The pfSense Store

Author Topic: It's always nice reading these things about your favourite firewall  (Read 3664 times)

0 Members and 1 Guest are viewing this topic.

Offline Ozzik

  • Full Member
  • ***
  • Posts: 102
  • Karma: +0/-0
    • View Profile
Quote
Heffner also called on router vendors to build in DNS Rebinding mitigations into their routers directly.

"The only router software that I know of that does this now is pfsense," Heffner said. "They contacted me when my Black Hat talk abstract went up."

http://www.esecurityplanet.com/features/article.php/3895851/Millions-of-Home-Routers-at-Risk.htm

Offline mhab12

  • Hero Member
  • *****
  • Posts: 649
  • Karma: +0/-0
    • View Profile
Re: It's always nice reading these things about your favourite firewall
« Reply #1 on: July 30, 2010, 11:39:54 am »
Agreed - the interaction between the devs and community here are about as good as it gets.  Thanks for all that you do.

Offline HiTekRedNek

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: It's always nice reading these things about your favourite firewall
« Reply #2 on: August 03, 2010, 12:13:12 pm »
And just how does PFSense mitigate against this type of attack compared to competitors?

Offline David Szpunar

  • Full Member
  • ***
  • Posts: 165
  • Karma: +0/-0
    • View Profile
    • David Szpunar
Re: It's always nice reading these things about your favourite firewall
« Reply #3 on: August 03, 2010, 01:14:54 pm »
Well, the main way is by not allowing webGUI access using a hostname other than the one assigned to pfSense in version 2.0. There is an exception list for other hostnames used if needed, or IP address can be used without restriction, as that is not a security risk with DNS Rebinding attacks. These protections are on by default in 2.0 beta currently, even when upgrading from 1.x. It's always recommended to change the default administration password for the webGUI as well, and if you do this and are not logged into the webGUI (or are not logged into the same web browser used for other tasks), even attempts at DNS Rebinding attacks are unlikely to succeed because they would need to rely on a flaw in the LAN administration code to authenticate/change the firewall (this is the case even in 1.x). So the main recommendations beyond the build-in protections are: 1) use a different web browser for administration than for web browsing, and 2) change the default password to something secure (do this anyway!).

At least that's what I'm familiar with. I'm sure someone else may have information about additional precautions taken.
David Szpunar
I use pfSense wherever I can, and I break the rule about not using 2.0 beta in production, because it's so cool :-)