CYBERSECURITY DETECTION & MONITORING LAB: Part Five
PFSENSE NETWORK INTERFACE & FIREWALL RULES CONFIGURATION
Introduction
Welcome back to the blog series, ‘Cybersecurity Detection and Monitoring Lab’. In part four of the lab, we installed Security Onion to act as the engine of our lab: it will sniff network packets and help generate alerts when malicious activity is suspected in our victim network.
Today, we continue with the work done in part two of our blog series and finish configuring pfSense. We will name the interfaces for easier reference, then enable and configure the DNS and DHCP capabilities so that all our connected subnets can get IP addresses and access the internet. Finally, we will define firewall rules for the subnets in our home lab. We will perform all the tasks in this lab in the pfSense WebConfigurator, accessed from the Kali Linux machine because pfSense and the Kali VM are on the same LAN.
It is critical to follow our guide here, the network topology diagram, because it lets us use the pre-defined IP address ranges and stay consistent throughout the series.

Configure pfSense interfaces
Let’s begin with the interfaces by following the steps below:
- On the Kali VM, open the web browser and go to 192.168.1.1.
- Click on ‘Advanced’.

- Accept the risk and continue.

- Sign in to pfSense using the default credentials: admin & pfSense.

- The next page will be the pfSense ‘wizard/pfSense setup’ page.

- Click on ‘next’ until you get to the ‘General information’ page. Here, enter your Primary DNS server as ‘8.8.8.8’ (Google DNS server) and your Secondary DNS server as ‘4.4.4.4’. Click on ‘next’.

- Select your timezone then click on ‘next’.
- Uncheck the RFC1918 Networks and Block bogon networks checkboxes and click on ‘next’ until you get to the Admin password page.

- Change the default admin password. Click on ‘next’.
- Click on ‘reload’.
- Click on ‘finish’. Accept the Copyright and Trademark notices.
- Go to ‘System’, then ‘General Setup’. Change the theme to dark in the webConfigurator module.
The next step is to configure the interfaces as we had initially defined and named them. Go to ‘Interfaces’ to begin.
- LAN (vtnet1): Change description value to ‘Kali’, click ‘save’ then ‘Apply Changes’.
- OPT1 (vtnet2): Change description value to ‘SecurityAnalyst’, click ‘save’ then ‘Apply Changes’.
- OPT2 (vtnet3): Change description value to ‘SecurityOnion’, click ‘save’ then ‘Apply Changes’.
- OPT3 (vtnet4): Change description value to ‘VictimNetwork’, click ‘save’ then ‘Apply Changes’.
- OPT4 (vtnet5): Change the description value to ‘SpanPort’ then click the checkbox to enable the interface. (The interface is not enabled because we didn’t give it an IP address during the initial pfSense setup). Click ‘save’ then ‘Apply Changes’.
- OPT5 (vtnet6): Change description value to ‘Splunk’, click ‘save’ then ‘Apply Changes’.
- Click on ‘Assignments’ to see the following setup.

- Click on ‘Bridges’ and click ‘Add’. (See highlighted area in preceding photo).
- For member interfaces, click on ‘VictimNetwork’ then click on ‘Display advanced’.
- For the Span Port, click on ‘SpanPort’. Scroll to the bottom of the page and click on ‘Save’.
With the two steps above, we have configured our Span Port to copy all traffic going in and out of our Victim network and direct it to Security Onion.

Enable and Assign DHCP Ranges
- Go to ‘Services’, then click on DHCP server.
- Notice the Kali interface loads and it has the ‘Enable DHCP server on Kali Interface’ checkbox marked and the ‘Address Pool Range’ fields with IP addresses from the subnet range specified above the fields.


- Now, following the above convention, apply the same changes to the other four interfaces. For example, the SecurityOnion interface would look like this.


DNS Resolver Service Optimization
- Go to ‘Services’, then select ‘DNS Resolver’.

- Scroll to the bottom of the page and enable the two following options.

- Scroll to the top and click on ‘Advanced Settings’.
- Enable the following options as well.

- Scroll to the bottom of the page and click on ‘Save’. Then click ‘Apply changes’.
Configure the Firewall Rules
i. WAN Interface:
- Go to the ‘Firewall’ dropdown and click on ‘Rules’.
- Click on ‘Add a rule to the bottom of the list’.
- Change the Protocol value to ‘Any’ and click ‘save’. This firewall rule allows all traffic through our pfSense firewall. A rule like this would never be implemented in an enterprise environment. However, it serves the purpose of letting us gather as much information as possible in Security Onion for our future exploitation activities. Click on ‘Apply Changes’.

ii. LAN Interface:
- Click on ‘Add a rule to the bottom of the list’.
- Set the same rule as above.

NB: Proceed to set the same rule for all the other network interfaces. Remember, we want our internal network as open as possible for initial exploitation before we begin to harden it.
Good job! We have completed the configuration of pfSense required to start the lab. It is important to note that whenever we start the lab, pfSense should always be the first VM booted because it also serves as our DHCP server. Next, we need to have our victim network set up. Catch this in the next episode here: part six. Happy Learning!