Mastering pfSense
eBook - ePub

David Zientara

  1. 450 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About this book

Install and configure a pfSense router/firewall, and become a pfSense expert in the process.

Key Features

  • You can always do more to secure your software – so extend and customize your pfSense firewall
  • Build a high availability security system that's fault-tolerant – and capable of blocking potential threats
  • Put the principles of better security into practice by implementing examples provided in the text

Book Description

pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn't limit you.

You're in control – you can exploit and customize pfSense around your security needs.

Mastering pfSense - Second Edition, covers features that have long been part of pfSense such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.

The second edition of this book places more of an emphasis on the practical side of utilizing pfSense than the previous edition, and, as a result, more examples are provided which show in step-by-step fashion how to implement many features.

What you will learn

  • Configure pfSense services such as DHCP, Dynamic DNS, captive portal, DNS, NTP and SNMP
  • Set up a managed switch to work with VLANs
  • Use pfSense to allow, block and deny traffic, and to implement Network Address Translation (NAT)
  • Make use of the traffic shaper to lower and raise the priority of certain types of traffic
  • Set up and connect to a VPN tunnel with pfSense
  • Incorporate redundancy and high availability by utilizing load balancing and the Common Address Redundancy Protocol (CARP)
  • Explore diagnostic tools in pfSense to solve network problems

Who this book is for

This book is for those with at least an intermediate understanding of networking. Prior knowledge of pfSense would be helpful but is not required.

Those who have the resources to set up a pfSense firewall, either in a real or virtual environment, will especially benefit, as they will be able to follow along with the examples in the book.


Information

Year
2018
ISBN
9781788993470

Virtual Private Networks

Virtual private networks (VPNs) provide a means of accessing a private network over a shared public network such as the internet. Access to the private network is provided via an encrypted tunnel, and connecting to the network in such a way emulates a point-to-point link between the remote node and the network. Since the tunnel is encrypted, any packets that are intercepted are indecipherable without the encryption keys. Thus, VPNs provide a secure means of accessing a private network remotely.
Prior to the advent of VPNs, the only way of providing remote connections to a private network was through private WAN circuits. Private WAN circuits provide low latency, and in some cases, they may still be the best solution for connecting to a private network, but they also have high monthly costs. VPN solutions have grown in popularity, in spite of the fact that they often have somewhat higher latency than private WAN circuits, because they provide the same point-to-point connectivity at a much lower cost.
pfSense is one such means by which you can implement low-cost VPN connectivity. While establishing and maintaining a VPN tunnel is somewhat CPU-intensive—a computer that barely meets the minimum specifications for pfSense will be hard-pressed to maintain a VPN connection—with pfSense, you will be able to set up VPN connections much more cheaply than you would be able to with commercial equipment.
In this chapter, we will cover the following topics:
  • VPN fundamentals
  • Configuring a VPN tunnel in pfSense (IPsec, L2TP, and OpenVPN)
  • Troubleshooting VPNs

Technical requirements

To follow along with the examples provided in this chapter, you will need two fully functional pfSense firewalls (with one or more nodes behind each firewall), either on real physical networks or in a lab/virtualization environment. Installation and configuration of the ShrewSoft VPN client, described in the section on IPsec, requires a system running Microsoft Windows (Windows 2000, XP, Vista, 7, 8, or 10 will do). The examples presented in this chapter should not be particularly resource-intensive; however, setting up an encrypted VPN tunnel does tax the CPU somewhat. Therefore, running pfSense on hardware that barely meets the minimum specifications for pfSense is not recommended.

VPN fundamentals

VPNs enable a remote user to securely connect to a private network or server over a remote connection. To the end user, it is as if the data were being sent over a dedicated private link. Another common usage is for network-to-network communication. For example, a branch office of a corporation may need to connect their local network with the network at corporate headquarters. In this case, the internet is logically equivalent to a WAN. In both cases, those using the VPN benefit from the fact that the connection is implemented as an encrypted tunnel. This enables end users to use the public internet as a private tunnel for a virtual point-to-point connection.
As noted earlier, private WAN circuits were the only way of connecting to a private network securely before there were VPNs, and in some cases, such private circuits may still be the only way to meet bandwidth and/or latency requirements. Latency is a big factor. A private WAN circuit will usually provide latency of 3 ms or less, whereas with VPNs, you will get that much latency just with the first hop through your ISP. Running ping tests will allow you to get a better idea of the latency of VPN connections, but in general, VPN connections have latencies of 30-60 ms. This can vary greatly based on two factors: the type of connection being used, and the distance between the remote node and the private network being accessed. One of the ways of minimizing latency is to use the same ISP on both ends of the connection, although this is not always possible. In some unusual cases, using a VPN may decrease latency rather than increase it. For example, if your ISP employs traffic shaping, encrypting traffic may result in the ISP not throttling it, and therefore latency will decrease.
Otherwise, you may find it necessary to research the types of applications you are likely to use over a VPN connection and find out how well they perform over connections with latency. Online games, for example, can be affected by higher latency. Microsoft file sharing (SMB) and Microsoft Remote Desktop Protocol (RDP) are also latency sensitive. Obviously, there is a cost-benefit analysis involved. You may find that the performance improvement justifies spending money on a private WAN circuit. Or you may find that the performance degradation involved in using a VPN is justified by the savings. In addition, it may be possible to alter your network settings to improve VPN performance.
If you decide to implement a VPN, you can choose from several different forms of VPN deployments. The most common ones are the following:
  • Client-server: In this scenario, a VPN tunnel is used to connect one or more mobile clients to the local networks. The encryption provided by the VPN guarantees that data privacy is maintained. This is probably the most likely deployment scenario that you will be using if you configure a VPN with pfSense.
  • Peer-to-peer: In this scenario, a VPN tunnel is created between two networks; for example, the main corporate office and a satellite office location. The general idea is that setting up a VPN is cheaper than a leased line between the two locations. Instead of having a router on one end and a mobile client on the other end, there is a router on each end of the tunnel. We will demonstrate an example of peer-to-peer by showing how to configure a site-to-site VPN with IPsec.
  • Hidden network: This is not as common a deployment scenario, but it is nonetheless worth mentioning. In some cases, data may be too sensitive to place on the main corporate network, and this data may reside on a subnet that is physically disconnected from the rest of the network. If this is the case, a VPN can provide us with a means of connecting to this subnet.
We can also use VPNs to provide an additional level of security on wireless connections. By requiring wireless clients to log in through a VPN, we can force these clients to provide additional authentication, and the VPN connection itself will provide another layer of encryption in addition to the encryption that the wireless protocol provides.
There are several VPN protocols that can be used, and each VPN technology has its own advantages and disadvantages. In this section, we will focus on the VPN protocols currently supported by pfSense: IPsec, L2TP, and OpenVPN.

IPsec

IPsec, as the name implies, is a protocol suite that operates on the Internet layer of the four-layer network model (and the Network layer of the OSI model). It is the only protocol of the three discussed here that operates on this layer. Because it operates on the Internet/Network layer, it is capable of encrypting and authenticating the entire IP packet, thus not only ensuring privacy for our data, but also ensuring that the packet's final destination is kept private as well. Thus it differs from both OpenVPN (which offers encryption, but operates on the Application layer) and the Layer 2 Tunneling Protocol (which does not encrypt data at all).
As a protocol suite, IPsec is actually a group of protocols, which in combination provide the functionality we require. These protocols can be divided into three groups:
  • Authentication Headers (AH): This header is 32 bits long and provides authentication and connectionless data integrity.
  • Encapsulating Security Payload (ESP): This portion of the IPsec protocol suite provides authentication, as well as encryption and data integrity. It also exists in authentication-only and encryption-only modes, which provide either authentication or encryption, but not both. ESP is responsible for encrypting at least the payload (transport mode), and in some cases, the entire packet (tunnel mode).
  • Security Association (SA): The Security Association is the set of security attributes (for example, encryption algorithm, encryption key, and other parameters) that are used in a connection.
SAs are established through the Internet Security Association and Key Management Protocol (ISAKMP). Key exchange is typically done through Internet Key Exchange (IKE) versions 1 or 2, but other protocols are available, such as Kerberized Internet Negotiation of Keys (KINK), which uses the Kerberos protocol for key negotiation. Currently, the only methods supported by pfSense are IKE and IKEv2.
There are two different modes for establishing an IPsec connection:
  • Transport mode: In this mode, the payload of the IPsec packet is encrypted, but not the header. This mode does not support NAT traversal, so if you are configuring an IPsec connection that must traverse more than one router, it is not a good choice.
  • Tunnel mode: In this mode, the entire packet is encrypted. This mode supports NAT traversal.
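As an added example (not code from the book or from pfSense), the following Python models how ESP wraps an IPv4 packet in the two modes just described, verifies the integrity check value that provides the authentication mentioned above, and shows what an on-path observer can still read from the cleartext outer header. It assumes an IPv4 header without options, uses an HMAC-derived keystream as a labelled stand-in for AES, and the keys, SPI and addresses are constructed placeholders.

```python
import hmac
import hashlib
import struct
import ipaddress
ESP_PROTO = 50      # protocol number carried in the outer IP header for ESP (RFC 4303)
IPV4_IN_IP = 4      # ESP "next header" value for a tunnelled IPv4 packet
ICV_LEN = 16        # HMAC-SHA256-128 integrity check value

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options; the checksum is left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def keystream(enc_key, spi, seq, length):
    """Stand-in for the AES cipher: keystream blocks from HMAC-SHA256(key, SPI | seq | block)."""
    blocks = [hmac.new(enc_key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def esp_encapsulate(enc_key, auth_key, spi, seq, next_header, plaintext):
    """ESP per RFC 4303: SPI | seq | enc(plaintext | pad | pad_len | next_header) | ICV."""
    pad_len = -(len(plaintext) + 2) % 4          # trailer must end on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(body, keystream(enc_key, spi, seq, len(body))))
    esp = struct.pack("!II", spi, seq) + ct
    return esp + hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]

def esp_protect(mode, inner_pkt, enc_key, auth_key, spi, seq, gw_src=None, gw_dst=None):
    """Apply ESP to an IPv4 packet in 'transport' or 'tunnel' mode; returns the outer packet."""
    hdr, payload = inner_pkt[:20], inner_pkt[20:]
    if mode == "transport":   # original header stays in the clear; only the payload is encrypted
        esp = esp_encapsulate(enc_key, auth_key, spi, seq, hdr[9], payload)
        return ipv4_header(hdr[12:16], hdr[16:20], ESP_PROTO, len(esp)) + esp
    # tunnel mode: the whole inner packet, header included, goes behind a gateway-to-gateway header
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, IPV4_IN_IP, inner_pkt)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def on_path_view(pkt):
    """Cleartext outer-header fields a passive observer can read: (src, dst, protocol)."""
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), pkt[9]

def esp_icv_ok(auth_key, outer_pkt):
    """Verify the ICV over SPI, sequence number and ciphertext; any flipped bit fails."""
    esp, icv = outer_pkt[20:-ICV_LEN], outer_pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN], icv)

ENC_KEY, AUTH_KEY = b"k" * 32, b"a" * 32   # constructed placeholder keys, not real SA material
INNER = ipv4_header("10.0.1.5", "10.0.2.7", 6, 8) + b"hello!!!"   # constructed: HQ host -> branch host
TRANSPORT = esp_protect("transport", INNER, ENC_KEY, AUTH_KEY, 0x1000, 1)
TUNNEL = esp_protect("tunnel", INNER, ENC_KEY, AUTH_KEY, 0x1000, 1, "203.0.113.1", "198.51.100.1")
```

In transport mode the outer header still carries the real source and destination, while in tunnel mode only the two gateways are visible, which is the privacy property the text attributes to tunnel mode.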
IPsec supports a number of encryption algorithms. Advanced Encryption Standard with a key size of 256 bits (AES-256) is the most commonly used option, but other options are available. Since some ...
