It’s All in the Applications

pfSense Plus is a powerful product with a rich set of add-in packages that allow customers to tailor it to almost any edge or cloud secure networking need. We have conveniently grouped its capability set into the five most commonly needed applications.

What is Attack Prevention?

Simply stated, attack prevention is stopping malicious actors from carrying out exploits and threats against your network infrastructure and proprietary information. Multiple layers of network security are required to do this effectively - at the network edge, within the network, at the device level, in the cloud, etc. 

The types of attack prevention that make sense at the network edge include:

  • Intrusion detection and prevention
  • Network traffic analysis
  • Deep packet inspection
  • Application blocking

pfSense Plus offers a suite of highly regarded add-in packages to address attack prevention.

Attack Prevention Features

IDS/IPS

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) analyze packets as well, but can also stop a packet from being delivered, helping to halt the attack.

More information can be found in our documentation.

Snort-based Packet Analyzer

Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.

More information can be found in our documentation.

Layer 7 Application Detection

Layer 7, the application layer of the OSI (Open Systems Interconnection) model, supports application and end-user processes, such as HTTP and SMTP. Attacks at this layer present a security challenge because malicious code can masquerade as valid client requests and normal application data.

More information can be found in our documentation.

Multiple Rules, Sources, and Categories

Depending on choices around performance, security risk tolerance, and actual business applications in use, there are many ways to configure an IDS/IPS. pfSense Plus software supports the use of multiple sources of rules for both Snort and Suricata. Additionally, each of those packages has multiple categories for rules as well, including floating rules, interface group rules, and interface rules.

More information can be found in our documentation.

Emerging Threats Database

An IDS/IPS solution can be configured to simply log detected network events, or both log and block them. This is performed through the use of detection signatures, called rules. Rules can be custom created by the user, or any of several pre-packaged rule sets can be enabled and downloaded. Pre-packaged rulesets offer added detection / protection against emerging threats in the wild.

More information can be found in our documentation.

IP Blacklist Database

IP blacklisting prevents illegitimate or malicious IP addresses from accessing your networks. pfBlocker is a pfSense Plus software package that allows you to add IP block lists and country block lists.

More information can be found in our documentation.

Pre-Set Rule Profiles

pfSense Plus software is equipped with a number of automatically added firewall rules. Examples include anti-lockout, anti-spoofing, block private networks, block Bogon networks, IPsec protocol use and port access, default deny rule, etc.

Per-Interface Configuration

pfSense Plus software allows each LAN or WAN interface to be independently configured with firewall rules and other per-interface functionality.

False Positive Alert Suppression

Each IDS/IPS security admin must ultimately decide their own alert volume tolerance, as only they know the type of traffic that is normal on their network. pfSense Plus software enables you to select specific rulesets and alerting policies on a per-interface basis, and offers detailed guidance on how to eliminate noisy false positives.

Deep Packet Inspection (DPI)

Deep Packet Inspection (DPI) enables security analysts to capture and evaluate full packet header and payload information to identify protocol compliance, spam, virus, intrusion, and other anomalous or malicious traffic. Snort, Suricata, and NTOPNG packages each support DPI capabilities.

More information can be found in our documentation for NTOPNG, Snort and Suricata.

Application Blocking

pfSense Plus software leverages Snort and OpenAppID to detect, monitor and manage application usage on your network.

Who Needs Attack Prevention?

Home Users

If your home network has externally facing servers (e.g., a hosted website, or if you need to access your home network when you are not at home), an IDS/IPS is probably unnecessary.

The stateful firewall functionality core to pfSense Plus is probably sufficient, i.e., inbound traffic will not be allowed in unless explicitly permitted, but replies to outbound traffic will be allowed to return, even without an explicit rule.

Where Should Attack Prevention Be Deployed?

Attack prevention solutions are commonly placed at the network edge, or in the case of cloud-based applications, at the Virtual Private Instance (VPI) edge. Consideration should always be given to the depth and breadth of rule sets in order to keep traffic performance to acceptable levels.

What Makes pfSense Plus a Great Attack Prevention Solution?

Easy to use

  • User-friendly web interface makes configuration and administration easy - even for users with limited networking knowledge
  • Observe key operating metrics like network utilization, CPU load and disk space usage with built-in Zabbix monitoring
  • Comprehensive documentation and a wealth of YouTube videos for specific assistance

All the features you need

  • Snort and Suricata IDS/IPS package options
  • Packet analysis, Layer 7 application detection, emerging threat management, alert suppression, deep packet inspection, application blocking and more
  • Not just an attack prevention solution, but also a full firewall, VPN and router solution

Proven reliability and resilience

  • Deployed on hundreds of thousands of Netgate appliances, 3rd party appliances, virtual machines, and cloud instances in every vertical on every continent
  • Highly lauded by customers for reliability and stability
  • Configurable as a High Availability (HA) cluster for business assurance

Excellent overall solution value

  • Unbeatable combination of feature set (attack prevention, firewall, router, and VPN), price-performance and ease of use
  • Proven dependability for consumers, businesses and service providers 
  • World-class, highly-rated support options for business assurance