SSL Inspection and pfSense

Hi everyone! I’m a one-man MSP with my largest client being about 50 users across 3 locations. Until now, I’ve been deploying EdgeRouter 4 devices and also manage a few Barracuda and SonicWall appliances. Most of my smaller clients don’t want to spend the $1,000+/year on the licensing for the Barracuda or SonicWall devices.

I’m also seeing that the ER line is “just ok” as a firewall, so I’m looking for something in the middle I can offer to clients.

I’ve been watching some of the Lawrence Systems videos on pfSense and think that might be a great product offering. My one question is surrounding the lack of SSL inspection. The Barracuda and SonicWall devices support SSL inspection, but I’m wondering how important that is in the grand scheme of security?

I have run into issues before with SSL inspection because of how it signs the data after scanning it on the way in. It’s caused me to have to add exceptions for multiple applications like remote access software and VoIP devices that failed to register.

Does anyone have any thoughts on the implication of not having SSL inspection?

I was looking at buying the Netgate 2100 for my house so I can get familiar with pfSense. I don’t like to sell anything that I haven’t fully vetted.

Excellent videos by the way. I really appreciate you taking your time to create such excellent content and your willingness to share your knowledge with people that are in the same space. I’ve learned a lot from your videos.
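The registration failures described in the post above (remote access agents, VoIP phones) come from the same mechanism that makes inspection work for browsers: the firewall terminates TLS and re-signs a fresh certificate for the destination with its own CA. A workstation that has that CA installed accepts the new chain; a device that never received the CA, or a client that pins the vendor's public key, rejects it and has to be excepted. The script below is an added example, not code from the thread or from any firewall vendor, and it builds everything locally with openssl: the CA names, voip.example.com and the helper names (spki_pin, chain_ok, pin_ok and the five case functions) are all made up for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Demonstrates why a TLS-
# inspecting firewall is transparent to a browser that trusts the inspection
# CA but breaks a pinned or CA-less client. All certificates are generated
# locally; "Origin Root CA", "MSP Inspection CA" and voip.example.com are
# made-up names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The real service: a leaf for voip.example.com signed by the origin CA
#    (stands in for the public CA the VoIP vendor uses).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Origin Root CA" \
  -keyout origin-ca.key -out origin-ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=voip.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in leaf.csr -CA origin-ca.pem -CAkey origin-ca.key \
  -CAcreateserial -out leaf.pem 2>/dev/null

# 2. The inspecting firewall: it terminates the client's TLS session and
#    presents a freshly minted cert for the same name, signed by its own CA
#    with its own key pair. This is the "re-signing" the post refers to.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MSP Inspection CA" \
  -keyout mitm-ca.key -out mitm-ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=voip.example.com" \
  -keyout mitm-leaf.key -out mitm-leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in mitm-leaf.csr -CA mitm-ca.pem -CAkey mitm-ca.key \
  -CAcreateserial -out mitm-leaf.pem 2>/dev/null

# Base64(SHA-256(SubjectPublicKeyInfo)): the value a pinning client stores.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Exit 0 when the presented cert ($2) chains to the trust anchor ($1).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 when the presented cert ($2) carries the pinned public key of $1.
pin_ok() {
  [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

# The cases an MSP runs into:
#  browser_direct    - workstation, no inspection, public CA trusted
#  browser_inspected - workstation with the inspection CA deployed
#  no_ca_inspected   - a phone/appliance that never received the inspection CA
#  pinned_direct     - client pinned to the vendor key, no inspection
#  pinned_inspected  - the same pinned client behind the inspecting firewall
browser_direct()    { chain_ok origin-ca.pem leaf.pem; }
browser_inspected() { chain_ok mitm-ca.pem mitm-leaf.pem; }
no_ca_inspected()   { chain_ok origin-ca.pem mitm-leaf.pem; }
pinned_direct()     { pin_ok leaf.pem leaf.pem; }
pinned_inspected()  { pin_ok leaf.pem mitm-leaf.pem; }

report() {
  if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report browser_direct
report browser_inspected
report no_ca_inspected
report pinned_direct
report pinned_inspected
```

Only the first, second and fourth cases are accepted. The third and fifth are exactly the devices that "fail to register": an appliance with no way to install the inspection CA, or a client that pins its vendor's key, cannot be made to trust the re-signed certificate at all, so the only fix is to exclude that destination from decryption (on a Squid SSL-bump setup, a splice rule instead of bump). The check is also a cheap way to find out whether a path is being intercepted: compare the SPKI pin of the certificate you see with the one the real server serves from an uninspected network.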

It depends on whether the clients need that. When they do, we use an Untangle firewall, or when they are fully managed we can do the filtering with the endpoint tools provided via N-Able.

Is there a metric you use to make that determination? Such as industry, storage of PII, HIPAA requirements, etc.?

I wouldn’t recommend deploying a firewall without SSL inspection. It’s another layer of security that could avoid a breach.

This thread is a bit old, I found it while researching whether pfSense is capable of decrypting SSL.

I have to agree with @FredFerrell here. In this day and age, where 90+% of the web traffic is SSL encrypted, using a firewall that can’t look inside that traffic is dangerous. You’re completely blind to the most important protocol on the Internet that is used for literally everything today.

I think you can configure the Squid proxy on pfSense to decrypt SSL, but I wouldn’t consider it a viable option, because you will only look at proxied content and the malware scanner of pfSense is useless. pfSense’s IPS is also incapable of scanning proxied traffic.

I’d never use any open source firewall in a business environment. They are just not up to the task. They not only lack in features, but more importantly, they lack in security intelligence. No quality URL filters, no quality threat prevention engines, no nothing.

Trying to save money here is going to hurt you eventually.

Untangle is both open source and has filtering capabilities, but those are a paid option of Untangle. So it’s not really an open source issue; it’s that those features are expensive to properly maintain.