GDPR and pfSense / OPNsense. How to operate in order to be comply.


The Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, in force since 25 May 2018, also known by the acronym G.D.P.R. that is “General Regulation on Data Protection”, was issued to adapt the previous regulations on the protection of individuals within the European Union, with regard to the processing of personal data, regardless of the place where they are processed , as well as the free circulation of such data, without distinction of the tools used to collect the aforementioned information.

The new regulation repeals Directive 95/46 / EC “General Regulation on Data Protection” and supports Legislative Decree no. 196/2003 Privacy Code which collects most of the provisions concerning privacy and data processing personal.

In cases of incompatibility between national and European legislation, it will be necessary to make the adjustments envisaged by the Ministerial Decree; where it is possible the coexistence between the aforementioned rules the Privacy Code will continue to be applicable going to define measures not bound by the “General Regulation on Data Protection” even if more stringent and limiting

2.Who is concerned and what does it involve?

The “General Regulation on Data Protection” obliges companies of any size to adopt a new set of processes, methodologies and policies, with specific derogation regarding the conservation of records for companies under 250, aimed at providing natural persons guarantees regarding the protection of personal data together with more protections and controls on how these data are processed, stored and protected.

The above will entail consequences, improchintable adjustments of the systems involved and used both for the management and protection of personal data, such as pfSense/OPNsense, so as to prove the strict compliance with the latest regulatory requirements, thus protecting the company and consequently the figures involved, from the employer to the top of the specific reality, up to the direct responsible for the processing of personal data, this latter figure is of fundamental importance in light of the effects produced by Regulation (EU) 2016/679.

3.Objective of this guide

This guide, to be intended as an example and not exhaustive, for obvious reasons can not treat the specificity of the individual company, which naturally requires a second level analysis personalized and in-depth, is intended to guide the reader by introducing the cardinal aspects of the new “General Regulation on Data Protection”, in light of the implementable implementations for the pfSense / OPNsense systems which, to date, have been developed to provide tools of primary importance, in order to allow the organization that adopts them to respect the obligations imposed by the legislator and operate fully, according to the new provisions envisaged.

As explained below in greater detail, Regulation (EU) 2016/679 will require specific configurations defined by the legislative provisions and of necessary implementation following careful evaluation.

It is not significant to ask whether products such as pfSense, OPNSense or similar are compatible with the “General Regulation on Data Protection”, given that, in reality, the main discriminant is the type of installation carried out, or to be carried out, to verify that it is more suitable and indicated for the organization’s activity.

The Regulation (EU) 2016/679 does not specify the specific measures to be taken to ensure the protection of personal data but provides general indications that, once implemented, will compete for the purpose promoted by the regulator. It is therefore necessary to assess, for the individual case, the minimum requirements to ensure the level of protection that can be pursued on the basis of the applicable technology and of the implementation costs proportionate to this purpose.

In the remainder of this article references will be made to specific hardware and functionality features of the pfSense/OPNsense systems. To facilitate reading, understanding and bring tangible benefits to the reader, it is advisable to study the following topics in greater detail, thanks to the following links:

4.Main innovations introduced by the “General Regulation on Data Protection”

Before analyzing in detail how to configure the pfSense / OPNsense systems with the related parameters, it is necessary to define what are the requirements / requirements introduced by the individual articles contained in Regulation (EU) 2016/679.
The main ones for the purpose of this guide, which mainly concern the configurations of pfSense / OPNsense are:

4.1 Article 4
The “violation of personal data” is defined as “security breach that involves unintentionally or unlawfully the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.”

4.2 Article 32: Security of processing
This article of Regulation (EU) 2016/679 is one of the most significant for the installation and management of a system based on pfSense and OPNsense as it reports concepts such as designing and / or choosing the most appropriate device for the purpose.

“1. Taking into account the state of the art and implementation costs, as well as the nature, object, context and purpose of the processing, as well as the risk of varying probability and seriousness for the rights and freedoms of individuals, the holder treatment and the controller shall put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which include, inter alia, where appropriate:

a) pseudonymisation and encryption of personal data; 4.5.2016 L 119/51 Official Journal of the European Union EN

b) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of the processing systems and services;

c) the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident;

d) a procedure for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to ensure the safety of the treatment.”

4.3 Article 33: Notification of a violation of personal data to the supervisory authority.
“In the event of a breach of personal data, the controller shall notify the competent supervisory authority in accordance with Article 55 without undue delay and, where possible, within 72 hours from the time he became aware of it, unless it is unlikely that the violation of personal data presents a risk to the rights and freedoms of natural persons”.

The organizations will therefore have to provide specific procedures for constant monitoring and subsequent reporting to the national supervisory authorities in case of violations of personal data such as unauthorized access.

4.4 Article 34: Communication of a violation of personal data to the interested party.
“In the event that the violation of personal data may entail a high risk for the rights and freedoms of individuals, the controller must communicate this violation to the owner of the data without undue delay”

Continuing the reading shows that the communication must be done only in some cases:

Communication to the owner of the data, as indicated in paragraph 1, is not binding if at least one of the following conditions is met:

a) the data controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data object of the violation. Particular reference is made to those technologies that make personal data illegible for any person not authorized to access it, such as cryptography;

b) the controller has taken subsequent measures to ensure that the high risk for the rights and freedoms of persons, as indicated in paragraph 1, can not be realized;

c) involves a disproportionate effort. In this case there will be public or similar communication able to inform interested people in an equally effective manner.

