What is your response to someone telling you "pfSense is not a NG firewall and you should be using one"?

Without a certificate proxy, at best you can use DNS to see what website the host requested, i.e. https://www.google.com, and what node responded (google.com), but not what’s being requested.

The other way is using a proxy server that acts as an intermediary with a certificate, i.e. the host requests https://google.com via an intermediate cert tunnel, and the proxy establishes the actual HTTPS session via Google’s registered cert. All traffic is still encrypted from those without access to the proxy.

Well, your friend is right.
If you want all the bells and whistles and state-of-the-art NGFW features and security and speed, then you will have to pay for it, because maintaining the lists for all kinds of threats (bad IPs, viruses, bad websites, etc) is a 24/7 job that no “free” stuff on the Internet can cover adequately.
Yes, the plug-ins you can add in pfSense are cool and do work for some threats, but it is a far cry from what CheckPoint, Juniper, Palo, Fortinet, etc can offer in terms of coverage and ease of use if you have a business to manage and projects to run and don’t want to get ransomwared by a mis-click from one of your users.
Plus, having IPS/IDS/AV/WEB/DeepCertificateInspection enabled requires processing power that pfSense can only get from the CPU, versus specialised ASICs on commercial firewalls. If security AND speed are a must when using all these security features, then it is a major selling point.

It is also the reason why I switched from pfSense to Fortinet. The same $600 FG-60F from Fortinet runs circles around the Netgate SG-5100 and the ease of use is miles ahead. Try to route at 10Gbps with IPS, AV and Web Filtering while video broadcasting and voice are running and you will understand the difference quickly.

I still use pfSense for my labs and other personal stuff, but anything commercial is now behind a Fortigate firewall.

Aside from the fact that almost all of the major manufacturer firewalls have ALL been hit by numerous 0 day attacks, Fortigate being one of the frequent names mentioned. Don’t get me wrong, I believe in the stability of these items but nothing is perfect. I’ve used and evaluated many of the major manufacturers but hate the piecemeal approach towards licencing, which makes it almost impossible for smaller entities to be able to afford all the multiple bells and whistles that they need to implement to truly best-secure their networks and equipment.

pfSense was one of my best options for multi-wan, vpn, and many of the bells and whistles that help me keep a few choice systems operational.

So what happens now with DNS over TLS/HTTPS? That seems to be implemented by all the major web browsers now, except maybe Safari. Firewalls won’t be able to see DNS requests anymore, right? At least not from those browsers if that setting is enabled.

I’ve heard conflicting statements from IT pros on the issue of encryption and firewalls, IPS, and IDS systems. Everything from “it’s over” to “not a big deal”. What can firewalls and IPS see exactly, in a pervasive encryption situation? IP addresses must still be exposed, right, in order to route traffic? What else is not encrypted when you have HTTP/2 with TLS, which I assume is on top of TCP and say IPv6, on top of Ethernet? What’s exposed in that scenario, beyond an IP address?

I’ve also read that TLS handshakes or session establishment are transmitted in the clear, which surprised me. If a user has been to a site before, doesn’t the browser retain a key or something for all subsequent sessions, so that it can be encrypted from the get-go?

On the man in the middle method of certificate injection, I think it’s supposed to break lots of sites. When I did it with traffic tools like Fiddler it broke sites. I wonder if it works better with Wireshark.

Fortigate, as any other commercial brand and pfSense included, is not perfect security-wise, but you are closer to that said perfection with them than without. And I really doubt your comment about seeing Fortinet’s Fortigate mentioned frequently unless you have links to said things.

This is fixed by TLS 1.3, the SNI is now encrypted as well. The way I understand it, the web server now uses one certificate for itself, and a separate certificate for the actual website you’re reaching. This is because a server can have multiple websites.

https://blog.cloudflare.com/encrypted-sni/

Just like a lot of other branded names, there are often several.

There were others, just haven’t searched for them.

As I said, branded names being more widespread are often a higher target footprint but my comment still stands - it’s almost impossible to be totally secure.

The good thing is: those security issues on OLD firmware versions have all been patched - thanks to Fortinet for still doing that for their customers and with assisted support. If you run (as you should) an updated FortiOS, you will fare better and are not subject to these.
Again, pfSense is good, but there are other firewalls that do better - but for a price.

I thought TLS1.x (3 or 4) made detection of man in the middle a priority so that the browser would warn you if there was another certificate in the middle. I don’t remember the specific version, and only read about it in passing so I may have things wrong with this (and would appreciate the schooling right or wrong).

Absolutely agree. The communications world has become a minefield, and if companies like NASA, LG, the US Government and many, many large names can be infiltrated, having something that is updated rapidly is paramount to survival. I’m not knocking the major names aside from their licencing practices that are exorbitantly too expensive for small enterprises - and all need regular updates and someone policing them. pfSense is a great set of tools to help protect the smaller masses for a reasonable price point (Supported) or for free.

That’s really done via certificate pinning, where the certificate signature is distributed via DNS alongside the IP, which itself is protected from MitM by DNSSEC. It’s not related to TLS version per se, although there might be improvements to it.

Doesn’t Cisco use Snort as its IDS/IPS? They bought it a few years ago, and you can license the good updated rules if you want to run them on pfSense with the Snort package. You can use the rules on Suricata too.

