Can Firewalla do url/domain based filtering on https traffic?

Comments


  • Firewalla

    All the Firewalla products inspect SSL traffic. (We do NOT unwrap or man-in-the-middle HTTPS; we just inspect as in (2) you listed.) Examples:

    • When you turn on porn block, gaming block ... under devices or rules, they are blocked using SSL inspection, DNS inspection, and IP blocks.
    • When you create rules and do a default block, same as above.
    • Family mode, ad-blocker, and the new "domain blocks" are purely DNS-based blocks.

  • craig currim

    Understood and agreed... so, to clarify, although they 'inspect' HTTPS traffic, this is not DPI. It's inspecting what it can from what is exposed (IP addresses src/dst, etc.). I was trying to understand if this product also allowed for MITM SSL termination and inspection, and you answered my question in that it does not.

    Thanks 

  • Firewalla

    In terms of SSL, the inspection is at the certificate level. This is what we refer to as SSL inspection. So it is decent-deep; this is how we can block even without seeing DNS. And no, the box can't see encrypted traffic.

    None of our products will do a MITM for HTTPS traffic. (By man in the middle, we mean having you install a weaker certificate on your devices, and in the middle we decrypt and encrypt HTTPS traffic using our own certificates.) Without proper infosec or IT support, doing HTTPS MITM is a very dangerous thing.

  • Chris Thomas

    @Firewalla, but it's not SSL inspection, and perhaps we should stop calling it such, as it continues to create a lot of confusion.

    Perhaps "Layer 7 Header Inspection" is a more appropriate claim?

  • Chris Thomas

    And if I'm not mistaken, header information is encrypted as part of the Encrypted SNI extension in TLS 1.3.

  • Firewalla

    Our term "SSL inspection" means looking at the protocol. We call MITM "SSL interception" or "SSL decryption", which is something we are strongly against doing in a consumer or small business environment where there are no true IT or InfoSec teams to manage the system. Plus, installing certificates on thermostats is not possible :)

    Will we provide a man in the middle to decrypt and encrypt SSL in the future? Only if we change our market to the enterprise....

    As for SNI, it is still being argued greatly in security. This is the same problem as this one: https://www.zdnet.com/article/nsa-warns-against-using-doh-inside-enterprise-networks/

    Firewalla relies on multiple factors for inspection; SNI is just one of them.

  • FF

    Unless I am mistaken,

    • the best way to implement what you are describing seems to be at the DNS/cert layer. (SSL termination's purpose is to inspect the content of the connection AFTER the SSL handshake, in other words after having already established the connection to the site that you want to blacklist/whitelist.)
    • if the filtering provided by OpenDNS is not sufficient, since it is bound to your public-facing IP (so you can't have different policies per device behind the same single public IP), you might want to look into Cloudflare Teams. It allows you to set up policies similar to OpenDNS on a per-location basis associated with users and devices, but Cloudflare determines locations based on a unique DoH URL.
    • You will also get DoH and WARP at the same time.
    • Unfortunately Firewalla DoH only supports the generic DoH service from Cloudflare, not Cloudflare Teams yet. So for the time being you will just have your devices bypass Firewalla completely until the feature is implemented (should be a minor change IMHO, since you just need to be able to specify a per-team DoH URL like https://abc12334.cloudflare-gateway.com and map them in Firewalla on a per device/group basis).

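To make the thread's distinction concrete (Firewalla's "certificate level" / SNI inspection versus full MITM decryption, and Chris Thomas's point about Encrypted SNI), here is an added example in Python. It is not Firewalla code and says nothing about how the box is actually implemented: it parses a TLS ClientHello record and pulls out the plaintext server_name extension, which is exactly the field a passive inspector can read without holding any certificate or decrypting anything, then applies a simple domain blocklist to it. It also flags the encrypted_client_hello extension (the draft codepoint 0xfe0d is assumed here) to show why, with ECH, the visible SNI is only the outer public name and a policy engine has to fall back to DNS and IP factors. The ClientHello bytes and the blocklist are constructed inside the script.

```python
"""Passive SNI inspection of a TLS ClientHello (added example, not Firewalla code)."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello draft codepoint (assumed value)


def build_client_hello(server_name=None, extra_extensions=()):
    """Construct a minimal TLS 1.2-style ClientHello record (sample input, not captured traffic)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    for ext_type, ext_data in extra_extensions:
        extensions += struct.pack("!HH", ext_type, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                              # client_version
        + b"\x11" * 32                           # random (fixed bytes for reproducibility)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data):
    """Return the first host_name entry of a server_name extension, or None."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """Extract only what is visible in plaintext: the SNI and whether ECH is present."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                              # client_version + random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    info = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return info                                           # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type == EXT_SERVER_NAME:
            info["sni"] = _parse_sni(data)
        elif ext_type == EXT_ECH:
            info["ech"] = True
    return info


def classify(record, blocked_domains):
    """Decide on a ClientHello from the plaintext SNI alone.

    Returns "block", "allow", "no-sni" (must fall back to DNS/IP factors) or
    "ech-outer-only" (the visible name is ECH's public name, not the real host).
    """
    info = parse_client_hello(record)
    if info["ech"]:
        return "ech-outer-only"
    if info["sni"] is None:
        return "no-sni"
    host = info["sni"].lower().rstrip(".")
    for domain in blocked_domains:
        if host == domain or host.endswith("." + domain):
            return "block"
    return "allow"


if __name__ == "__main__":
    blocklist = ["example.com"]  # constructed sample policy
    for name, extra in [("cdn.example.com", ()), ("example.org", ()), (None, ()),
                        ("public.example.net", ((EXT_ECH, b"\x00\x01"),))]:
        print(name, classify(build_client_hello(name, extra), blocklist))
```

The parser never touches anything after the handshake, which is the whole point of the distinction made above: a certificate- or SNI-level inspector classifies the connection from unencrypted handshake fields, while SSL termination would require the device to hold a trusted certificate and re-encrypt the stream. The "no-sni" and "ech-outer-only" results are where a real product has to lean on the other factors the thread mentions (DNS answers, destination IPs).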
