Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Pfsense has DPI with SSL / TLS / SSH Decryption?

    Firewalling
    4
    12
    203
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      emmanuelsiqueira last edited by emmanuelsiqueira

      Pfsense has DPI with SSL / TLS and SSH Decryption?

      1 Reply Last reply Reply Quote 0
      • Gertjan
        Gertjan last edited by Gertjan

        Hi,

        Short answer which covers 99,9 % of all usage cases : No.

        Slightly longer answer : visit any https:/: web site, and have a look around on the net what the "s" means in https. You'll find out that, basically, any traffic going to and coming from that site (location) is encrypted, and can only be used by your browser and the remote web server.

        So, your router

        ce236e86-ef7a-49e4-9629-0d117a8dd1d5-image.png

        would probably many of these

        a17cbf0f-c121-4775-abbe-931093127308-image.png

        just to try to "crack" the encrypted data.

        "Try" because it hasn't been done yet. I guess I add the silly remark that the Mossad, KGB, NSA, etc are still really trying in their basements - and be sure they won't make it open source if they pull it off. If some one else does (Wikileaks 2!), the Internet, as we know, will fall.

        So, a better answer :
        You have to make the browser on your PC trust the device where you do your MITM schemes.
        This means that, when you browser asks for info from https://whatever.site.tld, your pfSense router will proxy and handle that demand for your browser. Of course, your router can not reply with a "here is the 'whatever.site.tld' certificate, we can discus safely" : the "whatever.site.tld" cert has to be generated real time. Which is difficult, because you do not own the domain name "whatever.site.tld". This is an important limitation, which prohibits people from obtaining certificates as "updates.microsoft.com" so hey can propose 'patched' version of OS updates ..... and again the entire electric industry will fall tomorrow.

        How it's done today : As said, your browser has to trust your local router - pfSense. This mens that you - you as the admin, have to have the - every - device that is going to use your proxy so you can nstall that "your.pfsense.tld" as trsuted.
        Your browser asks for "whatever.site.tld" and receive an answer from "your.pfsense.tld" which it now trusts. Your pfSense router is now capable of 'decoding' the TLS traffic, DPI the packet data, and take whatever action based on what it finds, connects to the original "whatever.site.tld, do the request on your behalf, get back the answer, has access to the answer "in clear", and uses the trusted "your.pfsense.tld" connection to your browser to finally send back the results, again encrypted.
        Your pfSense router is now the MITM.

        Today, we are 2020, and there are more and more certificates are tagged with the info that they can NOT be redirected by using another "your.pfsense.tld". Which means that all the big media sites can not be proxied this way == no DPI for them.

        Anyway : what do you want ?
        https to protect you and every body else ?
        Or :
        Break https ?

        For now, you can't have both.

        Edit : what's still possible : do the DPI on the device that emits the traffic. I know that's actually not an option, but it will work now, and tomorrow.

        Edit2 : Install Youtube and look at some videos that have the MITM keyword. Its pretty hard core, but you were asking for it.
        Look up some @bmeeks forum posts about this subject - he stays most of the time here. These will make you understand that your asking for a can of worms.

        JKnott E 2 Replies Last reply Reply Quote 1
        • JKnott
          JKnott @Gertjan last edited by

          @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

          Short answer which covers 99,9 % of all usage cases : No.

          What the heck was the question?

          Gertjan 1 Reply Last reply Reply Quote 0
          • Gertjan
            Gertjan @JKnott last edited by Gertjan

            @jknott said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

            @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

            Short answer which covers 99,9 % of all usage cases : No.

            What the heck was the question?

            Not this :

            @emmanuelsiqueira said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

            Pfsense has DPI with SSL / TLS and SSH Decryption?

            The questions was edited.
            It was more something like : "how to DPI with pfSense".

            Guess he's off watching some MITM youtube horrors. Wonder if he comes back.

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              What I always find funny.. Is users want to hide their shit.. ISP is spying on me.. I have to encrypt everything - even my dns.. Inside a tcp tunnel even.

              If you thought it was so easy to decrypt tls/ssh - what good would you think all this encrypting all your traffic would do?

