The Sensei plugin broke the commercial-only next-generation firewall barrier and introduced the open source world to Zenarmor’s outstanding features. In this chapter, we will explore the Sensei plugin’s features and how to install it and apply layer 7 control to the network. Finally, you will deploy OPNsense as a next-generation firewall solution, extending OPNsense’s capabilities to the same level as the premium commercial solutions, which filter packets from layer 4 to layer 7, in just a few steps.
In this chapter, we will cover the following topics:
To complete this chapter, you will need to install plugins in OPNsense. Having OPNsense running with a host connected to its LAN interface will help with the steps we’ll cover.
As we have explored so far, OPNsense is a stateful firewall with some extra features, such as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), that extend its filtering capabilities. But to compete head-to-head with the well-known commercial firewall solutions from giant cybersecurity tech firms, an open source firewall must offer all the capabilities those solutions have. There was a chasm between commercial and open source network firewalls because layer 7 filtering was present only in the commercial ones. The ability to identify traffic regardless of the TCP/IP port number is a must-have feature these days, especially when malware tries to bypass stateful inspection by mimicking legitimate traffic.
The OPNsense project implemented some application control features by creating custom IPS signatures, which we tested in the previous chapter. Still, its application control wasn’t at the same level as that of the commercial firewall solutions. The game changed in 2018 when Sunny Valley launched the Sensei plugin for OPNsense, a next-generation firewall plugin that enabled OPNsense to reach the next level of network security. Later, in 2021, Sensei was rebranded as Zenarmor for copyright reasons.
The Zenarmor plugin helped OPNsense become a leading open source next-generation firewall project, enabling Transport Layer Security (TLS) inspection and application control that left some commercial vendors behind, eating dust. The plugin’s frontend is open source, but its traffic inspection engine is proprietary, closed source code.
If you are a Linux user, you might be yelling: iptables has been doing layer 7 filtering for years! OK! Calm down! I know it, but you must admit that iptables does not do it the same way as commercial firewalls and Zenarmor do. You would probably need to become a Linux guru to keep a layer 7 firewall based on it working, whereas a commercial solution does the same with tons of built-in knowledge and lines of code. The commercial solutions ease this process, which means that a Linux-based firewall can also provide a decent firewall solution. Moreover, some of the most famous commercial firewall solutions run a Linux kernel. The big difference between OPNsense with Zenarmor and a Linux kernel with layer 7 filtering enabled in iptables is the way each is configured and maintained. Sunny Valley has made a significant effort to keep the layer 7 filtering updated and working with newer applications. Besides that, they offer cloud-enabled filtering based on DNS, an artificial intelligence (AI)-enabled solution, and they are a company that makes money on it! Sometimes, it is better to count on a company that’s dedicated to supporting and improving an affordable product rather than trying to build it by yourself.
The following features are listed in Sunny Valley’s official documentation:
They also support other platforms such as FreeBSD, pfSense, and some Linux distribution flavors, but we will focus on OPNsense in this book.
The plugin has a free edition that is pretty functional and works great in most small network environments. Compared to the paid versions, it has some limitations, but most are features that are only required by complex networks that deserve a paid version subscription.
Before comparing the different available versions, let’s check the hardware requirements.
Like IPS, Zenarmor uses the Netmap framework to inspect and filter network packets, so don’t enable it on network interfaces that are already configured for IPS mode under Services | Intrusion Detection | Administration – Interfaces.
Reporting is another Zenarmor feature that demands more memory and CPU than a stock OPNsense installation. It is based on Elasticsearch, which requires significant memory and CPU power to process data and transform it into meaningful graphs. The plugin installation runs a hardware requirements test to indicate how many devices the installation will support. To have a good user experience with this plugin, consider having at least 4 GB of RAM and a modern two-core CPU.
Now, let’s explore each subscription type. This will help you find out which suits your needs the most.
