<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>wehuberconsultingllc.com &#187; Security</title>
	<atom:link href="http://wehuberconsultingllc.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://wehuberconsultingllc.com</link>
	<description></description>
	<lastBuildDate>Sat, 24 May 2008 16:06:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>First Impressions of pfSense Open Source Firewall</title>
		<link>http://wehuberconsultingllc.com/2008/05/24/first-impressions-of-pfsense-open-source-firewall/</link>
		<comments>http://wehuberconsultingllc.com/2008/05/24/first-impressions-of-pfsense-open-source-firewall/#comments</comments>
		<pubDate>Sat, 24 May 2008 15:51:06 +0000</pubDate>
		<dc:creator>Bill</dc:creator>
				<category><![CDATA[Lead Story]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://wehuberconsultingllc.com/2008/05/24/first-impressions-of-pfsense-open-source-firewall/</guid>
		<description><![CDATA[At my new place of employment we had some firewall problems over the last couple of weeks. Eventually I figured out that the firewall was rebooting at random intervals during the day. Hint: Turn on email notifications. So I started scouring the market for an inexpensive firewall that could share two WAN connections without screwing up the SSL sessions. One of the first firewalls I found was <a href="http://www.pfsense.org/">pfSense</a>.]]></description>
			<content:encoded><![CDATA[<p>At my new place of employment we had some firewall/network problems over the last couple of weeks. Eventually I figured out that the firewall was rebooting at random intervals during the day. Hint: Turn on email notifications. So I started scouring the market for an inexpensive firewall that could share two WAN connections without screwing up the SSL sessions. One of the first firewalls I found was <a href="http://www.pfsense.org/">pfSense</a>. A while back I had been interested in trying <a href="http://m0n0.ch/wall/">m0n0wall</a> but pfSense made more sense for me since it has several features I want to investigate: multiple WAN connections, IDS, and packet capture.</p>
<h4>Setup</h4>
<p>My plan was to use pfSense on my home network. I have an existing PC with two network adapters that is running VMServer. The plan was simple: replace my Netgear firewall with pfSense. Here is how I set up the network. For those of you not familiar with the underlying operating system of pfSense (BSD), le0 and le1 are the designations for the network adapters. On the Linux side they are known as eth0 and eth1. Under VMServer they are known as Ethernet 1 and Ethernet 2.</p>
<ol>
<li>le0 is connected to Ethernet 1. VMServer calls this network /dev/vmnet0 and it is bridged to the motherboard network adapter (eth0). This will be my LAN network. It uses a private network address (e.g. 192.168.x.x) and will be a DHCP server for this network in the final configuration. Until I finished setup and testing, DHCP was turned off.</li>
<li>le1 is connected to Ethernet 2. VMServer calls this network /dev/vmnet2 and it is bridged to a network adapter card (eth1) I installed. This will be my WAN network. In my case I will be using the static IP address assigned to me by my ISP in pfSense. One of my problems was that I was not sure what IP address to use for the VMServer side. In my testing I concluded that VMServer provides a &#8220;true&#8221; bridged network. I decided to use a private network address (192.168.x.x) on a different sub-network for eth1. I am pretty sure that this address is inaccessible from the outside world but I am going to lock it down anyway.</li>
</ol>
<p>Before I started configuring pfSense I printed a copy of my Netgear configuration. While I was at it, I did a copy and paste routine to create a Netgear configuration document for my records. This document might save you a lot of time some day when your network has a really major problem. Once I had settled on a configuration, the installation and configuration of pfSense was pretty easy.</p>
<ol>
<li>I moved my WAN cable from the Netgear firewall to the WAN network adapter on my VMServer PC and booted pfSense. During my initial pfSense setup, I used my static IP address for the WAN adapter and an unused static IP address in my existing network for the LAN adapter.</li>
<li>Next I logged into the pfSense console via a web browser and confirmed that the LAN and WAN were working properly. Using my Netgear configuration document I completed setting up pfSense (i.e. port forwarding).</li>
