How to Build a Robust Defense in Depth with Snort and pfSense

What is Defense in Depth

Defense in Depth is a cybersecurity strategy that employs multiple layers of security controls throughout an organization’s IT environment to protect against potential threats. This approach ensures that if one layer of defense is breached, additional layers continue to provide protection, reducing the overall risk of a successful attack. The strategy includes various security measures such as firewalls, intrusion detection systems, antivirus software, encryption, and user training. Defense in Depth is designed to provide a comprehensive security posture by integrating different protective mechanisms at the network, host, application, and data levels. By overlapping and complementing each other, these layers create a more resilient defense against sophisticated cyber threats.

Why Snort and pfSense

Using Snort and pfSense as part of a Defense in Depth strategy helps an organisation by providing both network-level protection and real-time intrusion detection and prevention. pfSense acts as a firewall, filtering and controlling network traffic to prevent unauthorized access, while Snort monitors the network for suspicious activities, detecting and alerting against potential intrusions or attacks. Together, they form two critical layers of defense: the firewall serves as the first barrier to block unwanted traffic, and the intrusion detection system identifies and responds to malicious activity that may bypass the firewall, enhancing overall security and minimizing vulnerabilities within the organization’s network infrastructure.

What is a Firewall

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet, to protect computers and networks from unauthorized access, data breaches, and various cyber threats. Firewalls can be implemented in both hardware and software, or a combination of both, and are a crucial component of a comprehensive security strategy.

Functions of a Firewall

Firewalls play an important role in network security by performing a range of operations that prevent unauthorized access, data breaches, and other cyber threats. Below are the primary functions of a firewall:

  1. Secure Remote Access: Firewalls frequently include VPN capabilities, which enable secure, encrypted connections between remote users and the internal network. This ensures that data sent over the internet stays private and protected from interception.
  2. Logging and Reporting:
  • Activity Logging: Firewalls keep detailed records of the traffic that passes through them, including accepted and rejected connections. These logs are essential for tracking network activity, diagnosing problems, and investigating security incidents.
  • Alerts: Firewalls can generate alerts for suspicious activity or when particular criteria are met, allowing a timely reaction to possible threats.
  3. Threat Detection: Some firewalls include Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), e.g. Snort, which identify and respond to possible security threats in real time. They examine traffic patterns and signatures to detect and prevent harmful activity before it causes damage.
  4. Content Filtering: Firewalls can be configured to prevent access to specific websites, content types, or online services that are regarded as dangerous or irrelevant to the organization’s goals. This is especially effective for limiting access to phishing websites, malware distribution networks, and other potentially hazardous internet resources.

Types of Firewalls

There are several types of firewalls, including:

  1. Packet-filtering firewalls: Analyze packets at the network layer and make decisions based on source and destination addresses, ports, and protocols.
  2. Stateful inspection firewalls: Track the state of active connections and make decisions based on the traffic context and the configured rules.
  3. Proxy firewalls (application-level gateways): Act as intermediaries between users and the resources they use, inspecting data at the application layer for security flaws.
  4. Next-generation firewalls (NGFW): Combine standard firewall capabilities with more advanced features such as application awareness, integrated IDPS, and deep packet inspection.

Importance of Firewalls

Firewalls are critical components of network security, acting as the first line of defense against cyber attacks. They are essential for data security, preventing unauthorized access, and maintaining secure communication.

  1. Blocks Malicious Traffic and Controls Access: Firewalls monitor and restrict incoming and outgoing network traffic, blocking potentially hazardous content like viruses, worms, and unauthorized access attempts. They help prevent external attackers from exploiting network vulnerabilities and ensure that only authorized users can access specific network areas.
  2. Segmentation and Traffic Management: Firewalls can partition networks into smaller, isolated segments and regulate traffic flow between different network zones. This reduces the risk of internal threats and limits potential breaches to specific parts of the network, enhancing overall security.
  3. Defense in Depth and Compliance: When combined with other security measures like intrusion detection systems (IDS), antivirus software, and encryption, firewalls provide a comprehensive Defense in Depth strategy against a wide range of threats. They also help organizations comply with regulatory requirements, such as HIPAA and PCI DSS, by securing sensitive information.
  4. Content Filtering and Policy Enforcement: Firewalls can be configured to block access to inappropriate or dangerous websites, reducing exposure to phishing, malware, and other online threats. They also enable organizations to define and enforce security policies tailored to their specific needs, such as restricting access to certain websites or blocking specific applications.

How to Install and Configure pfSense: Step-by-Step Guide

pfSense is a firewall/router software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to create a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface and requires no knowledge of the underlying FreeBSD system to manage.

pfSense software is a stateful firewall, which means it remembers information about connections flowing through the firewall so that it can automatically allow reply traffic. This data is retained in the State Table.

By default, the firewall has two interfaces: the WAN and the LAN. The LAN connects to the local network of endpoints and is the default role for new interfaces. The WAN connects to the public internet.

Tools used:

  1. pfSense: Download the pfSense ISO image from https://www.pfsense.org/download/
  2. Windows 10 VM

Set up pfSense and the Windows VM

Step 1: Set up your network and add an extra network adapter. The NAT network adapter will be used for our WAN interface; the second network adapter will serve as the LAN.

Choose a custom (vmnet1) host-only network for NIC 2.

After creating your virtual machine, power it on and follow the prompts to install pfSense.

You should have a screen like this:

Step 2: Ensure the LAN is on a private network (host-only adapter) and the WAN is on either a bridged or a NAT interface.

When we started the pfSense VM, the WAN interface wasn’t receiving an IP address, so we had to switch from automatic bridging to bridging from the host computer’s adapter.

Step 3: Confirm that pfSense can reach the network by pinging the Google DNS service, 8.8.8.8.

Step 4: Verify that the Windows VM receives an IP address from pfSense.

Before powering on the VM, make sure it is connected to the host-only adapter.

Power on the VM and run ipconfig at the command prompt, confirming that the IP address is in the same subnet as pfSense.

Step 5: Access pfSense from the VM using the LAN IP address. Also confirm that the VM can connect to the internet.

Default login: admin/pfsense

Our VM can reach the internet.

How to Configure pfSense Firewall Rules

Firewalls read rules from top to bottom and the first matching rule wins, so we have to order our rules carefully. There is a default rule on the WAN that blocks all IPs from bogon networks.

A bogon is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR).

Rules

  1. Allow access to the WAN GUI from outside the VM
    1. First, go to Interfaces, disable the Block private networks and loopback addresses option, and click Save.
    2. Then click the Add Firewall Rule option under the Rules tab and enter the following firewall rule settings:

Action: Pass

Interface: WAN

Address Family: IPv4

Protocol: TCP

    3. Set the Source as Any. Then set the Destination settings as shown below:

Destination: WAN Address

Destination port range: HTTP (or the custom port)

Now click Save and Apply Changes to add the firewall rule.

Disabling the packet filter

First, open the shell.

Then enter the following command and press Enter:

pfctl -d

This command disables the packet filter entirely, so the web interface becomes reachable from any interface. While the filter is disabled, none of the firewall rules are enforced on any interface, so re-enable it with pfctl -e as soon as the test is done.

Try to access the WAN web GUI from outside the network.

  2. Block IP addresses associated with Phobos ransomware from accessing the WAN

“The Nigeria Computer Emergency Response Team (ngCERT) detected increased ransomware attacks by the Phobos ransomware group, specifically targeting critical cloud service providers in Nigeria.

Since 2019, Phobos ransomware has targeted critical infrastructure sectors, with attacks resulting in the successful encryption of data and ransom demands totaling millions of dollars. Phobos operates as a ransomware-as-a-service (RaaS) model, facilitating various extortion campaigns that cause significant financial harm to victims.”

Some IP addresses used by Phobos, according to the FBI, are:

194.165.16[.]4 45.9.74[.]14 147.78.47[.]224 185.202.0[.]111

    1. Create an alias for the Phobos ransomware group containing all of these IPs:

Firewall > Aliases > Add

Save and Apply Changes.

    2. Create a firewall rule that blocks the created alias from accessing the WAN:

Firewall > Rules > WAN > Add (up arrow)

Note: We are adding this rule above the rule created earlier, so it is applied first, before the others.

Use the parameters below:

Action: Block

Interface: WAN

Address Family: IPv4

Protocol: TCP

Source: Address or Alias; start typing the name of the alias in the field next to it and it will pop up.

Destination: WAN Address; Destination port range: HTTP.

Add a description and check the Log box so that every packet handled by this rule is logged.

Save and Apply Changes.
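To make the ordering point concrete, here is an added Python model (not part of the original post, and not pfSense code) of how the two WAN rules above are evaluated: rules are read top to bottom and the first match wins, so the Phobos block rule only works if it sits above the pass rule. The WAN address and the unlisted source IP are constructed values; the alias IPs are the ones listed above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Alias as created under Firewall > Aliases, using the Phobos IPs listed above
# (defanging brackets removed so they read as plain addresses).
ALIASES = {
    "Phobos_Ransomware": {"194.165.16.4", "45.9.74.14", "147.78.47.224", "185.202.0.111"},
}
WAN_ADDRESS = "203.0.113.10"  # constructed WAN address (TEST-NET-3); an assumption


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    interface: str          # "WAN"
    protocol: str           # "TCP"
    source: str             # "any" or an alias name
    destination: str        # "WAN address" or "any"
    dest_port: Optional[int]
    description: str
    log: bool = False       # the "Log packets" checkbox on the rule


def matches(rule: Rule, iface: str, proto: str, src: str, dst: str, port: int) -> bool:
    """True if the packet satisfies every field of the rule."""
    if rule.interface != iface or rule.protocol != proto:
        return False
    if rule.source != "any" and src not in ALIASES[rule.source]:
        return False
    if rule.destination == "WAN address" and dst != WAN_ADDRESS:
        return False
    return rule.dest_port is None or rule.dest_port == port


def evaluate(rules: List[Rule], iface: str, proto: str, src: str, dst: str, port: int) -> Tuple[str, str, bool]:
    """pfSense semantics: rules are read top to bottom and the first match wins;
    WAN traffic that matches no rule is dropped by the implicit default deny."""
    for rule in rules:
        if matches(rule, iface, proto, src, dst, port):
            return rule.action, rule.description, rule.log
    return "block", "default deny", False


# The two rules from the walkthrough above.
BLOCK_PHOBOS = Rule("block", "WAN", "TCP", "Phobos_Ransomware", "WAN address", 80,
                    "Block Phobos ransomware IPs", log=True)
ALLOW_WAN_GUI = Rule("pass", "WAN", "TCP", "any", "WAN address", 80, "Allow WAN GUI")

# Order from the page (block rule moved above the pass rule with the up arrow)
# versus the order you get if the block rule is simply appended at the bottom.
CORRECT_ORDER = [BLOCK_PHOBOS, ALLOW_WAN_GUI]
WRONG_ORDER = [ALLOW_WAN_GUI, BLOCK_PHOBOS]
```

With WRONG_ORDER the pass rule matches the Phobos source first and the block rule is never reached, which is the mistake the up arrow in the walkthrough avoids.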

How to Enforce Organization Policies by Blocking Websites using DNS Override

Organizations often implement policies to restrict access to certain websites for their employees. To enforce these policies, administrators can configure their network settings accordingly. In this lab, we will demonstrate how to block access to facebook.com by configuring the DNS resolver.

Using a domain override, you can instruct the DNS resolver to map a specific domain, such as facebook.com, to an incorrect IP address. As a result, when employees attempt to access facebook.com, the DNS will direct them to an invalid IP address, rendering the site inaccessible. This method effectively blocks access to the specified domain without needing to configure individual devices.

Step 1: Navigate to Services > DNS Resolver > General Settings in your pfSense software.

Step 2: Scroll down to the DNS Overrides pane.

Step 3: Click the +Add button to add a new DNS override.

Step 4: Type the domain name that you want to block, such as facebook.com, into the Domain field.

Step 5: Type the loopback address, 127.0.0.1, into the IP Address field.

Step 6: Fill in the Description field, e.g. Blocking Facebook.

Step 7: Try to access the website now.

How to Integrate Snort IDS/IPS in pfSense

Snort is a free, open-source network intrusion detection and prevention system that is capable of detecting and blocking incidents.

  1. Open the pfSense System menu and select the Package Manager option.

On the Package Manager screen, open the Available Packages tab.

  2. On the Available Packages tab, search for snort and install the Snort package.

Wait for the Snort installation to finish.

  3. Open the pfSense Services menu and select the Snort option.
  4. On the Global Settings tab, locate the Snort Subscriber Rules section and perform the following configuration:

Enable Snort VRT – Yes

Snort Oinkmaster Code – Enter your Oinkcode

If you don’t have an Oinkcode, go to the Snort website, create an account and get a free Oinkcode.

  5. Locate the Rules Update Settings area and perform the following configuration:

• Update Interval – Select the desired update interval (best practice is every 12 hours)
• Update Start Time – Set the desired time to update the Snort rules

  6. On the Updates tab, click the Update Rules button to download the Snort rules.
  7. Click the Snort Interfaces tab and then the + icon to add a new Snort interface.

A new Interface Settings tab will open with the next available interface automatically selected. The interface selection can be changed using the Interface drop-down if desired. A descriptive name can also be provided for the interface. Other interface parameters can also be set on this page. Be sure to click the SAVE button at the bottom of the page when finished.

Locate the Alert Settings area and perform the following configuration:

• Send Alerts to System Log – Yes
• Block Offenders – Enable if you want to block offenders
• Kill States – Yes
• Which IP to Block – BOTH

With BOTH, a false-positive alert blocks the internal host as well as the remote one, so review the blocked hosts list after enabling it.

Save your interface.

  8. Select which types of rules will protect the network.

Click the Categories tab for the new interface.

The three Snort VRT IPS policies are: (1) Connectivity, (2) Balanced and (3) Security, listed in order of increasing security.

  9. Click Use IPS Policy and select Connectivity.

Be sure to click SAVE when finished to save the selection and build the rules file for Snort to use.

  10. Start Snort on the interface.

Click the Snort Interfaces tab to display the configured Snort interfaces. Click the fa-times-circle icon (highlighted with a red box in the image below) to start Snort on the interface.

Conclusion

In this blog, we successfully configured pfSense and integrated Snort to enhance organizational security, demonstrating how these tools can be leveraged to enforce security policies effectively. The importance of implementing a Defense in Depth strategy cannot be overstated. By layering multiple security measures, such as firewalls and intrusion detection systems, organizations can protect their networks against a wide range of threats, reducing the risk of successful cyberattacks. This comprehensive approach ensures that even if one layer is compromised, other defenses remain in place to protect critical assets. As cyber threats continue to evolve, maintaining a robust Defense in Depth strategy is essential for safeguarding organizational data and infrastructure.