There are different paid subscriptions. Each one was designed with the size and complexity of the network environment it will protect in mind. The available plans are Home, SoHo, and Business. These names make it easy to tell which type of network each is suitable for, as described here:
The main differences between these versions are the number of policies you can create, resource reporting, authentication integration (for example, Active Directory), malware protection, and so on. The product is evolving quickly, so new features have probably been added since the time of writing. Look at the plans page and pick the best option for you!
Important Note
To check the available plans, from free to business, go to https://www.sunnyvalley.io/plans.
Now, let’s learn how to install and configure the Zenarmor plugin.
To install the Zenarmor plugin, we will follow the same steps we used for OPNsense’s other plugins:
Important Note
Remember that the plugin was called Sensei before it was rebranded as Zenarmor, so the package names remain *-sensei* for compatibility. The maintainers may rename the packages to *-zenarmor* in the future.
After the hardware tests, you should see something similar to the following screen:
Important Note
If the interface you’ve chosen is being used by IDS, the configuration process will not move on. As a simple rule of thumb, while using IDS and Zenarmor together, only keep IDS watching for traffic on WAN interfaces and Zenarmor on the LAN interfaces.
On the Cloud Reputation & Web Categorization page, the wizard will pick the best location based on network latency. If you have an internal domain, you can set it in the Local Domains Name To Exclude From Cloud Queries box to prevent local domain requests from being forwarded to Sunny Valley’s servers. The Cloud Reputation & Web Categorization features will filter DNS queries based on the locally configured policies:
Important Note
If you need to revise the configurations you have set in the configuration wizard, you can go to Zenarmor | Configuration | General and set the configurations that your network needs.
To start using the Zenarmor plugin, go to the Zenarmor | Dashboard menu and check out the graphs for app categories, top local hosts, top remote hosts, and so on. It may take a while for helpful information to appear. Now, it’s time to go to OPNsense’s LAN-connected host and do some web browsing to generate traffic:
On the Zenarmor | Status page, we can check the engine and rules versions, the cloud node status, the protected interfaces, and the services’ statuses. It is also possible to set the services to start on boot, stop, restart, and so on. Something that might be helpful while you’re troubleshooting outgoing traffic blocks is setting the Zenarmor packet engine to bypass mode, which passes all traffic through without blocking or reporting it. You can enter bypass mode by clicking the Enter Bypass Mode button. Warning: this mode will not survive a reboot:
Another thing that’s great about Zenarmor is its reporting feature. You can check the available reports by going to Zenarmor | Reports. I recommend that you invest some time exploring the available reports and options – it’s worth it!
In the Zenarmor | Policies menu, it is possible to set up protected network policies. Note that in the free version, only one policy is available, so if you select two different networks to protect with Zenarmor, they will both use the rules defined in this single policy. If you need different policies for different users or networks, I recommend checking out one of the paid subscription options.
Next, we will edit the default policy:
Here, you can select which malware categories will be blocked on the protected networks.
Important Note
Some options are paid exclusives.
Application control can be configured under the App Controls tab. By clicking on it, you can check out all the available applications and select the ones you want to block. By default, all are allowed:
You can also block specific web categories by clicking the Web Controls tab. The preset profiles that are available in the free version are Permissive, Moderate Control, and High Control. To customize these web categories, you will need a paid subscription.
To allow or block specific domains in web filtering, go to the Exclusions tab and set your own whitelists or blacklists.
Important Note
The Policy Configuration tab is only customizable if you have a paid subscription version.
As we’ve seen, the Sunny Valley team did an outstanding job integrating Zenarmor with the OPNsense web GUI. They created a game-changing product that has enabled open source firewall projects such as OPNsense to compete with commercial firewall solutions on the same feature level.
In this chapter, you learned how to install the Zenarmor plugin and enable next-generation firewall capabilities on OPNsense. Now, you can deploy OPNsense as a firewall, just like any other commercial solution, with application inspection and control, DNS and web filtering, excellent reports, and the outstanding cloud-enabled threat detection provided by Sunny Valley. In the next chapter, we will discuss the high availability of firewalls.