Home Network Design

JT40

@bpsdtzpw ahaha, the 24 ports is 700 pounds, which is understandable considering the features, TDP and PoE.
All the others are also quite expensive, they are the most recent devices from Cisco if the website doesn't lie.

stephenw10

I have a Brocade ICX6450-24P which is an older device but it's a real enterprise switch with all the features you could ever want. It has 2 fans but they are not too loud. I swapped them out for quieter ones and it never gets hot. I only ever run a few APs from it though.
They can be had surprisingly cheaply when they comes up for sale. The 6430 model even cheaper.

Steve

bPsdTZpW

@jt40 said in Home Network Design:

@bpsdtzpw I'm using it, but I find it very weird.
This is the SHA a84c393949a841252f20085b9c33c120f6711f15

I can't find that cert at https://crt.sh , which contains info on network certs issued by most reputable CAs. Also duckduckgo and google don't show any matches. Please post the cert's serial number.

JT40

@bpsdtzpw Serial number: 4200000210619acc88

JT40

I just purchased this https://store.ui.com/products/unifi-ap-6-lite
Am i good to use such PoE convertor? 802.3af PoE Injector (48v)

Unifi-ap-6-lite requirements:
Supported voltage range 44 to 57VDC
Max. power consumption 12W

It seems good :D

I gave up on the PoE switch, it was not available :D , maybe in the future I'll think to some 10 ports switch only to use PoE.
As usage, I can only think of videocameras for now.

JT40

@bpsdtzpw It's possible that Kaspersky is doing something with it, but normally the cert should not be changed...

In any case, on the EMEA website there are all the product informations, but not on the international version, probably US.
https://eu.dlink.com/uk/en

johnpoz

@jt40 said in Home Network Design:

Am i good to use such PoE convertor? 802.3af PoE Injector (48v)

Are you not just buying their injector?
https://store.ui.com/collections/unifi-accessories-poe-injectors/products/u-poe-af

But yeah if its an af injector you should be good. Make sure it supports gig.

stephenw10

As long as you don't have one of their older models that uses non-standard 24V PoE. Like I do.
Those were all supplied with injectors though AFAIK.

Steve

JT40

@johnpoz Good point, I totally ignored it :D .
I struggled to find it on the official website, anyway it's all out of stock.
I found it on another store, the only difference seems to be a label (UPOE instead of only AF), I didn't spot anything else, it's probably original :D

I think I need to use iperf from the phone to test it, I don't have 1 Gbit or so.
Thanks a lot for the heads up.

JT40

@stephenw10 I bought the latest AP model, if that's what you are referring to.
Regarding the parts, I don't have a way to check it now, I don't know if my AP was produced in 2020 or 2018, so to say.

stephenw10

The AC-LR I have is pretty clearly labelled 24V and it's a few years old now. I doubt you have that.

bPsdTZpW

@jt40 said in Home Network Design:

@bpsdtzpw Serial number: 4200000210619acc88

This cert does not exist on https://crt.sh . The only hit that Google returns is this conversation. I suspect you're running Kaspersky and it's MITMing your https connections, thus giving this alternate certificate chain. What happens if you use the same browser to navigate to https://www.amazon.com , and look at the cert chain? It should be www.amazon.com -> DigiCert Global CA G2 -> DigiCert Global Root G2 . If there's Kaspersky in there, it's MITMing your connection.

JT40

@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.

bPsdTZpW

@jt40 said in Home Network Design:

@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.

Yeah, that's how HTTPS scanning typically works, since the encryption is assumed to be (should be) unbreakable. So the scanner acts as a proxy between your browser (system, if the scanner installer put its root cert in your system root store -- shiver!) and the website. That is, your browser forms an HTTPS connection to the scanner, which allows the scanner to decrypt the traffic and scan it, then the scanner forms an HTTPS connection to the website.

The browser-to-scanner connection is thus encrypted with the key from a cert with a wildcard DNS name that matches every possible website. This leaf cert is then signed by a root cert for the scanner "CA". The scanner's installer installs that root cert in your browser's root store so that the browser recognizes the leaf cert as valid.

All this rigamarole means that you can no longer use the browser to determine what cert chain the website actually uses. You need |dig| or some other such tool for that.

On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.

Your scanner should provide some UI to disable HTTPS scanning.

johnpoz

@bpsdtzpw said in Home Network Design:

Your scanner should provide some UI to disable HTTPS scanning.

This! There is no possible way the benefit of whatever that software is doing that would be worth giving them access to all the encrypted stuff you might be doing - login to your bank accounts for starters..

bPsdTZpW

@johnpoz Ya. FWIW, Kaspersky is based in Russia, and is currently banned on U.S. government systems and those of U.S. government contractors and subcontractors. https://www.wsj.com/articles/u-s-government-formalizes-kaspersky-ban-11568194206 ; https://www.securityweek.com/kasperskys-us-government-ban-upheld-appeals-court . But any scanner (ha! any program!) with network access creates potential risks. There is no free lunch in this area.

