there, what we're looking at is basically a timeline of how Netgate has chosen to respond to Squid. So what Squid is, it's a caching forward and reverse proxy. Basically what you would do with this is, this is how SSL inspection is done. So malware these days is often encrypted, everything's HTTPS, and a lot of times you need to break that down to see, okay, what am I actually connecting with, what are my users clicking on, things of that nature. So Squid is really the only main vehicle to do this. And what happened is, back in October there was an ethical hacker who had been working with Squid (Squid's been around since like the '90s), so he was working with them, pointing out the vulnerabilities, saying, hey, we've got a ton of exploits here. These are nice folks, you know, we keep talking about this, but basically he revealed this to say, hey, they're not fixing the problem, they don't have enough people; he was trying to bring awareness to preserve this project that's been around for decades. So he does this, and Netgate's response to it, other than helping, is saying, hey, we're going to completely discontinue this; this will be gone in the next upcoming version. So with that, basically what the ethical hacker did worked: it got a ton of people to re-engage with the project and fix those vulnerabilities in newer versions. Netgate chose not to do anything about that, so the community itself updated Squid; I've got the link there for the updated package, and it works absolutely great, just as the old one did. So with them not fixing it, I think that's a good time to talk about what a disappointment that is and how important it is for open-source projects like this that companies like Netgate that profit from this pitch in. I mean, we're in an age where Microsoft is actively contributing to the Linux kernel; that's a future I would have never predicted, but it is extremely, extremely important to keep these kinds of things alive, especially when it's something that that particular company can profit from.

So that takes us into the other side of proxying on pfSense. With pfSense we have HAProxy. What this is mostly for is being able to do load balancing on your firewall and for your applications. It's got a lot of great features: it does an excellent job of health checks, letting you know if something goes down; it does all types of rate limiting and improves performance through SSL offloading; it's really fantastic DoS protection; and then it's compatible with certificate authorities such as Let's Encrypt.

So another really great feature of pfSense is the captive portal. pfSense has a really excellent captive portal, so if you're trying to make sure that you have a log of who's on your network, restricting access to maybe certain bandwidths or times, pfSense is a great solution for that.

And then when we talk about how you can actually take these pfSense logs and use them for ingestion into like your SIEM, your XDR, it really does allow you to go with just about anything via its remote syslog feature, so that should take care of all your big ones: your Sentinels, your Splunks, any of those professional-grade SIEMs. But what I really want to highlight is how for these open-source solutions, such as your Security Onion, your Wazuh, and your Blumira, they just have a bunch of native integrations for it, and then taking those kind of Suricata alerts and being able to just forward that on is a huge win. So what I link to in terms of the Wazuh article, that's even where you can just throw an agent on it, so very, very useful to get even EDR protection on your firewall.

So another interesting thing that I wanted to point out, because when you talk about competitors to something like a pfSense, is your Firewalla or an OpenWrt. So when we're talking about pfSense, you don't have an app, but what you do have is a really excellent mobile web page. So I run all kinds of updates from my phone just with the mobile web page; I do all kinds of network testing and responding to alerts from my phone with the mobile web page. So not quite a Firewalla with its own app, but very close with the mobile web page.

Another interesting thing to talk about here is, back in April, Netgate released an article stating that, hey, we're going to move off of the FreeBSD platform that we've used for 20 years and we're going to move that over to the Linux kernel. They decided to do this on April Fools', so it's hard to tell if that's an actual thing or not, and if anybody knows, I would love to hear about that, because I'll be talking about this for a while. It could go either way. I think if anybody has had the pain of dealing with the FreeBSD ports, and like the FreshPorts, a lot of things aren't supported, so there could actually be some really great gains for them switching over to a Linux kernel, and just some examples of that are other open-source security packages such as your osquery, your Tailscale, even just Elastic Agents, to be able to get other EDR agents onto your firewall.

So some resources that I recommend to get started with this: NetworkChuck is a YouTuber that has a great video on pfSense giving you great explanations of all the things that you can do with it and how to set it up. Lawrence Systems is a company that does professional pfSense installs with Netgate hardware, so even if you have a multi-WAN environment, Lawrence Systems can absolutely help you out, and they have tons of YouTube videos on this. Like I was saying about the dictionary, the docs are often the best place to go when you're getting started or trying to first get familiar with projects or with the different products for pfSense. A lot of times, I've got to say, AI has been extremely helpful, especially when you're getting confused about configuration or what certain things do and how packages interact with each other; you know, your Bings, your ChatGPTs, your Geminis, and if you're weird, Anthropic, all super, super helpful in breaking these concepts down into bite-sized pieces that help make sense of what it is you're doing. There's a great Reddit community in terms of pfSense, and of course Netgate has its own forums where you can reach out to other community members, get help, get a better understanding, and support one another. And with that, that is another mystery solved.
[Applause]

So that was super interesting. I am personally an open-source person, so I'm always excited to see when people talk about technologies that are on non-Linux platforms, but of course what always comes up is this issue of, like, well, you know, we can do some cool things in the kernel, but then, like you said about ports, the user-space stuff can be a little out of date and lacking, and things aren't supported. What do you see... you mentioned some of the advantages of moving to Linux; do you know, or what do you see as some of the disadvantages of maybe moving that out of FreeBSD, where it has lived for so long?

Well, FreeBSD is honestly like the Cadillac of security, just in terms of, like, you have SELinux as opposed to like AppArmor. When you're talking about a Unix platform like that that has been maintained for decades, switching to a new platform is always a risk in terms of opening up new vulnerabilities, and such a learning curve to make such a big change.

If anybody has got any questions for Kyle, come up to the front and you can use this microphone, and that way we can get it recorded as well, because if you holler from the back I'll have to retranslate into the microphone and I might screw up your question.

Yeah, yes, please. I'm just curious if you mess with OPNsense as well and compared the two.

I have some experience with it. Again, I just prefer pfSense because of the amount of time they've spent with it and all the integrations that it has, because you're not going to find the same level of, say, those kinds of SIEM integrations as you would with pfSense. I mean, Security Onion's integration with it, you get all those beautiful dashboards out of all your different alerts and things; you're just not going to find that with OpenWrt.

Any other questions?

Your first slide here...

Let me get you into the microphone. I'm sorry, I meant to mention that, but yeah.

I can go back to that, or maybe... okay, okay, yes, here. Well, I don't want to take it too far into the audience because of the feedback. Oh, I can, okay, never mind, I misunderstood.

Okay, so I recently started swapping out pfSense for smaller FortiGates, just because of ease of fleet management through things like FortiManager. Did pfSense add anything for like multiples? I know Lawrence Systems had some videos, but was there any like multiple management, like if I need to clone the management across pfSense to multiple sites, or multi...

Yeah, yeah, my suggestion would be checking them for that specific use case, as well as just reaching out to the Netgate folks; they're going to let you know, in terms of a multi-WAN solution, where they're at with things.

Anybody else? Okay, thank you, Kyle, that was excellent. Round of applause, please.

[Applause]