
Low cost firewall.

Using pfSense with SNORT for a firewall with intrusion prevention.

What we're going to cover


Why we chose pfSense over other options.
Other features offered and limitations.
What are pfSense & SNORT?
pfSense requirements.
Installation overview.
Using the GUI and console menu.
Important tweaks and gotchas.
Packet shaping.
Installing and using SNORT as an IDS or IPS.
False positives, backups and packet drops.
Questions?

More detail
This workshop is a quick overview of pfSense + SNORT.
A more in depth set of instructions is available on the Oxford ITSS wiki and I'll upload them to a public web site too.
Oxford ITSS wiki link: https://wiki.it.ox.ac.uk/itss/pfSense
Web site: http://users.ox.ac.uk/~clas0415/

Why we chose pfSense over other options.
What we wanted for a new firewall:
Ability to scale above 100Mb/s up to 2Gb/s to match TONE upgrade.
Ability to bridge rather than NAT as we host services.
Packet shaping & QoS to avoid congestion for critical traffic (eg: Chorus/ICP & web sites).
Reliable (as opposed to the one it replaced).
Not too expensive.

Commercial options.
We found several commercial brands of firewall in use within the university.
Recommended makes were:
Palo Alto
Fortinet's Fortigate (with special pricing negotiated via NSMS)
Dell's Sonicwall series
Watchguard's XTM series

Commercial firewalls
The good:
Ease of use (used Watchguard, saw Sonicwall & tried Fortinet).
Low maintenance.
Cost for 100Mb/s bandwidth capacity is affordable.
Works with little configuration, out of the box.
The downside:
Cost for 1Gb/s is much higher (around 10,000 over 5 years).
There can be vendor lock-in for 3-5 years on some contracts.
We found the two units from one manufacturer to be unreliable under long term use.

Open source pfSense firewall with SNORT
The good:
Low cost (use existing server hardware or approx. 1700 for a unit built for pfSense). Subscription cost for SNORT (0 for community rulesets or 260pa - 390pa for commercial subscriptions).
Use commodity hardware.
IDS/IPS as with commercial firewalls.
The downsides:
Requires more time to test & setup the IDS/IPS system initially.
Application monitoring and control not too easy to setup.
Not reported as working at 10Gb line speed yet.

Other features with pfSense

High availability/load balancing.
Packages to extend the system (SNORT, zabbix client, etc).
AD authentication, Captive portal, RADIUS auth support.
DNS service, DHCP service/relay, NTP service, SNMP, PPPoE, WoL.
Diagnostics: ARP tables, pretty graphs, logs with remote logging, packet capture, firewall states, SMART status, sockets and packet limiter info, RRD graphs.
IPv6 support.

Hang on, what are SNORT and pfSense?
pfSense is an extendable open source stateful firewall with a web GUI and application package system.
SNORT is an open source intrusion prevention/detection system (which happens to be available as a package for pfSense).
SNORT analyses network traffic in various ways to detect bad traffic.
SNORT rules define exactly what bad traffic is (eg: SQL injection attempts).
Subscriptions to SNORT rules are offered by the SNORT community and commercially by SNORT/Talos and

pfSense requirements.
Running as a stateful firewall, pfSense alone requires only a modest system:
PCIe bus, to ensure enough bandwidth for the NICs.
Enough NICs, preferably well supported NICs such as Intel Pro.
Preferably a 64bit processor.
With the SNORT IDS/IPS package, 4Gb of RAM is recommended as well as a good multicore processor.

Firewall networking view (diagram; only its labels survive extraction)
Physical NICs: em0, em1, em2, igb0, igb1, igb2.
NIC aggregation: LAGG0, LAGG1.
Virtual interfaces: WAN, OPT1, LAN.
Other labels: Admin, pfSense Web GUI, BRIDGE (WAN and OPT1 are bridged), LAN traffic, WAN traffic, network linking.

Diggory Gray (ITSS), Faculty of Classics, Oxford University.

Firewall installation steps

Console install & setup:
Install from CD.
Assign LAN IP.
Turn off DHCP.

Web GUI configuration:
Change your password and setup HTTPS.
Assign NICs for LACP groups.
Setup DNS, NTP & turn off NAT.
Assign WAN and OPT interfaces.
Setup firewall rules.
Tune your system for network cards.
Add niceties such as remote syslogging and traffic shaper.

SNORT package configuration:
Install SNORT package.
Setup an Interface to use with SNORT.
Subscribe to SNORT rules sources.
Setup SNORT categories.
Check SNORT rules for each category and monitor for SNORT alerts.
Create white list and suppression list.
When SNORT is ready, test in non-blocking

Using the GUI and console menu.

Setting up aliases (screenshot): controls to add a new alias, edit an alias and delete an alias.

Firewall rules (screenshot): the "move selected rules before this rule" control.

Important tweaks and gotchas.
Remember to tweak your network cards and check it worked (eg reported mbufs size on dashboard).
Don't be too quick to turn on SNORT & with multiple rulesets try the non-blocking mode first.
When applying a large change to the firewall (eg. packet shaper configuration) you may need to reset the firewall state table (this will briefly disrupt traffic).
Remove any IP addresses assigned on the bridged WAN and OPT interfaces.
You may need to turn off packet scrubbing and dropping of "do not fragment" packets if you want to let through NFS traffic.

Using the packet shaper.

It's important to note that the traffic shaper has a bandwidth overhead on your main connection of around 10% - 18%.
The traffic shaper links in with firewall PASS rules to identify packet priority.
Several types of packet shaper algorithms are available:
HFSC: most complex & may be discontinued.
CBQ: like PRIQ but with a hierarchical structure and bandwidth limits for queues.
FAIRQ: based on CODELQ, but attempts fair allocation for each queue.
CODELQ: used to avoid TCP buffer bloat problems through controlled delay.
PRIQ: different queues, each with a different priority & bandwidth.

Choosing your algorithm.

If you want to prioritise some traffic (such as VoIP) at the expense of other types, then you will want HFSC, CBQ or PRIQ.
PRIQ is the easiest to setup, but can allow lower priority traffic to be starved of bandwidth completely.
CBQ allows a hierarchical set of traffic queues to be created.

Example of CBQ setup on our firewall (screenshot).

Firewall rules and traffic limiters (screenshot).
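The shaper slides describe CBQ as a hierarchy of queues with bandwidth limits, into which firewall PASS rules place traffic. The fragment below is an added example written in pf's own ALTQ syntax (the rule language pfSense generates behind its GUI); it is not the author's firewall configuration nor output from pfSense. It assumes a 100Mb uplink on em0, and the queue names, percentages and priorities are invented to show the two things the slides care about: a high-priority VoIP queue, and CBQ's borrow option, which lets a queue use spare bandwidth without starving the others the way PRIQ can.

```pf
# Added example, not from the slides or from pfSense. Interface, link speed,
# queue names and percentages are assumptions. CBQ priority runs 0-7.
altq on em0 cbq bandwidth 100Mb queue { qDefault, qVoIP, qWeb, qBulk }
  queue qDefault bandwidth 40% cbq(default borrow)    # catch-all, must exist
  queue qVoIP    bandwidth 20% priority 7 cbq(borrow) # highest priority
  queue qWeb     bandwidth 30% priority 4 cbq(borrow) # hosted web sites
  queue qBulk    bandwidth 10% priority 1 cbq(borrow) # backups, mirrors

# PASS rules select the queue: this is how the shaper "links in" with the
# firewall rules. Anything not matched below falls into qDefault.
pass out on em0 proto udp from any to any port 5060 keep state queue qVoIP
pass out on em0 proto tcp from any to any port { 80, 443 } keep state queue qWeb
pass out on em0 proto tcp from any to any port 873 keep state queue qBulk
```

The percentages must not exceed 100% of the parent, and the queue marked default receives every packet that no rule assigns. Because the shaper itself costs bandwidth (the 10%-18% overhead noted above), the declared link speed is normally set a little below the real line rate so the queues, not the upstream device, are the bottleneck.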

Installing and using SNORT as an IDS or IPS.
Installing SNORT is easy. pfSense will download and install the package automatically for you.
pfSense won't start the SNORT service or configure SNORT to inspect any of your interfaces.
The tricky bit is configuring the rules SNORT will use to monitor your traffic and tuning SNORT parameters.

Interfaces configuration (screenshot).

Signing up to ruleset subscriptions

There are several sources of SNORT rules:
Snort VRT rules (paid (~$260pa) or free sign up versions).
SNORT community rules.
Emerging threats open rules (free).
Emerging threats Pro rules (paid only, ~390pa).

Selecting the rulesets you need (screenshot).

Preprocessor configuration (screenshot).


Logging and whitelisting.

Alerts & false positives

Positive?
Resolving host names can help identify the hosts involved.
The rule descriptions will give you the rule which triggered the alert, as well as the SID number.
Look out for rules which say "possible" in the wording.
If you think the host may be genuine and the rule suspect, check the source IP and destination port and IP carefully.
Use online IP reputation websites to look up known bad IPs as a second source of reference (such as IP Checker, IP Void or others).

IP blocklisting, rule suppression and disabling

Alerts tab icons (screenshot):
Suppress alerts for this rule from this IP.
Remove this IP from the block list.
Suppress alerts for this rule to this IP.
Suppress all alerts for this rule.
Disable this rule and delete it!

Suppression vs disabling
If you have the option, suppressing an IP will give you more flexibility, allowing you to add an exception to a rule for a destination or source IP.
You can modify any exceptions you make in the suppression list (which is a list of SNORT suppression rules).
Disabling a rule will reduce the load on SNORT slightly, but is a last resort and will mean SNORT will not monitor future occurrences.
It is better to disable rules in the interface rules tab, rather than delete them in the alerts tab (just in case you change your mind).
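The triage steps on the alerts slide (note the SID, check source and destination, be wary of rules whose text says "possible") and the preference for suppression over disabling can be scripted against SNORT's "fast" alert log. The following Python is an added example, not from the slides or the pfSense SNORT package: it parses constructed sample alert lines (placeholder SIDs, addresses from RFC 5737 documentation ranges), counts alerts per rule and source host, flags "possible" rules for manual review, and emits entries in Snort's own suppress syntax for hosts on an assumed pass list, so the rule stays active for everyone else.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert format. Not taken from the
# slides: the SIDs are placeholders and the addresses are RFC 5737 ranges.
SAMPLE_ALERTS = """\
03/15-14:22:01.123456  [**] [1:2000001:3] WEB_SERVER Possible SQL Injection Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:51234 -> 192.0.2.5:80
03/15-14:22:05.223456  [**] [1:2000001:3] WEB_SERVER Possible SQL Injection Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:51240 -> 192.0.2.5:80
03/15-14:23:11.323456  [**] [1:2000001:3] WEB_SERVER Possible SQL Injection Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40001 -> 192.0.2.5:80
03/15-14:25:40.423456  [**] [1:2000002:1] SCAN Inbound connection to MySQL port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:55555 -> 192.0.2.8:3306
03/15-14:26:02.523456  [**] [1:2000003:2] POLICY Possible outdated client software in use [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.44:49152 -> 203.0.113.80:80
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src:port -> dst:port".
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def parse_alerts(text):
    """Parse a whole alert log, skipping blank or unparseable lines."""
    alerts = []
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a:
            alerts.append(a)
    return alerts


def count_by_rule_and_source(alerts):
    """Count alerts per (sid, source IP); repeated hits from one host are the first thing to check."""
    return Counter((a["sid"], a["src"]) for a in alerts)


def review_candidates(alerts):
    """SIDs whose message says 'possible': the slides single these out as likely false positives."""
    return {a["sid"] for a in alerts if "possible" in a["msg"].lower()}


def suppression_line(gid, sid, track=None, ip=None):
    """Build a Snort suppress entry. track is 'by_src' or 'by_dst'; omit both to suppress the rule entirely."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track:
        if track not in ("by_src", "by_dst") or ip is None:
            raise ValueError("track must be by_src or by_dst and needs an ip")
        line += f", track {track}, ip {ip}"
    return line


def suppressions_for_passlist(alerts, passlist):
    """For alerts whose source is a trusted host, emit a by_src suppression instead of disabling the rule."""
    seen = set()
    lines = []
    for a in alerts:
        key = (a["gid"], a["sid"], a["src"])
        if a["src"] in passlist and key not in seen:
            seen.add(key)
            lines.append(suppression_line(a["gid"], a["sid"], "by_src", a["src"]))
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (sid, src), n in count_by_rule_and_source(alerts).most_common():
        print(f"sid {sid} from {src}: {n} alert(s)")
    print("review first (rule text says 'possible'):", sorted(review_candidates(alerts)))
    # Assumed pass list: one trusted internal host from the constructed data.
    for line in suppressions_for_passlist(alerts, {"192.0.2.44"}):
        print(line)
```

The generated lines use the same syntax as the entries the pfSense alerts tab writes into the suppression list, so they can be reviewed and pasted there; the rule itself remains enabled, which is the flexibility the slide above prefers over disabling.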

Trying to avoid the impact of false positives.
Setup another SNORT instance without blocking to test new rulesets (or use another server purely for SNORT ruleset testing).
Make sure you have a good pass list and home net lists set up.
Check the rules and documentation (if any) in rulesets before activation.
Review your logs for SNORT alerts in the few weeks after installation of SNORT or ruleset changes.
Don't use rules which use the portscan pre-processor; it's too touchy (even on low).

Backups and packet drops.
pfSense backups are quite good and you can back up all pfSense settings in a small file.
Note: if you select individual areas for your backup, the package specific settings (such as those for SNORT) are ignored.
If you restore an entire backup to different hardware, you may need console access to fix any problems with interface mixups.
Packet sniffing may help identify problems with packet drops. pfSense can sniff packets and save these in a file readable by Wireshark.

Questions?

References

General pfSense guides:
pfSense main documentation wiki
Smallnet builder: building your own IDS firewall with pfSense
(book) pfSense 2 Cookbook (ISBN: 978-1-849514-86-6), a bit thin in places (eg traffic shaper).
(book) pfSense: The Definitive Guide (ISBN: 978-0979034282), old but detailed.

Traffic limiting guides:
http://blog.allanglesit.com/2011/08/traffic-limiting-with-pfsense-2-0-rc3/
http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/

SNORT specific:
pfSense Documentation on SNORT
Techrepublic: using snort for intrusion detection
Emerging Threats ruleset information
(free e-book) SNORT cookbook (O'Reilly commons)

pfSense Tweaks:
http://wiki.abadonna.info/doku.php?id=pfsense:tricks

pfSense support and suppliers

pfSense: supply hardware, support and develop software.

Deciso: EU based supplier. Supply and support pfSense hardware. On Oracle system as a supplier as of 2015.
