OPNsense Open Source Security Appliance for Cloud VPCs & On-Prem

Whether you are protecting a traditional corporate network, cloud resources, or, as is increasingly common, both in a hybrid setting, implementing a security appliance at each perimeter is essential to safeguarding your internal and external services and endpoint devices. A network security appliance, which may be either a virtual machine or a physical device, provides at a minimum functionality such as a stateful firewall, NAT, intrusion detection, remote access, and site-to-site VPN. With the help of a vast plugin library, modern firewall appliances like OPNsense can also do much more. OPNsense can be configured with the HAProxy or NGINX reverse proxies and ModSecurity web application firewall (WAF) rules as a secure gateway to your Internet-facing applications. To counter advanced persistent threats inside your network, a next generation firewall (NGFW) called Zenarmor can also extend an OPNsense appliance with capabilities such as TLS decryption and deep packet inspection (DPI).

Advantages of an Open Source Network Firewall Appliance

If you are still relying on an ISP-provided router or cloud provider security groups alone to protect your on-prem or virtual private cloud network, that alone may not be adequate in today’s evolving threat landscape. A proper network security appliance like OPNsense goes far beyond simple “allow” or “deny” firewall rules that provide port forwarding to internal services. OPNsense is a fork of pfSense, a router OS which is popular in many home labs, but which has increasingly limited the feature set of its community edition for business reasons. Like pfSense, OPNsense is based on the FreeBSD operating system; BSD operating systems are renowned for their stability, security, and ability to maintain a long uptime.

OPNsense Firewall Web GUI Screenshot

Prevent Ransomware Attacks & Avoid Becoming Part of a Botnet

It is possible to download or create custom blocklists based on up-to-date threat intelligence to drastically reduce the attack surface by filtering traffic by country, ASN, or URL pattern. More importantly, security patches are regularly published for OPNsense, preventing the exploitation of newly discovered vulnerabilities. This is unlike consumer or SOHO routers that frequently go unmaintained by their manufacturers during their service life. An insecure network gateway can be an enormous liability for an organization, leaving it exposed to business-crippling ransomware attacks, or discovering that its network has been surreptitiously commandeered by a botnet to perpetrate malicious and illegal activities against others.

There have been situations in the past where “white hat” hackers at law enforcement agencies such as the FBI, or the US Computer Emergency Response Team (CERT) of the Department of Homeland Security, had to hack into vulnerable routers themselves to patch them in order to stop an ongoing attack from spreading. Other times, the only way to disrupt an attack is for law enforcement to seize control of the command-and-control (C2) servers which a strain of malware is “phoning home” to. The CERTs of other jurisdictions outside the US typically act in more of an advisory role, disseminating information by numbering CVEs and publishing advisories to assist system administrators in mitigating threats. You can help prevent your company from becoming affected by running a properly configured firewall appliance across all your networks and keeping it regularly updated.

For cloud deployments, a virtual network security appliance is ideal as it can simply be deployed on a supported VM, typically with two or more vNICs representing the WAN and LAN interfaces. At some major cloud providers, there is the option to subscribe to a pre-built image of OPNsense in their respective Marketplace at an additional hourly cost on top of the machine itself. We typically recommend uploading a custom image instead, giving you the flexibility to customize your install to a greater extent and avoiding the licensing cost for the AMI over the lifetime of the machine. After all, OPNsense is free, open source software and all the bits are available on the official project website, https://opnsense.org/. If you wish to support Deciso, the lead maintainer of the project, you can purchase a license from their webshop for the Business Edition (BE) and upgrade at any time. Each version of the BE has a longer support lifespan, providing enterprises with more time to plan and roll out upgrades.

OPNsense Consulting and Professional Services

As an independent firm providing consulting and professional services relating to OPNsense, Autoize Data Protection & Cybersecurity can architect a secure VPC design incorporating OPNsense at the edge, with any cloud provider that meets the technical requirements. Since 2016, Autoize has been in operation as a trusted extension of our clients’ internal IT departments. We are not officially affiliated with Deciso Sales B.V., the OPNsense project, or Zenarmor, so we can provide you with impartial advice without the pressure of tiers and quotas that a traditional channel partner would have to meet. Whether you already have services deployed in the cloud (brownfield) and need a smooth transition to protecting them with OPNsense and its features, or are considering an entirely new cloud deployment (greenfield), our cloud architects are ready to assist you with planning and implementation.

Choosing a Virtual vs. Hardware OPNsense Appliance

Most of our work pertains to cloud deployments of OPNsense as a virtual appliance, but we can also assist your team with speccing out appropriate hardware in conjunction with an integrator in your country to protect your traditional, on-prem networks. For this option, you may require an on-site point of contact with sufficient expertise to boot the OPNsense ISO and install the operating system on the machine (some integrators will handle this for a fee prior to hardware shipment) and make it available on the network for us to configure over the SSH console and the WebGUI.

OPNsense is a sophisticated security platform with advanced features that can protect access to virtually any application or service on your on-prem or cloud-based network. At the same time, incorrect or incomplete configuration of the firewall, proxy, or IDS/IPS features can leave gaping holes exposed to the outside world, or result in unexpected downtime – putting your organization at risk.

It can be worthwhile to hire an OPNsense consultant to recommend (or review) your OPNsense configuration for accessing applications from within or outside of the corporate network. We can recommend the most secure and convenient way to accomplish your objective, by leveraging the core features of OPNsense or by using additional plugins. Out of the box, OPNsense supports IPsec tunnels for site-to-site VPNs, in addition to remote access over the OpenVPN and WireGuard protocols. An organization with a “hybrid cloud” environment might, for instance, deploy an OPNsense virtual appliance at the edge of their AWS VPC or Azure VNet, peered through an IPsec VPN with an OPNsense hardware appliance residing on their on-prem network.

High Availability OPNsense in AWS and Other Clouds

To maintain optimum uptime in production, it is often advisable to deploy a pair of highly available master and backup OPNsense firewalls in your environment, keeping configuration synced between the two instances and using a floating IP (known as an Elastic IP in AWS) to reroute traffic in case of a failover. This requires OPNsense to make a call to the AWS REST API to reallocate the Elastic IP to the functioning instance, as the multicast traffic that CARP relies on is not supported by cloud providers. One of the significant benefits of this setup is that it allows you to accomplish zero-downtime, rolling upgrades of OPNsense.
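The failover step described above, as an added example that is not Autoize's or the OPNsense project's own code: a CARP state-change hook that moves the Elastic IP to the node that just became MASTER through the AWS CLI, and verifies the move before reporting success. It assumes the AWS CLI is installed on the firewall with an instance role allowed to call ec2:AssociateAddress and ec2:DescribeAddresses, that the hook receives the new CARP state (MASTER/BACKUP/INIT) as its first argument, and that the placeholder allocation ID is replaced with your own.

```shell
#!/bin/sh
# Added example, not code from Autoize or the OPNsense project: a CARP
# state-change hook that moves the floating Elastic IP to whichever OPNsense
# node just became MASTER. Assumes the AWS CLI is installed, the instance
# role permits ec2:AssociateAddress and ec2:DescribeAddresses, and the hook
# is called with the new CARP state as its first argument.
set -u
AWS_BIN="${AWS_BIN:-aws}"                              # overridable for offline testing
ALLOCATION_ID="${ALLOCATION_ID:-eipalloc-PLACEHOLDER}" # the Elastic IP to fail over
METADATA_URL="http://169.254.169.254/latest/meta-data/instance-id"

# Instance ID of the node running this hook, from the EC2 metadata service.
local_instance_id() {
  fetch -qo - "$METADATA_URL" 2>/dev/null || curl -s "$METADATA_URL"
}

# Which instance the EC2 API says currently holds the Elastic IP.
current_holder() {
  "$AWS_BIN" ec2 describe-addresses --allocation-ids "$1" \
    --query 'Addresses[0].InstanceId' --output text
}

# Only the new MASTER may move the address; a node going BACKUP must never
# touch it, otherwise both nodes fight over the EIP during a CARP flap.
action_for_state() {
  case "$1" in
    MASTER)      echo reassociate ;;
    BACKUP|INIT) echo noop ;;
    *)           echo invalid ;;
  esac
}

# Move the EIP to this instance (skipped if already held) and verify the move,
# because a silently failed reassociation leaves traffic on the dead node.
failover_eip() { # args: carp_state instance_id allocation_id
  state="$1"; me="$2"; alloc="$3"
  case "$(action_for_state "$state")" in
    noop)    return 0 ;;
    invalid) echo "unknown CARP state: $state" >&2; return 2 ;;
  esac
  [ "$(current_holder "$alloc")" = "$me" ] && return 0
  "$AWS_BIN" ec2 associate-address --allocation-id "$alloc" \
    --instance-id "$me" --allow-reassociation >/dev/null || return 1
  [ "$(current_holder "$alloc")" = "$me" ]
}

# Run only when invoked with a CARP state argument (i.e. as the hook itself).
if [ $# -gt 0 ]; then
  failover_eip "$1" "$(local_instance_id)" "$ALLOCATION_ID"
fi
```

Log the exit status of the hook on both nodes; a non-zero result on the MASTER is the signal that traffic is still pointed at the failed instance.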

We offer a flexible scope of work tailored to your needs, from a one-time install of OPNsense, architecting a secure (virtual) network, to support hours, and ongoing maintenance. Ask us for details about our OPNsense consulting and professional services.

AWS, BSD, Cloud Firewalls, Cybersecurity, HAProxy, High Availability, ModSecurity, NAXSI, OPNsense, pfSense Alternative, SecOps, Suricata, VPN, Web Application Firewall, WireGuard