<li>At this point the firewall is fully functioning but no one is using it. So I logged into my Netgear firewall and turned off the DHCP server. I went back to the pfSense console and turned on its DHCP server. The pfSense firewall is now ready and able to accept new connections. It has new network addresses for the gateway and the DNS servers but my computers will not connect to the Internet until they start using these new addresses.</li>
<li>To configure the computers that use DHCP for their network configuration, I went to each PC and forced them to renew the IP information. There are several ways to do this including rebooting. I used: <code>ipconfig /renew</code></li>
<li>To configure the computers that use static IP addresses, I manually re-configured the gateway and DNS server addresses on the network adapter.</li>
</ol>
<h4>Performance</h4>
<p>The network performance of pfSense was about what I expected. My WAN is the bottleneck so I was pretty sure I would not see a difference. An area of concern was the CPU requirements. I am running Groundwork Open Source in the other virtual machine and GW by itself wanted a more powerful computer than the 2.5 MHz CPU and 1 GB of memory I provided. I was pleasantly surprised to find that the RRD graphs were displayed quickly. This confirmed my suspicion that pfSense has pretty small hardware requirements and that my minimal system was adequate.</p>
<h4>Security Philosophy</h4>
<p>I have been running the firewall for about a week now and it has been stable and problem free. In today&#8217;s world a port blocking firewall like pfSense addresses a fairly limited scope of network threats. Even though I have a fairly comprehensive security plan that includes robustness and redundancy, it is merely adequate at keeping pace with today&#8217;s rapidly evolving threats. For me the greatest advantage of a firewall like pfSense is its ability to monitor the traffic and probe your defenses via IDS.</p>
]]></content:encoded>
			<wfw:commentRss>http://wehuberconsultingllc.com/2008/05/24/first-impressions-of-pfsense-open-source-firewall/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>April Meeting of OWASP</title>
		<link>http://wehuberconsultingllc.com/2008/04/02/owasp-meeting-the-new-face-of-cybercrime/</link>
		<comments>http://wehuberconsultingllc.com/2008/04/02/owasp-meeting-the-new-face-of-cybercrime/#comments</comments>
		<pubDate>Wed, 02 Apr 2008 16:42:12 +0000</pubDate>
		<dc:creator>Bill</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[OWASP]]></category>

		<guid isPermaLink="false">http://wehuberconsultingllc.com/?p=11</guid>
		<description><![CDATA[[ April 22, 2008; 5:30 pm to 7:30 pm. ] April's meeting will feature the premiere of Fortify's movie, <strong>The New Face of Cybercrime</strong>, followed by a reception and round table discussion.]]></description>
			<content:encoded><![CDATA[<table class="ec3_schedule"><tr><td colspan="3">April 22, 2008</td></tr><tr><td class="ec3_start">5:30 pm</td><td class="ec3_to">to</td><td class="ec3_end">7:30 pm</td></tr></table><p>April&#8217;s meeting will feature the premiere of Fortify&#8217;s movie, <strong>The New Face of Cybercrime</strong>, followed by a reception and round table discussion.</p>
]]></content:encoded>
			<wfw:commentRss>http://wehuberconsultingllc.com/2008/04/02/owasp-meeting-the-new-face-of-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OWASP &#8211; Ideas for unit testing web security</title>
		<link>http://wehuberconsultingllc.com/2008/03/26/owasp-ideas-for-unit-testing-web-security/</link>
		<comments>http://wehuberconsultingllc.com/2008/03/26/owasp-ideas-for-unit-testing-web-security/#comments</comments>
		<pubDate>Wed, 26 Mar 2008 20:59:57 +0000</pubDate>
		<dc:creator>Bill</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[webdesign]]></category>

		<guid isPermaLink="false">http://www.wehuberconsultingllc.com/?p=10</guid>
		<description><![CDATA[<p>Last night I went to the <a href="http://www.owasp.org/index.php/Cincinnati">Cincinnati chapter of OWASP</a>. The second presenter was Blaine Wilson and he talked primarily about the OWASP tool called <a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab</a> and how it can be used to test web applications. I immediately thought this would be a great tool to unit test web applications for security issues.</p>]]></description>