              JKnott 1 Reply Last reply Reply Quote 0
              • E
                emmanuelsiqueira last edited by

                Let me know if I did well in my question?
                Pfsense has Snort with OpenAppID, right?
                Could we consider that Pfsense is a New Generation Firewall with security against ransomware or encrypted p2p connections?

                1 Reply Last reply Reply Quote 0
                • JKnott
                  JKnott @johnpoz last edited by

                  @johnpoz said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                  What I always find funny.. Is users want to hide their shit.. ISP is spying on me..

                  That's nonsense. Everyone, except Trump, knows it's the Russians spying on everyone. ๐Ÿ˜‰

                  I've also wondered why so many people are so paranoid. Maybe I should get into the tinfoil hat business. ๐Ÿ˜

                  johnpoz 1 Reply Last reply Reply Quote 0
                  • johnpoz
                    johnpoz LAYER 8 Global Moderator @JKnott last edited by

                    @jknott said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                    I've also wondered why so many people are so paranoid

                    Not that they are paranoid - but that they are but think they can click a button and defeat the encryption.. If the encryption can be defeated/circumvented/broken/spied on - then its pretty useless encryption in the first place..

                    JKnott 1 Reply Last reply Reply Quote 0
                    • JKnott
                      JKnott @johnpoz last edited by

                      @johnpoz said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                      then its pretty useless encryption in the first place..

                      I hear ROT13 is really good. ๐Ÿ˜†

                      1 Reply Last reply Reply Quote 0
                      • E
                        emmanuelsiqueira @Gertjan last edited by

                        @gertjan Let me know if I did well in my question?
                        Pfsense has Snort with OpenAppID, right?
                        Could we consider that Pfsense is a New Generation Firewall with security against ransomware or encrypted p2p connections?

                        1 Reply Last reply Reply Quote 0
                        • Gertjan
                          Gertjan last edited by

                          @emmanuelsiqueira said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                          Pfsense is a New Generation Firewall

                          pfSense is a router firewall based on FreeBSD. It uses "pf" (aha !) as it's firewall.
                          pf is for FreeBSD what 'iptables' is for Linux.

                          pf (and iptables for that matter) handle Ethernet traffic, so called packets upon the headers of these packets. They do not access the data payload, which is our html page request, a part of an email, a VPN tunnel or whatever the pay load might be.
                          The security part is based on what can be done with these packet headers.
                          NOT the payload.

                          I'm not a snort expert ( maybe @bmeeks has link which explains it all, as he explained everything already xx times here ) but I know that snort can't 'see' the app. It sees traffic, the packets. It should 'see' the data, the pay load, to 'know' what the traffic is all about == profiling it - or what people tend to say : OpenAppID.

                          So, I tend to say : no, no security, as the payload is not visible any more.
                          To no one.

                          You might be able to filter on destination IP (the IP is part of the header) - or the URL used to access the IP (DNSBL based).

                          Again : a small Youtube session will tell you everything.

                          Snort, Squid and all alike are experts only tools.

                          @JKnott : Way to complex, go for the XOR method.

                          JKnott 1 Reply Last reply Reply Quote 0
                          • JKnott
                            JKnott @Gertjan last edited by

                            @gertjan said in Pfsense has DPI with SSL / TLS / SSH Decryption?:

                            pf (and iptables for that matter) handle Ethernet traffic, so called packets upon the headers of these packets.

                            Actually, it handles IP traffic, including IPv6. I'm sure it would work equally well on token ring or arcnet frames.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post

                            Products

                            • Platform Overview
                            • TNSR
                            • pfSense Plus
                            • Appliances

                            Services

                            • Training
                            • Professional Services

                            Support

                            • Subscription Plans
                            • Contact Support
                            • Product Lifecycle
                            • Documentation

                            News

                            • Media Coverage
                            • Press
                            • Events

                            Resources

                            • Blog
                            • FAQ
                            • Find a Partner
                            • Resource Library
                            • Security Information

                            Company

                            • About Us
                            • Careers
                            • Partners
                            • Contact Us
                            • Legal
                            Our Mission

                            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                            Subscribe to our Newsletter

                            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                            © 2021 Rubicon Communications, LLC | Privacy Policy