The pfSense firewall is now set up and ready to go. However, there are some security settings I would prefer to change (and recommend anyone change) before unleashing it on the network.
The first change I want to make has to do with the web browser login. By default, the firewall is set up to allow web browsers to save the login credentials. Since the firewall is the gateway to the network, and a simple settings change on it can expose all data and sensitive information on the network, this setting makes me nervous. The reason for my concern is that if an intruder gained access to the administrator's laptop or hooked their web browser, they would have easy access to the firewall because of the browser's saved credentials. I'd prefer to avoid this risk.
To change this setting, in the WebGUI go to System > Advanced:
By default, "WebGUI Login Autocomplete" is checked. Uncheck it. Note that some web browsers will not respect this option and will still offer to save credentials. If this is the case with your browser, you may need to update your security policies to make sure network administrators know not to save their credentials in the web browser.
The next security concern has to do with the pfSense console. Most network administrators will access the firewall through the WebGUI (as will I during this project), but it can also be accessed through its console. This means that anyone with physical access to the pfSense machine (in a real-world scenario) can plug directly into it and gain root shell access.
To avoid this, keep scrolling down on the System > Advanced settings page until you get to the bottom:
By default, password protection is unchecked. Make sure it's checked and then click Save. Once this option is saved, have a look at the pfSense console. You will notice you are now prompted to log in:
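As an added example (not code from the original post or from pfSense itself), here is a small audit script that reads a pfSense config.xml backup and reports whether both of these settings are in their hardened state. It assumes pfSense stores these options as empty elements named `webgui/loginautocomplete` and `disableconsolemenu` under `<system>`; confirm those names against your own backup before relying on it.

```python
"""Audit a pfSense config.xml backup for the two hardening settings covered
above (example added here; not code from the original post or from pfSense).
Assumed config.xml layout: pfSense stores boolean options as empty elements,
so <loginautocomplete/> under <system><webgui> means autocomplete is ON and
<disableconsolemenu/> under <system> means the console menu IS password
protected. Verify these element names against your own backup file."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a firewall still on the defaults the post changes.
SAMPLE_DEFAULT = """<pfsense>
  <system>
    <hostname>fw01</hostname>
    <webgui>
      <protocol>https</protocol>
      <loginautocomplete/>
    </webgui>
  </system>
</pfsense>"""

# Constructed sample: the same firewall after both settings were changed.
SAMPLE_HARDENED = """<pfsense>
  <system>
    <hostname>fw01</hostname>
    <webgui>
      <protocol>https</protocol>
    </webgui>
    <disableconsolemenu/>
  </system>
</pfsense>"""

def audit_pfsense_config(xml_text):
    """Return {setting: True if hardened, False if still at the risky default}."""
    system = ET.fromstring(xml_text).find("system")
    if system is None:
        raise ValueError("no <system> element: not a pfSense config.xml")
    return {
        "login_autocomplete_disabled": system.find("webgui/loginautocomplete") is None,
        "console_password_protected": system.find("disableconsolemenu") is not None,
    }

def failed_checks(xml_text):
    """Names of the settings that still need attention, in a fixed order."""
    return [name for name, ok in audit_pfsense_config(xml_text).items() if not ok]

if __name__ == "__main__":
    # Usage: python audit.py config-backup.xml  (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULT
    for name in failed_checks(text) or ["all checks passed"]:
        print(name)
```

Run it against a fresh backup after every configuration restore or upgrade, since a restored config can silently bring the old defaults back.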
Now that pfSense is ready, I can move on to setting up a web server that I will place in the screened subnet, or DMZ.