			<content:encoded><![CDATA[<p>Last night I went to the <a href="http://www.owasp.org/index.php/Cincinnati">Cincinnati chapter of OWASP</a>. Over the last couple of weeks I found myself crossing paths with various security ideas promoted by OWASP so I decided to go to a meeting. The topics for this meeting were:</p>
<ul>
<li><strong>Source Code Reviews and Open Source Static Analysis Tools</strong></li>
<li><strong>An Introduction to Web Proxies</strong></li>
</ul>
<p>The first presenter was Allison Shubert and she talked primarily about making the business case for increased usage of Static Analysis tools. It was a nice presentation and she reiterated a lot of truisms but I still think it is a chicken and egg problem. Management will go along with source code reviews and static analysis after you show the success on an existing project. She recommended googling for static analysis tools for your favorite language. After the meeting I checked out the tools for PHP and most of it was somewhere between alpha and beta. The best looking tool of the bunch was <a href="http://www.program-transformation.org/PHP/">PHP-SAT.org</a>. Its prerequisites are pretty ornery so I will need to do some planning if I ever find the time to play with it. It looks like the commercial folks dominate the static analysis sector for the Microsoft languages. I did not find that many open source static analysis options.</p>
<p>The second presenter was Blaine Wilson and he talked primarily about the OWASP tool called <a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab</a>. He talked mainly about using it to test web applications. I thought he was going to talk about a Web Proxy. I saw a slick protocol analyzer with a lot of potential. Testing web application security is cool. You can get the same information with <a href="http://www.wireshark.org/">Wireshark</a> or Netmon but this tool is much nicer and it looks like it is a pretty good tool for testing web application security.</p>
<p>I was a little too shy to ask Blaine questions about WebScarab since my thoughts had gone immediately to creating test cases and a test framework. Basically I was thinking of ways to automate everything Blaine did by hand and generate a &#8220;Unit test like&#8221; output. Today I went to OWASP and reviewed the list they are requesting proposals for. Here are two of the projects that caught my attention.</p>
<blockquote>
<h4>P008 &#8211; OWASP Security Test Automation</h4>
<ul>
<li><strong>Project description</strong>: Create a tool that generates, records, and plays back security test cases (think JUnit) to enable regression testing for security. This could be based on WebScarab, Selenium, HTTPUnit or something else. But it would create test cases that are custom for a particular application, not a generic scanner.</li>
</ul>
<p><a title="P009_-_OWASP_Security_Unit_Test_Framework" name="P009_-_OWASP_Security_Unit_Test_Framework"></a></p>
<h4>P009 &#8211; OWASP Security Unit Test Framework</h4>
<ul>
<li><strong>Project description</strong>: Create a wizard that will generate security-specific JUnit test cases for all the security controls in your security library. The tool should ask questions about security methods and generate appropriate test cases.</li>
</ul>
</blockquote>
<p>The Security Test Automation project is right up my alley except for the minor problem that I do not know what I am doing. I guess I will play around with WebScarab and see if I can get an old dog to do new tricks. I met Andy Erickson at the meeting. I would describe Andy as the IT evangelist for the Cincinnati area. He has a <a href="http://c">blog</a> and it is worth reading. Maybe I will ask him for advice.</p>
]]></content:encoded>
			<wfw:commentRss>http://wehuberconsultingllc.com/2008/03/26/owasp-ideas-for-unit-testing-web-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>March Meeting of OWASP &#8211; Cincinnati</title>
		<link>http://wehuberconsultingllc.com/2008/03/25/march-meeting-of-owasp-cincinnati/</link>
		<comments>http://wehuberconsultingllc.com/2008/03/25/march-meeting-of-owasp-cincinnati/#comments</comments>
		<pubDate>Tue, 25 Mar 2008 16:25:42 +0000</pubDate>
		<dc:creator>Bill</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[webdesign]]></category>

		<guid isPermaLink="false">http://www.wehuberconsultingllc.com/?p=9</guid>
		<description><![CDATA[[ March 25, 2008; 6:15 pm to 8:15 pm. ] <strong>Session Topics:</strong>
<ul>
	<li><strong>Source Code Reviews and Open Source Static Analysis Tools</strong></li>
	<li><strong>An Introduction to Web Proxies</strong></li>
</ul>
