I'm running a PFSense firewall that is doing load balancing to a number of IIS servers. I'd like to host the SSL certificate on the pfSense firewall instead of the individual IIS servers. I'd also like to be able to restrict clients that can connect to the HTTPS server on a certain public IP address to a list of client certificates (managed by pfSense). Looking at the web GUI, it appears to only allow certificate rules if the client is connected to the VPN.
Is this possible? Thanks in advance.
Best Answer
PFSense is a modular firewall distribution based on FreeBSD. It can be extended via either Apache, mod_security, Squid, or OpenVPN (and others).
I'd use:
As you can access the x509 certificate functionality in the above products, yes, it is possible. You can read over some of the x509 client TLS VPN information at
http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
There is also a way to use Squid to do traffic interception, called SslBump:
http://wiki.squid-cache.org/Features/SslBump
I'd recommend using an offline CA for some of the PKI-specific ideas, and evaluating the pfSense compatibility list for crypto offload devices (HSMs).
There are ethical considerations in traffic interception that are greater for external clients than for internal employees. Employees can easily be addressed via a standard "we can read everything, intercept everything, etc." type of EULA click-through, such as the one that DoD uses, e.g. https://dod411.gds.disa.mil/
Because I am lazy and security paranoid, I'd prefer to do something a little different than what you mentioned: multiple tunnels and out-of-band management.
Multiple tunnels
client ---- Network device <<<<<< Tunnel 1, IPSEC >>>>>>> PFSense ---- IIS
client -------- Tunnel 2, IPSEC -------- IIS
Keep in mind that IPSEC is more complex than TLS, with better security, at a cost in usability. You can also use TLS and IPSEC VPN types together.
Out-of-band management
Create another network specific to management, and isolate it from production (data) traffic. Enable incoming management only via the management interface. Disable all but production traffic on the production side. Make your rules rigid, via a gradual tightening process. Enforce least privilege on your IIS servers with the bare minimum (HTTP or HTTPS) talking on the production network side.
While this is more work than what you asked in the question
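As an added worked example (not part of the original answer, and not pfSense's own tooling): a POSIX shell script that builds the offline CA the answer recommends with openssl, issues a client certificate, checks that only certificates chaining to that CA verify (which is exactly the test the front end applies), and renders an Apache mod_ssl virtual host that terminates TLS on the public address, requires a client certificate from that CA and balances across the IIS servers. Apache is one of the products the answer lists; the hostname, addresses, file paths and CA names are constructed placeholders, and only ca.crt, never ca.key, is meant to be copied to the firewall.

```shell
#!/bin/sh
# Added example, not from the original answer: offline client CA with openssl,
# a client-certificate check, and an Apache mod_ssl front-end fragment.
# All names, addresses and paths below are constructed for illustration.

set -eu

# Create the offline CA (private key + self-signed certificate) in directory $1.
make_offline_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
        -subj "/CN=Example Offline Client CA" -out "$dir/ca.crt"
    chmod 600 "$dir/ca.key"   # the CA key never leaves the offline box
}

# Issue a client certificate named $2, signed by the CA in directory $1.
issue_client_cert() {
    dir="$1"; name="$2"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/$name.crt"
}

# Exit 0 only if certificate $2 chains to the CA in directory $1; this is the
# same decision the front end makes with SSLVerifyClient require.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Print an Apache mod_ssl vhost that terminates TLS on public address $1,
# admits only certificates from the offline CA and balances across IIS.
render_apache_vhost() {
    cat <<EOF
Listen $1:443
<VirtualHost $1:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Admit only clients whose certificate was issued by the offline CA;
    # client-ca.crt is a copy of ca.crt, the CA key stays offline.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/ssl/certs/client-ca.crt
    # Hand the verified subject to IIS; "set" overwrites any client-supplied header.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"
    <Proxy "balancer://iis">
        BalancerMember "http://10.0.0.21:80"
        BalancerMember "http://10.0.0.22:80"
    </Proxy>
    ProxyPass "/" "balancer://iis/"
    ProxyPassReverse "/" "balancer://iis/"
</VirtualHost>
EOF
}

# Stand-alone demo: ./clientca.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_offline_ca "$work/ca"
    issue_client_cert "$work/ca" client1
    verify_client_cert "$work/ca" "$work/ca/client1.crt" && echo "client1 accepted"
    render_apache_vhost 203.0.113.10
fi
```

The script keeps the CA material in one directory so it can live on an offline machine; the firewall only needs the CA certificate for SSLCACertificateFile, plus each client's .crt and .key handed out to that client. The negative case matters as much as the positive one: a certificate signed by some other CA, even with the same subject name, must fail verification, and that is what the client-certificate restriction on the public IP relies on.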