4.5 Implementation of a system of
In some cases, even if not expressly indicated on the legislation, we will have to allow the traceability of the operations carried out on personal data, that is accesses to the insertion, consultation, correction or cancellation of the aforementioned data.
The audit is not requested directly, but it is necessary to ascertain the title and for what purpose access to personal data is made.

Obviously, the auditing system on a pfSense / OPNsense router / firewall is strictly necessary only if, in some way, it represents a point of access to personal data as for connections in VPN to the company computer system or in case the firewall is placed to protect a cloud application that hosts personal data.

Should the notification procedure apply as per Article 33 or Article 34, the logs could be useful documentation accompanying the report to be sent to the supervisory authority.

Another non-secondary aspect that could emerge from the conservation of logs is the possibility that they represent personal data themselves. Userid, IP addresses, etc. they may leave traces that can correlate data to individuals. Therefore, appropriate assessments must be made in order to make this part compliant.

Also in this case pfSense / OPNsense provide the tools that allow us to design a system suitable to the needs of the organization and thus gives us the possibility to:

  • Host the logs within the system itself.
  • Redirect logs to an external system.
  • Install special packages for advanced log management such as syslog-ng which can also provide secure and encrypted storage of logs.

If you choose the solution to keep the logs in the system you can also buy one of our solutions with encrypted disk.

5.How and what to implement on pfSense/OPNsense.

To exclude a priori almost all the cases of having to send the aforementioned communication to the authority or to the interested party (as per point 4.4) and to avoid the sanctions provided (as per article 83), the pfSense devices will be properly configured / OPNsense.

5.1 Design or adapt a system based on Article 32.
As described in section 4.2, article 32 is one of the most important for the design of a firewall / router system and for this reason deserves particular attention.

In the event that our pfSense/OPNsense firewall is intended to protect a system that also manages personal data, it will be necessary to verify the punctual implementation of all the technical measures that can be pursued on the basis of the applicable technology and implementation costs.

Looking at the aforementioned article in greater detail, it is noted that the legislator does not go into the merits of specifying which technical impositions in detail to apply but rather states the nodal aspects to be considered in the evaluation, namely:

  • the state of the art;
  • implementation costs;
  • the context and the purposes of the processing;
  • the risk of varying probability and seriousness for the rights and freedoms of natural persons.

Once these evaluations have been carried out and only following them, it will be possible to “put in place adequate technical and organizational measures to guarantee a level of safety appropriate to the risk”.

The technical measures that we recommend to adopt are the following:

a) the pseudonymisation and encryption we will discuss in the following pages.

b) c) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of the processing systems and services.
the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident.

Terms such as availability and resilience, the concept of “ability to promptly restore data availability and access” indicate the legislator’s willingness to favor the use of technologies such as hardware redundancy of components, high reliability between appliances and redundancy connectivity to ensure that systems can always provide access to data.

How do you make an objective assessment to determine if an organization needs a completely redundant system or is it sufficient to have a simple system?

For example, if the inaccessibility of the data implies a risk to the individual, for his freedom or his health, then in compliance with the law I should at least propose all the technological solutions required to guarantee the service. Not only is there a need to guarantee the security of personal data, thus using advanced encryption and pseudonymisation as mentioned above, but it is also necessary to allow the individual identified by the collected data to access them, modify them and exercise the additional rights envisaged by Regulation (EU) 2016/679. The implementation of:

d) a procedure for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to guarantee the security of the treatment.

In this case too, from a technical point of view, the legislator refrains from clearly defining the methods to meet the requirements, leaving to the organizations the burden of evaluating the technical measures that guarantee the safety of the treatment.

It is clear to all IT and ICT experts that what is now considered safe (or more correctly “seems safe”) and in full efficiency, tomorrow may not be.

Point d) deals with this aspect that is becoming increasingly strategic for the security of organizations of all sizes. The possible solutions are obviously numerous and, starting from the implementation on the pfSense/OPNsense systems of packages that send the system status reports via email, passing through the analysis of the security performed by external systems that simulate real cyber attacks for provide a report on system security, we get to the implementation of external monitoring solutions using additional packages such as Zabbix that pfSense and OPNSense integrate within them.

It remains obviously at your disposal to study in detail all the possibilities offered by the pfSense and OPNSense systems.

Another important aspect that regards the IT service providers and the data controller are the assistance contracts that, stipulated with organizations that have technical skills in this regard, are intended to protect the controller in case of violations. In this regard, note recital (81) of the “General Regulation on Data Protection” which establishes the previous lines.

It is therefore necessary to provide the necessary assistance to the organization to define:

  • which apparatus to buy;
  • which technologies must be implemented in the device referred to in the previous point to ensure compliance with the Regulation (EU) 2016/679;
  • how to configure the device for specific reality;
  • what are the best procedures to test and verify the security of the system;
  • which data must be traced to verify that access to personal data is only performed by authorized and authorized persons.

