Configuring OPNSense to be hacker proof

[CommonSense]

How do I configure OPNSense to make it very difficult to hack, (by hack I mean, hacker should not get access to LAN)

Would 2 OPNSense boxes help in this case? which would be 2 layers of firewall.

Is there any hardware device I can place after/before the OpnSense server that would further harden the setup?

[bartjsmit]

Stick to general principles:

- do not host services on your firewall. DNS, DHCP, Proxy, etc. can all run on external servers
- minimise the number of inbound firewall rules. Use a VPN for external access where possible
- split your network into segments that don't interact outside the firewall. E.g. clients, IoT, guests, servers and management
- patch all network clients and servers with security updates. Try them on test servers for important services

OPNsense already has a hardened base OS, so you have a head start.

Bart...

[CommonSense]

Stick to general principles:

- do not host services on your firewall. DNS, DHCP, Proxy, etc. can all run on external servers
Would this mean that I would need 2 boxes one runninng opnserve and the other running all the other services like DHCP, proxy, antivirus etc.
How would the 2 boxes be wired up then, will the internet cable directly be connected to the firewall box, and then the lan cable of the firewall box be connected to the other server where the services are running?

- minimise the number of inbound firewall rules. Use a VPN for external access where possible
For this do you mean that I should only keep port 80 open and block other ports? Is Opnsense configured like so by default? VPN is one of the features that can be enbaled in OPNSense, so I guess you are saying that I could enable and use that on the same box as the firewall.

- split your network into segments that don't interact outside the firewall. E.g. clients, IoT, guests, servers and management
ok, got it

- patch all network clients and servers with security updates. Try them on test servers for important services
Would I need to manually check for security updates or does OPNsense do that periodically.

OPNsense already has a hardened base OS, so you have a head start.
Good to know that,

Bart...

[bartjsmit]

The OPNsense box needs interfaces to all the segments of your network. You can do this in several ways:

- Have separate NIC's connect to separate switches (expensive)
- Use VLAN separation on the managed switch(es) and possibly OPNsense
- Virtualise the firewall and present different virtual switch interfaces

It is up to you which services you want to run on the firewall. You will need other devices if you want to self host. Raspberry Pi servers are fine for small networks. Your servers are best protected in their own segment but you could have them on the LAN as well if there you trust your LAN based clients.

Do not run anything on port 80 if you can help it, other than to redirect clients to 443. There's a whole raft of HTTP exploits that are fixed by HTTPS. Letsencrypt reduced the certificate cost to just effort.

The default port for VPN depends on the choice of software. OpenVPN is a good compromise between available documentation and client OS support. It can also share a port with an HTTPS connection to overcome restrictive client-side firewalls.

A very long time ago I wrote a script that emails you when there are OPNsense updates but it is much more fun to follow this forum ;-) The OPNsense twitter feed also notifies of patches.

Bart...

[CommonSense]

The OPNsense box needs interfaces to all the segments of your network. You can do this in several ways:

- Have separate NIC's connect to separate switches (expensive)
- Use VLAN separation on the managed switch(es) and possibly OPNsense
- Virtualise the firewall and present different virtual switch interfaces

It is up to you which services you want to run on the firewall. You will need other devices if you want to self host. Raspberry Pi servers are fine for small networks. Your servers are best protected in their own segment but you could have them on the LAN as well if there you trust your LAN based clients.

Do not run anything on port 80 if you can help it, other than to redirect clients to 443. There's a whole raft of HTTP exploits that are fixed by HTTPS. Letsencrypt reduced the certificate cost to just effort.

The default port for VPN depends on the choice of software. OpenVPN is a good compromise between available documentation and client OS support. It can also share a port with an HTTPS connection to overcome restrictive client-side firewalls.

A very long time ago I wrote a script that emails you when there are OPNsense updates but it is much more fun to follow this forum ;-) The OPNsense twitter feed also notifies of patches.

Bart...

Thanks for the info, some profound points in there that would need some thinking and understanding since I'm just a noob in this domain.
I've yet to understand certain concepts pertaining to software firewalls and the other components they bring in, like proxy, vpn etc.
Although I do understand the terms I can't currently visualize the flow of data for instance between firewall, proxy and vpn.
I guess its time for some home work!
Thanks again.

[bartjsmit]

Here's an example: https://drive.google.com/file/d/1vNyLuFWnku423MEqsKbbHKVKQsowMQOg/view?usp=sharing

The VPN client uses (dynamic) DNS to find the IP address of your ISP router which is best set to modem mode, so that OPNsense has a public IP address (non-RFC1918). They establish a tunnel with a separate subnet which puts the client on a par with the other VLAN's and allows traffic flows to the servers, printers, etc.

Good intro on VLAN's: https://www.theregister.com/2017/06/30/vlans_at_20/

Happy exploring!

Bart...

[CommonSense]

Thanks for the tips,
I did some thinking on how the system works and wanted to confirm if the flow of data is like so

1. Client Browser or Any app running on PC that needs internet access
2. Proxy with Caching and Filtering
3. Firewall
4. VPN
5. Internet

Is the flow of data in OpnSense from 1 to 5 and then gets back 5 to 1.

[bartjsmit]

Mind that internet is more than just web - email, VoIP, IM, etc. The proxy is for web sites only (by and large).

internal clients: 1-2-3-5 for web, 1-3-5 for other services
external clients: 1-4-3-2-3-5 for web, 1-4-3-5 for other services

in other words, you'll always use the proxy to get to web sites and the VPN to get to your internal LAN. The firewall enforces your security policy and can host the VPN server, proxy and a few other services.

Bart...

[samefredd]

Not sure that you will be able to make any server hacker-proof. Eventually, they will find a way to get it if they need to.
It is quite easy to find a professional hacker for hire online nowadays. If someone needs to get into your stuff, they will find a professional to find or make a breach.
The only thing you can do now is to make your server not interesting to those hackers by adding more and more obstacles. They will have to apply much more effort to hacking than the profit they will get from hacking the server. It is how I see it for now.

[Demusman]

Two years later...