CYBERSECURITY VIRTUAL LAB
BUILDING A VIRTUAL SECURITY LAB: PFSENSE FIREWALL
Virtual Security Lab: Pfsense Setup, Interface Assignments and Configurations
What we will achieve
- Understanding firewalls
- Install and configure VirtualBox Guest Addition image
- Drawing out Network Architecture
- Configuring Host-Only Network Adapters on VirtualBox
- Pfsense Firewall Setup, Interface Assignments and Configurations
Requirements
- VM Basics
- Networking Basics
- Installed Pfsense and ParrotOS
What is a Firewall?
A firewall is a network security device that separates a trusted internal network from an external network deemed untrustworthy, such as the internet. It regulates incoming and outgoing network traffic based on preset security rules. Firewalls are paramount in shielding networks from unauthorized access, harmful activities, and potential threats, and can exist as hardware, software, software-as-a-service (SaaS), or public or private (virtual) cloud.
Firewalls scrutinize network packets and implement security policies, effectively barring unauthorized users or potentially harmful data from infiltrating or exiting a network. Notably, firewalls serve as gatekeepers, scrutinizing each network packet and deciding whether to permit or block it based on pre-set rules. This helps to ensure that only traffic deemed safe and legitimate is allowed through the firewall.
Types of firewalls
Packet filtering firewall: These firewalls scrutinize each packet of data that passes through them and then filter it based on parameters like source and destination IP addresses, port numbers, and protocol types.
Proxy firewall: A proxy firewall is an early type of firewall device, serving as the gateway from one network to another for a specific application. Proxy servers can provide additional functionality, such as content caching and security, by preventing direct connections from outside the network.
Stateful inspection firewall: Now considered a traditional firewall, a stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed.
Next-generation firewall (NGFW): A next-generation firewall (NGFW) is a network security device that provides capabilities beyond those of a traditional, stateful firewall.
Virtual firewall: A virtual firewall is typically deployed as a virtual appliance. [1]
Pfsense Firewall
PfSense software is a stateful firewall, which means it remembers information about connections flowing through the firewall so that it can automatically allow reply traffic. This data is retained in the State Table. The connection information in the state table includes the source, destination, protocol, ports, and more: Enough to uniquely identify a specific connection.
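To make the state-table behaviour described above concrete, here is an added example (not pfSense code) of a toy stateful filter: a new connection is only admitted if a rule permits it, the matching 5-tuple is then recorded, and the reply packet (source and destination swapped) is passed because it matches that state rather than because any rule allows it. The flows are constructed sample tuples, and the external addresses come from the 203.0.113.0/24 documentation range.

```python
# Added example (not pfSense code): a toy state table showing why a stateful
# firewall needs no explicit rule for reply traffic. Flows are constructed
# sample 5-tuples; external hosts use the 203.0.113.0/24 documentation range.
import ipaddress
from typing import Callable, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

State = Tuple[str, str, int, str, int]

class StatefulFirewall:
    """Allow new connections only if a rule permits them, allow replies to
    recorded connections automatically, and block everything else."""

    def __init__(self, new_connection_rule: Callable[[Flow], bool]):
        self.new_connection_rule = new_connection_rule
        self.state_table: Set[State] = set()

    @staticmethod
    def _forward_key(f: Flow) -> State:
        return (f.proto, f.src, f.sport, f.dst, f.dport)

    @staticmethod
    def _reply_key(f: Flow) -> State:
        # A reply swaps source and destination, so look up the original tuple.
        return (f.proto, f.dst, f.dport, f.src, f.sport)

    def filter(self, f: Flow) -> str:
        if self._forward_key(f) in self.state_table:
            return "pass: existing state"
        if self._reply_key(f) in self.state_table:
            return "pass: reply to existing state"
        if self.new_connection_rule(f):
            # State is created on the first packet of a permitted connection.
            self.state_table.add(self._forward_key(f))
            return "pass: rule matched, state created"
        return "block: no state and no matching rule"

LAN_NET = ipaddress.ip_network("192.168.56.0/24")

def lan_to_any(f: Flow) -> bool:
    """Models the 'Default allow LAN to any' rule: any LAN host may open a connection."""
    return ipaddress.ip_address(f.src) in LAN_NET

def demo() -> List[str]:
    fw = StatefulFirewall(lan_to_any)
    outbound = Flow("tcp", "192.168.56.20", 51000, "203.0.113.10", 443)
    reply = Flow("tcp", "203.0.113.10", 443, "192.168.56.20", 51000)
    unsolicited = Flow("tcp", "203.0.113.99", 40000, "192.168.56.20", 22)
    return [fw.filter(outbound), fw.filter(reply), fw.filter(unsolicited), fw.filter(outbound)]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third verdict is the important one: the unsolicited inbound packet is blocked even though no rule mentions it, because the only thing that lets traffic from the outside in is a state created by a permitted outbound connection.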
Network Architecture Diagram
Below is the architecture diagram we will be building for our virtual security lab, making use of VirtualBox and Pfsense to achieve the desired result. We will be creating LAN (192.168.56.0/24), DMZ (192.168.100.0/24) and Guest (192.168.200.0/24) networks simulating an SME network.
Pfsense Setup
We will be using Parrot OS installed in VirtualBox to configure the pfsense firewall.
If you have not read my previous article where I showed how to install these virtual machines (Parrot OS and Pfsense) on VirtualBox, I recommend you do so here!
Configuring VirtualBox Extension Pack
In my previous article where I installed Parrot OS and other VMs, the screen sizing of Parrot OS was not filling up the entire host screen, making it hard to use. To make it full screen, you will need to download and install VirtualBox Extension Pack and add it to the VM. Follow the steps below to do so.
Download Oracle Virtual Box Extension Pack
Use this link to download the Extension pack.
After downloading, run the installer and it will open up VirtualBox. I have mine installed already.
Note: The Guest Extension Pack must be the same version as your VirtualBox.
After installing the Extension Pack on VirtualBox, start the VM. When it has booted up, click on Devices on the menu bar and select Insert Guest Addition CD Image to install.
Upon successful installation, you will need to restart the VM for the changes to take effect. You will also need to select Auto-resize Guest Display for it to take effect. You might need to do that twice for it to work.
Setting Up Network Adapters
To create additional Host-only Networks, click on Tools, then click the Create button to add one. Then set up the network as desired. The host machine will ask you to grant access rights to create an additional adapter.
I have mine as follows:
VirtualBox Host Only Ethernet Adapter
IPv4 Address: 192.168.56.1
IPv4 Network Mask: 255.255.255.0
Server Address: 192.168.56.49
Server Mask: 255.255.255.0
Lower Address Bound: 192.168.56.3
Upper Address Bound: 192.168.56.50
Follow the same step to create two more.
VirtualBox Host Only Ethernet Adapter #2
IPv4 Address: 192.168.100.1
IPv4 Network Mask: 255.255.255.0
Server Address: 192.168.100.49
Server Mask: 255.255.255.0
Lower Address Bound: 192.168.100.3
Upper Address Bound: 192.168.100.50
VirtualBox Host Only Ethernet Adapter #3
IPv4 Address: 192.168.200.1
IPv4 Network Mask: 255.255.255.0
Server Address: 192.168.200.49
Server Mask: 255.255.255.0
Lower Address Bound: 192.168.200.3
Upper Address Bound: 192.168.200.50
Assigning Networks Adapters to Pfsense Interface
Select the installed Pfsense, click the Settings button and then the Network tab.
Check Enable Network Adapter and select Host-Only Adapter and select the created network adapters accordingly. Make sure they are selected as desired (LAN, DMZ, and Guest).
Assigning Network Adapter to Parrot OS Interface
You will need to select the network interface you wish to configure as the LAN address in Pfsense as the network adapter for Parrot OS. This is to enable the VM to have access to Pfsense.
Configuring the LAN Interface
Start pfsense. Pfsense comes default with the 192.168.1.1 network address on the LAN interface. Therefore, this will need to be changed to the same Network address as the assigned Interface.
Enter an option: 2
Press the enter button on your keyboard.
Enter the number of the interface you wish to configure: 2
Configure IPv4 address LAN interface via DHCP? (y/n) n
No, because this will be the network IP that will be used to access the Web GUI and default gateway for the Network.
Enter the new LAN IPv4 address. Press <ENTER> for none:
>192.168.56.10
Enter the new LAN IPv4 subnet bit count (1 to 32):
> 24
We are not using IPv6, so no need configuring it.
Set up DHCP server on LAN. Use a desired range.
You can now access the Web gui via the address specified.
By default, Pfsense already gives the LAN access to the WAN, which means you can access the internet. However, you might not have internet access if the gateway IP address of Parrot OS is not the same as the web GUI IP address, which is the default gateway.
Accessing Pfsense Web GUI via Parrot OS.
The default username and password are admin and pfsense respectively.
Initial Setup Wizard.
You can change the hostname or leave it as default. However, you will need to set up the DNS server address.
Select time zone
Setting up the WAN interface. It is on DHCP; however, in a production environment your ISP might assign an IP and you will need to set up a static IP for the WAN.
Leave everything as default except the last two items: uncheck those boxes, as leaving them checked will block access from private addresses (this is bad for this lab, as the IPs are private addresses).
We have already done this, leave it as default from pfsense shell console.
Changing password.
Reload to save configurations.
After accepting, you will be greeted with pfsense dashboard.
System, then General Setup, takes you to a page with some general setup for pfsense where you can change some of the configurations you made during the initial setup wizard, and more.
Remember to hit Save to effect any changes made.
System, then Advanced, takes you to the advanced settings for pfsense.
I changed the default port which I access pfsense GUI, from port 80 & 443 to 1024. I also disabled the WebConfigurator redirect rule, so that it does not automatically redirect port 80 or 443 to 1024.
Note: This is not for security purpose as security by obscurity is NOT SECURITY. This is used for say, you have a proxy setup on port 80 or 443 and you will not want to always get redirected to pfsense when in real case you are trying to hit the HTTP or HTTPs proxy.
Remember to hit on save to effect any changes made.
Customizing Dashboard
Click the plus button to add some other widget to the dashboard. You can also drag and drop any widget to customize your dashboard. Hit the save icon to make the changes persist.
User Creation
For security purposes, you will want to create another user for pfsense configuration and disable login by the admin user.
Click on System, then User Manager, to set up a new user.
Click on the Add button.
Input the new user details.
I am creating a new admin user, so I add this new user to the admins group. You can create a new group if you do not want to add a user to the admins group.
Hit Save.
Log in with the newly created user.
Disabling login by the admin user.
Assigning Interfaces
Click on Interfaces, then Assignments.
Click on the Add button to add the other two interfaces. VirtualBox only allows four (4) network interfaces, so we can only add two extra.
Click on Save when done.
Click on the Added interface to configure the interface.
Setup the IP address and Netmask.
Save and Apply Changes.
Whenever an interface is enabled, DHCP will need to be set up for that interface. Click on Services, then DHCP Server.
The LAN interface has already been enabled during the initial setup. However, you can make changes to it. The focus is on the DMZ and Guest networks.
Enable the DMZ interface. Configure the address range.
Click Save and Apply Changes.
Do the same with the Guest network. Save and Apply Changes.
Configuring Rules
Click on Firewall, then Rules.
There is no defined rule yet on the WAN interface, however, any traffic will be blocked by the interface as per default.
On the LAN interface, there are three rules.
- The Anti-Lockout Rule: Which prevents you from blocking access to the firewall Web Configurator.
- Default allow LAN to any Rule: Which allows any IPv4 traffic to any on the LAN interface.
- Default allow LAN IPv6 to any Rule: Which allows any IPv6 traffic to any on the LAN interface.
No rule yet on the DMZ, which means all traffic is blocked on this interface.
No rule yet on the Guest, which means all traffic is blocked on this interface.
It is usually recommended to write out rules you want to implement before configuring them on a firewall to avoid mistakes and for proper documentation.
Note: Firewall rules work from top to bottom, meaning that when traffic traverses a network interface, it is matched against the configured rules from the top down to the last rule (or until a match is found); the action is based on the very first matching rule and the remaining rules are not checked. If no rule matches, the traffic is dropped.
Creating a rule involves:
- Selecting the action to be performed when the rule matches: Pass, Block or Reject.
- Selecting the protocol.
- Selecting the source and destination of the traffic.
- Adding a description, which helps identify what a rule does.
Defining the rules below.
DMZ interface rules:
- Rule 1: Blocks all IPv4 traffic going to the Guest network.
- Rule 2: Blocks all IPv4 traffic going to the LAN network.
- Rule 3: Blocks TCP IPv4 traffic to the firewall on port 1024. This is to make sure no user from the DMZ network can access the firewall WebConfigurator, which is running on port 1024, while still having access to DHCP, DNS and similar services.
- Rule 4: Allows all traffic. (Not recommended in a production environment.)
Guest interface rules:
- Rule 1: Blocks all IPv4 traffic going to the DMZ network.
- Rule 2: Blocks all IPv4 traffic going to the LAN network.
- Rule 3: Blocks TCP IPv4 traffic to the firewall on port 1024.
- Rule 4: Allows all traffic.
Blocking access to ICMP Echo Reply and Information Reply on LAN interface, so that hosts in the LAN networks can Ping outside the networks but do not respond to pings (Echo Reply).
Creating Alias
Aliases are used to simplify network rules and other types of configuration. Say you have two or more private networks: instead of adding a separate rule to match each private network, you can specify an alias.
One good use case of an alias is that when you update the alias, every rule making use of that alias is automatically updated, so you need not add new rule(s) to match the update. This is usually not a problem until that rule needs to be added in a lot of places.
Creating an Alias with my LAN subnet.
Adding an extra Network Subnet
Creating a rule and making use of Alias.
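The top-to-bottom, first-match evaluation described in the rules section and the alias behaviour described just above can both be shown with one added example (not pfSense code). It encodes the DMZ rule set defined in this article, evaluates constructed sample packets against it, shows what happens when "Allow all" is mistakenly placed first, and shows an alias gaining a member so that a rule referencing it blocks the new network without being edited. The firewall's DMZ interface address (192.168.100.10), the alias name "BlockedNets" and the packets are assumptions for illustration.

```python
# Added example (not pfSense code): top-down, first-match evaluation of an
# interface rule set with an implicit default deny, plus alias expansion.
# The DMZ rules are the ones this article defines; the firewall DMZ address
# (192.168.100.10), the alias "BlockedNets" and the packets are constructed.
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    action: str           # "pass", "block" or "reject"
    proto: str            # "any", "tcp", "udp" or "icmp"
    src: str              # "any", a CIDR, or an alias name
    dst: str
    dport: Optional[int]  # None means any destination port
    description: str

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int]

Aliases = Dict[str, List[str]]

def expand(target: str, aliases: Aliases) -> List[ipaddress.IPv4Network]:
    """Resolve "any", a CIDR, or an alias (aliases may nest) into networks."""
    if target == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if target in aliases:
        nets: List[ipaddress.IPv4Network] = []
        for member in aliases[target]:
            nets.extend(expand(member, aliases))
        return nets
    return [ipaddress.ip_network(target)]

def matches(rule: Rule, pkt: Packet, aliases: Aliases) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (any(src in n for n in expand(rule.src, aliases))
            and any(dst in n for n in expand(rule.dst, aliases)))

def evaluate(rules: List[Rule], pkt: Packet, aliases: Optional[Aliases] = None) -> Tuple[str, str]:
    """The first matching rule wins; if nothing matches the packet is dropped."""
    aliases = aliases or {}
    for rule in rules:
        if matches(rule, pkt, aliases):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"

LAN, DMZ, GUEST = "192.168.56.0/24", "192.168.100.0/24", "192.168.200.0/24"
FIREWALL_DMZ_ADDR = "192.168.100.10/32"  # assumption: pfSense's DMZ interface address

DMZ_RULES = [
    Rule("block", "any", DMZ, GUEST, None, "Rule 1: block DMZ to Guest"),
    Rule("block", "any", DMZ, LAN, None, "Rule 2: block DMZ to LAN"),
    Rule("block", "tcp", DMZ, FIREWALL_DMZ_ADDR, 1024, "Rule 3: block DMZ to WebConfigurator"),
    Rule("pass", "any", DMZ, "any", None, "Allow all"),
]

def demo() -> Dict[str, Tuple[str, str]]:
    web = Packet("tcp", "192.168.100.20", "203.0.113.10", 443)   # DMZ host to the internet
    smb = Packet("tcp", "192.168.100.20", "192.168.56.15", 445)  # DMZ host to a LAN host
    gui = Packet("tcp", "192.168.100.20", "192.168.100.10", 1024)  # DMZ host to the WebConfigurator
    dns = Packet("udp", "192.168.100.20", "192.168.100.10", 53)  # DMZ host to the firewall's DNS
    # Same rules with "Allow all" moved to the top: the block rules are never reached.
    misordered = [DMZ_RULES[-1]] + DMZ_RULES[:-1]
    # One rule referencing an alias; adding a member to the alias changes what it blocks.
    aliases: Aliases = {"BlockedNets": [LAN]}
    alias_rules = [Rule("block", "any", DMZ, "BlockedNets", None, "block DMZ to BlockedNets"),
                   DMZ_RULES[-1]]
    to_guest = Packet("tcp", "192.168.100.20", "192.168.200.5", 80)
    before = evaluate(alias_rules, to_guest, aliases)
    aliases["BlockedNets"].append(GUEST)
    after = evaluate(alias_rules, to_guest, aliases)
    return {
        "web": evaluate(DMZ_RULES, web), "smb": evaluate(DMZ_RULES, smb),
        "gui": evaluate(DMZ_RULES, gui), "dns": evaluate(DMZ_RULES, dns),
        "misordered_smb": evaluate(misordered, smb),
        "alias_before": before, "alias_after": after,
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} -> {verdict}")
```

The "misordered_smb" result is the reason the article recommends writing rules out before entering them: with "Allow all" at the top, the DMZ-to-LAN block is still present but never evaluated, and the traffic passes. The "dns" result shows why Rule 3 is limited to TCP port 1024 rather than blocking the firewall address outright: UDP 53 to the firewall falls through to "Allow all".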
Creating Schedules
Schedules are used usually for access control. For example, you need to cut/control access to a resource at some specific time of the day or a day in a week or month.
Click on the Add button to create a new schedule.
Give the schedule a name and description.
Select the date and time.
Click on the Add Time button to add the selected date and time. If you wish to add another time range, go ahead and do so.
When done, hit Save.
To make use of a schedule, you will need to expand the Advanced section of the rule creation page. Select the created schedule and add it.
Hit Save and Apply Changes.
Before hitting Save, or before the schedule kicks in, I still have access to the internet.
After applying changes, it is seen that I have lost access to the internet at the specified schedule.
Disabling the rule.
Pfsense Packages
The package system in pfSense software provides the ability to extend the functionality of the software without adding bloat and potential security vulnerabilities to the base distribution. [2]
To see the packages installed or available for installation, click on System, then Package Manager.
I have nmap installed already.
Click on the Available Packages tab to see the other packages available to you.
To see or make use of an installed package, click the Diagnostics tab on the menu bar, scroll down and you will see the installed package; for me, it is Nmap.
Click on it and you will be redirected to a page for the package usage.
Nmap package usage page: add the IP addresses or subnets you wish to scan, select the required scan type and click Start.
Help
Use the Help tab for any assistance required in using pfsense.
Logout
And always remember to log out of the session whenever you are done.
Conclusion
So far we have defined firewalls and some of their types, installed and configured the VirtualBox Extension Pack, drawn out the network architecture diagram, configured Host-Only Network Adapters on VirtualBox, done interface assignments and configurations on Pfsense and Parrot OS, done some configuration on pfsense, set up rules, aliases and schedules, and installed a package. In the coming articles in this module, we will be configuring Splunk on Ubuntu Server and also installing and configuring Sysmon and the Splunk Universal Forwarder on Windows Server and a Windows 10 machine to send logs to the Splunk server.
Note: I kept running into issues with setting the WAN interface to NAT networks on VirtualBox; the fix was to use Bridged Adapter. If you run into some other issues, try configuring a static IP address, gateway and DNS address on Parrot OS. The IP address should be in the range specified in the DHCP of the LAN interface, the gateway is the IP address of the LAN interface, and the DNS address should also be the LAN interface IP.