Topology
Introduction
A multitude of firewalls is commercially available. Some organizations even build their own custom solutions. An organization might have a single firewall sitting on its only connection to the global Internet, or a sophisticated, defense-in-depth structure of firewalls that provides more protection for certain subnets than for others. Organizations might also establish internal zones, using firewalls to protect internal departments from each other while another system protects the entire organization from outsiders. According to the 2013 Data Breach Investigations Report (http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf), 14 percent of all successful data breaches involve internal attackers.
Firewalls can be completely software-based and run on an endpoint or a server. They can be implemented in stand-alone hardware or as a hybrid. Increasingly, vendors make their firewalls available as virtual appliances. In any case, the job of the firewall is fairly straightforward: to examine traffic going between the "outside" and the "inside," determine whether that traffic adheres to a set of rules, and decide what to do if it does not. Where most firewalls differ is in how they define the rules and determine what to do if the traffic does not meet them: not in the conceptual function, but in the implementation and the ongoing management of the device.
In this lab, you will delve into the configuration of the pfSense firewall to control client access to the Internet. The pfSense firewall is a current generation product that has most of the functionality and options that will be found in most firewall products, though the implementation may vary somewhat from firewall to firewall.
This lab has three parts which should be completed in the order specified:
Learning Objectives
Upon completing this lab, you will be able to:
Tools and Software
The following software and or utilities are required to complete this lab. You are encouraged to explore the Internet to learn more about the products and tools used in this lab.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
Configuring a pfSense Firewall on the Client
Hands-On Steps
Note: This lab contains detailed lab procedures that you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.
If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.
Figure 1 "Student Landing" workstation
Part 1: Planning the Configuration
Note: There are two different approaches to configuring a firewall, or any computer software for that matter. The first, and most common, is to "dive right in" and trust that the process is fairly easy and straightforward. The second approach is to plan the configuration steps in advance before implementing your choices. The "dive right in" approach is very common, especially in smaller shops or for individuals, but the more prudent, careful, and professional approach is to plan the configuration in advance. By documenting the configuration choices in advance and carefully considering each in the proper context, you streamline your process. Because even the most diligent planner can overlook something, recording any changes made during the implementation process gives you a starting point for replicating the configuration in the future, whether to add new firewalls or to replace the existing one (in case of an outage).
In the next steps, you will complete the pfSenseFirewallPlanner spreadsheet. This spreadsheet contains two worksheets: Physical Configuration and Firewall Rules. The spreadsheet is designed to document answers to the questions prompted by the pfSense Firewall Setup Wizard, in the order you will be required to answer them. You will record the configuration settings for the pfSense firewall in this spreadsheet as you proceed through the lab. It is a good idea to scan Part 2 of this lab if you are unfamiliar with firewall configurations. Seeing how the questions are posed by the wizard might help you understand how the pfSenseFirewallPlanner spreadsheet works in conjunction with the wizard.
The first item on the Physical Configuration worksheet is Hostname. A hostname is the unique name of the computer (host) on the network capable of originating or responding to an interaction using the Internet Protocol.
This is how the pfSense firewall refers to itself.
Figure 2 Firewall Configuration worksheet
If the firewall uses DHCP to configure the WAN interface, then the DNS servers will be provided by DHCP.
This information should be provided by the network administrator (or your ISP).
Note: The pfSense firewall timestamps log entries; therefore, it is essential that all firewalls use the correct time and date so that logs can be easily correlated to security events. In production, a time server should ALWAYS be used.
This information has been provided by the network administrator.
According to the network administrator, this computer uses a static connection. The pfSense Firewall Setup Wizard offers a choice of DHCP, Static, PPPoE, and PPTP WAN interface types.
Figure 3 Firewall Configuration worksheet (continued)
If required by your network configuration, you would type the source MAC address in the Settings column.
For compatibility with the widest range of networks, pfSense allows us to specify a maximum transmission unit (MTU) size.
If you receive an Excel error when trying to type the / character, type '/24 (with a leading apostrophe) to force Excel to accept the / as literal text rather than the start of a formula.
Figure 4 Physical Configuration worksheet (continued)
Normally this is provided by your ISP and will be the default route to the Internet.
A DHCP hostname is not required in this configuration, though some Internet Service Providers require it (for security and verification reasons).
The PPPoE connection used by the virtual lab is established as a permanent connection and requires no specific configuration.
The virtual lab does not use Point-to-Point Tunneling Protocol.
On a production "Internet-facing" firewall, you will almost always block RFC1918 Private Networks. In the lab environment, this setting will erroneously block addresses you use.
Note: RFC1918 is an Internet Activities Board document, called a Request for Comment (which is as close as one gets to a "standard" on the Internet), that describes what addresses can be used for private networks, or, more accurately, re-used by all private networks. Under normal circumstances, these addresses are never seen on the Internet. Hackers often use traffic with these address ranges in an attempt to confuse hardware and/or software in a variety of ways. It is a good idea to force the firewall to block this traffic on a production firewall.
Note: Packets with addresses in address spaces that have not yet been assigned by the Internet Assigned Names and Numbers Authority (IANA), and that are not described in RFC1918, are referred to as bogons, or packets with bogus addresses. By setting this configuration option to "Don't block," you are allowing traffic with those addresses. The IANA had assigned all of the IPv4 address blocks as of mid-2011, eliminating the possibility of unassigned address blocks, even though there is no assurance that addresses in those blocks are valid.
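The two notes above describe the WAN-side "block private networks" and "block bogons" options as address-class checks that run before the rule list. The following Python example, added here and not part of the lab or of pfSense itself, classifies an IPv4 source address as RFC1918, bogon, or public and shows the decision each option produces. The bogon table is a hand-picked subset of the IANA special-use blocks (RFC 6890), not the downloadable list pfSense actually uses, and the lab host addresses in lab_check are constructed for illustration.

```python
"""Classify an IPv4 source address the way the WAN-side "Block RFC1918
Private Networks" and "Block bogon networks" options treat it.
Added example; not pfSense's own code or bogon list."""
from ipaddress import ip_address, ip_network

# RFC1918 private ranges, which are re-used by every private network.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Special-use blocks that should never appear as a source address on the
# public Internet (a subset of the IANA special-purpose registry, RFC 6890).
# Assumption: this fixed table stands in for pfSense's periodically updated list.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes the limited broadcast address
)]


def classify(addr):
    """Return "rfc1918", "bogon" or "public" for an IPv4 address string."""
    a = ip_address(addr)
    if any(a in n for n in RFC1918):
        return "rfc1918"
    if any(a in n for n in BOGONS):
        return "bogon"
    return "public"


def wan_ingress_decision(src, block_private=True, block_bogons=True):
    """Return "block" when the option covering this address class is on,
    otherwise "evaluate", meaning the packet goes on to the rule list."""
    kind = classify(src)
    if kind == "rfc1918" and block_private:
        return "block"
    if kind == "bogon" and block_bogons:
        return "block"
    return "evaluate"


def lab_check(lab_hosts, block_private=True):
    """Illustrate the lab caveat: with the private-network block enabled,
    packets from the lab's own RFC1918 addresses never reach the rule list."""
    return {h: wan_ingress_decision(h, block_private=block_private) for h in lab_hosts}


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the lab topology.
    for host in ("172.30.0.5", "203.0.113.9", "198.51.100.20"):
        print(host, classify(host), wan_ingress_decision(host))
    print(lab_check(["172.30.0.5", "192.168.1.1"], block_private=False))
```

Running lab_check with block_private=True returns "block" for every lab host, which is exactly why the lab leaves the RFC1918 option off while a production Internet-facing firewall turns it on.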
This information comes from the network administrator. Note that the password has the following characteristics: an uppercase character, at least one special character (the ampersand, which is the symbol &), and numbers (in this case, 9999). Passwords are admittedly poor tools to secure our assets, but are still used extensively on the Internet and by security tools.
Note: Up to this point, you have planned for the administrative configuration of the local firewall using the pfSense Firewall Planner spreadsheet. Now, you will complete the Firewall Rules worksheet.
The first consideration you will encounter is the order of your definition lists. You can compare the process of defining firewall rules to the process of defining most Access Control Lists (ACLs). In both cases, the simplest approach is best. These are not sophisticated programs with conditional branching logic, but rather simple lists of rules that are evaluated in order, and when two rules conflict, the first rule in the list that applies is used. For example, if line 3 of the definition says "don't allow X for a certain condition," but in line 22 you decide to "allow X for a certain condition," the first rule that matches "a certain condition" is in line 3, so that is the rule that will always be followed.
The second consideration is whether the firewall is, by default, permissive or restrictive, that is to say, whether everything is allowed by default (permissive) or not allowed by default (restrictive). In the first case (permissive), very few support calls are generated, and users are usually happier because everything they wish to do is allowed by default; rules exist only for known security problems, which rarely interfere with what a user wants to do. However, this approach also leaves the door open to a wide variety of security risks. The restrictive approach says that, by default, everything is restricted unless it is specifically allowed. From a security standpoint, this is the preferred approach, though it requires more thoughtful configuration of the rules. The second approach, restrictive, is the one applied by the pfSense firewall: every type of packet that is not explicitly passed is blocked by default. In other words, every packet that comes into the computer is evaluated against the firewall rules and is blocked by the firewall if it is not explicitly allowed (passed).
In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a local firewall for this virtual computer. You will allow specific actions and block everything else. You will begin by deciding which actions to allow. You must recognize that any actions you allow may have security implications in and of themselves, but to be useful you have to allow the computer to do some actions and have some interactions with the network.
Figure 5 Firewall Rules worksheet
Column | Column Title | Description
A | Action | Action indicates the action you wish the pfSense firewall to take when it encounters a certain type of network traffic. The choices are pass, block, or reject. The difference between block and reject is important. In the case of block, the questionable incoming packet is blocked and discarded (or logged, based upon the setting for that option). There is no indication to the sender that the packet has not reached the intended destination. If reject is chosen, then a packet is returned to the sender indicating that the packet or packets they sent were not accepted. There are numerous cases of rejected packets being used by malicious software and malicious individuals to verify that a computer exists at a designated IP address, and then to attempt additional infiltration. It is, therefore, recommended that traffic be rejected only in very specific cases.
B | Disabled | Disabled allows a rule to be disabled but not deleted. This can be used for testing purposes or to temporarily allow a certain action.
C | Interface | Interface allows a firewall rule to be applied only to a specific interface (WAN or LAN) or type of tunnel on the interface (PPPoE, PPTP, or IPSec).
D | Protocol | Protocol allows rules to be applied only to certain types of packets, which use a specific protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
E-H | Source IP Address | Source IP Address allows inverting the address comparison (if NOT is marked) and the specification of the IPv4 address and CIDR (/n) indicator.
I-J | Source Port Range | Source Port Range allows the rule to be applied only to specific source port ranges or to any source port range. Because the source computer uses the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can use any available ephemeral port, this option is usually left blank or "Any."
K | Source O/S | Source O/S enables traffic to be allowed by a certain rule only from specific operating systems and only for Transmission Control Protocol (TCP) traffic.
L-O | Destination IP Address | Destination IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.
P-Q | Destination Port Range | Destination Port Range allows the rule to be applied only to specific destination port ranges or to any destination port range.
R | Log | Log indicates whether the packets handled by this specific rule should be logged.
S | Description | Description allows a brief alphanumeric description of each rule to be entered.
You will create a rule to allow browsing of the Internet according to the following definition: Pass (Column A) all traffic on the LAN interface (Column C) using the TCP protocol (Column D) from any type of address with any value and any subnet mask (Columns E-H) for the standard port range for Hypertext Transfer Protocol (HTTP) (Columns I-J) for any Destination IP Address (Columns L-O) for the HTTP port range (Columns P-Q), and there is no need to log the traffic (Column R).
Firewall Rule | Protocol | Destination Port Range
Allow SMTP | TCP | Any-Any
Allow FTP | TCP | Any-Any
Allow DNS | TCP | Any-Any
Allow ICMP | ICMP | Any-Any
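The planning text above makes three points that are easy to state but easy to get wrong in practice: rules are evaluated top to bottom and the first match wins, anything that matches nothing is blocked by default, and block silently discards while reject answers the sender. The Python example below, added here and not part of the lab or of pfSense, models a rule row with the worksheet's columns and evaluates constructed packets against the planned rule set. The standard destination ports (80, 25, 21, 53) are assumptions made so that the rules do something distinguishable; the worksheet itself lists the port range for the last four rules as Any-Any. The ordering_demo function reproduces the line 3 versus line 22 situation from the text, and default_lan_any shows what the "Default LAN -> Any" rule that Part 2 deletes would do to the same packets.

```python
"""First-match firewall rule evaluation with a default-deny policy.
Added example; not pfSense's own code. Rule fields mirror the Firewall
Rules worksheet columns (action, disabled, interface, protocol, source,
source ports, destination, destination ports, log, description)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Ports = Optional[Tuple[int, int]]   # None stands for the worksheet's "Any"


@dataclass
class Rule:
    action: str                 # "pass", "block" or "reject" (Column A)
    interface: str              # "LAN" or "WAN" (Column C)
    protocol: str               # "TCP", "UDP", "ICMP" or "any" (Column D)
    description: str            # Column S
    src: str = "0.0.0.0/0"      # Columns E-H
    dst: str = "0.0.0.0/0"      # Columns L-O
    src_ports: Ports = None     # Columns I-J
    dst_ports: Ports = None     # Columns P-Q
    src_not: bool = False       # the NOT flag in Columns E-H
    dst_not: bool = False       # the NOT flag in Columns L-O
    log: bool = False           # Column R
    disabled: bool = False      # Column B


@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _port_ok(rng: Ports, port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def _addr_ok(net: str, addr: str, invert: bool) -> bool:
    hit = ip_address(addr) in ip_network(net, strict=False)
    return not hit if invert else hit


def matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule never matches; every other column must agree."""
    if rule.disabled or rule.interface != pkt.interface:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    return (_addr_ok(rule.src, pkt.src, rule.src_not)
            and _addr_ok(rule.dst, pkt.dst, rule.dst_not)
            and _port_ok(rule.src_ports, pkt.src_port)
            and _port_ok(rule.dst_ports, pkt.dst_port))


def evaluate(rules, pkt: Packet):
    """Return (action, description, logged) of the first matching rule.
    With no match the implicit default-deny applies: silently block and log,
    which is what a restrictive firewall such as pfSense does."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description, rule.log
    return "block", "Default deny", True


# The planned LAN (outbound) rule set. Assumed ports: the worksheet lists Any-Any.
# Note that DNS lookups are mostly UDP 53; a production set would pass that too.
LAB_RULES = [
    Rule("pass", "LAN", "TCP", "Allow HTTP", dst_ports=(80, 80)),
    Rule("pass", "LAN", "TCP", "Allow SMTP", dst_ports=(25, 25)),
    Rule("pass", "LAN", "TCP", "Allow FTP", dst_ports=(21, 21)),
    Rule("pass", "LAN", "TCP", "Allow DNS", dst_ports=(53, 53)),
    Rule("pass", "LAN", "ICMP", "Allow ICMP"),
]

# The permissive rule pfSense installs by default and Part 2 deletes.
DEFAULT_LAN_ANY = Rule("pass", "LAN", "any", "Default LAN -> Any")


def ordering_demo():
    """Line 3 says block, line 22 says pass: the earlier rule always wins.
    Returns the action for each ordering of the same two rules."""
    web = Packet("LAN", "TCP", "192.168.1.10", "198.51.100.7", 51234, 80)  # constructed
    block_first = [Rule("block", "LAN", "TCP", "No web", dst_ports=(80, 80)),
                   Rule("pass", "LAN", "TCP", "Allow HTTP", dst_ports=(80, 80))]
    return evaluate(block_first, web)[0], evaluate(block_first[::-1], web)[0]


def default_lan_any(pkt: Packet):
    """Actions for the same packet with and without the default permit rule."""
    return evaluate([DEFAULT_LAN_ANY] + LAB_RULES, pkt)[0], evaluate(LAB_RULES, pkt)[0]


if __name__ == "__main__":
    ssh = Packet("LAN", "TCP", "192.168.1.10", "198.51.100.7", 51235, 22)  # constructed
    print(evaluate(LAB_RULES, ssh))          # ('block', 'Default deny', True)
    print(ordering_demo())                   # ('block', 'pass')
    print(default_lan_any(ssh))              # ('pass', 'block')
```

A rule whose action is "reject" is evaluated exactly like "block" here; the only difference is what the sender sees afterwards, which is why the worksheet advises using reject only in very specific cases.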
Part 2: Configuring the Firewall
Figure 7 pfSense firewall Login
Figure 8 pfSense firewall System Overview
Figure 9 pfSense Setup Wizard initial configuration screen
Figure 10 pfSense configuration settings
Figure 11 pfSense Firewall Setup Wizard Reload prompt
While reloading, the pfSense firewall will display a progress meter. When the process is completed, the pfSense firewall System Overview screen will be displayed.
Notice that there is already a rule on the LAN tab: "Default LAN -> Any." This rule allows any traffic that originates on, or passes through, the Local Area Network (LAN) to which the computer is attached. It is common for organizations to allow unrestricted outbound access, and the pfSense firewall adds this unrestricted rule by default. However, from a security standpoint, you should allow only the type of access you want your users to have (and block everything else). This is what LAN (outbound) rules are for: limiting access from a trusted network to an untrusted network.
Figure 12 Delete the default permit rule.
Figure 13 Confirm
Figure 14 Apply Changes
Figure 15 Add new rule button
You will notice that there are additional fields in this screen (Advanced Options, State Type, No XMLRPC Sync, and Schedule and Gateway). Do not make any changes to those fields for the purposes of this lab.
Figure 16 New Firewall Rules: Edit screen
Figure 17 Completed pfSense Rules table
Figure 18 Apply changes button
After the settings have been applied, the red message bar will change to indicate that fact.
Figure 19 Confirmation message