Is it permissible to add Google's address range 172.217.0.0/16 to the passlist?
-
When using Suricata, I often see that IP addresses within Google's range 172.217.0.0/16 are being blocked and I have to manually add them to the suppress list. However, since these addresses are exclusively used by Google and are harmless unless someone is hosting a personal service on them, I would like to add the entire 172.217.0.0/16 range to the passlist. What approach do you take in such cases?
-
@Yet_learningPFSense What rule/port/protocol is being triggered? I guess I’d wonder why they’re showing up enough to ask about allowing them.
-
@SteveITS Thank you very much. I think I'll do some more research to see if it's used in QUIC.
-
The HTTP_INSPECT rules are nearly useless these days with everything being HTTPS. They are prone to lots of false positives.
My suggestion is to disable that category entirely. You can easily do that using the SIG MGMT tab feature.
-
@bmeeks Thank you. I had thought that Snort also analyzes suspicious packets within HTTPS, but it seems it is not actually useful. If possible, I would like you to make efforts to install a certificate on the PC like Fortigate's HTTPS inspection, so that HTTPS can also be analyzed. It would be much easier if the HTTP category could be completely disabled.
-
@Yet_learningPFSense said in Is it permissible to add Google's address range 172.217.0.0/16 to the passlist?:
If possible, I would like you to make efforts to install a certificate on the PC like Fortigate's HTTPS inspection
It takes much more than just installing a certificate on the firewall for MITM (man-in-the-middle) SSL interception to work. For starters you need a proxy running on the firewall, all of your clients must be instructed to use that proxy, and you must either install the proxy's CA cert on each client and tell the client to trust it, or you will have to procure your own globally registered/trusted cert.
MITM interception is not easy to do, and there is a legitimate debate about how ethical such network actions really are.
Comparing commercial high-cost products to free open source software is not valid. How much do you pay Fortigate for that "one-click" HTTPS inspection ability? Contrast that with how much you paid to use pfSense CE .
-
@bmeeks Thank you very much. I apologize for realizing that it's not something that can be easily achieved.
-
@Yet_learningPFSense Some antivirus such as the Bitdefender cloud service we use for all our clients can do it on the endpoint which at least protects PCs.
One thing about doing it yourself is the need to update the certificate each year on all devices. -
@SteveITS Thank you very much. I heard that even current antivirus software can be bypassed by creating viruses that can evade detection through pre-testing by attackers. However, if they are using AI for checking, it might be possible to detect them. I would like to consider using it.