What is your response to someone telling you "pfSense is not a NG firewall and you should be using one"?

The good thing is: those security issues on OLD firmware versions have all been patched - thanks to Fortinet for still doing that for their customers, and with assisted support. If you run (as you should) updated FortiOS, you will fare better and are not subject to these.
Again, pfSense is good, but there are other firewalls that do better - but for a price.

I thought TLS1.x (3 or 4) made detection of man in the middle a priority so that the browser would warn you if there was another certificate in the middle. I don’t remember the specific version, and only read about it in passing so I may have things wrong with this (and would appreciate the schooling right or wrong).

Absolutely agree. The communications world has become a minefield, and if companies like NASA, LG, the US Government and many, many large names can be infiltrated, having something that is updated rapidly is paramount to survival. I'm not knocking the major names aside from their licensing practices, which are exorbitantly too expensive for small enterprises - and all need regular updates and someone policing them. pfSense is a great set of tools to help protect the smaller masses for a reasonable price point (supported) or for free.

That’s really done via certificate pinning, where the certificate signature is distributed via DNS alongside the IP, which itself is protected from MitM by DNSSEC. It’s not related to TLS version per se, although there might be improvements to it.

Doesn't Cisco use Snort as its IDS/IPS? They bought it a few years ago, and you can license the good updated rules if you want to run them on pfSense with the Snort package. You can use the rules on Suricata too.

So what happens now with DNS over TLS/HTTPS? That seems to be implemented by all the major web browsers now, except maybe Safari. Firewalls won’t be able to see DNS requests anymore, right? At least not from those browsers if that setting is enabled.

DoT/DoH encrypt DNS queries. However, endpoints are still a toss-up (name server, TLD, etc.).

What can firewalls and IPS see exactly, in a pervasive encryption situation? IP addresses must still be exposed, right, in order to route traffic? What else is not encrypted when you have HTTP/2 with TLS, which I assume is on top of TCP and say IPv6, on top of Ethernet? What’s exposed in that scenario, beyond an IP address?

I would suspect, like anything else that's encrypted, all the firewall can see is data, but not what the data is. Certainly the gateway firewall will be able to see what nodes (or hops) are sending and receiving data, but not necessarily what the data is. I.e. you are accessing 8.8.8.8, which is Google DNS, but not whether you are using it for DNS or why. With IPv6 it gets worse, because every user will be able to have a static IP assigned to them like a social security number if they decide to go that route.
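Added example, not from the poster above and not pfSense or Snort code: what a firewall on the path can actually read from the first packet of a TLS session, before any encryption starts. The ClientHello is sent in the clear, so the server name (SNI) and the offered ALPN list (`h2` is how HTTP/2 is negotiated) are visible on the wire, while the HTTP request that follows is not. The `build_client_hello` helper only constructs test input (zeroed random, one cipher suite); the parser follows the record, handshake and extension layout from RFC 5246, RFC 6066 and RFC 7301. Everything here is constructed for the example.

```python
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(sni, alpn):
    """Construct a minimal TLS ClientHello record (test input for the parser).

    Not a real client: random is zeroed and only one cipher suite is offered.
    sni=None omits the server_name extension, as a client connecting to a
    bare IP address would."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name            # NameType host_name + name
        snl = _u16(len(entry)) + entry                     # ServerNameList
        exts += _u16(0) + _u16(len(snl)) + snl             # extension type 0: server_name
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        plist = _u16(len(protos)) + protos
        exts += _u16(16) + _u16(len(plist)) + plist        # extension type 16: ALPN
    body = (b"\x03\x03" + bytes(32)                        # legacy_version TLS 1.2, random
            + b"\x00"                                      # empty session id
            + _u16(2) + b"\x13\x01"                        # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                  # compression: null only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + _u24(len(body)) + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(data):
    """Return the cleartext fields of a ClientHello, or None if `data` is not one.

    Only what a passive observer can read is returned: legacy version, offered
    cipher suites, SNI and ALPN. Nothing after the handshake is inspected."""
    if len(data) < 9 or data[0] != 0x16:                   # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                       # not a client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None                                        # truncated or fragmented record
    try:
        pos = 0
        info = {"legacy_version": body[0:2].hex(), "cipher_suites": [], "sni": None, "alpn": []}
        pos += 2 + 32                                      # version + random
        pos += 1 + body[pos]                               # session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [body[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                               # compression methods
        if pos + 2 > len(body):
            return info                                    # old client, no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                                 # server_name (RFC 6066)
                q = 2                                      # skip ServerNameList length
                while q + 3 <= len(edata):
                    ntype = edata[q]
                    nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0 and info["sni"] is None:
                        info["sni"] = edata[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            elif etype == 16:                              # ALPN (RFC 7301)
                q = 2                                      # skip ProtocolNameList length
                while q < len(edata):
                    plen = edata[q]
                    info["alpn"].append(edata[q + 1:q + 1 + plen].decode("ascii", "replace"))
                    q += 1 + plen
    except (struct.error, IndexError):
        return None                                        # malformed hello
    return info


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", ["h2", "http/1.1"])
    print(parse_client_hello(hello))
```

The same applies to DoH: a browser's connection to a DoH resolver carries the resolver's host name in SNI, so the firewall can see that DoH is in use and where, just not which names are being looked up. The one thing that changes this picture is Encrypted Client Hello in TLS 1.3, which moves the real SNI into an encrypted extension; where it is deployed, a middlebox sees only the public outer name.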

In fact, I think there are so many addresses in IPv6, each DEVICE can have its own IP address.

It's hard to tell what is and isn't exposed, based on the number of variables: what protocols are being used, for what services, against what firewall hardware/software, and more.

I would always assume baseline “your (or your VPNs)” IP is being transmitted.

Honestly, I'm just a layman going off my understanding of what I have read over the years.

Of the choices the only “AAA” product I would recommend would be Palo Alto providing the client had very deep pockets.

Keep in mind that most businesses that budget for security are moving to zero trust networks. The days of relying on firewalls are long gone. I suggest if clients want to protect their infrastructure especially with cloud adoption and remote work they look at solutions like Zscaler. Spend less on the perimeter and shift their budget with end-point and authentication solutions.

I'm still struggling to grasp what the "Zero Trust" approach comes down to, beyond better auth like 2FA. It doesn't seem to do anything about the gaping flaws in how the software industry builds software, the lack of innovation and any progress in programming language design, tools, testing methodology, etc. As long as software and OSes are built in a way where a human programmer's typo or error can result in random strangers on the internet being able to execute their own code on your computer or server, well, we're just whistling Dixie. Some of the Google security team's reports are phenomenal, like the Norton enterprise endpoint garbage where you could just email the target a specially corrupted data file and the mere scan of that file by Norton tripped an overflow or something and allowed remote code execution. If that's how bad even endpoint security software is, then it's not really progress over firewalls.

We used to install pfSense quite a bit many years ago; I was playing with it when it was still in beta, as playing with various *nix firewalls was a hobby of mine back then. But for businesses, we prefer full UTM appliances. I've played with quite a few, and we got on board with Untangle back around 2006 or so (when it was version 5). We became a reseller back then, and the features that full UTMs have are features we want to be one of the layers of protection for business networks. I know pfSense has a few "add-ons" which make it almost sorta a very basic entry-level UTM…almost. But still, compared to a product that is designed to be a UTM first…pfSense can't hold a candle.

I'm going to be the voice of dissent here. The "NG" in the name doesn't really seem like it is "next" at all in my opinion (and please, please, please prove me wrong). The benefits you are supposed to be getting (single-point AV, spam, and phish blocking) are only effective for non-TLS communication, or if you are using a proxy with a site-wide trusted cert to MITM all communication (and don't use Chrome + Google in that configuration). We don't have a single customer still using on-prem Exchange, and even if they did, we wouldn't be accepting email over non-TLS SMTP, so all of those email protections are immediately useless. All of our clients take their laptops off-site, so that single-point AV (requiring a major deployment initiative) is essentially useless as well.
I don't have much experience with some of these vendors, but setting up firewall rules in SonicWall and Sophos is ridiculously difficult (define the service, define the host, define the end-point, create the rule), and makes port auditing almost impossible. I mean, where do I find the list of all of the ports that are open? Oh, I forgot to go to the next page and missed several in my audit? Oh, I went back and forgot to go back to the first page and missed some more? Oh, I need to figure out what ports are assigned to that service? Oh, I need to figure out what host that port is pointed to? And don't get me started on how huge a PITA it is to figure out what someone else did when they configured that firewall 2 years before you took over.
Finally, I’ll point out that pfSense makes it extremely easy to push all of my firewall logs to a centralized logging facility, so I can build a consistent set of reports for all of my clients (and do some fun comparison reports as well), making auditing and reporting across all of my client base easy-ish (not easy, I still have to build and manage the queries and dashboards, but once you’ve got that down…).
The basic point is that I’m not sure that I see any value in bells and whistles that don’t address the current state of the world. Those things would have been awesome in 2004. Today they don’t seem relevant.

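Added example, not from the poster above and not pfSense project code: a parser for the comma-separated `filterlog` lines pfSense sends to a remote syslog server, with two of the reports the post describes, the inbound ports that actually passed on the WAN interface (an answer to "where is the list of open ports?" drawn from what the firewall did rather than from the rule pages) and blocked connections by source. The sample log lines are constructed. The field order follows the Netgate filterlog documentation as I understand it (common fields, then IPv4 or IPv6 fields, then TCP or UDP fields); verify the column names against the docs for your own version before building dashboards on them.

```python
import collections
import csv
import re

# Field layout of a filterlog record, per Netgate's filterlog format docs (assumption:
# check against your pfSense version). Fields are comma-separated; empty fields occur.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length", "src", "dst"]
TCP = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "data_len"]

# Matches the syslog program tag, with or without a PID, and captures the CSV payload.
SYSLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")

# Constructed sample lines (not real traffic): an SSH probe blocked on WAN, two HTTPS
# passes and one OpenVPN pass on WAN, an IPv6 RDP probe blocked, and an outbound LAN pass.
SAMPLE = """\
Mar  9 15:25:14 fw1 filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar  9 15:25:15 fw1 filterlog[12345]: 120,,,1590000011,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.7,40000,443,0,S,2222222222,,65535,,mss;sackOK;TS;nop;wscale
Mar  9 15:25:16 fw1 filterlog[12345]: 120,,,1590000011,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.7,40001,443,0,S,3333333333,,65535,,mss;sackOK;TS;nop;wscale
Mar  9 15:25:17 fw1 filterlog[12345]: 121,,,1590000012,igb0,match,pass,in,4,0x0,,64,0,0,none,17,udp,76,203.0.113.11,198.51.100.7,50000,1194,56
Mar  9 15:25:18 fw1 filterlog[12345]: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,44444,3389,0,S,4444444444,,65535,,mss
Mar  9 15:25:19 fw1 filterlog[12345]: 200,,,1590000020,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.20,203.0.113.50,55555,443,0,S,5555555555,,65535,,mss
"""


def parse_filterlog_line(line):
    """Return a dict of named fields for one filterlog syslog line, or None for other lines."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader([m.group("csv")]))
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = {"4": IPV4, "6": IPV6}.get(rec["ipver"])
    if layout is None or len(rest) < len(layout):
        return None
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, rest))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, rest))
    # ICMP and other protocols keep only the IP-level fields here.
    return rec


def open_ports_seen(lines, wan_iface):
    """(proto, dport) -> count of inbound connections the firewall PASSED on wan_iface.

    This is the port list the post is asking for, derived from observed behaviour."""
    counts = collections.Counter()
    for line in lines:
        r = parse_filterlog_line(line)
        if (r and r["iface"] == wan_iface and r["action"] == "pass"
                and r["direction"] == "in" and "dport" in r):
            counts[(r["proto"], int(r["dport"]))] += 1
    return sorted(counts.items())


def blocked_by_source(lines):
    """(src, proto, dport) -> count of blocked connection attempts, for noisy-scanner reports."""
    counts = collections.Counter()
    for line in lines:
        r = parse_filterlog_line(line)
        if r and r["action"] == "block" and "dport" in r:
            counts[(r["src"], r["proto"], int(r["dport"]))] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("passed inbound on igb0:", open_ports_seen(lines, "igb0"))
    print("blocked by source:", dict(blocked_by_source(lines)))
```

Feeding the same parser every client's syslog stream is what makes cross-client reports cheap: the field names are identical regardless of which pfSense box produced the line, so one query definition serves the whole client base.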

Just for fits and giggles I decided to download and install the latest OPNsense. Damn, I think that's one crazy confusing product (IMHO), as after using pfSense for so long I can't get my head around OPNsense.

They say KISS for a reason…

Unless Sophos/Palo Alto/Fortinet give a non-piecemeal product where I don't have to bolt on what I want, pfSense is still my go-to…


I managed a few Sophos firewalls a few years ago and I have to agree, and will never recommend them. From an MSP point of view it was a nightmare, for starters with licensing, wrong registrations, etc., and their units were fragile and often DOA when we unpacked them to configure.