Why would I use a Web-Proxy for security purposes?

Started by adn77, December 09, 2021, 08:58:37 AM

I am contemplating the use of TLS inspection in Squid.

If inspection is limited to SNI inspection I might be able to block the request based on SNI, but I could have done that using DNSBL much easier.

What are the capabilities of full TLS inspection in terms of applying Suricata rules?
From what I understand, Suricata is implemented a few layers below (network).

Alex

Suricata cannot filter TLS protected content. It can just stop the entire connection based on the plaintext part of the TLS connection.

December 09, 2021, 10:40:42 PM #2 Last Edit: December 09, 2021, 10:45:42 PM by adn77
But Suricata would "see" the connection setup regardless of the proxy, right?

And thanks for the reply!
And sorry, I just noticed that I should've posted in a different topic.

Quote from: adn77 on December 09, 2021, 10:40:42 PM
But Suricata would "see" the connection setup regardless of the proxy, right?

Yes, and exactly that. Such IDPS become more and more useless as more and more traffic gets encrypted.

Quote from: fabian on December 12, 2021, 10:32:49 AM
Yes, and exactly that. Such IDPS become more and more useless as more and more traffic gets encrypted.

That's actually why I am asking. Does Suricata benefit from breaking TLS with the use of a proxy?

Quote from: adn77 on December 14, 2021, 09:33:42 PM
That's actually why I am asking. Does Suricata benefit from breaking TLS with the use of a proxy?
No, Suricata does not see what is going on inside Squid (the proxy). It may see the plaintext if ICAP is in use (a protocol for communication between the proxy and, for example, an AV engine), but that's a different story.