Site filtering and application blocking with PFSense

I have tried to get an answer to what I consider a pretty straightforward question but thus far have gotten anything but, so I am hoping you all can help clear the air and put me on the path to sanity and security.

I am running PFS CE on a small network which serves PCs and mobile devices and this question is aimed at using PFS itself or in combination with the many packages available.

Requirement 1:
I need to control user access (permit/deny) to web sites deemed inappropriate or risky (this would be manual entry of particular sites but also something that can import feeds). Please bear in mind that some of these sites use HTTPS URLs which must also be inspected and controlled per the rules I set up. Site examples include Facebook, Twitter, TikTok, Discord, YouTube, etc.

Requirement 2:
I need to identify what apps are operating within the network and where appropriate restrict/limit their ability to access external servers/resources.

Wish list:

  • I would like to have the ability to apply the rules to certain devices/PCs, not a blanket allow/deny for all.

  • If possible, having the flexibility to do it based on time of day, should it be determined that limited access should be granted, would be a nice-to-have.

  • Basing rules on MAC addresses, static IPs or groups would probably be the easiest way to tailor access, but I am flexible and defer to community feedback as to how best to approach it.

  • A solution that doesn't require having to install a certificate on each device (some devices may be guests) but is configured automatically would be extremely helpful.

  • Ease of use/configuration and extensive support/videos/documentation would be a major plus.

Conclusion:
I have become aware of Snort, pfBlockerNG, SquidGuard and Suricata in my search but as of yet have not been able to get a straight answer as to which would fit the bill.

I am aware that MITM capability for SSL/HTTPS packet inspection would be required (so I have been told and read) so maybe this narrows the field a bit but again want to confirm for certain.

I have a brand new box from which I will build the new PFS instance so I am eager to get started and would much appreciate suggestions from those who have done this successfully in the past.

Thank you in advance for your help.

Oh Boy! You worded this perfectly!
Count me in. A detailed answer would also benefit me immensely!

Bart

For those requirements you don't want pfSense, as it does not have good granular filtering features. You cannot do TLS MITM traffic inspection without installing a certificate; if you could see the traffic without one, then anyone could, which would mean it's insecure. Some firewalls can do SNI (Server Name Indication) filtering, which just reveals the web site the endpoint is going to, but not the full traffic in between.

The solution we like best for requirements such as this is Next Generation Firewall | Edge Threat Management – Arista, but there are other commercial firewalls out there that can do this.
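As an added example (not code from the thread or from any of the products named in it), here is what the SNI-based filtering mentioned above amounts to on the wire: the firewall reads the cleartext server_name extension out of the TLS ClientHello and matches it against a block list, without ever decrypting the session and so without any certificate on the client. The block list entries, the LAN hosts and the minimal ClientHello builder are constructed for this example; real ClientHellos carry more extensions, and a ClientHello with no SNI at all (or one the client encrypts) yields nothing to match, which the policy has to treat as its own case.

```python
import struct

# Constructed block list (stand-in for a manually entered or imported feed).
BLOCKLIST = {"facebook.com", "tiktok.com", "discord.com", "youtube.com"}


def is_blocked(hostname: str, blocklist=BLOCKLIST) -> bool:
    """Suffix match on DNS labels: blocking facebook.com also blocks
    www.facebook.com, but not notfacebook.com."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Layout walked here: TLS record header (5 bytes) -> handshake header
    (4 bytes) -> client_version, random, session_id, cipher_suites,
    compression_methods, extensions -> server_name extension (type 0)."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]  # compression_methods
    if len(body) < pos + 2:
        return None  # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        # server_name: 2-byte list length, then (type, 2-byte length, name) entries
        if len(data) < 5:
            return None
        list_end = min(2 + struct.unpack("!H", data[0:2])[0], len(data))
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:  # host_name
                return data[p:p + name_len].decode("ascii", "replace")
            p += name_len
    return None


def sni_policy(record: bytes) -> str:
    """'allow' / 'block' from the SNI; 'no-sni' when there is nothing to match."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"  # the firewall must decide: allow, or block unnamed TLS
    return "block" if is_blocked(name) else "allow"


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal ClientHello (TLS 1.2 record framing) for testing."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed)
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                       # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("www.facebook.com", "example.org", None):
        print(host, "->", sni_policy(build_client_hello(host)))
```

The point the example makes is the one Tom makes above: with SNI you get the hostname and nothing else, so the decision is per site, not per URL or per page content, and anything that ships no SNI in the clear falls into the "no-sni" bucket that your policy has to handle explicitly.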

Thank you Tom for the feedback. To begin, I love your videos and willingness to share your expertise. You are a Rock Star and highly thought of within the professional and novice IT community, so thank you for all you have and continue to do.

I know this is a long post, being brief has never come easy to me as I live life in the details, so if you wish to ignore I would completely understand.

Your response has taken me aback since, despite the confusion regarding how PFS would accomplish this, I thought it was doable and just the "how" was in question. So please bear with me as I run this through the old gray computer. FYI, I am not doubting your assessment but just want to clarify.

So you are saying that PFS and a package or packages cannot achieve encrypted URL website filtering?

  • Squid proxy does have MiTM capabilities (based on config settings) which I think is the requirement for filtering HTTPS/SSL traffic.

  • I am not averse to installing certs on local devices (PCs/mobile); auto config is just a nice-to-have. As for guest devices, I have no issue with restricting access altogether and forcing them to use cell data.

Given this you still feel PFS would not be the right tool?

As for the cloud solution, I am trying to keep an open mind, but I am not a fan of anything cloud based, especially anything to do with security. Here are some reasons for my hesitation. Disclaimer… I have a reputation for being fastidious; this is not an apology, as I consider it a valuable trait especially in my line of work, but I like to put that out there so comments are taken in context.

  • Not knowing anything other than what I read quickly from the Arista site, I see performance as a potential issue if traffic has to go from my network to the NG service, processed and then onto its final destination and back again. I just upgraded to FiOS and enterprise level devices (managed switches, APs) and would like to avoid taking a hit in throughput.

  • My current profession is validating cloud solutions within regulated healthcare and one of the major drawbacks that I see is once a solution is adopted it is more painful than ripping off finger nails to make a switch to another service or technology. It is never as simple as migrating a configuration or set of rules when the time comes to move on.

  • Service providers are notorious for price increases and limiting functionality through packaging functions within service tiers. I don't mind paying a fair price for a product or service, but my "frugal" nature is usually not compatible with the "strip them of their pocket lint" mentality of most providers.

If you still feel that PFS is not the way to go, in addition to Arista, do you have other recommendations for FWs that might be a fit maybe similar to PFS (runs on 3rd party HW / PCs) or dedicated appliances? I will do more research on Arista and probably give their free trial a test drive as well and provide feedback.

Thank you again for your valued input.

You’re looking at a next-gen layer 7 firewall. If budgets are tight, I recommend Fortigates. If money is not a problem, please go with Palo Alto.

Thank you David for that info. I have never heard of this company and it's definitely what I am looking for as far as it being on premise.

I did a quick look at product offerings and will need to lean toward the 5 port models. Not knowing specifics, I assume that as long as it does SSL inspection my URL woes will be covered?

What I haven't been able to gather yet is, will I be tied to a license/subscription structure to use the device per its stated HW and functionality specs, or is the license more for updates and threat feed updates?

Don't want to buy into the specs only to find out that, should I choose not to renew, I have a fancy doorstop.

Thanks again.

Yes, you can use Squid to filter sites, but it is very time intensive to manage, will also break many sites and requires constant tuning. I don't know of any company that offers layer 7 filtering that does not also charge a subscription. With the Arista and most other firewalls it does not go to their "Cloud" for filtering; it is done locally but does use a data feed to keep up with site information. Also, filtering is processor intensive when done at the firewall, so you have to spec it for the traffic volume you will be using.

Thank you Tom for your time and input. I was able to get some feedback from a tech at Netgate who I communicate with from time to time, and he says that it is possible to achieve this using HTTP/HTTPS proxying in Squid or DNS filtering using pfBlockerNG, but admits there are restrictions/limitations. To advance my understanding of PFS I am going to give that a try and see what comes of it, but also give the Arista demo a try, as I was looking at their fees and they seem reasonable. Not knowing specifics, it seems that what I am looking for would be their web filter package, but I will reach out to them to get more details about the right package and what the optimum hardware specs would be since, as you mentioned, SSL inspection would be highly processor/memory intensive. I liked the Fortigate recommendation by David as well, but since their devices are pretty pricey at the moment and I am not sure what I would lose should I choose not to renew the initial license, I will keep them as plan C should A and B not pan out. Will let you know how things work out in PFS; whether a success or failure, it might be of interest to your loyal followers. Thanks again.

Good luck with pfSense. I've been using pfBlockerNG with success; you could run Suricata on a separate box if necessary because of maintenance. I would avoid Fortigate, cost and past fubars with programming. Palo Alto is a good choice but beaucoup bucks. Tom's suggestion of Arista is good also and is priced well.

Thank you for that lead… Do you know of any PFB documentation, videos or other material that goes into this in greater depth? I have gotten as far as creating white and black lists within PFB, but when that didn't work I started hunting for other solutions and put it on the back burner. I googled "pfblockerng ssl tls inspection" and nothing relevant jumped out. Also, if you or anyone following this discussion has an interest, I have pasted the link to the Netgate hangouts video that explains how Squid/SquidGuard try to address this.

Here is a video on how we handle web filtering:

Netgate's website has several training videos.
I see Tom has weighed in and I would look at his video. Arista bought Untangle, and according to their web page you can put their software and/or hardware behind another router. Might be an interesting exercise. Probably you would not need such, but it is something I will try just to see the results.

Actually I stumbled upon the video last night, as always great info. Thank you.

Yes, I ran across their list of offerings and it looks like I can purchase their web filtering package and run it on a system I already have, given the min specs they list, and keep PFS as my firewall on another box. Yes, interesting exercise; will see how it pans out, this is going to need some planning. As for Netgate's videos, I have seen some but nothing yet specific to pfBlockerNG content filtering. I will keep looking; searches always yield varying results so it's just a matter of persistence.


Back in the day Sourcefire was the company, founded by Martin Roesch here in Maryland, that combined SNORT with hardware and would be deployed along with sundry firewalls, great product. Unfortunately he sold out to Cisco. When the big boys can’t create a worthy product in house they open the money bags, and then raise the price.

Same in healthcare. Rarely does a JJ, Merck, Abbott discover something and develop it, they buy out startups or they get IPs from universities where public money, your tax dollars went into discovering the new drug or device and then they sell it back to us at a huge profit. I am all for capitalism but this makes me scream. One day someone will come up with a way to make drugs and devices like open source software, accessible to all, first have got to get the FDA out of the way.


Tom, could you clarify this? TLS MITM traffic inspection, by design, requires installing a certificate, right? Because otherwise anybody could check your traffic if they got hold of some packets, no?

I thought that's exactly what the "splice all" feature in pfSense was for. Or did they change that recently?

Sorry for waking up an old post, guys. I'm just trying to do research on an open source project that can do what we need done without joining the race to $10,000 per 3 year subscription. The familiar brands all seem to be engaged in it.

jared

The TL;DR is that you need to request a certificate before you can get one. For a more in depth answer Cloudflare has a nice write up on how SNI works here:
https://www.cloudflare.com/learning/ssl/what-is-sni/

Couldn’t you do most of this via DNS instead?

If you lock down access to other DNS servers as well as possible, then you could rely on DNS filtering. Locking down DNS is not a guarantee, but if you do it right (alias common DNS/VPN IPs, etc.) you could reasonably block most traffic trying to bypass your DNS.
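As an added example (not code from the thread, and not how pfBlockerNG or Unbound implement it), here is the DNS-side version of the same idea, in two halves that mirror the post above: (1) anything on port 53 or 853 that is not headed to the LAN resolver, or port 443 to a well-known public resolver IP, is treated as a bypass attempt, which is the "alias common DNS IPs" rule expressed as code; (2) queries that do reach the LAN resolver have their question name pulled out of the DNS wire format and suffix-matched against the block list. The resolver address, the block list, the public resolver list and the query builder are constructed for this example; the port 443 check is only an IP-alias heuristic, so DoH to an IP not on the list still gets through, which is the "not a guarantee" caveat above.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed policy for this example.
LAN_RESOLVER = ip_address("192.168.1.1")          # the only resolver clients may use
BLOCKLIST = {"facebook.com", "tiktok.com", "discord.com"}
# A few well-known public resolver addresses, standing in for a pfSense alias.
KNOWN_PUBLIC_RESOLVERS = [ip_network(n) for n in (
    "8.8.8.8/32", "8.8.4.4/32", "1.1.1.1/32", "1.0.0.1/32", "9.9.9.9/32")]


def is_blocked(hostname: str, blocklist=BLOCKLIST) -> bool:
    """Suffix match on labels: blocking facebook.com covers www.facebook.com."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_qname(packet: bytes) -> str:
    """Return the first question name from a DNS query in wire format.

    Header is 12 bytes; the question name follows as length-prefixed labels
    terminated by a zero byte. A query's first name cannot be compressed."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def classify(dst_ip: str, dst_port: int, payload: bytes = b"") -> str:
    """Decide what a firewall with a local resolver should do with one packet.

    Returns 'bypass' (DNS to an outside resolver), 'not-dns' (leave to other
    rules), 'block' or 'allow' (DNS to the LAN resolver, by question name)."""
    dst = ip_address(dst_ip)
    if dst_port in (53, 853) and dst != LAN_RESOLVER:
        return "bypass"  # plain DNS or DNS-over-TLS to someone else's resolver
    if dst_port == 443 and any(dst in net for net in KNOWN_PUBLIC_RESOLVERS):
        return "bypass"  # probably DNS-over-HTTPS; IP alias match only
    if dst_port != 53:
        return "not-dns"
    return "block" if is_blocked(parse_qname(payload)) else "allow"


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Constructed standard A query (RD set, one question) for testing."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


if __name__ == "__main__":
    samples = [
        ("192.168.1.1", 53, build_query("www.facebook.com")),
        ("192.168.1.1", 53, build_query("example.org")),
        ("8.8.8.8", 53, build_query("www.facebook.com")),
        ("1.1.1.1", 853, b""),
        ("1.1.1.1", 443, b""),
        ("93.184.216.34", 443, b""),
    ]
    for ip, port, payload in samples:
        print(ip, port, "->", classify(ip, port, payload))
```

On a real pfSense box the first half is a pair of firewall rules (allow 53 to the LAN resolver, reject 53/853 elsewhere, reject 443 to the resolver alias) and the second half is the resolver's own block list; the code just makes the ordering of those decisions explicit.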