IDS + Haproxy + SSL decrypt

Started by klamath, January 25, 2021, 04:49:22 PM

Howdy,

I just got finished converting the majority of my port forwards to HAProxy-terminated endpoints. The SSL termination + re-encryption is taking place on my OPNsense firewall. I have IDS monitoring my external WAN connections; I was wondering if there is anything else I need to set up to have IDS inspect the "in the clear" data while it is traversing the firewall?

Thanks

Hi
I do not think that scheme allows Suricata to be used for analyzing HTTPS traffic. The decrypted traffic must somehow arrive on the interface Suricata is listening on for it to parse it.
For IDS mode, this method might work: https://laskowski-tech.com/2020/03/29/opnsense-and-ssl-decryption-using-sslsplit/
For the IPS mode, I think you will need a chain of servers with intermediate servers between which unencrypted traffic will pass.

The Nginx plugin uses the naxsi WAF for web-traffic inspection (thanks @fabian for adding such a great feature).

This is disappointing. I get the issues with inspection around SSL and decrypting the traffic. Are there any plans to get a system in place to make SSL inspection on OPNsense work in the future? The more I dig into it, IDS/IPS is a non-starter on OPNsense in its current state without fronting a CA cert or using unencrypted traffic on the backend.


May I ask why you prefer IDS over WAF for HTTPS-inspection?
There are clear limitations when running a reverse proxy and IDS on the same host, related to the layers at which the IDS and the proxy are running. As a result, when IDS sees incoming web traffic, it is not yet decrypted, and when it sees outgoing traffic, it is already encrypted, and additional steps are required for the IDS to receive traffic suitable for analysis (and even more so for IPS).
WAF, on the other hand, was originally designed to analyze web traffic on a reverse proxy.
I don't know about plans to integrate modsecurity and HAProxy, but OPN already has an excellent bundle of nginx + naxsi, and looking at the activity on GitHub, some updates can be expected.
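The termination-plus-re-encryption layout the original poster describes, written out as an HAProxy configuration so the point made in the reply above about layers is concrete. This is an added example, not configuration from any poster or from the OPNsense HAProxy plugin; the certificate paths, backend address and names are placeholders.

```haproxy
# Added example: TLS termination on the firewall with re-encryption
# towards the backend. Paths, addresses and names are assumptions.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Public side: everything arriving on the WAN interface is TLS records.
# An IDS bound to the WAN interface therefore only ever sees ciphertext.
frontend public_https
    bind :443 ssl crt /usr/local/etc/haproxy/example.pem
    http-request set-header X-Forwarded-Proto https
    default_backend app_servers

# Private side: the stream is encrypted again before it leaves the host,
# so the LAN interface also carries ciphertext. Plaintext exists only
# inside the HAProxy process, which no interface-level IDS taps.
backend app_servers
    server app1 192.0.2.10:443 ssl verify required ca-file /usr/local/etc/haproxy/internal-ca.pem
```

With this layout there is no leg of the connection on which Suricata, which attaches to network interfaces, can observe decrypted HTTP. That is why the reply suggests either an inspection component that runs inside the proxy path (a WAF such as naxsi), or a topology in which a plaintext leg crosses an interface the IDS listens on; the `verify required` on the backend is there to keep the re-encrypted leg from silently accepting an untrusted backend certificate.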

To be honest, I have more experience with HAProxy, so I used what I know. I took the plunge today and set up nginx, and I am running into nothing but problems with an Exchange server. I have read a bunch of tickets around the issue and cannot find a place in the GUI to input such variables; I am hoping these options are there and I don't have to hand-jam them into a config.

Thanks,
Tim

https://forum.opnsense.org/index.php?topic=16595.0
https://forum.opnsense.org/index.php?topic=12939.0
https://stackoverflow.com/questions/14839712/nginx-reverse-proxy-passthrough-basic-authenication

Can you start a new topic in "Web Proxy Filtering and Caching" with more details?