
If you work professionally in information security or in networking, you more than likely know what a Next-Generation Firewall (NGFW) is. NGFWs are mainly used in the enterprise world. The problem is that the costs of these NGFWs are also enterprise level. Hardware and license costs of these enterprise firewalls make them unfeasible for small/medium businesses and home network enthusiasts. This all changes thanks to OPNsense and Sunny Valley’s Sensei.

This blog post won't be extremely technical. I just feel that OPNsense and Sensei are not getting the attention they deserve, and I wanted to make people aware of this amazing partnership that brings NGFW capabilities to small/medium businesses and the home.

What the Heck is a NGFW anyway?

The short and sweet: Next-Generation Firewalls are relatively new compared to “traditional” network firewalls, which are usually stateful firewalls. NGFWs bring a plethora of advanced security features, which usually include web filtering, app control, intrusion detection and intrusion prevention (IDS/IPS), and TLS/SSL inspection, and they also provide more visibility into your network. This is not at all a definitive list of capabilities; some NGFW vendors offer more or fewer features.

OPNsense

Now we get into the meat of it. OPNsense has been around for a while; it is a fork of the popular pfSense firewall software. OPNsense has a great doc listing the reasons for the fork, and I can personally say I agree with every point listed in that doc.

I have been using OPNsense for about 3 months and have been loving it. OPNsense, in my opinion, has a stronger focus on making this firewall software more secure, capable and modern. I used pfSense for a while before I switched to OPNsense; for some reason I never fully enjoyed it, to be honest. OPNsense also supports a fantastic ecosystem of plugins; this is how Sensei is installed, which greatly enhances the core functionality of OPNsense. I will get into these features shortly.

My personal favorite benefits of using OPNsense.

Reasons I <3 OPNsense

  • Open Source
  • Installed on HardenedBSD
  • Supports WireGuard
  • Modern firewall capabilities
  • NGFW Capabilities with Sensei
  • Can be installed on almost any type of hardware
    • I have mine installed on an old Dell Optiplex

Sensei

Sensei is developed by Sunny Valley Networks and is installed on your OPNsense firewall via a plugin, which then enables NGFW features. I believe they are planning on releasing on more platforms, but as of right now it is only on OPNsense.

Sensei does offer different subscription tiers, each with its own additional features, but they do have a free community edition; this is what I am currently using. To be honest, the licenses for the additional tiers are priced pretty well for the features you get, though.

Sensei Features

With Sensei installed you can now:

  • Block/Monitor, even at granular levels

    • Apps and app categories
    • Websites and website categories
  • View and receive great reports on network activity

    • Schedule reports to be emailed to you
    • See users/IPs
    • See top categories
    • Get detailed session reports/logs
  • Sensei’s database of threats is periodically updated, always giving you protection against newly observed threats.

Caveat

There is one caveat that I do want you to be aware of; I can be sure I will receive hate mail for not mentioning it. OPNsense is 100% open source. Sensei is not 100% open source, per their FAQ:

"

Is Sensei open source?

Sensei consists of two modules:

  • PHP Code & Python Scripts which provide the Web User Interface Functionality. This part is open source.
  • The Packet Engine coded in C++. This part is closed source.

"

With that being said, please don’t let this be the reason you will not use it. Sensei is a powerful feature set that is available for free on a security-focused, open source firewall.

Please feel free to email me or DM me on Twitter if you would like to contact me.