

Hack@UCF (or more formally, the Collegiate Cyber Defense Club at UCF) now has a multi-server environment, but we started out with little to no inventory to speak of. Our club was founded about a year and a half ago, and we’ve slowly acquired more and more hardware for our strapping little environment. Some of our founding members already did IT and DevOps, and we brought our experience to bear in the Collegiate Cyber Defense Competition (CCDC), where we decided to do IT against professionals in the information security industry and get hacked… for fun!

There are a lot of tools that we use at CCDC, and I’ll be covering both Hack@UCF’s use and the CCDC team’s use of the open-source firewall, pfSense. It’s a capable little thing based on FreeBSD that can effectively act as a firewall, router, VPN concentrator, and more. However, pfSense is software, not hardware, and can be deployed on anything that understands x86. pfSense was fantastic news for a small technology club with limited hardware that was actually concerned about security, and even now that we actually have a little more than two old boxes on a rack, we still love it.

We use pfSense for our student club infrastructure and our CCDC practice environment to great effect, because with it we don’t need to buy or lean on any hardware routers or firewalls. Thanks to generous donations by Netgate, we’ve toyed with ideas like load balancing, point-to-point VPNs, wireless AP management, and labs focused on IPv6 magic. But honestly, we haven’t really wanted to put ourselves through those things yet.

Hack@UCF currently co-locates our club hardware with the University of Central Florida. With university networks being a frequent target of attacks and with more than one server under our responsibility, we decided to use pfSense as a solution to problems we both had and didn’t know we had! At Hack@UCF, pfSense currently protects our physical machines, virtual machines, and networked storage as a border gateway, router, and firewall, with only one real way to get internal remote access: a VPN solution baked into pfSense itself.

pfSense has the great feature of being a powerful OpenVPN solution. It can act as both an OpenVPN server and client, and the default deployment settings use UDP to avoid the TCP-over-TCP problem, where the retransmissions of the tunnel and of the TCP connections inside it compound each other. We authenticate our OpenVPN clients over a RADIUS connection to an Active Directory server, which lets us administer and allow access to internal club services like our file store, authentication backend, and application servers.

pfSense RADIUS screenshot

We could keep distributing keyed clients… or we can have keys and user authentication!

When training for competition, we in the UCF Collegiate Cyber Defense Competition Team practice in a (mostly) walled-off network. pfSense is one of the outer layers of containment that makes sure that none of the awful stuff that we do to each other during practice leaks out onto the wider university network. You don’t want to accidentally spray Meterpreter via MS08-067 and get a shell somewhere in the university, or send out port scans from an IP associated with the university’s hacking club and competition team, after all.

Unfortunately, during the actual regional and national competitions, our CCDC team usually has more imminent and horrible problems to worry about than trying to set up pfSense. From the broken *nix boxes to Windows servers sharing the entire C:\ drive on SMB to Solaris boxes… being Solaris, we are hard-pressed to get things going in a secure manner at all!

Hardware solutions still have their merits, especially during competition: knowing Junos/IOS is still a skill you can put on your resume, and configuring hardware like that can be much faster than configuring pfSense, considering that you can sling around configs in a command line rather than a web GUI. But from experience, I can tell you that you’ll be sitting in front of that pfSense box for hours before it isn’t a piece of equipment smashing your uptime score into the ground.

Thanks to Netgate and UCF’s own Office of Undergraduate Studies for donating hardware to Hack@UCF, as well as the HEC IT staff at UCF for hosting our club infrastructure! Without the support of all of these guys, we really could not have created these cool environments. And a big thanks to Netgate for a donation of the pfSense 2.1 book, pfSense Gold, and a bundle of pfSense stickers!

pfSense Optiplex 755

Here’s one of the stickers on my own pfSense box – an old Optiplex 755. Who says pfSense can’t be a SOHO router and firewall solution?