
Manually Configured Private Network with DNS, UFW Rules, and Splunk for Intrusion Detection and Log Analysis

  • Writer: Alek Norris
  • Oct 18, 2024
  • 2 min read

Updated: Oct 25, 2024



In this project, we configured a private network with a focus on both external and internal services, using pfSense for firewall and traffic management, and UFW to secure individual machines in a simulated environment. Here’s a breakdown of how it all fits together:


pfSense Firewall & Traffic Management:

  1. pfSense acts as the primary firewall and handles port forwarding to the appropriate internal services, such as mail, web servers, and Splunk.

  2. Inbound traffic from the WAN is admitted only through explicit port-forward (NAT) rules and their matching firewall rules, so that just the intended services (SSH, HTTP(S), and mail) are reachable from outside and everything else is dropped at the edge.


Mail & Web Servers:

  1. The Mail server handles both internal and external email, serving POP3 and IMAP for mailbox access and SMTP for delivery.

  2. Web servers (WWW and WWW2) serve websites, with external access via HTTP(S) and SSH for administrative purposes.

  3. Some services, like the WWW2 server, are exposed to external users, while others remain for internal use only.


Splunk for Network Monitoring:

  1. Splunk is set up to collect and index logs from every device on the network. In this design it plays the intrusion-detection role, but as a log-based system (closer to a SIEM than to a packet-inspecting NIDS): what it can detect is what the hosts and pfSense actually log, so firewall logging has to be enabled on each machine for blocked connections to show up. It gives us insight into both the security and the performance of the whole infrastructure.

  2. Each device forwards its system and firewall logs to the Splunk server, where searches and alerts run against them for real-time analysis and threat detection.


UFW on Individual Machines:

  1. While pfSense handles the overall network firewall, UFW (Uncomplicated Firewall) is deployed on individual servers and workstations to provide additional security.

  2. Each machine enforces its own ruleset, default-deny for inbound traffic with only the ports that host actually serves opened, so that even if the edge firewall is misconfigured or another host on the LAN is compromised, only the expected services on each machine are reachable.
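
The kind of per-host ruleset described above, written out as an added example (illustrative code, not the project's own configuration). It assumes a web server on a LAN of 192.168.1.0/24 with the Splunk indexer at 192.168.1.50; those addresses, the host role and the port numbers are assumptions. The script only echoes the `ufw` commands unless run with `--apply`, and it adds the management SSH rule before enabling the firewall so an existing session is not cut off:

```shell
#!/bin/sh
# Added example (not the project's own config): a default-deny UFW ruleset for a
# web server, plus the logging needed for blocked probes to reach Splunk.
# Assumed addresses: LAN 192.168.1.0/24, Splunk indexer 192.168.1.50 (9997 is
# Splunk's default forwarder-to-indexer port).
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SPLUNK_INDEXER="${SPLUNK_INDEXER:-192.168.1.50}"
UFW="${UFW:-ufw}"     # set UFW=echo to dry-run

harden_web_server() {
  # Reset gives a known starting point; --force skips the interactive prompt.
  "$UFW" --force reset
  # Default-deny inbound: anything not explicitly allowed below is dropped.
  "$UFW" default deny incoming
  "$UFW" default allow outgoing
  # Admin SSH only from the LAN, and rate-limited (ufw denies a source that
  # opens 6 or more connections in 30 seconds). Added before 'enable'.
  "$UFW" limit from "$LAN_NET" to any port 22 proto tcp
  # The only services this host offers to everyone.
  "$UFW" allow 80/tcp
  "$UFW" allow 443/tcp
  # Outbound to the indexer is already covered by 'allow outgoing'; the explicit
  # rule documents the dependency and survives a later 'default deny outgoing'.
  "$UFW" allow out to "$SPLUNK_INDEXER" port 9997 proto tcp
  # 'low' logs every packet blocked by the default policy (rate-limited), which
  # is what produces the "[UFW BLOCK] ... DPT=22" lines Splunk can alert on.
  "$UFW" logging low
  "$UFW" --force enable
}

case "${1:-}" in
  --apply) harden_web_server ;;
  *)       UFW=echo harden_web_server ;;
esac
```

Run it as root with `--apply` on the host; without the flag it prints the commands so the ruleset can be reviewed first. A mail server or DNS server gets the same skeleton with its own service ports in place of 80/443.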


DNS Services:

  1. We also set up internal and external DNS servers (NS1 and NS2) to handle domain name resolution: hosts on the LAN resolve internal names through them, and the public services are resolvable by name from outside.


Key Highlights:

This setup leverages pfSense for network-wide traffic control and Splunk for comprehensive monitoring, while UFW secures each machine individually. The architecture ensures secure, efficient management of internal and external services, with continuous logging and analysis through Splunk.


Splunk Logging Event

  1. Splunk event: SSH connection attempt:

    (Screenshot: Splunk event showing the blocked SSH attempt)

    Above you can see an attempt on the SSH port, surfaced by Splunk from the forwarded logs. In my case the connection was not allowed, but it serves as a reminder that botnet scans probing for open ports and known vulnerabilities happen constantly, and more frequently than ever, across every industry. A prime example is the 2021 T-Mobile incident, in which an unprotected router exposed to the public internet gave the attacker an initial foothold and led to the theft of sensitive data belonging to millions of customers.


    While I'm sure T-Mobile had some form of NIDS (Network Intrusion Detection System) installed at the time, this incident highlights that, without the proper personnel, monitoring, and services set up, a small oversight can lead to catastrophic consequences. This should act as a reminder of the importance of a well-configured, continuously monitored security infrastructure. A single vulnerability can cost much more than anticipated if left unchecked.
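
What a Splunk search over the forwarded firewall logs is doing when it surfaces an event like the one above, as an added example that is not the project's own search or code. The "[UFW BLOCK]" lines are constructed for this example using RFC 5737 documentation addresses; the host name, thresholds and output format are assumptions. The function reads kernel log lines on stdin and, per source address, counts blocked TCP SYNs, blocked SSH attempts and distinct target ports, then labels repeated SSH hits as a probe and many distinct ports as a port scan:

```shell
#!/bin/sh
# Added example (not the project's own code): detection logic over UFW block
# lines of the kind each host forwards to Splunk. Sample lines are constructed.
set -e

SAMPLE_LOG='Oct 18 02:14:07 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 02:14:09 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=50002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 02:14:12 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=50003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 02:14:15 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1004 DF PROTO=TCP SPT=50004 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 02:20:01 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1101 PROTO=TCP SPT=61001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 02:20:01 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1102 PROTO=TCP SPT=61001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 02:20:01 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1103 PROTO=TCP SPT=61001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 02:20:02 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1104 PROTO=TCP SPT=61001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 02:20:02 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1105 PROTO=TCP SPT=61001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 02:20:02 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1106 PROTO=TCP SPT=61001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 02:31:40 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=192.0.2.9 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1201 DF PROTO=TCP SPT=43210 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 18 02:32:05 www2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:4e:66:a1:52:54:00:12:35:02:08:00 SRC=192.0.2.9 DST=192.168.1.20 LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=1202 DF PROTO=UDP SPT=40000 DPT=53 LEN=48'

# detect_ufw_probes [ssh_threshold] [port_threshold]  (reads log lines on stdin)
# One line per source: blocked SYN count, SSH attempts, distinct ports, verdict.
detect_ufw_probes() {
  ssh_max="${1:-3}"    # this many blocked SYNs to port 22 => ssh-probe
  scan_max="${2:-5}"   # this many distinct blocked ports  => port-scan
  awk -v ssh_max="$ssh_max" -v scan_max="$scan_max" '
    # Only new-connection attempts (TCP SYN) that UFW dropped; UDP and non-SYN
    # packets are ignored so retransmits and replies do not inflate counts.
    /\[UFW BLOCK\]/ && /PROTO=TCP/ && / SYN / {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next
      total[src]++
      if (dpt == "22") ssh[src]++
      key = src SUBSEP dpt
      if (!(key in seen)) { seen[key] = 1; ports[src]++ }
    }
    END {
      for (s in total) {
        verdict = "ok"
        if (ports[s] >= scan_max) verdict = "port-scan"
        else if (ssh[s] + 0 >= ssh_max) verdict = "ssh-probe"
        printf "%s blocked=%d ssh=%d distinct_ports=%d verdict=%s\n",
               s, total[s], ssh[s] + 0, ports[s], verdict
      }
    }'
}

# Demo on the constructed lines; on a real host feed it /var/log/ufw.log.
printf '%s\n' "$SAMPLE_LOG" | detect_ufw_probes
```

The same aggregation in Splunk's search language against the forwarded syslog data is roughly `"[UFW BLOCK]" "PROTO=TCP" SYN | rex "SRC=(?<src>\S+)" | rex "DPT=(?<dpt>\d+)" | stats count AS blocked, count(eval(dpt="22")) AS ssh, dc(dpt) AS ports BY src`; saving that as a scheduled alert is what turns a single noticed event into continuous monitoring. One single-port hit from a source, like the last TCP line in the sample, is left as `ok` on purpose: a threshold rather than a first-sight alert keeps the noise from ordinary internet background scanning manageable.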


My Takeaway

Through this project, I gained practical experience in configuring network security using pfSense for firewall management, UFW for individual machine security, and Splunk for real-time network monitoring. I learned how to manage both internal and external services securely while understanding the importance of continuous monitoring to catch potential threats. This project reinforced the value of multi-layered security and proactive measures to prevent vulnerabilities from being exploited.



Contact Me

If you think I might be a good fit for your team, want to discuss potential business opportunities, or just want to connect, feel free to reach out using the form, or directly via the contact information below. I look forward to hearing from you!

Find me on social media

  • Instagram
  • LinkedIn
