Mastering pfSense
eBook - ePub

David Zientara

  1. 450 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android

Book information

Install and configure a pfSense router/firewall, and become a pfSense expert in the process.

Key Features

  • You can always do more to secure your software – so extend and customize your pfSense firewall
  • Build a high availability security system that's fault-tolerant – and capable of blocking potential threats
  • Put the principles of better security into practice by implementing examples provided in the text

Book Description

pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn't limit you.

You're in control – you can exploit and customize pfSense around your security needs.

Mastering pfSense, Second Edition covers features that have long been part of pfSense such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.

The second edition of this book places more of an emphasis on the practical side of utilizing pfSense than the previous edition, and, as a result, more examples are provided which show in step-by-step fashion how to implement many features.

What you will learn

  • Configure pfSense services such as DHCP, Dynamic DNS, captive portal, DNS, NTP and SNMP
  • Set up a managed switch to work with VLANs
  • Use pfSense to allow, block and deny traffic, and to implement Network Address Translation (NAT)
  • Make use of the traffic shaper to lower and raise the priority of certain types of traffic
  • Set up and connect to a VPN tunnel with pfSense
  • Incorporate redundancy and high availability by utilizing load balancing and the Common Address Redundancy Protocol (CARP)
  • Explore diagnostic tools in pfSense to solve network problems

Who this book is for

This book is for those with at least an intermediate understanding of networking. Prior knowledge of pfSense would be helpful but is not required.

Those who have the resources to set up a pfSense firewall, either in a real or virtual environment, will especially benefit, as they will be able to follow along with the examples in the book.


Information

Year
2018
ISBN
9781788993470
Edition
2
Category
Computer Science

Virtual Private Networks

Virtual private networks (VPNs) provide a means of accessing a private network over a shared public network such as the internet. Access to the private network is provided via an encrypted tunnel, and connecting to the network in such a way emulates a point-to-point link between the remote node and the network. Since the tunnel is encrypted, any packets that are intercepted are indecipherable without the encryption keys. Thus, VPNs provide a secure means of accessing a private network remotely.
Prior to the advent of VPNs, the only way of providing remote connections to a private network was through private WAN circuits. Private WAN circuits provide low latency, and in some cases, they may still be the best solution for connecting to a private network, but they also have high monthly costs. VPN solutions have grown in popularity, in spite of the fact that they often have somewhat higher latency than private WAN circuits, because they provide the same point-to-point connectivity at a much lower cost.
pfSense is one such means by which you can implement low-cost VPN connectivity. While establishing and maintaining a VPN tunnel is somewhat CPU-intensive—a computer that barely meets the minimum specifications for pfSense will be hard-pressed to maintain a VPN connection—with pfSense, you will be able to set up VPN connections much more cheaply than you would be able to with commercial equipment.
In this chapter, we will cover the following topics:
  • VPN fundamentals
  • Configuring a VPN tunnel in pfSense (IPsec, L2TP, and OpenVPN)
  • Troubleshooting VPNs

Technical requirements

To follow along with the examples provided in this chapter, you will need two fully functional pfSense firewalls (with one or more nodes behind each firewall), either on real physical networks or in a lab/virtualization environment. Installation and configuration of the ShrewSoft VPN client, described in the section on IPsec, requires a system running Microsoft Windows (Windows 2000, XP, Vista, 7, 8, or 10 will do). The examples presented in this chapter should not be particularly resource-intensive; however, setting up an encrypted VPN tunnel does tax the CPU somewhat. Therefore, running pfSense on hardware that barely meets the minimum specifications for pfSense is not recommended.

VPN fundamentals

VPNs enable a remote user to securely connect to a private network or server over a remote connection. To the end user, it is as if the data were being sent over a dedicated private link. Another common usage is for network-to-network communication. For example, a branch office of a corporation may need to connect its local network with the network at corporate headquarters. In this case, the internet is logically equivalent to a WAN. In both cases, those using the VPN benefit from the fact that the connection is implemented as an encrypted tunnel. This enables end users to use the public internet as a private tunnel for a virtual point-to-point connection.
As noted earlier, private WAN circuits were the only way of connecting to a private network securely before there were VPNs, and in some cases, such private circuits may still be the only way to meet bandwidth and/or latency requirements. Latency is a big factor. A private WAN circuit will usually provide latency of 3 ms or less, whereas with VPNs, you will get that much latency just with the first hop through your ISP. Running ping tests will allow you to get a better idea of the latency of VPN connections, but in general, VPN connections have latencies of 30-60 ms. This can vary greatly based on two factors: the type of connection being used, and the distance between the remote node and the private network being accessed. One of the ways of minimizing latency is to use the same ISP on both ends of the connection, although this is not always possible. In some unusual cases, using a VPN may decrease latency rather than increase it. For example, if your ISP employs traffic shaping, encrypting traffic may result in the ISP not throttling it, and therefore latency will decrease.
Otherwise, you may find it necessary to research the types of applications you are likely to use over a VPN connection and find out how well they perform over connections with latency. Online games, for example, can be affected by higher latency. Microsoft file sharing (SMB) and Microsoft Remote Desktop Protocol (RDP) are also latency sensitive. Obviously, there is a cost-benefit analysis involved. You may find that the performance improvement justifies spending money on a private WAN circuit. Or you may find that the performance degradation involved in using a VPN is justified by the savings. In addition, it may be possible to alter your network settings to improve VPN performance.
If you decide to implement a VPN, you can choose from several different forms of VPN deployments. The most common ones are the following:
  • Client-server: In this scenario, a VPN tunnel is used to connect one or more mobile clients to the local networks. The encryption provided by the VPN guarantees that data privacy is maintained. This is probably the most likely deployment scenario that you will be using if you configure a VPN with pfSense.
  • Peer-to-peer: In this scenario, a VPN tunnel is created between two networks; for example, the main corporate office and a satellite office location. The general idea is that setting up a VPN is cheaper than a leased line between the two locations. Instead of having a router on one end and a mobile client on the other end, there is a router on each end of the tunnel. We will demonstrate an example of peer-to-peer by showing how to configure a site-to-site VPN with IPsec.
  • Hidden network: This is not as common a deployment scenario, but it is nonetheless worth mentioning. In some cases, data may be too sensitive to place on the main corporate network, and this data may reside on a subnet that is physically disconnected from the rest of the network. If this is the case, a VPN can provide us with a means of connecting to this subnet.
We can also use VPNs to provide an additional level of security on wireless connections. By requiring wireless clients to log in through a VPN, we can force these clients to provide additional authentication, and the VPN connection itself will provide another layer of encryption in addition to the encryption that the wireless protocol provides.
There are several VPN protocols that can be used, and each VPN technology has its own advantages and disadvantages. In this section, we will focus on the VPN protocols currently supported by pfSense: IPsec, L2TP, and OpenVPN.

IPsec

IPsec, as the name implies, is a protocol suite that operates on the Internet layer of the four-layer network model (and the Network layer of the OSI model). It is the only protocol of the three discussed here that operates on this layer. Because it operates on the Internet/Network layer, it is capable of encrypting and authenticating the entire IP packet, thus not only ensuring privacy for our data, but also ensuring that the packet's final destination is kept private as well. Thus it differs from both OpenVPN (which offers encryption, but operates on the Application layer) and the Layer 2 Tunneling Protocol (which does not encrypt data at all).
As a protocol suite, IPsec is actually a group of protocols, which in combination provide the functionality we require. These protocols can be divided into three groups:
  • Authentication Headers (AH): This header is 32 bits long and provides authentication and connectionless data integrity.
  • Encapsulating Security Payload (ESP): This portion of the IPsec protocol suite provides authentication, as well as encryption and data integrity. It also exists in authentication-only and encryption-only modes, which provide either authentication or encryption, but not both. ESP is responsible for encrypting at least the payload (transport mode), and in some cases, the entire packet (tunnel mode).
  • Security Association (SA): The Security Association is the set of security attributes (for example, encryption algorithm, encryption key, and other parameters) that are used in a connection.
SAs are established through the Internet Security Association and Key Management Protocol (ISAKMP). Key exchange is typically done through Internet Key Exchange (IKE) versions 1 or 2, but other protocols are available, such as Kerberized Internet Negotiation of Keys (KINK), which uses the Kerberos protocol for key negotiation. Currently, the only methods supported by pfSense are IKE and IKEv2.
There are two different modes for establishing an IPsec connection:
  • Transport mode: In this mode, the payload of the IPsec packet is encrypted, but not the header. This mode does not support NAT traversal, so if you are configuring an IPsec connection that must traverse more than one router, it is not a good choice.
  • Tunnel mode: In this mode, the entire packet is encrypted. This mode supports NAT traversal.
IPsec supports a number of encryption algorithms. Advanced Encryption Standard with a key size of 256 bits (AES-256) is the most commonly used option, but other options are available. Since some ...
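The following Python is an added illustration, not code from the book, of two points made above: that AH authenticates the entire IP packet (the AH bullet), and that an IPsec mode whose integrity check covers the IP header cannot survive address rewriting by an intermediate device (the transport-mode note on NAT traversal). It builds an IPv4 packet carrying an AH header in transport mode, computes the ICV with HMAC-SHA256-128 over the packet with the mutable header fields (TOS, flags/fragment offset, TTL, checksum) zeroed as RFC 4302 specifies, and then verifies it. The addresses, shared key, SPI, sequence number and payload are constructed sample values, and the `simulate_router_hop` and `simulate_nat` helpers are hypothetical stand-ins for what a router and a NAT device do to the header. It goes slightly beyond the text in showing that a plain router hop (TTL decrement) still verifies while a NAT rewrite of the source address does not.

```python
"""Minimal IPsec AH (transport mode) construction and verification.

Added example, not the book's code. Integrity algorithm: HMAC-SHA256-128
(RFC 4868). All addresses, keys and payloads below are constructed samples.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51   # IP protocol number for the Authentication Header
ICV_LEN = 16    # HMAC-SHA256-128 truncates the MAC to 128 bits


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """IPv4 header, IHL=5 (no options). Checksum left at 0 for brevity."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Zero the fields AH excludes from the ICV: TOS, flags/frag, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(key: bytes, src: str, dst: str, inner_proto: int,
               payload: bytes, spi: int, seq: int) -> bytes:
    """Return IPv4 header + AH header + payload with a valid ICV (transport mode)."""
    ah_len = 12 + ICV_LEN                      # fixed AH fields + ICV
    total_len = 20 + ah_len + len(payload)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, total_len)
    payload_len_field = ah_len // 4 - 2        # AH "Payload Len" is in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", inner_proto, payload_len_field, 0, spi, seq)
    # ICV covers the whole packet with mutable fields and the ICV itself zeroed.
    authenticated = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV on a received packet; True only if it matches."""
    if len(packet) < 20 + 12 or packet[9] != AH_PROTO:
        return False
    ip_hdr, rest = packet[:20], packet[20:]
    _, plen, _, _, _ = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    authenticated = zero_mutable_ipv4(ip_hdr) + rest[:12] + bytes(len(icv)) + payload
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected)


def simulate_router_hop(packet: bytes) -> bytes:
    """Hypothetical plain router: only decrements TTL (a mutable field)."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


def simulate_nat(packet: bytes, new_src: str) -> bytes:
    """Hypothetical NAT device: rewrites the source address and decrements TTL."""
    h = bytearray(packet)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)


def demo() -> dict:
    """Run the scenarios and report which packets the receiver accepts."""
    key = b"constructed-shared-key"            # constructed sample key
    pkt = ah_protect(key, "10.0.1.5", "10.0.2.9", 6, b"hello", spi=0x1001, seq=1)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return {
        "original": ah_verify(key, pkt),
        "after_router_hop": ah_verify(key, simulate_router_hop(pkt)),
        "after_nat": ah_verify(key, simulate_nat(pkt, "203.0.113.7")),
        "payload_tampered": ah_verify(key, tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'accepted' if ok else 'REJECTED'}")
```

The receiver-side check is the defensive point: a packet whose source address was rewritten in transit fails verification exactly as an attacker's modification would, which is why address-rewriting middleboxes on the path are a configuration problem to solve (for example with a mode that supports NAT traversal) rather than something to work around by weakening the integrity check.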
