Can Firewalla do url/domain based filtering on https traffic?
My question is if the product can do this (url filtering or blocking for https traffic) without implementing a DNS solution-based approach (OpenDNS as an example). I do not like the DNS based solution as it will not give me the granularity of applying the rules to specific internal IP address/es and endpoints. So this would require either:
1. SSL termination for URL/packet inspection
2. Potentially reading the server name in part of the SSL handshake
-
All the firewalla products inspect SSL traffic. (We do NOT unwrap or man-in-the-middle HTTPS, we just inspect as in (2) you listed). Examples:
- When you turn on porn block, gaming block ... under devices or rules, they are blocked using SSL inspection, DNS inspection, and IP blocks
- When you create rules and do default block, same as above.
- Family mode, ad-blocker, and the new "domain blocks" are purely DNS based blocks
-
Understood and agreed... so, to clarify, although they 'inspect' https traffic, this is not DPI. It's inspecting what it can from what is exposed (ip addresses src/dst, etc.). I was trying to understand if this product also allowed for MITM ssl termination and inspection and you answered my question in that it does not.
Thanks
-
In terms of SSL, the inspection is at the certificate level. This is what we refer to as SSL inspection. So it is decent-deep; this is how we can block even without seeing DNS. And no, the box can't see encrypted traffic.
None of our products will do a MITM for HTTPS traffic. (By man in the middle, we mean having you install a weaker certificate on your devices, and in the middle, we decrypt and encrypt https traffic using our own certificates). Without proper infosec or IT support, doing HTTPS MITM is a very dangerous thing.
-
Our term SSL inspection is to look at the protocol. We call MITM SSL interception or SSL decryption, which is something we are strongly against doing in a consumer or small business environment where there are no true IT or InfoSec teams to manage the system. Plus, installing certificates on thermostats is not possible :)
Will we provide a man in the middle to decrypt and encrypt SSL in the future? Only if we change our market to the enterprise ....
As for SNI, it is still being argued greatly in security. This is the same problem as this one https://www.zdnet.com/article/nsa-warns-against-using-doh-inside-enterprise-networks/
Firewalla relies on multiple factors for inspections, SNI is just one of them.
-
Unless I am mistaken,
- the best way to implement what you are describing seems to be at the DNS/cert layer. (SSL termination's purpose is to inspect the content of the connection AFTER the SSL handshake, in other words after having already established the connection to the site that you want to blacklist/whitelist).
- if the filtering provided by opendns is not sufficient since it is bound to your public facing IP (so you can't have different policies per device behind the same single public IP), you might want to look into cloudflare teams. It allows you to set up policies similar to opendns on a per-location basis associated to users and devices; but cloudflare determines locations based on a unique DOH URL.
- You will also get DOH and WARP at the same time.
- Unfortunately firewalla DOH only supports the generic DOH service from cloudflare, not cloudflare teams yet. So for the time being you will just have your devices bypass firewalla completely until the feature is implemented (should be a minor change IMHO since you just need to be able to specify a per team DOH URL like: https://abc12334.cloudflare-gateway.com and map them in firewalla on a per device/group basis).