Netgate Discussion Forum

Pfsense has DPI with SSL / TLS / SSH Decryption?

Firewalling
12 Posts 4 Posters 8.5k Views
  • emmanuelsiqueira
    last edited by emmanuelsiqueira Dec 30, 2020, 12:39 AM Dec 30, 2020, 12:08 AM

    Pfsense has DPI with SSL / TLS and SSH Decryption?

    1 Reply Last reply Reply Quote 0
    • Gertjan
      last edited by Gertjan Dec 30, 2020, 8:47 AM Dec 30, 2020, 8:41 AM

      Hi,

      Short answer, which covers 99.9 % of all use cases: No.

      Slightly longer answer: visit any https:// web site, and have a look around on the net for what the "s" in https means. You'll find out that, basically, any traffic going to and coming from that site (location) is encrypted, and can only be used by your browser and the remote web server.

      So, your router

      [image]

      would probably need many of these

      [image]

      just to try to "crack" the encrypted data.

      "Try" because it hasn't been done yet. I guess I'll add the silly remark that the Mossad, KGB, NSA, etc. are still really trying in their basements - and be sure they won't make it open source if they pull it off. If someone else does (Wikileaks 2!), the Internet as we know it will fall.

      So, a better answer:
      You have to make the browser on your PC trust the device where you do your MITM schemes.
      This means that, when your browser asks for info from https://whatever.site.tld, your pfSense router will proxy and handle that demand for your browser. Of course, your router cannot reply with a "here is the 'whatever.site.tld' certificate, we can discuss safely": the "whatever.site.tld" cert has to be generated in real time, which is difficult, because you do not own the domain name "whatever.site.tld". This is an important limitation, which prohibits people from obtaining certificates as "updates.microsoft.com" so they can propose 'patched' versions of OS updates ..... and again the entire electric industry will fall tomorrow.

      How it's done today: As said, your browser has to trust your local router, pfSense. This means that you, as the admin, have to have every device that is going to use your proxy so you can install that "your.pfsense.tld" as trusted.
      Your browser asks for "whatever.site.tld" and receives an answer from "your.pfsense.tld", which it now trusts. Your pfSense router is now capable of 'decoding' the TLS traffic, doing DPI on the packet data and taking whatever action based on what it finds; it connects to the original "whatever.site.tld", does the request on your behalf, gets back the answer, has access to the answer "in clear", and uses the trusted "your.pfsense.tld" connection to your browser to finally send back the results, again encrypted.
      Your pfSense router is now the MITM.

      Today, in 2020, more and more certificates are tagged with the info that they can NOT be redirected by using another "your.pfsense.tld", which means that all the big media sites cannot be proxied this way == no DPI for them.

      Anyway : what do you want ?
      https to protect you and every body else ?
      Or :
      Break https ?

      For now, you can't have both.

      Edit : what's still possible : do the DPI on the device that emits the traffic. I know that's actually not an option, but it will work now, and tomorrow.

      Edit2: Install Youtube and look at some videos that have the MITM keyword. It's pretty hardcore, but you were asking for it.
      Look up some @bmeeks forum posts about this subject - he is here most of the time. These will make you understand that you're asking for a can of worms.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      J E 2 Replies Last reply Dec 30, 2020, 11:46 AM Reply Quote 1
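The mechanism Gertjan describes in the post above, a local CA that every client has to trust and a certificate for "whatever.site.tld" minted in real time by the proxy, as an added example. This is not code from the thread, from pfSense or from Squid; it is a stand-alone illustration. It builds a throwaway CA, forges a leaf for the requested name the way an intercepting proxy does for each connection, and then plays the browser: once on a device where the CA is installed and once on a device where it is not. The type and function names (InterceptingCA, MintLeaf, BrowserAccepts) are hypothetical; "your.pfsense.tld", "whatever.site.tld" and "updates.microsoft.com" are the names used in the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptingCA stands in for the CA that the admin installs on every client
// ("your.pfsense.tld" in the post). Hypothetical type, not a pfSense/Squid API.
type InterceptingCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewInterceptingCA creates a self-signed root valid for one day.
func NewInterceptingCA(name string) (*InterceptingCA, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InterceptingCA{Cert: cert, Key: key}, nil
}

// MintLeaf is what the proxy does per connection: issue, on the fly, a
// certificate for the name the browser asked for, signed by the local CA.
func (ca *InterceptingCA) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserAccepts plays the client: it validates leaf for host against the given
// trust store the way a browser does. nil means padlock, an error means a warning.
func BrowserAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, err := NewInterceptingCA("your.pfsense.tld")
	if err != nil {
		panic(err)
	}
	withCA := x509.NewCertPool() // a device where the admin installed the CA
	withCA.AddCert(ca.Cert)
	withoutCA := x509.NewCertPool() // a device that never got it (empty store)
	for _, host := range []string{"whatever.site.tld", "updates.microsoft.com"} {
		leaf, err := ca.MintLeaf(host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s CA installed: %v | not installed: %v\n",
			host, BrowserAccepts(leaf, host, withCA), BrowserAccepts(leaf, host, withoutCA))
	}
}
```

The "not installed" column is the certificate warning a client shows when the admin has not put the CA on that device, which is why every device behind the proxy needs it. The second row is the can of worms: once the CA is trusted, the firewall can mint an acceptable certificate for any name at all, so its private key needs the same protection as the clients' own secrets. It is also the step that pinning defeats: a client that checks for one specific key instead of any trusted root rejects the minted leaf even with the CA installed.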
      • JKnott @Gertjan
        last edited by Dec 30, 2020, 11:46 AM

        @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

        Short answer, which covers 99.9 % of all use cases: No.

        What the heck was the question?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        G 1 Reply Last reply Dec 30, 2020, 12:31 PM Reply Quote 0
        • Gertjan @JKnott
          last edited by Gertjan Dec 30, 2020, 12:33 PM Dec 30, 2020, 12:31 PM

          @jknott said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

          @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

          Short answer, which covers 99.9 % of all use cases: No.

          What the heck was the question?

          Not this :

          @emmanuelsiqueira said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

          Pfsense has DPI with SSL / TLS and SSH Decryption?

          The question was edited.
          It was more something like: "how to DPI with pfSense".

          Guess he's off watching some MITM youtube horrors. Wonder if he comes back.


          1 Reply Last reply Reply Quote 0
          • johnpoz LAYER 8 Global Moderator
            last edited by Dec 30, 2020, 12:40 PM

            What I always find funny.. is users want to hide their shit.. ISP is spying on me.. I have to encrypt everything - even my DNS.. Inside a TCP tunnel even.

            If you thought it was so easy to decrypt tls/ssh - what good would you think all this encrypting all your traffic would do?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            J 1 Reply Last reply Dec 30, 2020, 1:44 PM Reply Quote 0
            • emmanuelsiqueira
              last edited by Dec 30, 2020, 12:55 PM

              Let me know if I did well with my question?
              Pfsense has Snort with OpenAppID, right?
              Could we consider that Pfsense is a New Generation Firewall with security against ransomware or encrypted p2p connections?

              1 Reply Last reply Reply Quote 0
              • JKnott @johnpoz
                last edited by Dec 30, 2020, 1:44 PM

                @johnpoz said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                What I always find funny.. is users want to hide their shit.. ISP is spying on me..

                That's nonsense. Everyone, except Trump, knows it's the Russians spying on everyone. 😉

                I've also wondered why so many people are so paranoid. Maybe I should get into the tinfoil hat business. 😏


                J 1 Reply Last reply Dec 30, 2020, 1:59 PM Reply Quote 0
                • johnpoz LAYER 8 Global Moderator @JKnott
                  last edited by Dec 30, 2020, 1:59 PM

                  @jknott said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                  I've also wondered why so many people are so paranoid

                  Not that they are paranoid - but that they are, yet think they can click a button and defeat the encryption.. If the encryption can be defeated/circumvented/broken/spied on, then it's pretty useless encryption in the first place..


                  J 1 Reply Last reply Dec 30, 2020, 2:03 PM Reply Quote 0
                  • JKnott @johnpoz
                    last edited by Dec 30, 2020, 2:03 PM

                    @johnpoz said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                    then it's pretty useless encryption in the first place..

                    I hear ROT13 is really good. 😆


                    1 Reply Last reply Reply Quote 0
                    • emmanuelsiqueira @Gertjan
                      last edited by Dec 30, 2020, 2:37 PM

                      @gertjan Let me know if I did well with my question?
                      Pfsense has Snort with OpenAppID, right?
                      Could we consider that Pfsense is a New Generation Firewall with security against ransomware or encrypted p2p connections?

                      1 Reply Last reply Reply Quote 0
                      • Gertjan
                        last edited by Dec 30, 2020, 3:33 PM

                        @emmanuelsiqueira said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                        Pfsense is a New Generation Firewall

                        pfSense is a router/firewall based on FreeBSD. It uses "pf" (aha!) as its firewall.
                        pf is for FreeBSD what 'iptables' is for Linux.

                        pf (and iptables for that matter) handle Ethernet traffic, so-called packets, based on the headers of these packets. They do not access the data payload, which is our HTML page request, a part of an email, a VPN tunnel or whatever the payload might be.
                        The security part is based on what can be done with these packet headers.
                        NOT the payload.

                        I'm not a Snort expert (maybe @bmeeks has a link which explains it all, as he has explained everything already xx times here), but I know that Snort can't 'see' the app. It sees traffic, the packets. It should 'see' the data, the payload, to 'know' what the traffic is all about == profiling it, or what people tend to say: OpenAppID.

                        So, I tend to say : no, no security, as the payload is not visible any more.
                        To no one.

                        You might be able to filter on destination IP (the IP is part of the header) - or the URL used to access the IP (DNSBL based).

                        Again : a small Youtube session will tell you everything.

                        Snort, Squid and all alike are experts only tools.

                        @JKnott : Way too complex, go for the XOR method.


                        J 1 Reply Last reply Dec 30, 2020, 3:45 PM Reply Quote 0
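Gertjan's point in the post above, that the firewall works on packet headers and never sees the payload, so filtering falls back to things like the destination IP or the DNS name, can be checked on a real handshake. The following is an added example, not code from this thread, from pfSense or from Snort: it obtains a genuine TLS ClientHello from Go's own TLS client over an in-memory pipe (a constructed stand-in for the packet a firewall sees on the wire) and parses only the unencrypted fields of that first record. The server name the client asks for (SNI) and the list of cipher suites are readable in clear; the HTTP request that follows is not. SNI inspection goes one step beyond the IP/DNSBL filtering the post mentions, but it is still handshake metadata, not payload. Names such as HelloSummary, ParseClientHello and CaptureClientHello are hypothetical; "whatever.site.tld" is the name used in the thread.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// HelloSummary is what an inspector that never decrypts anything can still
// read off the first TLS record of a connection.
type HelloSummary struct {
	ServerName   string // SNI, sent in clear before any key exchange
	CipherSuites int    // number of suites the client offered
}

// cursor is a bounds-checked reader; sub-cursors share one "bad" flag, so one
// check at the end catches a truncated field anywhere in the message.
type cursor struct {
	b   []byte
	bad *bool
}

func (c *cursor) take(n int) []byte {
	if *c.bad || n < 0 || len(c.b) < n {
		*c.bad = true
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}
func (c *cursor) sub(n int) *cursor { return &cursor{b: c.take(n), bad: c.bad} }
func (c *cursor) intBE(n int) int { // n-byte big-endian length or type field
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// ParseClientHello walks the handshake message in a TLS record body (RFC 8446
// section 4.1.2) and pulls out the server_name extension (RFC 6066 section 3).
func ParseClientHello(rec []byte) (s HelloSummary, err error) {
	c := &cursor{b: rec, bad: new(bool)}
	if c.intBE(1) != 1 { // HandshakeType client_hello
		return s, errors.New("not a ClientHello")
	}
	hello := c.sub(c.intBE(3))
	hello.take(2 + 32)                                   // legacy_version, random
	hello.take(hello.intBE(1))                           // legacy_session_id
	s.CipherSuites = len(hello.take(hello.intBE(2))) / 2 // cipher_suites, 2 bytes each
	hello.take(hello.intBE(1))                           // legacy_compression_methods
	if len(hello.b) > 0 {                                // extensions are optional
		exts := hello.sub(hello.intBE(2))
		for !*c.bad && len(exts.b) > 0 {
			if extType, ext := exts.intBE(2), exts.sub(exts.intBE(2)); extType == 0 { // server_name
				names := ext.sub(ext.intBE(2))
				for !*c.bad && len(names.b) > 0 {
					nameType := names.intBE(1)
					if name := names.take(names.intBE(2)); nameType == 0 && name != nil {
						s.ServerName = string(name) // name_type host_name
					}
				}
			}
		}
	}
	if *c.bad {
		return HelloSummary{}, errors.New("malformed or truncated ClientHello")
	}
	return s, nil
}

// CaptureClientHello obtains a genuine ClientHello for serverName by pointing
// Go's own TLS client at an in-memory pipe and reading the first record it
// writes: a constructed stand-in for the packet a firewall sees on the wire.
func CaptureClientHello(serverName string) ([]byte, error) {
	clientEnd, wireEnd := net.Pipe()
	defer wireEnd.Close() // no server exists; the handshake fails once we have the record
	go func() {
		c := tls.Client(clientEnd, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
		_ = c.Handshake()
		c.Close()
	}()
	hdr := make([]byte, 5) // record header: type(1) version(2) length(2)
	if _, err := io.ReadFull(wireEnd, hdr); err != nil || hdr[0] != 0x16 {
		return nil, errors.New("did not get a handshake record")
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	_, err := io.ReadFull(wireEnd, body)
	return body, err
}

func main() {
	rec, err := CaptureClientHello("whatever.site.tld")
	if err != nil {
		panic(err)
	}
	fmt.Println(ParseClientHello(rec))
}
```

Running it prints the SNI "whatever.site.tld" and the number of suites offered; to inspect real traffic, feed ParseClientHello the record body from a packet capture instead of the pipe. Everything after this record is encrypted, which is the limit Gertjan describes; and a client using Encrypted Client Hello hides even this name, leaving only the destination IP to filter on.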
                        • JKnott @Gertjan
                          last edited by Dec 30, 2020, 3:45 PM

                          @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                          pf (and iptables for that matter) handle Ethernet traffic, so-called packets, based on the headers of these packets.

                          Actually, it handles IP traffic, including IPv6. I'm sure it would work equally well on token ring or arcnet frames.


                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.