Solutions to TLS1.3 decryption

Hey yall,
Short and sweet of it, is there another solution other than SSL decryption that I can use to protect my network? TLS1.2 and TLS1.3 aren’t that big of an issue when it comes to decryption and securing some Palos is like pulling teeth from CTOs (which I get , smaller firms) but I need some way to perform scanning of these packets.
An open-source solution is preferred but I’m ok working with commercial firewalls as well as the open source variety (ala pfsense or untangle)

For personal testing, is there a pfsense/opnsense solution to this? Squid is ehhhhh.

So…. You want to scan an encrypted packet, which by design and definition is useless noise without decryption, and you also want to be effective against TLS 1.3 where you don’t even have the crutch to lean on of seeing what name is on the certificate that is being used?

If that was possible, encryption would be worse than useless, and to be clear there are conspiracy theorists that claim this.

There is no alternative from a firewall perspective to installing your own root key on every company computer in order to MITM yourself to decrypt packets. For PFSense/OPNSense, this is done via Squid. If that isn’t suitable for you, you can find cheaper options than Palo, but you’re going to be paying someone money.

A better approach is to invest in an anti-malware solution that lets you do the inspection and filtering on every computer. The computer has to decrypt the packets, after all, and you can directly match DNS requests to sockets.

1 Like

But it’s not just for malware. DLP is another example. I do take your point of course but the reality for me at least is that breaking TLS is a necessity at least in the industry I’m in. It’s all part of the threat prevention play.
What endpoint security solution do you find is good?

Well… if you have to break TLS you have to break TLS… just have to turn that into a cost/benefit analysis as opposed to what happens if you don’t. Might also lean on whatever Cyber Insurance they have (they don’t think their regular business insurance covers cyber incidents, do they?) requires. If their cyber insurance doesn’t require TLS decryption (or something that can only be achieved by decryption) then you actually don’t have to do it, just make sure it won’t come back to being your fault.

I have not been involved in reviewed endpoint protection offerings. I will say that the Fortune 500 I’m at swapped to Cybereason about a year and a half ago, but we also pass all traffic through firewalls that do decryption….

Great points all around. In the end youre right it’s all about cost/benefit. Not everyplace needs it and it does require a lot of time . Regulatory requirements being what they are.

For what it’s worth I’ve been playing with Squid Proxy and SquidGuard and although not the cleanest solution when compared to commercial offerings, it’s free and it works. Maybe for my smaller clients this may be something.

I appreciate your feedback on this.

Edit: to be clear with m using the Squid services for both decryption and url filtering. Reading my response I felt I wasn’t clear on why I was using these tools.

Generally speaking managing Squid for smaller clients is not really worth it for if you bill for the time it takes to troubleshoot it and support it. It’s not a “Set it and Forget” type of tool. Sites will have issues, you will need to deal with those issues.

Doesn’t squid still require the use of a local cert. copied out to all your clients to see the traffic? Or are you using it to block encrypted URLs? Does it also block by direct IP address? Clever users will avoid DNS filtering with direct IP address entry.

I use E2Guardian for filtering, but its time is quickly coming to an end because even the local cert. to do man in the middle will be ending when the browser checks to see if the cert. matches the destination without going through a middle ground cert. At the moment I don’t deal with this and force un-encrypted DNS so I can grab the URL and block it.

So far in my testing, SquidGuard/Squid does not require installing a cert on any device if SSL interception is turned on with the mode set to Splice All.
I injested the UT1 blacklist and using group ACLs I am able to permit/deny based on category. Solution is fine although I would prefer a better blacklist - maybe paid subscription to use.

There is an option in SquidGuard to deny IP addresses in URL. Havent tested it so don’t know if it works.
Lastly, I deny all other DNS servers except for local in my firewall rules and I use PfblockerNG to deny DoH/DoT. Not elegant but so far testing shows its working.

Since e2guardian is somewhat based on squid, I’ll have to ask about that splice all mode. But there will be a day where these blockers no longer work and we will need to figure out another way.

We run our networked in a “walled garden” mode which only allows what I list, sounds very similar to your network.

