OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Wellenmann on February 13, 2019, 04:26:20 pm

Title: HTTPS Inspection
Post by: Wellenmann on February 13, 2019, 04:26:20 pm
Hi!
HTTPS Inspection is the order of the hour. But this is not trivial at all, since there are sites which do not allow Man in the Middle intermission, and they change every day! Commercial firewall manufacturers, like Fortinet, address this by a dynamic bump list they distribute. If we don't manage this, it can lead to loss of clients. I would pay for such an external bump list service, if it works.
Title: Re: HTTPS Inspection
Post by: mimugmail on February 13, 2019, 07:46:26 pm
It's more a communication problem between the client and you. I'm not aware of such lists, sorry.
Title: Re: HTTPS Inspection
Post by: The_Sage on February 14, 2019, 07:42:32 am
Hey Wellenmann,

This is my experience with MITM.

I have tried MITM now and nearly had it working for everything on my network.

I use the transparent option.

The main issue I found was services like Netflix still refused to work as it detected the proxy. This may be just the fact that it is in transparent mode. Other services like game consoles don't work, so I bypass the NAT rules for these hosts. This just complicates the firewall rules also. In saying that, I have not tested this in a work environment, but I am assuming I would find more apps, software, etc. NOT liking the MITM proxy.

I have resigned myself to the fact that it is quite hard to implement correctly and keep maintained, as it is actually breaking the rules of HTTPS, which is designed to stop this.

My approach is to use just the SNI option and monitor web usage via LightSquid.

We can block sites from remote access control lists. We can create our own as well. Using Spamhaus eDROP / GeoIP we can then stop access from most known malicious networks.

I have not fully looked into it, but the Snort Rules have application (Layer 7) Next Gen firewall type detection.

The only thing I can see missing from the Man in the Middle is content filtering and virus filtering. As said before, using UT1 can block categories of sites, but NOT actual content.

I then have to trust that the anti-virus installed on the workstations will pick up any viruses coming from the web, just a bit like email, where (unless there is an edge server with filtering) we have to rely on the local anti-virus, the email provider and/or any spam filtering.

I have found that in turning off and on different options in the GUI, with no errors showing, the setup actually gets all tangled up and doesn't work at all. (I haven't looked into why yet.)
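The pattern The_Sage describes, splicing hosts that refuse interception on their SNI and bumping the rest, expressed in Squid's own ssl_bump syntax. This is an added example, not configuration from any poster or from OPNsense; the no-bump file path and the host names in it are assumptions, not part of the thread.

```squid
# Added example (not from the thread): SNI-driven bump exceptions.

# Step 1: only peek at the TLS ClientHello so the SNI becomes visible
# without yet committing to intercepting the session.
acl step1 at_step SslBump1

# Hosts known to break under interception (certificate pinning, proxy
# detection). File path is an assumption. One entry per line; a leading
# dot matches the domain and all its subdomains, for example:
#   .netflix.com
#   .xboxlive.com
acl nobump ssl::server_name "/usr/local/etc/squid/nobump.txt"

ssl_bump peek step1        # read the SNI first, decide afterwards
ssl_bump splice nobump     # listed hosts pass through untouched
ssl_bump bump all          # everything else is intercepted

# For The_Sage's SNI-only mode (no interception at all, just visibility),
# replace the last line with:
#   ssl_bump splice all
# and log the peeked SNI, e.g. with the %ssl::>sni logformat token.
```

Keeping the exception list in a separate file is what makes the approach maintainable: the list changes as sites start pinning or detecting proxies, while the ssl_bump rules stay fixed. Note that OPNsense generates squid.conf itself, so on that platform the equivalent is the proxy's no-bump sites setting in the GUI rather than a hand-edited file.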