BEAST Attack Mitigation in pfSense

BEAST attack

Enabling BEAST attack protection in pfSense 2.1.3.

On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called Browser Exploit Against SSL/TLS (BEAST). A BEAST attack involves intercepting and decrypting HTTPS cookies. Whenever you log into an HTTPS page, after your authentication, you can see your autenticated page, and if you look carefully at the page’s URL, you can see the session ID. A session ID is a random number or combination of numbers and string that maintains the state of the page, it is assigned by the website server to the client browser. The session ID can be found in either the cookie or the URL of the web browser. Usually, session IDs will be encrypted to prevent hijacking of the session.

A successful BEAST attack entails first sending a malicious JavaScript to run on the victim’s machine. This can be achieved by several means: Cross Site Request Forgery (CSRF), social engineering, a download, or a web page containing JavaScript. This malicious script runs on the victim’s machine and can capture the entire header info and the encrypted cookie that is assigned from the web server running Transport Layer Security (TLS) 1.0 and can then send the information to the website.

Next, the attacker utilizes a vulnerability in SSL/TLS. In TLS 1.0, if there are two identical plaintext messages, then after encryption, the cipher text is the same. Thus, by comparing the encrypted session details and the unencrypted data sent by the script, the attacker can find the initialization vector. Once the attacker gets this information, it can decrypt future cookies sent from the web server.


Using this blueprint, Duong and Rizzo built the BEAST tool, which is capable of decrypting HTTPS cookies and hijacking browsing sessions in order to steal credentials. Major browser makers, except for Apple, addressed the issue on the client side by implementing a technique known as the 1/(1-n) split. The technique stops attackers from being able to predict the initialization vector blocks that are used to mask plaintext data before it is encrypted.

Enabling BEAST Attack Protection in pfSense

Fortunately, pfSense provides some measure of protection against BEAST attacks on your web configurator sessions. If you navigate to System -> Advanced, and click on the “Admin Access” tab, under “webConfigurator“, there is a “BEAST Attack Protection” check box. It is left unchecked by default because it does not work with Hifn cryptographic accelerators, and if it is used when such accelerators are being utilized, the web GUI will not work. If you are not using such cryptographic accelerators, however, you should be able to enable this option without having any issues.


External Links:

Not So Fast on BEAST Attack Mitigations at threatpost.com

BEAST vs. CRIME Attack at resources.infosecinstitute.com

pfSense Setup: Part Four (Setting up a DMZ)

DMZ

The optional interface configuration page in the pfSense web GUI (which is similar to the WAN and LAN config pages).

In the first three parts, I covered booting and installing pfSense, general configuration options in the pfSense web GUI, and configuring WAN and LAN interfaces (also with the web GUI). In this part, I cover using an optional interface to create a DMZ.

In networking, a DMZ (de-militarized zone) is a place where some traffic is allowed to pass and some traffic is not. The area is separate from the LAN and WAN. In simple terms, a DMZ looks like this in relation to the rest of the network:

Internet traffic | <- DMZ <- LAN

Unsafe Internet traffic is allowed to enter the DMZ, but not the LAN. To configure it, we will need an optional interface.

Configuring the DMZ

From the web GUI, browse to Interfaces -> OPT1. If “Enable Interfaces” isn’t checked, check it. Set “Description” to DMZ. Under “Type”, choose “Static” as the address configuration method. For “IP address”, enter an IP address and the subnet mask (the subnet should be different than the subnet for your LAN). For example, if your subnet for the LAN is 192.168.1.x, it could be 192.168.2.x for the optional interface.

For “Gateway”, leave this option set to “None”. The last two options are “Block private networks” and “Block bogon networks”. Ensure that these two options are unchecked; we don’t want the system to block access from the Internet to the DMZ. Finally save changes by pressing the “Save” button.


Now that the DMZ is configured, your DMZ will allow WAN access. Your DMZ will also allow access from the LAN, but it won’t be permitted to send traffic to the LAN. This will allow devices on the Internet to access DMZ resources without being able to access any of your LAN. This could be useful, for example, for setting up an e-mail or FTP server.

You could now attach a switch to your DMZ interface. This would enable you to connect multiple machines to the DMZ.

External Links:

Setting Up a DMZ in pfSense


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Part Three (WAN and LAN settings)

Ad Links:


pfSense Setup: Part Two

pfSense Setup

The General Setup menu in the pfSense web GUI.

If you followed the setup instructions in pfSense Setup: Part One, pfSense should be running and accessible via the web interface at 192.168.1.1 (or another IP address if you assigned a different one). You should be able to log in using the default username (admin) and password (pfsense).

You will want to change some of the basic settings in General Setup. In the web interface, browse to System | General Setup. At “Hostname”, enter your hostname (the name that will be used to access the machine by name instead of the IP address.

Below this, enter your domain (Domain in the General Settings).

DNS Servers can also be specified. By default, pfSense will act as the primary DNS server. However, other DNS servers may be used, and the place to enter them are in the four boxes for DNS servers.

Check Allow DNS server list to be overridden by DHCP/PPP on WAN. This ensures that DNS requests that cannot be resolved internally are passed on to the WAN and resolved by the external DNS servers provided by your internet service provider.


Next, select the correct time zone; you probably want to leave the default NTP time server as it is.

Next is the theme, which allows you to change the look and feel of the pfSense web GUI. You can probably keep the default theme, pfSense_ng.

pfSense Setup

pfSense’s User Manager, which has been part of the pfSense web GUI since version 2.0.

NOTE: You probably want to change the admin password. You can do this under System -> User Manager. Here you can change the admin password, add new users, and delete users, including the admin.

That’s it for the General Setup within the web GUI. In pfSense Setup: Part Three, I will cover how to configure the WAN and LAN interfaces using the web GUI. Part four will cover configuring optional interfaces.


External Links:

Another useful guide on installing and configuring pfSense (from the iceflatline blog)

Ad Links:


© 2013 David Zientara. All rights reserved. Privacy Policy