OpenApp ID and encrypted traffic
-
Hello, I'm using pfSense with pfBlocker, Snort and OpenAppID.
My big question is about encrypted traffic.
As we know, pfSense cannot do MITM (unless using Squid, maybe).
pfBlocker works at the DNS level. That's clear to me.
I was wondering how to block social network apps like Facebook (so I need to work at layer 7).
I'm going to use OpenAppID and I configured rules in Snort.
But I did not install a certificate, and pfSense cannot perform SSL DPI.
So, how does OpenAppID work?
It should not have access to the payload.
Does it work at the DNS level? Thanks
-
OpenAppID works by examining the SNI in the packet header. Here is a quick explanation of SNI (server name identification) from Cloudflare: https://www.cloudflare.com/learning/ssl/what-is-sni/.
Currently SNI is usually not encrypted, thus it can be seen and interpreted by IDS/IPS tools such as Snort and Suricata. There is a push to move to encrypted SNI. Here is a Cloudflare article describing that process: https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/. Should ESNI take hold and be widely adopted, Layer 7 IDS/IPS tools could suffer a fatal blow unless MITM (man-in-the-middle) breaking of encryption is utilized.