Here is my 2 cents on this:

When it comes to security, I would not go with an open source setup (e.g. Squid). No open source project in the world has enough security intelligence to properly protect you. Feeding it some publicly available black lists won’t do much for you. Attacks these days are highly sophisticated, and the really dangerous stuff is usually zero-day.

You want a commercial product from one of the big players because they have their own security research operations that really know what the threat landscape looks like at any given day and update their products accordingly.

There are “cheaper” variants available, something like Sophos XG or Fortinet’s Fortigate firewalls that won’t break the bank and give you infinitely more security than a DIY squid proxy that has to rely on non-commercial public domain security feeds. You also get support, which should not be neglected.

All of these commercial frewalls / web gateways can handle TLS 1.3.

1 Like

I would throw CheckPoint as a cheaper option as well.

Honeslty, hard to argue. The reality is what Bruce pointed out above. You’re going to be paying for security somewhere.
I got customers with not that deep pockets so the reality is that getting a Palo is just out of scope for them. I get it but I try to tell them you cant do this stuff on the cheap. The reason the commercial firewalls are huge is that they offer something that free never could - consistency. I know I will always have up-to-date AppIDs. I know the PAN URL filtering is always getting modified.
That being said, its also about providing a “value add”. For the customer or consumer who doesn’t want to put a PA-3250 in their home or 30 people business or the school district with tight pockets , to that I say Squid and SquidGuard. The only issue I’m having is finding a decent .tgz blacklist file. UT1 is ok but its missing things.

cheaper than palos…but is it really cheap tho?

Checkpoint isn’t cheap at all. It’s once of the most expensive vendors out there, right up there with Palo Alto. Yes, they have some small business stuff, but that isn’t really the full Checkpoint product. It’s cheap and you get cheap.

For those customers that have not so deep pockets, I would always consider a SASE / SSE product, e.g. cloud. Cloudflare One is really good and has a free plan available. Gives small businesses everything they need. A full-featured secure web gateway (called Cloudflare Gateway), and a full-featured Zero Trust network access solution (Cloudflare Access). Cloudflare Gateway comes with a L4 firewall, a L7 proxy with SSL decryption, malware scanning and URL filtering. It’s easy to set up, and easy to deploy (simply install an agent on all devices or run a cloudflare tunnel to connect entire networks).

Highly recommended.

Perimeter 81 is also making strides in the security field, they just recently added web/url filtering to their SWG and malware scanning will come next quarter. All around good product, as well.

These cloud based SASE / SSE solutions really bring enterprise grade security to the small business at affordable prices and next to zero opex.

good stuff here. thank you

Just an update. Squid randomly breaks apps that we’re just working a day before. There is no MITM or filtering taking place. Just enabled the package and got reporting in Squid reports.
I agree, proxying needs not to be done on the pfsense. A dedicated appliance perhaps is most likely the way to go.

tls is only one part… you could use tls1.2 with DES encryption … you have your choice of encryption suites to support or not.

Also known as a cipher, algorithms are the rules or instructions for the encryption process. The key length, functionality, and features of the encryption system in use determine the effectiveness of the encryption.
using Perfect Forward Security with ECDHE-[RSA], ECDHE-[ECDSA] is pretty uncrackable.

Are you thinking that TLS 1.2 is easy to be cracked? The math doesn’t agree with your impression

Huh? Not sure if your reply was meant for me or someone else.

It’s certainly more work to monitor from the firewall, you’re going to get so much data it’ll only be useful for after the fact. Even then, sorting through it all will be a nightmare.

What useful data are you looking for inside of the encrypted tunnel? You already have the URL from DNS / SNI / Header information.

If data loss prevention is your end goal, you need classification (Software that adds metadata to documents/files based on its contents) software and some sort of DLP solution. You need to lock down the environment and restrict what users are able to do. What you really need is something installed on each endpoint / file servers that watches files (when they’re opening / written / deleted).

Varonis does this: Data Loss Prevention Software | Varonis
There’s also an open source version for tripwire, but no pretty GUI.

Found this article that might have a few more: What Are Open Source File Integrity Monitoring Solutions? | RSI Security