Web and LAN Security

The Dangerous WEB

Web access is the most difficult part of a network system to secure. External intruders exist to crack your system from the outside or Wide Area Network. These intruders can range from adwares, hackers, worms, MITMs, packet sniffers, phishing sites, viruses backed by bot-nets, ddos attacks, malicious scripts, etc... These threats can degrade, expose, harass, leak or even result to system/s failure. To protect internal systems from such risks. firewalls are installed where sites, ports or networks are managed to secure your network.

Aside from the external barrage of pokers, there are threats that exist inside your own infrastructure and system. They can come from malware that are injected by removable storage devices or run from downloaded files (usually from deceptive emails). The biggest threat though are users and it could be because they are unaware, curious, irresponsible, non-compliant or as worse as vengeful. Some crafty users would even use external dns providers, web proxy sites and tunnel software just to bypass your web security. Another kind of threat is bandwidth abuse where certain users hog your internet or worse, your network bandwidth. Top bandwidth hogs are video sites (youtube) and torrents. And the most common abuse is time and data limit, where users use their time or your internet data limit for web activities not related to work or not permitted by your institution.

Enterprise level firewalls from Cisco, Fortinet, Spiceworks and other providers can manage web security with the right hardware and network engineer. But not all institutions can readily acquire these costly solutions, especially if your system is still in the design and layout stage where a lot can change in just months or weeks. On the other hand, with an old PC or a robust appliance, you can easily compete with enterprise-grade appliance by installing pfSense.

Acquiring Spider pfSense!!!

I am going to show you how to setup pfSense with an explicit proxy server using Squid, WPAD, web filtering by Squidguard, access logs and static ARP entries for DHCP. It is a setup I have reached to after studying pfSense for a year to find an open source solution to an Enterprise-level headache. With these, I have successfully managed web access even through SSL, filtered and logged web access and managed internal network accesses. This setup may still have vulnerabilities but it is a far better option than relying on company policies without polices. As soon as I have implemented this in our System, I have lowered bandwidth usage by up to 70%, regaining more bandwidth for more critical functions.

FOREMOST

If you knew, Good for you...If naught, Food for thought...
Brief and very simple introduction of the framework.

Squid is an open source proxy server included in pfSense as a supported package. A proxy server is in essence a proxy to web access. So when you access a website, you send your request to Squid then Squid sends your request to the actual destination thereby acting as our proxy to the web.
WPAD or Web Proxy Autodiscovery Protocol is the process used to easily propagate proxy configuration throughout your network.
Squidguard is another package supported by pfSense that acts as a filtering add-on. It runs on top of Squid and verifies requests for allowed or blocked resources. In short, it can allow or block Facebook, and other web or internal resources.
Static ARP or Static Address Resolution Protocol tells your network devices that a device with a physical address 'A' must have an IP address set for 'A', otherwise the firewall rejects it. These can prevent unauthorized access by foreign devices connected internally.

Getting Dirty
(I wrote the setup on a different post)

TODOs
Intensifying internal security can be done by using Static ARP entries at Data Switch and Access Point levels while using authentication services such as Captive Portals with LDAP, Active Directory and RADIUS.

Comments