Secure my network from inside

Hello,
This is my first post. First of all, I would like to congratulate you on the excellent work, especially the videos. My native language is Greek / Hellenic, so sorry for my mistakes in English.

I have used pfSense for some years, I think since 2011 or 2012. I have used it as a firewall, proxy, OpenVPN server and for other functions.
Now I want to secure my network and prevent my users from sending files or information to external storage such as Dropbox, Google Drive, FTPs and any other kind of cloud storage.
Is it possible to do this with pfSense? Can I use it as a web application firewall?
If yes, what do you suggest?
If not, what WAF are you using? Which of them do you suggest? Are you using it before or after pfSense?

Also, has anyone installed https://modsecurity.org in pfSense?

Thank you

pfSense does not have any easy way to do this. Each endpoint on your network would need to have a certificate installed and a tool such as Squid set up to filter the connection. This will often cause issues with other web sites and will break TLS 1.3 as it implements perfect forward secrecy which blinds the proxy.

ModSecurity is a Web Application Firewall and I am unaware of any way to run it with pfSense. Also a WAF goes in front of a web server and is not designed to filter web traffic from users.

We are using this for our clients https://www.solarwindsmsp.com/products/remote-management/web-protection but there are other endpoint solutions available.

Yes, I always had problems with Squid and TLS interception and SSL inspection.
It is not convenient to install a certificate on every device, even on guests' mobiles.

I’ll check your link / suggestion.

Thank you Tom,
Good luck.

The easiest but most troublesome method is blocking the TLDs of the popular cloud providers. Sadly it is hard to know them all. Using pfBlocker you can accomplish this.

Other than using the providers you missed, there are some tricky ways around this that your more savvy users could use. If for example you allow external DNS lookups they could do that, or they could modify their hosts file with manual DNS entries.

The best way is controlling the endpoints on the network. Even an application firewall isn’t bulletproof; so far none of the places I’ve been (all using expensive solutions) has caught Nextcloud. With the exception of where I work now, their endpoints have software monitoring at the O/S level down to browser level - preventing any sort of file uploads to non-whitelisted sites.
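An added example, not code from the thread or from pfSense/pfBlockerNG, showing the suffix match a DNSBL-style domain blocklist applies to a queried name and an audit of the firewall's resolver log for LAN clients that asked for blocked cloud-storage names; the blocklist feed, the Unbound-style log lines and the client IPs are all constructed.

```python
# Added example (not pfSense/pfBlockerNG code): suffix-matched DNSBL-style
# blocklist matching plus an audit of which LAN clients queried blocked names.
import re
from collections import defaultdict

# Constructed feed in the one-domain-per-line style pfBlockerNG ingests.
BLOCKLIST_FEED = """
# cloud storage providers (constructed sample, not a real feed)
dropbox.com
dropboxapi.com
drive.google.com
"""

# Constructed resolver log in the style of Unbound's log-queries lines.
QUERY_LOG = """
info: 192.168.1.10 www.dropbox.com. A IN
info: 192.168.1.10 content.drive.google.com. AAAA IN
info: 192.168.1.20 mail.google.com. A IN
info: 192.168.1.30 DROPBOX.COM A IN
info: 192.168.1.30 notdropbox.com. A IN
"""
QUERY_RE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) IN")

def load_blocklist(feed):
    """Skip blanks and comments; normalise case and trailing dot."""
    return {line.strip().lower().rstrip(".") for line in feed.splitlines()
            if line.strip() and not line.strip().startswith("#")}

def is_blocked(qname, blocklist):
    """Suffix match on label boundaries: a listed zone covers every subdomain,
    while 'notdropbox.com' does not match 'dropbox.com'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def audit(log, blocklist):
    """Map each client IP to the blocked names it asked this resolver for.
    Queries sent to an external DNS server, or answered from a hosts file,
    never reach this log, which is why outbound DNS that bypasses the
    firewall's resolver should itself be blocked."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m["qname"], blocklist):
            hits[m["client"]].append(m["qname"].lower().rstrip("."))
    return dict(hits)

if __name__ == "__main__":
    for client, names in audit(QUERY_LOG, load_blocklist(BLOCKLIST_FEED)).items():
        print(f"{client}: {', '.join(names)}")
```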
