Home Network Design
-
I have a Brocade ICX6450-24P which is an older device but it's a real enterprise switch with all the features you could ever want. It has 2 fans but they are not too loud. I swapped them out for quieter ones and it never gets hot. I only ever run a few APs from it though.
They can be had surprisingly cheaply when they comes up for sale. The 6430 model even cheaper.Steve
-
@jt40 said in Home Network Design:
@bpsdtzpw I'm using it, but I find it very weird.
This is the SHA a84c393949a841252f20085b9c33c120f6711f15I can't find that cert at https://crt.sh , which contains info on network certs issued by most reputable CAs. Also duckduckgo and google don't show any matches. Please post the cert's serial number.
-
@bpsdtzpw Serial number: 4200000210619acc88
-
I just purchased this https://store.ui.com/products/unifi-ap-6-lite
Am i good to use such PoE convertor? 802.3af PoE Injector (48v)Unifi-ap-6-lite requirements:
Supported voltage range 44 to 57VDC
Max. power consumption 12WIt seems good :D
I gave up on the PoE switch, it was not available :D , maybe in the future I'll think to some 10 ports switch only to use PoE.
As usage, I can only think of videocameras for now. -
@bpsdtzpw It's possible that Kaspersky is doing something with it, but normally the cert should not be changed...
In any case, on the EMEA website there are all the product informations, but not on the international version, probably US.
https://eu.dlink.com/uk/en -
@jt40 said in Home Network Design:
Am i good to use such PoE convertor? 802.3af PoE Injector (48v)
Are you not just buying their injector?
https://store.ui.com/collections/unifi-accessories-poe-injectors/products/u-poe-afBut yeah if its an af injector you should be good. Make sure it supports gig.
-
As long as you don't have one of their older models that uses non-standard 24V PoE. Like I do.
Those were all supplied with injectors though AFAIK.Steve
-
@johnpoz Good point, I totally ignored it :D .
I struggled to find it on the official website, anyway it's all out of stock.
I found it on another store, the only difference seems to be a label (UPOE instead of only AF), I didn't spot anything else, it's probably original :DI think I need to use iperf from the phone to test it, I don't have 1 Gbit or so.
Thanks a lot for the heads up. -
@stephenw10 I bought the latest AP model, if that's what you are referring to.
Regarding the parts, I don't have a way to check it now, I don't know if my AP was produced in 2020 or 2018, so to say. -
The AC-LR I have is pretty clearly labelled 24V and it's a few years old now. I doubt you have that.
-
@jt40 said in Home Network Design:
@bpsdtzpw Serial number: 4200000210619acc88
This cert does not exist on https://crt.sh . The only hit that Google returns is this conversation. I suspect you're running Kaspersky and it's MITMing your https connections, thus giving this alternate certificate chain. What happens if you use the same browser to navigate to https://www.amazon.com , and look at the cert chain? It should be www.amazon.com -> DigiCert Global CA G2 -> DigiCert Global Root G2 . If there's Kaspersky in there, it's MITMing your connection.
-
@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options. -
@jt40 said in Home Network Design:
@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.Yeah, that's how HTTPS scanning typically works, since the encryption is assumed to be (should be) unbreakable. So the scanner acts as a proxy between your browser (system, if the scanner installer put its root cert in your system root store -- shiver!) and the website. That is, your browser forms an HTTPS connection to the scanner, which allows the scanner to decrypt the traffic and scan it, then the scanner forms an HTTPS connection to the website.
The browser-to-scanner connection is thus encrypted with the key from a cert with a wildcard DNS name that matches every possible website. This leaf cert is then signed by a root cert for the scanner "CA". The scanner's installer installs that root cert in your browser's root store so that the browser recognizes the leaf cert as valid.
All this rigamarole means that you can no longer use the browser to determine what cert chain the website actually uses. You need |dig| or some other such tool for that.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.
Your scanner should provide some UI to disable HTTPS scanning.
-
@bpsdtzpw said in Home Network Design:
Your scanner should provide some UI to disable HTTPS scanning.
This! There is no possible way the benefit of whatever that software is doing that would be worth giving them access to all the encrypted stuff you might be doing - login to your bank accounts for starters..
-
@johnpoz Ya. FWIW, Kaspersky is based in Russia, and is currently banned on U.S. government systems and those of U.S. government contractors and subcontractors. https://www.wsj.com/articles/u-s-government-formalizes-kaspersky-ban-11568194206 ; https://www.securityweek.com/kasperskys-us-government-ban-upheld-appeals-court . But any scanner (ha! any program!) with network access creates potential risks. There is no free lunch in this area.
-
@johnpoz said in Home Network Design:
@bpsdtzpw said in Home Network Design:
Your scanner should provide some UI to disable HTTPS scanning.
