
Author Topic: Russian Hacking  (Read 456 times)


Offline Harvy66

  • Hero Member
  • Posts: 2360
  • Karma: +220/-12
Re: Russian Hacking
« Reply #15 on: Today at 11:06:25 am »
Out of the box, pfSense is very secure on the WAN side. By default, all traffic towards the router is blocked if there is no matching outgoing state. There are only a few ways for a WAN-side remote attack to compromise pfSense by default:

1) Compromise a device on the LAN side and use this to attack the much less protected LAN rules
2) Attack the pf firewall/network stack, which are well reviewed and hardened and almost never have security issues
3) Attack a pre-existing state, in a stateful way, where the state is being used by pfSense. An example would be to forge packets that match a state from pfSense for the DNS service making external requests. There are few services on pfSense that contact the outside world and these services tend to be quite secure, but are the biggest part of the attack surface.

2 and 3 are the main things you want to watch for when security announcements happen. Generally, I don't care about 1, because I've already lost the war if a LAN device is compromised. The whole point of a firewall is to reduce the chance of this by closing off an attack vector. Once an internal device is compromised, the firewall is the least of my worries.

Offline roveer

  • Jr. Member
  • Posts: 51
  • Karma: +1/-0
Re: Russian Hacking
« Reply #16 on: Today at 02:02:37 pm »
Quote
Of course it's not just the Russians.  I used those terms to provoke responses.  Hacking is coming from every direction, on every device, and can easily be brought into your network on a portable device (of the 17 devices showing in my network, nearly 10 of them come and go outside the network on a regular basis).  Just too darn many ways for bad things to happen.  That's why you can't just look at the strength of your firewall as if that's the most important safety measure.  Your kid brings an exploit to the network, it clobbers your devices from the inside, and we are all busy worrying about forwarded ports.  Nope, time to get a LOT smarter than that.  I think IDS is necessary no matter what's going on.  I have no forwarded ports on my router.  Well, not really true, I have IPsec remote access set up so technically 443 is open, but I'm much more concerned about the other 5000 ways bad things can happen.  That being said, it's not possible to keep up with their devices, so I would think IDS could at least give an insight into a possible exploit.  Either way.  It's basically the wild west if you run a traditional "home" network with devices coming and going.

Quote
If you're worried about all those devices your kids and anyone else are bringing into your house, create another SSID on a different VLAN and create rules that won't allow, say, the GUEST network to communicate with your private network. Your AP may also support wireless isolation, but keep in mind things such as Chromecast won't work.

Nothing wrong with implementing IDS, but depending on how strict your rules are, I've seen this cause unwanted issues. Also keep in mind, IDSs typically look for traffic that matches signatures, so this is no sure thing.

Thanks for that suggestion.  I already implemented a guest wifi with no access to the LAN but didn't think to move my family's devices to it.  This is a really good suggestion.  Cuts way down on unnecessary exposure to the LAN and devices.  It's unfortunate that I have to think in such a paranoid way, but the sheer volume of attacks and the fact that just about every device is vulnerable makes it necessary to do something.  I've been very fortunate that I've never had anything really bad happen, but it seems like it's really not a matter of if, but when, and it's ugly when it happens.  I know people dealing with identity theft and it's an all-consuming thing once it starts.  I don't think people realize once bad stuff starts to happen it really does take over and can really impact your life.  I just don't need that happening, and tightening things up may just help prevent it or at least delay it from happening.

Roveer
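As an added example (not code from this thread, and not pfSense's own generated ruleset), here is a hand-written pf ruleset that models the two points made above: Harvy66's description of the stateful default-deny WAN, where only states created by outbound traffic admit replies, and the guest-VLAN isolation suggested in reply #16. Interface names, the VLAN number and the address ranges are assumptions. pfSense builds its own rules from the GUI (the generated file lives at /tmp/rules.debug on the box); this block is a model of the policy, not that file.

```pf
# Added example: a minimal pf.conf expressing the policy discussed in the
# thread. Interface names and the guest VLAN tag are assumptions.
wan   = "igb0"
lan   = "igb1"
guest = "igb1.20"          # assumed: VLAN 20 tagged on the LAN NIC

# RFC 1918 space; used to keep guest devices away from the private network.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set block-policy drop      # silently drop on WAN (no reset/unreachable back)
set skip on lo0

# Translation must precede filtering on FreeBSD pf.
nat on $wan inet from { $lan:network, $guest:network } to any -> ($wan)

# Default deny in both directions. Nothing reaches the firewall from WAN
# unless it matches a state created by a pass rule below (Harvy66's point).
block log all

# Anything leaving on WAN creates a state; the reply is admitted only because
# it matches that state. For traffic the firewall itself originates (resolver,
# NTP, update checks) these states are the "pre-existing state" attack surface
# described in the thread: a forged reply has to match the state's 4-tuple.
pass out quick on $wan inet keep state

# LAN clients may go anywhere; their replies ride the state created here
# (states are floating by default, so the same state matches on WAN out).
pass in quick on $lan inet from $lan:network to any keep state

# Guest VLAN. Order matters because each rule is "quick":
#   1. DHCP and DNS to the firewall's own guest-side address must be allowed
#      before the private-space block, or guest clients never get online.
pass in quick on $guest inet proto udp from any port 68 to any port 67 keep state
pass in quick on $guest inet proto { tcp, udp } from $guest:network to ($guest) port 53 keep state
#   2. Refuse everything else bound for private address space (this is also
#      why a Chromecast on the LAN is unreachable from guest, as noted above).
block return in quick on $guest inet from $guest:network to <private>
#   3. The rest of the internet is allowed.
pass in quick on $guest inet from $guest:network to any keep state
```

To check the syntax without loading it, run `pfctl -nf pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -ss` the state table. The entries in `pfctl -ss` for the firewall's own outbound DNS queries are exactly the states Harvy66's third point refers to: they are the only openings through which WAN-side traffic can reach a service on the box by default.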

Offline roveer

  • Jr. Member
  • Posts: 51
  • Karma: +1/-0
Re: Russian Hacking
« Reply #17 on: Today at 02:08:47 pm »
Quote
Yeah, Mikrotik...  Read about them in January.  Hacked by government agents with code that can be activated some time in the future???  Yup...  That's what's got me worried these days.

The cause of the Mikrotik breach was folks not updating the routerOS.

Wait what???  That's kinda silly what you just said there.  The cause of the Mikrotik breach was flaws in the routerOS.  It affected people who didn't upgrade their router, but not upgrading the router was not the cause.  Let's place the blame in the right place here.

When I say it's all getting to be too much, what I mean by that is a typical family has a few dozen electronic devices, then add another dozen that are appliances, vehicles, etc.  All have firmware, many communicate in some way.  I would say that a large number of families don't even know how to upgrade firmware, but even if they do, it's probably in the high dozens of devices that need to be watched and upgraded on a regular basis.  Across a typical family that could be hundreds of upgrades (some automatic, some manual), and that still gives no assurance that you won't be compromised.  Are you seeing the point?  It's all a little too much.  Life off the grid sure has its advantages.  But then again, I wouldn't have this really cool pfSense project so, never mind.  I'll stay on the grid for now.

Roveer
« Last Edit: Today at 02:12:47 pm by roveer »

Offline KOM

  • Hero Member
  • Posts: 5823
  • Karma: +710/-23
Re: Russian Hacking
« Reply #18 on: Today at 02:21:07 pm »
Quote
Let's place the blame in the right place here.

Indeed.  The fault lies with Mikrotik for a bug in their code, and the user for failing to keep their device updated.

Offline johnpoz

  • Hero Member
  • Posts: 15736
  • Karma: +1469/-210
  • Not a pfSense employee, they cannot fire me...
Re: Russian Hacking
« Reply #19 on: Today at 02:42:01 pm »
So this was the ChimayRed exploit still, which was fixed with 6.38.4 back in March of 2017, right?

If the user is running code on their security device that is over a year old, that is clearly on them and nobody else but them.

If the user is not going to take responsibility for keeping their security devices current, then they shouldn't be running such devices.  They should just let their ISP manage the edge device.

The only thing you could blame MikroTik for might be not pushing their user base hard enough to update the code on their devices.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline NollipfSense

  • Full Member
  • Posts: 137
  • Karma: +7/-1
Re: Russian Hacking
« Reply #20 on: Today at 08:46:10 pm »
Quote
Yeah, Mikrotik...  Read about them in January.  Hacked by government agents with code that can be activated some time in the future???  Yup...  That's what's got me worried these days.

The cause of the Mikrotik breach was folks not updating the routerOS.

Wait what???  That's kinda silly what you just said there.  The cause of the Mikrotik breach was flaws in the routerOS.  It affected people who didn't upgrade their router, but not upgrading the router was not the cause.  Let's place the blame in the right place here.
Roveer

You appear to be a troll.