Messages

1

General Discussion / Re: Using only virus scanner behind router

« on: May 26, 2022, 03:12:47 pm »

Opnsense is a better UTM than Mikrotik, but it uses ClamAV and obviously encrypted connections can not be scanned anyway.
If you want to scan mails, the best solution is to use OPNSense as your MX with postfix and rspamd / clamav.

I've read that OPNSense can scan SSL traffic too, performing MITM by installing self signed certificate in the local certificate storage of every machine(Trusted Root Certs), which allows the decryption of SSL traffic and then repackaging it again.
And while OPNSense might be better UTM than Microtik, I can't replace the Mikrotik, because of IPSec VPN-s running on it. Replacing it means complete overhaul of the network and the Mikrotik is used to manage
WLAN network AP-s(CAPSMAN).
So, is it possible to decrypt the SSL traffic to the Internet then encrypt it, pass it to the Mikrotik, while the OPNSense is behind the Mikrotik and passing the local network traffic AND the VPN traffic as it is?
I want to use it primarily and only as virus scanner - to block infected attachments and files.
The computers are connected to DC, so installing certificate is extremely easy. Also, to avoid issues with banking websites and etc, I want to whitelist trusted IPs and exclude them from the SSL traffic scanning.
What is MX, btw?

2

General Discussion / Using only virus scanner behind router

« on: May 25, 2022, 08:33:01 am »

Hello,
Currently I use pretty capable Mikrotik router. Unfortunately, there are no antivirus plugins for it.
I want to put OPNSense behind the Mikrotik router, between the Mikrotik and the network switch, transperantly pass all of the local network traffic and currently running Point to Point VPN-s and use the antivirus of the OPNSense to scan any connection to outside IP-s.
Is this possible at all? I have several VPN-s running on my Mikrotik, as well as other services and migrating all of them to OPNSense, if possible, would lead to substantial interruptions, which is undesirable. 
My main concern and the main reason for looking for net scanning AV is the increased amount of infected Emails and potentially infected downloads from sites/IP-s outside my local network.
I have AV on my endpoints, but I would very much like to block crypto viruses and other infected downloads and attachments before they are downloaded by the client or before the client attempts to download them.
For example, currently email viruses are extremely popular. Emails with title "Invoice" and etc, seemingly coming from legitimate domains(unless you check the header of the email, of course), impersonating legitimate companies and "sending invoices". Those emails contain infected Excel documents. To bypass the Protected view, when you open such a document, it says that you must exit protected mode, because the document if from older version of Excel. If you do so, then the VBA starts to execute and you are infected with crypto virus or other type of malware and it starts to spread in your network. Not that the users and uneducated, but some of those emails are pretty creative, even on our native language and on a first glance seem legitimate and if you are not careful enough you might download the attachment, thinking that it is legitimate email and attachment. So, they are relying on coding as much as on social engineering.