This! There is no possible way the benefit of whatever that software is doing that would be worth giving them access to all the encrypted stuff you might be doing - login to your bank accounts for starters..
@bpsdtzpw said in Home Network Design:
@jt40 said in Home Network Design:
@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.Yeah, that's how HTTPS scanning typically works, since the encryption is assumed to be (should be) unbreakable. So the scanner acts as a proxy between your browser (system, if the scanner installer put its root cert in your system root store -- shiver!) and the website. That is, your browser forms an HTTPS connection to the scanner, which allows the scanner to decrypt the traffic and scan it, then the scanner forms an HTTPS connection to the website.
The browser-to-scanner connection is thus encrypted with the key from a cert with a wildcard DNS name that matches every possible website. This leaf cert is then signed by a root cert for the scanner "CA". The scanner's installer installs that root cert in your browser's root store so that the browser recognizes the leaf cert as valid.
All this rigamarole means that you can no longer use the browser to determine what cert chain the website actually uses. You need |dig| or some other such tool for that.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.
Your scanner should provide some UI to disable HTTPS scanning.
I don't think that it works in that way, the proxy acts as an third party entity that makes the request.
The scanning of encrypted communications doesn't work on the whole communication, it works on the header mainly, or only the header.
The content (body) of the communication it's encrypted end to end, there is no way a proxy or scanner can decrypt such data, it's alwasy the browser (endpoint) to manage the communication with the keys, the keys are not managed in anyhow from the AV, it would be a great zero day for a browser.This is what I know about it, but I could investigate more with Wireshark...
@bpsdtzpw said in Home Network Design:
@johnpoz Ya. FWIW, Kaspersky is based in Russia, and is currently banned on U.S. government systems and those of U.S. government contractors and subcontractors. https://www.wsj.com/articles/u-s-government-formalizes-kaspersky-ban-11568194206 ; https://www.securityweek.com/kasperskys-us-government-ban-upheld-appeals-court . But any scanner (ha! any program!) with network access creates potential risks. There is no free lunch in this area.
The story in US is like the one with Huawei, shall I comment? :D
The problem with KS is that it was in use by sensitive government institutions, so there was an obvious fear which lead to the ban, aside that, it's only cosmetics I guess.Last thing, no banking with Windows, are you joking guys? :D
-
@jt40 said in Home Network Design:
The scanning of encrypted communications doesn't work on the whole communication, it works on the header mainly, or only the header.
The content (body) of the communication it's encrypted end to end, there is no way a proxy or scanner can decrypt such data, it's alwasy the browser (endpoint) to manage the communication with the keys, the keys are not managed in anyhow from the AV, it would be a great zero day for a browser.That's exactly what it does. It breaks the end to end encryption. It can see everything in the connection. If it couldn't it wouldn't be able to scan anything.
Steve
-
@jt40 said in Home Network Design:
no banking with Windows
I don't think anyone said that - what I said is I wouldn't run some software that does MITM on my https connections..
I bank on my windows machine and even my phone all the time - but what I don't run is some so called "security" software that breaks my end to end encryption to "protect me" ;)
-
@jt40 said in Home Network Design:
I don't think that it works in that way, the proxy acts as an third party entity that makes the request.
The scanning of encrypted communications doesn't work on the whole communication, it works on the header mainly, or only the header.
The content (body) of the communication it's encrypted end to end, there is no way a proxy or scanner can decrypt such data, it's alwasy the browser (endpoint) to manage the communication with the keys, the keys are not managed in anyhow from the AV, it would be a great zero day for a browser.That is how deep inspection works. See, e.g., https://www.fortinetguru.com/2019/11/ssl-inspection-certificate-inspection-deep-inspection/ .
When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.It's possible to inspect only the (unencrypted) SSL handshake without MITMing the connection with a pseudo-CA cert, but the fact that your config returns a Kaspersky "CA" cert in the chain to the target website indicates that you're using deep inspection. My non-MITM config returns the chain dlinkmea.com -> cPanel, Inc. Certification Authority -> COMODO RSA Certification Authority , which is exactly the chain indicated by https://crt.sh/?id=5515086855 .
This is what I know about it, but I could investigate more with Wireshark...
Yep.
You can also ask your browser to display the cert chain to dlinkmea.com . I think what you'll see is SAN (subject alt name) *.* -> Kaspersky intermediate CA -> Kaspersky root CA.
-
Thank you all, that has been an interesting conversation.
When I made the setup, I was probably not aware of it, or I wasn't concerned about it, as long as KS doesn't send these data somewhere, which I doubt, I'll still run an investigation though.
For the moment, what I know is that the traffic is not enough to dump something on their servers, as well as the addresses that it reaches, they are meant for specific purposes and I guess that security measures are in constant review.
On top of that, something like that would crack down the company forever, as a security company I'm pretty sure that no one is pushing thecode skipping the audit process in the build...
