OPNsense: The “Open” Firewall for Your Datacenter
OPNsense: the “open” firewall for your datacenter
Werner Fischer, @wefinet
DENOG10, 2018/11/21

Poll: Have you already tested an Open Source firewall? If yes, which one? Feel free to vote, too :-)

Agenda
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

History and architecture

OPNsense started as a fork of pfSense® (Copyright © 2004-2014 Electric Sheep Fencing, LLC. All rights reserved.), which itself is a fork of m0n0wall® (Copyright © 2002-2013 Manuel Kasper).

Feature comparison

                        IPFire 2.21          pfSense® 2.4     OPNsense® 18.7
Based on                Linux® kernel 4.14   FreeBSD® 11.2    FreeBSD® 11.1
Stateful firewall       ✔                    ✔                ✔
Proxy cache             ✔                    ✔                ✔
VPN                     ✔                    ✔                ✔
IDS                     ✔                    ✔                ✔
HA cluster                                   ✔                ✔
Multi-WAN (1)                                ✔                ✔
Layer 2 (transparent)                        ✔                ✔
Two-factor auth. (2)                         (✔)              ✔

(1) Also for a mobile LTE backup link with a 4G modem.
(2) Also for VPN road warriors (e.g. Google Authenticator).

                     pfSense® 2.4                     OPNsense® 18.7
License              Apache 2.0                       2-clause BSD
IPS                  Snort, no real inline mode       Suricata, multi-threaded
Two-factor auth.     mOTP, available via plugin       Native, integrated via TOTP
AES-NI CPU feature   Required starting with v2.5      Never required

Source: https://techcorner.max-it.de/wiki/OPNsense_vs._pfSense_-_Im_Vergleich

OPNsense versions
2018: UTM plugins (anti-virus, anti-spam, ...), ZFS
2017: PHP 7, Let's Encrypt, application hardening
2016: plugin support, two-factor authentication, HardenedBSD
2015: initial release, code cleanup, LibreSSL

FreeBSD / HardenedBSD
[Figure: Unix family tree 1969-2017 (BSD, System V, Linux, Solaris, macOS, ...), with the lineage FreeBSD → m0n0wall → pfSense → OPNsense highlighted]
ASLR / SEGVGUARD
_ HardenedBSD is a fork of FreeBSD whose goal is the mitigation of exploits
_ Address Space Layout Randomization (ASLR)
  _ The address space is no longer predictable → a buffer overflow alone no longer gives the attacker known addresses to return into
_ Blind Return Oriented Programming (BROP)
  _ ASLR can be bypassed under certain circumstances
  _ BROP builds a ROP chain without knowing the binary, by probing; it needs many attempts
  _ Every unsuccessful attempt crashes the application; BROP relies on the application being restarted after each crash (e.g. by a forking server or a watchdog)
_ SEGVGUARD
  _ Counters the brute-force approach of BROP
  _ Stops re-executing an application that keeps crashing
Link: https://hardenedbsd.org/content/projects

Initial configuration and secure system
Step 1: Default settings: LAN → WAN, everything allowed
Step 2: Create aliases for IP lists such as FireHOL and Spamhaus (screenshots)
Step 3: Create a LAN → WAN rule that prevents access to the malicious IPs
Step 4: Prepare for IPS (screenshots)
Step 5: (screenshots only)

WAN failover
Configure when the backup link should become active (screenshot)

High availability
_ CARP (Common Address Redundancy Protocol) for the shared virtual IPs
_ pfsync for state synchronisation (over a direct cable between the two nodes)
_ XMLRPC sync for configuration synchronisation
Tip: configure HA first, configure the firewall afterwards
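Steps 2 and 3 of the initial configuration above (alias from a FireHOL/Spamhaus list, then a LAN → WAN block rule) as an added example. This is not code from the talk or from the OPNsense project: it uses raw pf syntax, whereas in the OPNsense GUI the same thing is an alias of type "URL Table (IPs)" plus a block rule on the LAN interface with that alias as destination. The list contents, the table name `badips` and the LAN interface name `igb1` are constructed for the example. The sanity checks are the part worth copying: a list that is corrupted or tampered with in transit must not be able to black-hole all egress or cut the LAN off from private ranges.

```shell
#!/bin/sh
# Added example, not code from the talk or from the OPNsense project.
# Turns a FireHOL/Spamhaus-style IP list (Step 2) into a pf table file and
# the LAN -> WAN block rule (Step 3), in raw pf syntax.

# Constructed sample list with the noise real lists contain
# (";" comments as in Spamhaus DROP, "#" comments as in FireHOL).
sample_list() {
    cat <<'EOF'
# firehol_level1-style list (constructed for this example)
; Spamhaus DROP-style comment
192.0.2.0/24      ; TEST-NET-1, standing in for a hostile range
198.51.100.17
203.0.113.0/24    # trailing comment

not-an-address
999.1.1.1
0.0.0.0/0         ; poisoned entry: would black-hole all egress
10.0.0.0/8        ; private range: would cut the LAN off from its own servers
EOF
}

# valid_v4 ADDR[/PREFIX]: 0 if every octet is <= 255 and the prefix is <= 32.
valid_v4() {
    entry=$1
    old_ifs=$IFS; IFS='./'; set -- $entry; IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ -z "$5" ] || [ "$5" -le 32 ]
}

# normalize_blocklist: stdin -> stdout.  Strips comments, CRLF and whitespace,
# keeps only well-formed IPv4 entries, and refuses entries that would take the
# whole firewall down (fetch lists over HTTPS, but do not trust them blindly).
normalize_blocklist() {
    tr -d '\r' |
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    while IFS= read -r entry; do
        if ! valid_v4 "$entry"; then
            echo "skip: $entry (bad octet or prefix)" >&2; continue
        fi
        case "$entry" in
            0.0.0.0/0)
                echo "skip: $entry (matches everything)" >&2; continue ;;
            10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                echo "skip: $entry (private/loopback range)" >&2; continue ;;
        esac
        echo "$entry"
    done | sort -u
}

# emit_pf_rules LAN_IF TABLE_FILE: rules that load the table from the file
# and drop (and log) anything from the LAN towards a listed address.
# "quick" makes the rule win over the default LAN -> WAN pass rule.
# Refresh the table later without a reload: pfctl -t badips -T replace -f TABLE_FILE
emit_pf_rules() {
    cat <<EOF
table <badips> persist file "$2"
block drop in log quick on $1 inet from any to <badips>
EOF
}

# Demo run (interface name igb1 is an assumption).
tmp=$(mktemp)
sample_list | normalize_blocklist > "$tmp"
echo "--- table entries ---"; cat "$tmp"
echo "--- pf rules ---"; emit_pf_rules igb1 "$tmp"
rm -f "$tmp"
```

Of the nine input lines only three survive; the comment-only lines, the malformed entry, the out-of-range octet, the catch-all prefix and the private range are all rejected with a note on stderr, which is what you want in a cron-driven refresh job rather than silently loading whatever the download returned.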
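The ASLR / SEGVGUARD slide above as an added example. SEGVGUARD itself lives in the HardenedBSD kernel; this is the same crash-rate policy written as a user-space supervisor so the idea can be run anywhere: BROP only works if the target comes back after every crash, so stop bringing it back once it crashes too often within a window. This is not HardenedBSD's code. The three knobs mirror what HardenedBSD exposes as `hardening.pax.segvguard.{maxcrashes,expiry,suspension}` (sysctl names assumed here; verify with `sysctl hardening.pax` on a HardenedBSD or OPNsense box), and the "service" is a constructed child shell that sends itself SIGSEGV.

```shell
#!/bin/sh
# Added example, not HardenedBSD code: the SEGVGUARD crash-rate policy as a
# user-space supervisor.  The sysctl names in the comments are assumptions.
ulimit -c 0 2>/dev/null || true   # no core files from the deliberately crashing worker

MAXCRASHES=${MAXCRASHES:-5}     # hardening.pax.segvguard.maxcrashes: crashes tolerated ...
EXPIRY=${EXPIRY:-120}           # hardening.pax.segvguard.expiry: ... within this many seconds ...
SUSPENSION=${SUSPENSION:-600}   # hardening.pax.segvguard.suspension: ... before restarts are refused this long

# should_suspend NOW "T1 T2 ...": true when at least MAXCRASHES of the
# recorded crash times (epoch seconds) fall within the last EXPIRY seconds.
should_suspend() {
    now=$1; recent=0
    for t in $2; do
        if [ $((now - t)) -lt "$EXPIRY" ]; then
            recent=$((recent + 1))
        fi
    done
    [ "$recent" -ge "$MAXCRASHES" ]
}

# supervise CMD: restart CMD after each SIGSEGV (exit status 128+11 = 139)
# until the policy says suspend.  Prints the number of crashes that were
# allowed before suspension, so the policy's effect is observable.
supervise() {
    crashes=""; count=0
    while :; do
        if "$1"; then
            echo "$1 exited cleanly, nothing to do" >&2
            break
        else
            status=$?
        fi
        if [ "$status" -ne 139 ]; then
            echo "$1 exited with status $status, not a crash; giving up" >&2
            break
        fi
        count=$((count + 1)); now=$(date +%s); crashes="$crashes $now"
        if should_suspend "$now" "$crashes"; then
            echo "$count crashes within ${EXPIRY}s: suspending $1 for ${SUSPENSION}s (a BROP probe loop stops here)" >&2
            break
        fi
        echo "crash $count of $1, restarting (what a BROP attacker needs)" >&2
    done
    echo "$count"
}

# Constructed stand-in for a vulnerable service that dies on every request:
# a child shell that sends itself SIGSEGV.
crashy_worker() {
    sh -c 'kill -s SEGV $$'
}

supervise crashy_worker
```

Without the guard the loop would restart the worker forever, which is exactly the oracle BROP probes: every crash tells the attacker "wrong guess, try the next byte". With the guard the attacker gets MAXCRASHES guesses per EXPIRY window before the target goes away for SUSPENSION seconds, and ASLR only needs to hold for that many attempts.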
Plugins

pfSense or OPNsense?
_ Open source, no license fee
_ Development in NL + DE
_ Based on FreeBSD & HardenedBSD
_ Modern design

Tombola: win a Low Energy Server / SSD / laptop bag. Drawing tomorrow (last coffee break).

Have fun with OPNsense! “Real” Open Source rocks ;-)