So what happens now with DNS over TLS/HTTPS? That seems to be implemented by all the major web browsers now, except maybe Safari. Firewalls won’t be able to see DNS requests anymore, right? At least not from those browsers if that setting is enabled.

DoT/DoH encrypt DNS queries. However, endpoints are still a toss-up (name server, tld, etc)

What can firewalls and IPS see exactly, in a pervasive encryption situation? IP addresses must still be exposed, right, in order to route traffic? What else is not encrypted when you have HTTP/2 with TLS, which I assume is on top of TCP and say IPv6, on top of Ethernet? What’s exposed in that scenario, beyond an IP address?

I would suspect, like anything else that’s encrypted, all the firewall can see is data, but not what the data is. Certainly the gateway firewall will be able to see what nodes (or hops) are sending and receiving data, but not necessarily what the data is. I.e. you are accessing 8.8.8.8, which is Google DNS, but not whether you are using it for DNS or why. With IPv6 it gets worse, because every user will be able to have a static IP assigned to them like a social security number if they decide to go that route.

In fact, I think there are so many addresses in IPv6, each DEVICE can have its own IP address.

It’s hard to tell what is and isn’t exposed based on the number of variables: what protocols are being used, for what services, against what firewall hardware/software, and more.

I would always assume baseline “your (or your VPNs)” IP is being transmitted.

Honestly, I’m just a layman going off my understanding of what I have read over the years.

Of the choices the only “AAA” product I would recommend would be Palo Alto providing the client had very deep pockets.

Keep in mind that most businesses that budget for security are moving to zero trust networks. The days of relying on firewalls are long gone. I suggest that if clients want to protect their infrastructure, especially with cloud adoption and remote work, they look at solutions like Zscaler. Spend less on the perimeter and shift their budget to endpoint and authentication solutions.

I’m still struggling to grasp what the “Zero Trust” approach comes down to, beyond better auth like 2FA. It doesn’t seem to do anything about the gaping flaws in how the software industry builds software, the lack of innovation and any progress in programming language design, tools, testing methodology, etc. As long as software and OSes are built in a way where a human programmer’s typo or error can result in random strangers on the internet being able to execute their own code on your computer or server, well, we’re just whistling Dixie. Some of the Google security team’s reports are phenomenal, like the Norton enterprise endpoint garbage where you could just email the target a specially corrupted data file and the mere scan of that file by Norton tripped an overflow or something and allowed remote code execution. If that’s how bad even endpoint security software is, then it’s not really progress over firewalls.

We used to install pfSense quite a bit many years ago; I was playing with it when it was still in beta…as playing with various *nix firewalls was a hobby of mine back then. But for businesses, we prefer full UTM appliances. I’ve played with quite a few, and we got on board with Untangle back around 2006 or so (when it was version 5). Became a reseller back then, and the features that full UTMs have are features we want to help be one of the layers of protection for business networks. I know pfSense has a few “add-ons” which make it almost sorta a very basic entry level UTM…almost. But still, compared to a product that is designed to be a UTM first…pfSense can’t hold a candle.

I’m going to be the voice of dissent here. The “NG” in the name doesn’t really seem like it is “next” at all in my opinion (and please, please, please prove me wrong). The benefits you are supposed to be getting (single point AV, spam, and phish blocking) are only effective for non-TLS communication, or if you are using a proxy with a site-wide trusted cert to MITM all communication (and don’t use Chrome + Google in that configuration). We don’t have a single customer still using on-prem Exchange, and even if they did, we wouldn’t be accepting email over non-TLS SMTP, so all of those email protections are immediately useless. All of our clients take their laptops off-site, so that single-point AV (requiring a major deployment initiative) is essentially useless as well.
I don’t have much experience with some of these vendors, but setting up firewall rules in SonicWall and Sophos is ridiculously difficult (define the service, define the host, define the end-point, create the rule), and makes port auditing almost impossible. I mean, where do I find the list of all of the ports that are open? Oh, I forgot to go to the next page and missed several in my audit? Oh, I went back and forgot to go back to the first page and missed some more? Oh, I need to figure out what ports are assigned to that service? Oh, I need to figure out what host that port is pointed to? And don’t get me started on how huge a PITA it is to figure out what someone else did when they configured that firewall 2 years before you took over.
Finally, I’ll point out that pfSense makes it extremely easy to push all of my firewall logs to a centralized logging facility, so I can build a consistent set of reports for all of my clients (and do some fun comparison reports as well), making auditing and reporting across all of my client base easy-ish (not easy, I still have to build and manage the queries and dashboards, but once you’ve got that down…).
The basic point is that I’m not sure that I see any value in bells and whistles that don’t address the current state of the world. Those things would have been awesome in 2004. Today they don’t seem relevant.


Just for fits and giggles I decided to download the latest OPNsense and install it. Damn, I think that’s one crazy confusing product (IMHO), as after using pfSense for so long I can’t get my head around OPNsense.

They say KISS for a reason…

Unless Sophos/Palo Alto/Fortinet give a non-piecemeal product that I don’t have to bolt on what I want, pfSense is still my goto…


I managed a few Sophos firewalls a few years ago and I have to agree and will never recommend them. From an MSP point of view it was a nightmare for starters with licensing, wrong registration, etc, and their units were fragile and often DOA when we unpacked them to configure.