Mastering pfSense
eBook - ePub

David Zientara

  • 450 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

Install and configure a pfSense router/firewall, and become a pfSense expert in the process.

Key Features

  • You can always do more to secure your software – so extend and customize your pfSense firewall
  • Build a high availability security system that's fault-tolerant – and capable of blocking potential threats
  • Put the principles of better security into practice by implementing examples provided in the text

Book Description

pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn't limit you.

You're in control – you can exploit and customize pfSense around your security needs.

Mastering pfSense, Second Edition covers features that have long been part of pfSense, such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.

The second edition of this book places more of an emphasis on the practical side of utilizing pfSense than the previous edition, and, as a result, more examples are provided which show in step-by-step fashion how to implement many features.

What you will learn

  • Configure pfSense services such as DHCP, Dynamic DNS, captive portal, DNS, NTP and SNMP
  • Set up a managed switch to work with VLANs
  • Use pfSense to allow, block and deny traffic, and to implement Network Address Translation (NAT)
  • Make use of the traffic shaper to lower and raise the priority of certain types of traffic
  • Set up and connect to a VPN tunnel with pfSense
  • Incorporate redundancy and high availability by utilizing load balancing and the Common Address Redundancy Protocol (CARP)
  • Explore diagnostic tools in pfSense to solve network problems

Who this book is for

This book is for those with at least an intermediate understanding of networking. Prior knowledge of pfSense would be helpful but is not required.

Those who have the resources to set up a pfSense firewall, either in a real or virtual environment, will especially benefit, as they will be able to follow along with the examples in the book.


Information

Year: 2018
ISBN: 9781788993470

Virtual Private Networks

Virtual private networks (VPNs) provide a means of accessing a private network over a shared public network such as the internet. Access to the private network is provided via an encrypted tunnel, and connecting to the network in such a way emulates a point-to-point link between the remote node and the network. Since the tunnel is encrypted, any packets that are intercepted are indecipherable without the encryption keys. Thus, VPNs provide a secure means of accessing a private network remotely.
Prior to the advent of VPNs, the only way of providing remote connections to a private network was through private WAN circuits. Private WAN circuits provide low latency, and in some cases, they may still be the best solution for connecting to a private network, but they also have high monthly costs. VPN solutions have grown in popularity, in spite of the fact that they often have somewhat higher latency than private WAN circuits, because they provide the same point-to-point connectivity at a much lower cost.
pfSense is one such means by which you can implement low-cost VPN connectivity. While establishing and maintaining a VPN tunnel is somewhat CPU-intensive—a computer that barely meets the minimum specifications for pfSense will be hard-pressed to maintain a VPN connection—with pfSense, you will be able to set up VPN connections much more cheaply than you would be able to with commercial equipment.
In this chapter, we will cover the following topics:
  • VPN fundamentals
  • Configuring a VPN tunnel in pfSense (IPsec, L2TP, and OpenVPN)
  • Troubleshooting VPNs

Technical requirements

To follow along with the examples provided in this chapter, you will need two fully functional pfSense firewalls (with one or more nodes behind each firewall), either on real physical networks or in a lab/virtualization environment. Installation and configuration of the ShrewSoft VPN client, described in the section on IPsec, requires a system running Microsoft Windows (Windows 2000, XP, Vista, 7, 8, or 10 will do). The examples presented in this chapter should not be particularly resource-intensive; however, setting up an encrypted VPN tunnel does tax the CPU somewhat. Therefore, running pfSense on hardware that barely meets the minimum specifications for pfSense is not recommended.

VPN fundamentals

VPNs enable a remote user to securely connect to a private network or server over a remote connection. To the end user, it is as if the data is being sent over a dedicated private link. Another common usage is for network-to-network communication. For example, a branch office of a corporation may need to connect its local network with the network at corporate headquarters. In this case, the internet is logically equivalent to a WAN. In both cases, those using the VPN benefit from the fact that the connection is implemented as an encrypted tunnel. This enables end users to use the public internet as a private tunnel for a virtual point-to-point connection.
As noted earlier, private WAN circuits were the only way of connecting to a private network securely before there were VPNs, and in some cases, such private circuits may still be the only way to meet bandwidth and/or latency requirements. Latency is a big factor. A private WAN circuit will usually provide latency of 3 ms or less, whereas with VPNs, you will get that much latency just with the first hop through your ISP. Running ping tests will allow you to get a better idea of the latency of VPN connections, but in general, VPN connections have latencies of 30-60 ms. This can vary greatly based on two factors: the type of connection being used, and the distance between the remote node and the private network being accessed. One of the ways of minimizing latency is to use the same ISP on both ends of the connection, although this is not always possible. In some unusual cases, using a VPN may decrease latency rather than increase it. For example, if your ISP employs traffic shaping, encrypting traffic may result in the ISP not throttling it, and therefore latency will decrease.
Otherwise, you may find it necessary to research the types of applications you are likely to use over a VPN connection and find out how well they perform over connections with latency. Online games, for example, can be affected by higher latency. Microsoft file sharing (SMB) and Microsoft Remote Desktop Protocol (RDP) are also latency sensitive. Obviously, there is a cost-benefit analysis involved. You may find that the performance improvement justifies spending money on a private WAN circuit. Or you may find that the performance degradation involved in using a VPN is justified by the savings. In addition, it may be possible to alter your network settings to improve VPN performance.
If you decide to implement a VPN, you can choose from several different forms of VPN deployments. The most common ones are the following:
  • Client-server: In this scenario, a VPN tunnel is used to connect one or more mobile clients to the local networks. The encryption provided by the VPN guarantees that data privacy is maintained. This is probably the most likely deployment scenario that you will be using if you configure a VPN with pfSense.
  • Peer-to-peer: In this scenario, a VPN tunnel is created between two networks; for example, the main corporate office and a satellite office location. The general idea is that setting up a VPN is cheaper than a leased line between the two locations. Instead of having a router on one end and a mobile client on the other end, there is a router on each end of the tunnel. We will demonstrate an example of peer-to-peer by showing how to configure a site-to-site VPN with IPsec.
  • Hidden network: This is not as common a deployment scenario, but it is nonetheless worth mentioning. In some cases, data may be too sensitive to place on the main corporate network, and this data may reside on a subnet that is physically disconnected from the rest of the network. If this is the case, a VPN can provide us with a means of connecting to this subnet.
We can also use VPNs to provide an additional level of security on wireless connections. By requiring wireless clients to log in through a VPN, we can force these clients to provide additional authentication, and the VPN connection itself will provide another layer of encryption in addition to the encryption that the wireless protocol provides.
There are several VPN protocols that can be used, and each VPN technology has its own advantages and disadvantages. In this section, we will focus on the VPN protocols currently supported by pfSense: IPsec, L2TP, and OpenVPN.

IPsec

IPsec, as the name implies, is a protocol suite that operates on the Internet layer of the four-layer network model (and the Network layer of the OSI model). It is the only protocol of the three discussed here that operates on this layer. Because it operates on the Internet/Network layer, it is capable of encrypting and authenticating the entire IP packet, thus not only ensuring privacy for our data, but also ensuring that the packet's final destination is kept private as well. Thus it differs from both OpenVPN (which offers encryption, but operates on the Application layer) and the Layer 2 Tunneling Protocol (which does not encrypt data at all).
As a protocol suite, IPsec is actually a group of protocols, which in combination provide the functionality we require. These protocols can be divided into three groups:
  • Authentication Headers (AH): This header is 32 bits long and provides authentication and connectionless data integrity.
  • Encapsulating Security Payload (ESP): This portion of the IPsec protocol suite provides authentication, as well as encryption and data integrity. It also exists in authentication-only and encryption-only modes, which provide either authentication or encryption, but not both. ESP is responsible for encrypting at least the payload (transport mode), and in some cases, the entire packet (tunnel mode).
  • Security Association (SA): The Security Association is the set of security attributes (for example, encryption algorithm, encryption key, and other parameters) that are used in a connection.
SAs are established through the Internet Security Association and Key Management Protocol (ISAKMP). Key exchange is typically done through Internet Key Exchange (IKE) version 1 or 2, but other protocols are available, such as Kerberized Internet Negotiation of Keys (KINK), which uses the Kerberos protocol for key negotiation. Currently, the only methods supported by pfSense are IKEv1 and IKEv2.
There are two different modes for establishing an IPsec connection:
  • Transport mode: In this mode, the payload of the IPsec packet is encrypted, but not the header. This mode does not support NAT traversal, so if you are configuring an IPsec connection that must traverse more than one router, it is not a good choice.
  • Tunnel mode: In this mode, the entire packet is encrypted. This mode supports NAT traversal.
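To make the AH/ESP split and the transport/tunnel distinction above concrete, here is an added Python example (not from the book) that parses constructed IPv4 packets carrying AH and ESP headers: it shows which fields each header exposes on the wire, that AH reveals the mode through its next-header byte while ESP keeps that byte in the encrypted trailer, and how the AH payload-length field is counted in 32-bit words. The packets, SPIs and addresses are constructed for the example.

```python
import struct

IPPROTO_ESP = 50   # ESP: SPI and sequence number visible, everything else encrypted
IPPROTO_AH = 51    # AH: integrity-protected header, no encryption

def parse_ipv4(pkt: bytes) -> dict:
    """Outer IPv4 header: the protocol number tells us whether AH or ESP follows."""
    ihl = (pkt[0] & 0x0F) * 4                     # header length in bytes
    return {"proto": pkt[9], "payload": pkt[ihl:]}

def parse_ah(data: bytes) -> dict:
    """RFC 4302 AH: next header, payload length (32-bit words minus 2), reserved,
    SPI, sequence number, then the ICV. Inner headers stay in the clear."""
    next_hdr, pay_len, _rsvd, spi, seq = struct.unpack("!BBHII", data[:12])
    total_len = (pay_len + 2) * 4                 # whole AH header incl. ICV
    # Next header 4 (IPv4) or 41 (IPv6) means a complete IP packet follows: tunnel mode.
    mode = "tunnel" if next_hdr in (4, 41) else "transport"
    return {"next_header": next_hdr, "spi": spi, "seq": seq, "mode": mode,
            "icv_len": total_len - 12, "inner": data[total_len:]}

def parse_esp(data: bytes) -> dict:
    """RFC 4303 ESP: only SPI and sequence number are readable; payload, padding and
    the trailer's next-header byte are encrypted, so the mode is not visible on the wire."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "encrypted_len": len(data) - 8,
            "mode": "unknown (trailer encrypted)"}

def classify(pkt: bytes) -> dict:
    """Identify the IPsec protocol (if any) in an IPv4 packet and parse its header."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_AH:
        return {"ipsec": "AH", **parse_ah(ip["payload"])}
    if ip["proto"] == IPPROTO_ESP:
        return {"ipsec": "ESP", **parse_esp(ip["payload"])}
    return {"ipsec": None, "proto": ip["proto"]}

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header, no options, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([203, 0, 113, 5]))
    return hdr + payload

# Constructed samples: AH in tunnel mode (next header 4, 12-byte ICV -> payload len 4)
# carrying an inner IPv4/TCP packet, and an ESP packet with 16 opaque bytes.
INNER = build_ipv4(6, b"\x00" * 20)
AH_TUNNEL = build_ipv4(IPPROTO_AH,
                       struct.pack("!BBHII", 4, 4, 0, 0x1000, 1) + b"\xaa" * 12 + INNER)
ESP_PKT = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x2000, 7) + b"\x55" * 16)
```

Calling `classify(AH_TUNNEL)` returns the inner packet intact and reports tunnel mode, whereas `classify(ESP_PKT)` can only report the SPI, sequence number and the length of the opaque bytes.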
IPsec supports a number of encryption algorithms. Advanced Encryption Standard with a key size of 256 bits (AES-256) is the most commonly used option, but other options are available. Since some ...
