Automatically update the firewall from the monitor server
Instructions on updating the pfSense firewall are presented in our docs:
Periodically, the pfSense project maintainers release an update to the pfSense software running on your firewall. You will be notified by the appearance of bold red text saying “Update available” in the Version section of the “Status: Dashboard” page (the home page of the WebGUI).
If you see that an update is available, we recommend installing it. Most of these updates are for minor bugfixes, but occasionally they can contain important security fixes. If you are receiving support from Freedom of the Press Foundation, we will inform you when an important security update is available for your pfSense firewall. Alternatively, you can keep apprised of updates yourself by checking the pfSense Blog posts with the “releases” tag.
I think it's a fair estimation that a not insignificant proportion of organizations are not regularly updating their firewall--it's easy to forget when the rest of the system auto-updates, and as a news org tech admin you likely have dozens of other machines to worry about.
Not having extensively thought about this yet, it seems that a process on the monitor firewall could update it periodically (perhaps ideally when the monitor server is also going to be updated/restarted). The program could be shipped via a .deb package, that existing system administrators would just have to install once, and that we could automatically install on the monitor server for future installs.
This process cannot run on the application server: if the application server were compromised, the secrets the process requires could be used to change the firewall rules to block outgoing OSSEC alerts (temporarily or permanently). If the adversary also somehow discovered the admin's email address for OSSEC alerts, the fact that the OSSEC alerts are unsigned (#966) may allow the adversary to spoof them.
It could run on the pfSense, but the deployment story doesn't sound fun.
Ongoing work to improve the firewall config/management story is happening in #6384