Obviously there can not be a univocal and generalized solution that meets all the requirements set out in this article. How much will certainly be provided to the customer, depending on whether you are in the shoes of an IT consultant or a data controller, is the appropriate documentation to prove, according to the criteria set out above, the fulfillment of the requirements set by the “General Data Protection Regulation” based on the choices made and technological solutions appropriately provided and implemented.

5.2 Recital 81 (need only be used by controllers with sufficient guarantees)
“The data controller should only use data controllers who provide sufficient guarantees, in particular in terms of specialized knowledge, reliability and resources, to implement technical and organizational measures that meet the requirements of this regulation, including for the security of the treatment.”

“The performance of processing by a controller should be governed by a contract or other legal act under Union or Member State law which restricts the controller to the controller.”

pfSense/OPNsense, through solutions specifically designed for the customer, together with continuous checks on the security of the systems installed with particular reference to personal data, will allow to prove, through periodically updated documentation, full compliance with the obligations established by Regulation (EU) 2016 / 679 and which will be the subject of the contract between the controller and the data controller.

5.3 Data contained in the firewall / router file system.
You can proceed to analyze which personal data could be present in a pfSense / OPNsense type system.

Given the definition of “personal data” in Article 4:

“«Personal data»”means any information concerning an identified or identifiable natural person (“«concerned»”); an individual is identified as identifiable, either directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychological, economic, cultural or social ”

we can face the different cases of which, for example, the first could be the name assigned to a user and / or the digital VPN certificate of a possible road warrior. In this case the “General Regulation on Data Protection” recommends using the suggested pseudonymisation also in Article 25 and Article 32 paragraph a.

Also from Article 4:

Pseudonymisation: the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures designed to ensure that such personal data are not attributed to an identified or identifiable natural person; ”

A theme of primary importance concerns the configuration of a Captive Portal created with pfSense/OPNsense. In a system configured to carry out this task, the issue becomes more complicated as the personal data of the users could reside on the system.

This is the only case, to date reasonably conceivable, in which in a system such as pfSense/OPNsense personal data of users may be present. The main action to be taken is to once again resort to pseudonymisation so that, if there is a violation, the attacker can not correlate the data that he has acquired to the natural person to whom these data belong.

If the situation requires it, it will also be possible to purchase a firewall router with encrypted disk inside.

5.4 What data transits in a firewall/router?
Being a firewall or a pfSense / OPNsense router a system that by definition combines two or more network segments, it is important to direct attention to the type of data that could transit between two or more segments. It is obvious that information of various kinds could transit , such as personal data, biometric data, genetic data, etc … all covered by Regulation (EU) 2016/679. This type of information must therefore be secured as efficiently as possible and feasible on the basis of the applicable technology and implementation costs.

As described in point 4, within the Regulation there are numerous references to cryptographic data useful to provide a further and important guideline to be adopted for the configurations of our appliances.

It must be assumed that in order to secure a system, any connection should take place using an encrypted protocol.

It is an example to encourage the use of VPNs to the detriment of external RDP ports that before the entry into force of the GDPR already represented an abomination on the information security and from today will no longer be in line with the new requirements.

Similar reasoning can be applied to all protocols such as, just to mention some of the most famous, http, ftp, pop3, imap, smtp, etc … which, remember, have their own version “safe” and then encrypted.

Fortunately, at international level, those services that are not based on cryptography will be abandoned in the short term: for example, Google will no longer trust sites that do not implement the https protocol and consequently the problem will have to be dealt with globally.

5.5 Access to the system:
Although not provided by Regulation (EU) 2016/679 explicit indications, the organization, after appropriate evaluation, may find the need to regulate and / or limit access and activities of administrators and users on device pfSense/OPNsense.

It is common practice for IT to use admin access without discriminating against the individual accessing the system. PfSense / OPNsense offer the appropriate features for limiting information on the administration panel by defining different users with various access permissions.

It will therefore be possible to define which users access the information and what the nature will be the same to integrate a system of operations auditing.

5.6 Use of IDS
Both pfSense and OPNsense integrate tools that can help IT staff understand if there has been a violation. These are the IDS or Intrusion Detection System.

In our specific case, an IDS is a software tool or package that can be installed within our pfSense / OPNsense system used to identify unauthorized access to computers, servers or local networks.

Specifically, pfSense adopts SNORT as an IDS and Suricata system, while on OPNsense it integrates Suricata within it

5.7 Fines and penalties
Criminal consequences and fines of up to 20 million euros or 4% of company turnover.

5.8 Conclusions.
The “General Regulation on Data Protection” is not just a step forward for Europe in the protection of personal data and rights of the individual to whom it belongs, but requires a rather large effort on the security of each organization in order to to contribute to a general improvement of the whole network.

As analyzed, therefore, the law does not impose precise technical requirements, but the purpose of the legislator is to set the principles by which to act and to which each organization must comply to reach the most appropriate solution to the specific case.

  ti posso interessare anche