Intrusion Detection Using PFSense Firewall

Recently I had the need to re visit IDS/IPS systems, mainly to refresh my knowledge and bring myself up-to date with new developments etc etc.

I decided to use this opportunity to build myself a ‘Proper’ firewall for my home network, and give my trusty Netgear DG 834 a well earned rest.

I already had an old Compaq PC to run this Firewall on, nothing special just an old desktop pc with a 2ghz Celeron CPU and 2gb RAM – small and quiet.

I had to get me an ADSL modem to allow me to use the PC as a Firewall, so I bought a Netgear DM111P ADSL 2+ Modem, this is just an ADSL bridge and connects to the WAN side of the Firewall.

Anyways I first had to find me a Firewall distro, after what seem like an age, trawling the net, downloading ISO’s an running them up on VirtualBox to check them out and if they had the required functionality – I found this absolute gem of a Firewall distro pfSense.

This is as the websites says:-

pfSense is a free, open source customised distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organisations protecting thousands of network devices.

The ‘Package System’ allows the administrator to further enhance this already powerful firewall into a UTM, one of the packages is Snort IDS/IPS and this is were I begin.

Quote from the package manager in pfSense:-

Used by fortune 500 companies and governments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more.

First off there are two pfSense downloads, there is the Stable production ready 1.2.3 and the Non Production 2.0 Beta4.

I started off with the 1.2.3 version, but then went for an upgrade to the 2.0 Beta4 version cause it has some extra stuff, but this is in heavy development and should not be used for production environments. So I’m gonna show screen-shots from my 2.0 Beta4 set-up regardless as I’m not updating it with every new upgrade, (I kept the build of 2.0Beta4 on my VirtualBox system also and I test the newest updates there).

I’m not gonna run through the installation of the Firewall cause it so damn easy and there are some excellent Docs and How To’s on the pfSense Docs website here.

There is also a Snort set-up guide there too – here

Below are some screen shots of the various parts of the pfSense web interface associated with Snort.

The Dashboard:

Next click the services tab and select snort

The Snort Main Screen:

Some Alerts !!!!!!

As you can see someone or something tried to Port Scan my Network and something strange happened when I joined IRC channel !!!

Luckily my Snort is set to Block attackers

I hope these screen-shots are enough to whet your appetite and give this great Firewall a run out on your networks.

As you probably noticed from the services screen shot there a lot of extras available with pfSense and they offer some really powerful features, I have set-up the Proxy Server – Squid and the Web Filter – SquidGuard on mine.

Hopefully in the future I’ll do a post about Snort rules and maybe I’ll write 1 or 2 of my own.

Cheers for now.

Advertisements

2 thoughts on “Intrusion Detection Using PFSense Firewall

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s