Is Squid, ClamAV and Captive Portal still necessary?

Started by WhiteTiger, December 06, 2023, 08:09:33 AM

With Zenarmor can I avoid installing Squid for content filtering and ClamAV as antivirus?
Who manages the Captive Portal? OPNSense or Zenarmor?

Hi WhiteTiger,

Zenarmor has a powerful web filtering and application control mechanism with a rich and up-to-date threat intelligence database.
Especially the essential and advanced security rules safeguard your clients against malicious websites that contain malware and viruses. Antivirus protection and sandboxing features will be available in future releases.
https://www.zenarmor.com/roadmap

Zenarmor runs independently from OPNsense fw rules and plugins.
You can easily configure captive portal on OPNsense and integrate it with Zenarmor for user-based filtering.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-captive-portal-on-opnsense
https://www.zenarmor.com/docs/guides/user-based-filtering-using-opnsense-captive-portal

Bests

There is a principal difference in what you can do by terminating traffic in a proxy like squid and looking at the traffic flowing by with zenarmor when encryption comes into play.

In order to be able to inspect the content (e.g. to scan for viruses), you have to decrypt the traffic, which is only possible by terminating it. This has other drawbacks, like having to include the proxy CA in the end devices.

So, the answer to your question depends on what you expect from a specific solution.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Since viruses affect endpoints (usually Microsoft Windows), using a proper Endpoint Protection with central Management is way more efficient than using a MITM. Also, decrypting and encrypting all traffic is a big security risk in itself.
Hardware:
DEC740

Correct, but as far as the question goes, zenarmor is no endpoint protection, so weighing a proxy solution against zenarmor, the latter cannot prevent viruses. I agree that because of the drawbacks of MITM, protection on the endpoint is best.

Or shorter: To have virus protection, you cannot use zenarmor; you could (but should not) use central scanning via a proxy; what you really should do is have virus protection on the endpoints.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

I don't want to use MITM, too many complications to handle.

I currently use Squid with Transparent HTTP.
The PCs already have an Antivirus, but I wanted to activate one on the firewall for greater protection by being able to block malware before it even reaches the network.
If Zenarmor doesn't have it and if MITM is needed in any case, then I prefer not to install it and in the future deactivate Squid.

For protection, should I install Suricata or do I already have similar protection on Zenarmor?

However, I can't understand why the HTTPS filter with Squid needs MITM, but the HTTPS filter on Zenarmor doesn't need it.

The only thing zenarmor can do without MITM is analyze the initial phase of the HTTPS TLS connection, where the host part of the URL is specified. That is a bit better than using the IP only, because it can discriminate between different sites on the same host, thereby enabling blocking based on the presumed content type of the specific website (i.e. the connection is dropped directly after a malicious or otherwise unwanted site is detected).

However, it cannot look at the content of the pages or downloaded files, i.e. virus-scanning is impossible. Once the encrypted connection is established, zenarmor is essentially blind.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
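To make the two points above concrete (a proxy must terminate TLS to see content, while a flow inspector only sees the unencrypted start of the handshake), here is a small added example. It is not code from the thread, from Zenarmor or from OPNsense; it builds a constructed TLS 1.2 ClientHello, pulls the SNI host name out of it the way a non-terminating filter would, checks it against a constructed block list, and then shows that an application_data record exposes nothing beyond its header. `BLOCKED_HOSTS` and the sample bytes are assumptions made up for the demonstration.

```python
import struct

# Constructed sample block list (assumption for this example, not a real feed).
BLOCKED_HOSTS = {"malicious.example"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Constructed for this example; a real client sends many more fields."""
    name = server_name.encode("ascii")
    # ServerName entry: name_type 0 (host_name), 2-byte length, name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    # Extension: type 0x0000 (server_name), 2-byte length, data
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros in this constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite listed
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None.
    This is the only name-level information an inline inspector can read
    without terminating the connection; it is sent in the clear."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    sid_len = body[pos]
    pos += 1 + sid_len                                # skip session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # skip cipher_suites
    if len(body) < pos + 1:
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                                 # skip compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions present
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(ext_data) >= 5 and ext_data[2] == 0:
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            return ext_data[5:5 + name_len].decode("ascii", "replace")
    return None


def should_block(record: bytes) -> bool:
    """Policy decision a flow inspector can make: drop the connection at the
    ClientHello if the SNI host is on the block list."""
    sni = extract_sni(record)
    return sni is not None and sni in BLOCKED_HOSTS


def describe_record(record: bytes) -> dict:
    """Summarise what any TLS record header reveals: content type, version and
    length. For application_data (0x17) the payload is ciphertext, so no URL
    path, headers or file content is available for virus scanning."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    names = {0x16: "handshake", 0x17: "application_data"}
    return {"type": names.get(ctype, hex(ctype)), "version": f"{major}.{minor}",
            "length": length, "sni": extract_sni(record)}


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(describe_record(hello), "block:", should_block(hello))
    # Constructed application_data record: only type/version/length are visible.
    app_data = b"\x17\x03\x03\x00\x04" + b"\xde\xad\xbe\xef"
    print(describe_record(app_data), "block:", should_block(app_data))
```

The block decision happens once, on the first record of the flow; after that every record looks like the `app_data` sample, which is why content scanning needs a terminating proxy (with its CA on every endpoint) or protection on the endpoint itself.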