JT40

@johnpoz said in Home Network Design:

@bpsdtzpw said in Home Network Design:

Your scanner should provide some UI to disable HTTPS scanning.

This! There is no possible way the benefit of whatever that software is doing that would be worth giving them access to all the encrypted stuff you might be doing - login to your bank accounts for starters..

@bpsdtzpw said in Home Network Design:

@jt40 said in Home Network Design:

@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.

Yeah, that's how HTTPS scanning typically works, since the encryption is assumed to be (should be) unbreakable. So the scanner acts as a proxy between your browser (system, if the scanner installer put its root cert in your system root store -- shiver!) and the website. That is, your browser forms an HTTPS connection to the scanner, which allows the scanner to decrypt the traffic and scan it, then the scanner forms an HTTPS connection to the website.

The browser-to-scanner connection is thus encrypted with the key from a cert with a wildcard DNS name that matches every possible website. This leaf cert is then signed by a root cert for the scanner "CA". The scanner's installer installs that root cert in your browser's root store so that the browser recognizes the leaf cert as valid.

All this rigamarole means that you can no longer use the browser to determine what cert chain the website actually uses. You need |dig| or some other such tool for that.

On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.

Your scanner should provide some UI to disable HTTPS scanning.

I don't think that it works in that way, the proxy acts as an third party entity that makes the request.
The scanning of encrypted communications doesn't work on the whole communication, it works on the header mainly, or only the header.
The content (body) of the communication it's encrypted end to end, there is no way a proxy or scanner can decrypt such data, it's alwasy the browser (endpoint) to manage the communication with the keys, the keys are not managed in anyhow from the AV, it would be a great zero day for a browser.

This is what I know about it, but I could investigate more with Wireshark...

@bpsdtzpw said in Home Network Design:

@johnpoz Ya. FWIW, Kaspersky is based in Russia, and is currently banned on U.S. government systems and those of U.S. government contractors and subcontractors. https://www.wsj.com/articles/u-s-government-formalizes-kaspersky-ban-11568194206 ; https://www.securityweek.com/kasperskys-us-government-ban-upheld-appeals-court . But any scanner (ha! any program!) with network access creates potential risks. There is no free lunch in this area.

The story in US is like the one with Huawei, shall I comment? :D
The problem with KS is that it was in use by sensitive government institutions, so there was an obvious fear which lead to the ban, aside that, it's only cosmetics I guess.

Last thing, no banking with Windows, are you joking guys? :D

stephenw10

@jt40 said in Home Network Design:

The scanning of encrypted communications doesn't work on the whole communication, it works on the header mainly, or only the header.
The content (body) of the communication it's encrypted end to end, there is no way a proxy or scanner can decrypt such data, it's alwasy the browser (endpoint) to manage the communication with the keys, the keys are not managed in anyhow from the AV, it would be a great zero day for a browser.

That's exactly what it does. It breaks the end to end encryption. It can see everything in the connection. If it couldn't it wouldn't be able to scan anything.

Steve

johnpoz

@jt40 said in Home Network Design:

no banking with Windows

I don't think anyone said that - what I said is I wouldn't run some software that does MITM on my https connections..

I bank on my windows machine and even my phone all the time - but what I don't run is some so called "security" software that breaks my end to end encryption to "protect me" ;)

bPsdTZpW

@jt40 said in Home Network Design:

I don't think that it works in that way, the proxy acts as an third party entity that makes the request.
The scanning of encrypted communications doesn't work on the whole communication, it works on the header mainly, or only the header.
The content (body) of the communication it's encrypted end to end, there is no way a proxy or scanner can decrypt such data, it's alwasy the browser (endpoint) to manage the communication with the keys, the keys are not managed in anyhow from the AV, it would be a great zero day for a browser.

That is how deep inspection works. See, e.g., https://www.fortinetguru.com/2019/11/ssl-inspection-certificate-inspection-deep-inspection/ .

When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

It's possible to inspect only the (unencrypted) SSL handshake without MITMing the connection with a pseudo-CA cert, but the fact that your config returns a Kaspersky "CA" cert in the chain to the target website indicates that you're using deep inspection. My non-MITM config returns the chain dlinkmea.com -> cPanel, Inc. Certification Authority -> COMODO RSA Certification Authority , which is exactly the chain indicated by https://crt.sh/?id=5515086855 .

This is what I know about it, but I could investigate more with Wireshark...

Yep.

You can also ask your browser to display the cert chain to dlinkmea.com . I think what you'll see is SAN (subject alt name) *.* -> Kaspersky intermediate CA -> Kaspersky root CA.