The meeting starts at 6:30 PM and for more info go to the OWASP - Cincinnati chapter site:

<a href="http://www.owasp.org/index.php/Cincinnati">http://www.owasp.org/index.php/Cincinnati</a>]]></description>
			<content:encoded><![CDATA[<table class="ec3_schedule"><tr><td colspan="3">March 25, 2008</td></tr><tr><td class="ec3_start">6:15 pm</td><td class="ec3_to">to</td><td class="ec3_end">8:15 pm</td></tr></table><p><strong>Session Topics:</strong></p>
<ul>
<li><strong>Source Code Reviews and Open Source Static Analysis Tools</strong></li>
<li><strong>An Introduction to Web Proxies</strong></li>
</ul>
<p>The meeting starts at 6:30 PM and for more info go to the OWASP &#8211; Cincinnati chapter site:</p>
<p><a href="http://www.owasp.org/index.php/Cincinnati">http://www.owasp.org/index.php/Cincinnati</a></p>
]]></content:encoded>
			<wfw:commentRss>http://wehuberconsultingllc.com/2008/03/25/march-meeting-of-owasp-cincinnati/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Impact of Cold Boot Attacks on Disk Encryption</title>
		<link>http://wehuberconsultingllc.com/2008/02/26/the-impact-of-cold-boot-attacks-on-disk-encryption/</link>
		<comments>http://wehuberconsultingllc.com/2008/02/26/the-impact-of-cold-boot-attacks-on-disk-encryption/#comments</comments>
		<pubDate>Tue, 26 Feb 2008 22:49:10 +0000</pubDate>
		<dc:creator>Bill</dc:creator>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.wehuberconsultingllc.com/?p=6</guid>
		<description><![CDATA[One of the common uses of disk encryption is to protect this confidential information. For people who have confidential information on their laptops the use of disk encryption is highly recommended if not mandatory. Recently a group at Princeton University published a paper called Lest We Remember: Cold Boot Attacks on Encryption Keys which presented a suite of attacks that exploit DRAM remanence effects to recover cryptographic keys held in memory. Can we continue to use and recommend these disk encryption programs?]]></description>
			<content:encoded><![CDATA[<p>In a recent <a href="http://www.itsecurity.com/features/lockdown-data-protection-022508/">article</a> on IT Security John Edwards stated:</p>
<blockquote><p>Every business has secrets that it would prefer to shield from both the public and from rank-and-file employees. These private documents can include marketing strategies, production processes, product formulas, and even the home phone numbers and addresses of company officers.</p></blockquote>
<p><a href="http://www.wehuberconsultingllc.com/wp-content/uploads/2008/02/truecrypt-img.png" rel="lightbox"><img src="http://www.wehuberconsultingllc.com/wp-content/uploads/2008/02/truecrypt-img-thumb.png" style="border-width: 0px; margin: 0px 0px 0px 10px" alt="truecrypt_img" align="right" border="0" height="235" width="244" /></a>One of the common uses of disk encryption is to protect this confidential information. For people who have confidential information on their laptops the use of disk encryption is highly recommended if not mandatory. Recently a group at Princeton University published a paper called <a href="http://citp.princeton.edu/memory/">Lest We Remember: Cold Boot Attacks on Encryption Keys</a> which presented a suite of attacks that exploit DRAM remanence effects to recover cryptographic keys held in memory. In the video and paper they show how easy it is to break into laptops under the &#8220;right&#8221; circumstances. Since I am a fan of TrueCrypt and to a lesser degree BitLocker this presents quite a conundrum. Can we continue to use and recommend these disk encryption programs? The answer is yes but there are some configuration settings you may want to review to be safe.</p>
<ol>
<li>The default setup for TrueCrypt does not cache passwords. A quick way to detect cached passwords is if the Wipe Cache button is grayed out. If you cache passwords you should probably check the box to wipe the passwords on exit or auto-dismount.</li>
<li>I auto-dismount the encrypted drives when I log off or enter a power saving mode. For additional security in a large office environment you may want to auto-dismount when the computer enters a screen saving mode or if data has not been written to it for some period of time.</li>
<li>I power off my laptop when I travel. This eliminates the primary exploit path in the Princeton method.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://wehuberconsultingllc.com/2008/02/26/the-impact-of-cold-boot-attacks-on-disk-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

