Unfortunately a firewall isn't going to offer much protection against these sorts of social engineered attacks, as the real weakness here is the neural network behind the keyboard and not the computer network. The best thing you can do is educate the employees about social engineering and implement a good ongoing security program. It's all about managing your risk and exposure. There's no real magic bullet that will make the threat disappear.

The firewall isn't completely useless and there are a few things you can do from pfSense at the network edge. Force all web traffic through a proxy and use SquidGuard to enforce company policy on what sites users are allowed to access, and HAVP to scan the web traffic for known viruses. However, I've found HAVP to be a bit touchy; it blocks a lot of legitimate files like the important Adobe Flash update that closes some known vulnerabilities. If possible, use country block to block countries that your business has no interaction with. Snort can also help, as it can alert you to traffic going to known command and control servers and other known hacked systems.

The other main attack vector for social engineered attacks is email, so make sure you are scanning inbound email for known viruses. This is normally done on the email server(s) or email relay in the DMZ, depending on how your email infrastructure is set up.

Internally your security program should include: vulnerability assessment, patch management, system hardening (best practices), centralized AV on the desktops, strong security policies (password policies, etc.), log correlation and analysis, and employee education. Patch management should include the desktop applications, especially Adobe Reader and Flash, as this is typically what's being used to deliver these targeted attacks. Most of all, know your network and what traffic is normal.

Employee education plays an important part in your security posture these days. Employees should know how IT will and won't communicate with them, things like "IT will never ask a user for their password". They should be educated on company security policies, and these policies should be enforced if possible. They need to know common sense things like don't share your password and don't plug that thumbdrive they found in the parking lot into their desktop. Better yet, disable USB mass storage devices using Group Policies. They need to be educated about general web and email safety: things like they should not open attachments or click on URLs in emails from people they don't know and/or weren't expecting, avoid clicking on shortened URLs unless you know where they are going, etc. And most of all, IT should have a good rapport with the employees so that they feel comfortable coming to the IT team if they think something is suspicious.

Overall network design can come into play too. Proper segmentation, VLANs, etc. can act as bulkheads on your network to contain any breach. And not-so-common-sense things: if your public facing servers are behind a load balancer and you have a way to manage system updates from an internal source, such as an internal repository mirror or WSUS, then your servers no longer need a default gateway in their routing table. They just have routes to be able to get to your update server, the load balancer, and any backend systems that support them. So even if someone were to successfully hack your web server, they wouldn't be able to get a reverse shell or leverage it in any way, since the traffic would not have any route back to them.

There are a lot of commercial UTMs and End Point Protection products out there that may be better suited to dealing with the threats your business faces, so don't get too tunnel visioned on pfSense. pfSense is a great firewall, routing, and VPN platform, and it can do some UTM type functions if you leverage the available 3rd party packages. But as a UTM platform it's not at the same level as a good commercial UTM solution, which can do things like allow employees to access Gmail but disallow uploading attachments, and include technologies like DLP (Data Leak Prevention) that can block documents that include things like social security numbers from leaving your network. Most of these also allow you to set up your own rules, so if the company has a policy that any internal-only document uses a certain Word template, you can make sure that they are blocked from leaving your network.

If you need to secure web and database servers then there are application firewall products, both commercial and open source, that can help.

Wow, that rambled on longer than I had expected. So I guess that's my 3 cents.

--
David

On Thu, Aug 4, 2011 at 7:33 AM, mayak-cq <[email protected]> wrote:
> hi all,
>
> i have deployed pfsense since its earliest versions and it has simply proven
> to be one of the best pieces of software that i have ever used. i have had
> several calls now from clients asking me questions about network security in
> light of articles like this one:
>
> http://finance.yahoo.com/news/Report-Global-cyberattack-apf-4118716199.html
>
> and the obvious question is how to protect a network against such an attack.
> assuming that i have configured pfsense correctly and that i have an
> additional firewall on my servers, and that i have tcpwrappers and selinux
> running, what else can one do?
>
> i am aware of snort, etc, but these attacks appear to be related to
> specially crafted e-mails that infect the workstation (unbeknownst to the
> antivirus) and start accessing and sending files over the wire on legitimate
> ports. other than snort, are there things that i should be doing (most
> notably inbound lan rules) in order to defend against threats?
>
> many thanks
>
> m

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
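A small audit script for the "no default gateway on the servers" advice in David's reply, added here as an example and not part of the original thread: it parses Linux `ip route show` output, flags a default route and any route outside an allow-list (update server, load balancer, backend subnet), and emits the explicit routes that replace the default gateway. The route table, the allow-list and the gateway address are constructed sample values.

```python
import ipaddress

# Constructed sample `ip route show` output for a web server that still has a
# default gateway and one stray route; not taken from a real host.
SAMPLE_ROUTES = """\
default via 10.0.10.1 dev eth0
10.0.10.0/24 dev eth0 proto kernel scope link src 10.0.10.50
10.0.20.15 via 10.0.10.1 dev eth0
10.0.30.0/24 via 10.0.10.1 dev eth0
192.168.99.0/24 via 10.0.10.1 dev eth0
"""

# Hypothetical allow-list: WSUS/repo mirror host, backend subnet, local LAN.
ALLOWED = ["10.0.20.15/32", "10.0.30.0/24", "10.0.10.0/24"]


def parse_routes(text):
    """Return (destination_network, next_hop_or_None) for each route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), via))
    return routes


def audit_routes(text, allowed):
    """Return (has_default_route, [destinations not covered by the allow-list]).
    A /0 destination is the default gateway the server should not have."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    has_default, unexpected = False, []
    for dest, _ in parse_routes(text):
        if dest.prefixlen == 0:
            has_default = True
            continue
        if not any(dest.subnet_of(net) for net in allowed_nets):
            unexpected.append(str(dest))
    return has_default, unexpected


def route_commands(allowed, gateway):
    """Build the explicit `ip route add` lines; networks that contain the
    gateway are on-link and need no route."""
    gw = ipaddress.ip_address(gateway)
    nets = [ipaddress.ip_network(a) for a in allowed]
    return [f"ip route add {n} via {gw}" for n in nets if gw not in n]


if __name__ == "__main__":
    print(audit_routes(SAMPLE_ROUTES, ALLOWED))
    print("\n".join(route_commands(ALLOWED, "10.0.10.1")))
```

Run it against real `ip route show` output after removing the default route to confirm only the intended destinations remain reachable.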
