Secure Your OPNsense Network with Zenarmor NGFW!

  • published 10 Jul 2024
  • I use OPNsense as my firewall of choice, and if you need an NGFW solution, or even just basic threat blocking (not DNS-based, but actually at the firewall), Zenarmor might be the solution for you!
    Zenarmor Website:
    www.zenarmor.com/
    Zenarmor Free Trial:
    dash.zenarmor.com/register/fr...
    Support me on Ko-Fi if you enjoy my content and find it useful:
    ko-fi.com/apalrd
    Feel free to chat about my upcoming projects on Discord!
    / discord
    Timestamps:
    00:00 - Introduction
    00:52 - NGFW
    05:58 - Installation
    09:05 - Devices
    16:48 - Policies
    24:22 - Blocking
    28:34 - Analytics
    32:55 - Rating
  • Science & Technology

Comments • 76

  • @UnderEu (5 months ago, +16)

    Can't wait for the IPv6-mostly OPNsense video - This is my primary goal for my new home network

    • @l0gic23 (5 months ago)

      Why may I ask? Serious question... I don't know what I don't know... I have not run out of IPs on my primary subnet... thx

    • @UnderEu (5 months ago, +2)

      @l0gic23 1. Because I'm an early enthusiast of the current protocol;
      2. I want my network to be simple yet powerful, versatile and in line with what the Internet intended to be (no NATs, no design limitations - other than the project size itself - nor any shenanigans imposed to fix problems that existed on the Jurassic stack); and
      3. To test my gear against the actual Internet standard and improve/fix it by providing feedback to the manufacturers or replacing them altogether with stuff manufacturers ACTUALLY care about.

    • @l0gic23 (5 months ago, +2)

      @UnderEu I'd better rewatch this channel's video on why IPv6 in the home/lab. Thanks!

  • @mithubopensourcelab482 (5 months ago, +14)

    Everyone should hate TLS inspection. No point in breaking sites / application. You were right in identifying this. This applies even in work places as well.

  • @vaughnbay (4 months ago)

    Great Vid! Your graphics (while explaining) are helpful as well. Good job!

  • @Glasairmell (4 months ago)

    Thank you so much. I have a small homelab and will not be using this like you, even though it looks fantastic for larger institutions. Great professional presentation in this video.

  • @fabioh1590 (1 month ago)

    Great video, very detailed and super specific, thanks a lot mister.

  • @mithubopensourcelab482 (5 months ago)

    Excellent video, sir... 10 out of 10

  • @TheUkeloser (5 months ago, +12)

    I work on one particular brand of NGFW in my day job and while the TLS inspection stuff is impressive in what it can do, you're right that it does cause a lot of problems in practice.

    • @apalrdsadventures (5 months ago, +4)

      A lot of modern apps distribute a trust list on their own (especially if they are containerized / some library is trying to be OS-agnostic), and as a developer it makes a ton of sense to pin certs to the CA that issues your certs, but it means it's a nightmare for users behind TLS inspectors.

    • @TheUkeloser (5 months ago, +2)

      Exactly. Admins can install a trusted CA cert on the workstations and re-sign all their inspected traffic with a subordinate CA signed by the same root, so browsers "mostly" work (aside from HSTS sites), but standalone apps that just happen to use TCP 443 and TLS are harder.

    • @apalrdsadventures (5 months ago, +6)

      The authors of TLS and related specs are very concerned with MITM / privacy attacks and don't care to reduce the level of security they provide to make TLS inspection easier.
      Sites *should* be deploying HSTS, apps using TLS *should* be validating their certs, asking them to do less so you can MITM their traffic isn't something they are interested in 'fixing'. The end result is the end users perpetually think IT has 'broken' something because the program tells them they are being attacked.

    • @nezu_cc (5 months ago, +2)

      Nothing against you in particular, but I absolutely hate people who are trying to MITM TLS traffic. Thank god encrypted SNI is already on the horizon so you people can stop trying to filter the last clear text thing you have left.

    • @apalrdsadventures (5 months ago, +1)

      eSNI (and its successor ECH) has some issues with key distribution. It's a great concept, but SNI is unencrypted for a reason.
      Unencrypted SNI (and ALPN) is a thing so the server can identify which certificate it should use (to properly deal with multi-tenant servers / CDNs / virtual hosts / ...). ECH needs to encrypt the ClientHello using the edge server's key, not the origin's key, so the client needs to know which CDN / server it's accessing and get the key for that server. CF's eSNI would publish their key (their one key, for all of CF) via DNS TXT records, which doesn't work if you aren't using a single CDN for all of your traffic, so it was rejected as a standard.
      The current ECH version relies on DNS HTTPS records which are basically similar to an SRV. A single domain can have multiple HTTPS records, each of which points to an edge server, proto (http 1.1/2/3), and the edge server's key. But they still aren't widely deployed and supported.

  • @bbekkaa365 (5 months ago, +5)

    Unfortunately, the free version is very limited in functionality

  • @Wingnut353 (2 months ago, +6)

    Zenarmor is just way too expensive. I mean why would I spend $500+ on subscription services for a $500 Firewall... if this were like a $100 a year subscription we might spring for it.

  • @zyghom (5 months ago, +5)

    I tried it and did not feel any need for it at home, and the pricing is not OK either.

  • @coreyman00 (3 months ago, +3)

    Can you use Devices on the free version? I don't see that tab.

  • @JasonsLabVideos (5 months ago)

    Good video, sir! Keep them coming!!

  • @chrisslaunwhite9097 (5 months ago, +1)

    Okay, fine... I'll subscribe. I like this content.

  • @El_Bartto (4 months ago)

    Thank you very much! Any tips on how to minimize the RAM used by Zenarmor?

  • @davidreddick3016 (5 months ago, +2)

    Has anyone tried blocking DNS over HTTPS with this? This seems to be a big unsolved issue in the industry, with more and more browsers and devices using it to hide from traditional DNS. Unlike DNS over TLS, it also uses the same port 443, so you can't even block it at the port level.

  • @saifemran4528 (3 months ago)

    Great video! What physical host do you use for OPNsense?

  • @daniyalhassan7706 (5 months ago)

    Great

  • @royalcanadianbearforce9841 (5 months ago, +1)

    Is it possible to restrict Zenarmor to a specific VLAN? I ask because while I would be happy to use this for work devices, I can't help but agree that the TLS inspection could cause a lot more work than I'm ultimately willing to put into it if I had to deploy this across my entire home network. Thanks for the great content!

    • @apalrdsadventures (5 months ago, +5)

      Zenarmor doesn't intercept TLS, it only looks at the unencrypted headers.
      But you choose as a global setting which interfaces to operate on, and beyond that you can choose which interfaces apply to a policy.

    • @royalcanadianbearforce9841 (5 months ago, +1)

      Thank you very much for the quick reply! Looking forward to deploying this next week!

  • @FourCorners-im3jg (1 month ago)

    Okay, unrelated question. What browser are you using in the video? It doesn't look familiar and I couldn't find anything like it.

  • @jirayahatake (3 months ago, +2)

    Could you make a video on how to do a basic OPNsense setup with a UDR?
    I basically only want to use the UDR as a Wi-Fi and Protect controller.

    • @bro2917 (3 months ago)

      I would also like to see a video on how to do this most efficiently!

  • @GrishTech (5 months ago)

    What are your thoughts on OPNsense being behind on security updates? I know they have a beta with the new OpenSSL, but still, historically speaking, it's not the best in response.

    • @apalrdsadventures (5 months ago, +4)

      It depends on the context. In general they are pushing security updates regularly, but large changes to the codebase take time, and OpenSSL continued 1.x security updates through the end of 2023 which OPNsense was including in their releases. AFAIK 24.1 will include OpenSSL 3.x.

  • @mithubopensourcelab482 (5 months ago, +3)

    With Zenarmor, OPNsense becomes an NGFW [as per Sunny Valley]. How does it compare with other NGFWs like Sophos / Fortigate?

    • @legendaryz_ch (2 months ago)

      More control, less user-friendly. That's OPNsense. On Sophos you've got your beautiful insights and easy configuration, whereas OPNsense requires more expertise but has similar, if not better, results and is free.

    • @orno6621 (2 months ago)

      The support and hardware, and every vendor has its own Threat Intelligence platform. Plus, enterprises are moving to ZTNA.

  • @thestreamreader (5 months ago, +1)

    Is there a point in running this and CrowdSec at the same time?

    • @apalrdsadventures (5 months ago, +3)

      They are really different things and are used to protect different things. This is primarily focused on the destination of traffic (going out to the internet, from a client); CrowdSec is focused on incoming traffic to a server and sharing blocklists of simple attackers, similar to fail2ban on a larger scale.

  • @BGraves (5 months ago)

    So it relies on TLS headers to categorize encrypted traffic? How else?
    Btw, I think W11 has random MAC addresses as a built-in security feature that you can enable.

    • @apalrdsadventures (5 months ago, +2)

      Apple-everything is both randomizing the MAC per network and also no longer sending the hostname via DHCP, so tracking Apple devices is a challenge. They still respond to mDNS if queried, but don't immediately advertise it. Zenarmor has caused me to raise eyebrows at some traffic and then spend 10+ minutes identifying the unknown client, only for it to be a sus mobile game on a modern iPhone which is doing a good job of hiding its identity.
      But also, some things can be detected by their known protocol headers (i.e. VPNs), TLS has to send at least SNI and ALPN unencrypted (since the server needs to know the SNI to present the right cert), and more traditional IP-based ranges can also be used as well.

    • @l0gic23 (5 months ago)

      @apalrdsadventures Did you take any next steps related to the sus games?
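The reply above, and the earlier ECH/SNI exchange in this thread, rest on the same point: an inspector that does not terminate TLS can only read the fields of the ClientHello that are still plaintext, chiefly the server_name (SNI) and ALPN extensions. The Python below is an added example and is not Zenarmor's code or anything shown in the video. It builds a constructed ClientHello record (zeroed random, one cipher suite), parses it the way a passive classifier would, and applies a hypothetical suffix blocklist; the domain `tracker.example` is a placeholder, not an entry from any real feed.

```python
import struct

# Constructed policy for the example: SNI suffixes to block. Placeholder data, not a real feed.
BLOCKED_SNI_SUFFIXES = ("tracker.example",)


def build_client_hello(sni=None, alpn=()):
    """Construct a minimal TLS record carrying a ClientHello (sample input for the example).

    Wire layout, per RFC 8446 section 4.1.2: record header, handshake header, then
    legacy_version, random, session id, cipher suites, compression methods, extensions.
    """
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
        lst = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        exts += struct.pack("!HH", 0, len(lst)) + lst                # extension type 0
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        lst = struct.pack("!H", len(protos)) + protos                # ProtocolNameList
        exts += struct.pack("!HH", 16, len(lst)) + lst               # extension type 16
    body = (b"\x03\x03" + bytes(32)       # legacy_version TLS 1.2 + 32-byte random (zeros, constructed)
            + b"\x00"                      # empty legacy session id
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")                 # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def parse_client_hello(record):
    """Return (sni, alpn_list) from a raw TLS record; only plaintext fields are read."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods

    sni, alpn = None, []
    if pos + 2 > len(body):
        return sni, alpn                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0:                          # server_name: list_len(2) then name_type(1) len(2) name
            p = 2
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0 and sni is None:
                    sni = data[p:p + nlen].decode("ascii")
                p += nlen
        elif ext_type == 16:                       # ALPN: list_len(2) then len(1) name, repeated
            p = 2
            while p < len(data):
                plen = data[p]
                p += 1
                alpn.append(data[p:p + plen].decode("ascii"))
                p += plen
    return sni, alpn


def inspect_record(record):
    """Classify one ClientHello the way a non-intercepting policy engine could."""
    try:
        sni, alpn = parse_client_hello(record)
    except ValueError:
        return {"sni": None, "alpn": [], "verdict": "not-tls"}
    if sni is None:
        return {"sni": None, "alpn": alpn, "verdict": "unknown"}   # nothing to match on; fall back to IP ranges
    blocked = any(sni == s or sni.endswith("." + s) for s in BLOCKED_SNI_SUFFIXES)
    return {"sni": sni, "alpn": alpn, "verdict": "block" if blocked else "allow"}


if __name__ == "__main__":
    print(inspect_record(build_client_hello("example.com", ["h2", "http/1.1"])))
    print(inspect_record(build_client_hello("ads.tracker.example", ["h2"])))
    print(inspect_record(build_client_hello()))
```

With ECH, the ClientHelloOuter carries only the client-facing server's public name and the real SNI sits in the encrypted inner hello, so this parser would report the public name rather than the origin hostname; that is the limitation the thread is arguing about, and it applies to any inspector that does not terminate TLS.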

  • @nickpetrovsky (5 months ago)

    Your t-shirt has the Cyrillic dog breed name Лайка :), also in Russian slang it can be the feminine of the internet "like". Thank you for the interesting video!

    • @apalrdsadventures (5 months ago, +2)

      Neat! Лайка was the name of the first dog in space, hence the shirt.

  • @irreel1 (28 days ago)

    Thank you for your videos, they are very interesting. However, I am very disappointed in this one because, as others mentioned, the free version is very limited. You suggest you can do almost the same as in your video without a subscription, but that is not the case. I will roll back OPNsense to before Zenarmor. For the rest, keep up the good work!

  • @geobopeter (2 months ago)

    Are you telling me that OPNsense's IDS/IPS is "just" check marks if Zenarmor is not installed? And I will be better off keeping my well-administered VyOS with a Pi-hole running?

    • @apalrdsadventures (2 months ago)

      OPNsense's 'native' IDS/IPS solution uses Suricata.
      Zenarmor gives you curated feeds for a fee vs administering all of the feeds and rulesets manually for Suricata. Both options can be used (potentially at the same time, on different interfaces) in OPNsense.

  • @TheFuzzyAmerican (5 months ago)

    I like the video, but I did not get a tab for Devices; I don't know what I missed here.

    • @Maxio_ (5 months ago)

      Yeah me too

    • @keviin1314 (4 months ago)

      You need the Home version for it (you can use the free 15-day trial).

  • @abdullahX001 (5 months ago, +2)

    Pretty cool... but I don't want to spend $10 on this for home use, haha. Maybe for a small business.

  • @eschofield1 (5 months ago, +1)

    Me again. How about a video / videos on CLAT addresses, 464XLAT & DHCP Option 108?

    • @apalrdsadventures (5 months ago, +3)

      Doing the NAT64 / Option 108 on OPNsense (mostly v6-only + macOS); Linux CLAT comes later.

    • @eschofield1 (5 months ago, +1)

      @apalrdsadventures Looking forward to it. 👍

  • @j_t_eklund (5 months ago)

    I still prefer NetBSD with its npf.
    Way more control for the user/admin.

  • @NetBandit70 (5 months ago, +1)

    Suricata? Seeing as it's sort of built into OPNsense.

    • @apalrdsadventures (5 months ago, +3)

      Suricata is a very manual solution to manage and curate block lists, and is very prone to false positives (and presumably also misses a lot of things, but you'll never know) if you don't put the work in to manage these block lists.
      That's largely what you get with a Zenarmor subscription: better feeds that they have curated and keep up to date.

    • @travisaugustine7264 (2 months ago)

      @apalrdsadventures Not to mention Suricata is VERY CPU intensive, which can result in massive slowdowns.

  • @linearburn8838 (1 month ago)

    @30:35 Who else was expecting pornhub to be a top traffic driver?

  • @NetrunnerAT (7 days ago)

    Too expensive.

  • @nezu_cc (5 months ago, +2)

    All of this is fun, but I just whip out shadowsocks and laugh at your firewall all day long.

    • @DanL57 (2 months ago)

      Don't whip it out in public or you will go to jail.

  • @it-linux-computers-geeky6651

    If you're looking for a free version, don't waste your time with this, as everything is locked behind a premium subscription, so it's practically useless unless you subscribe.