SSL Inspection



  • Hello friends,

    I wonder if you can apply this technique with pfSense ... the SSL inspection ...

    I tested WPAD and all is good, but I would now like to apply this solution in the company I work for ...

    In DansGuardian there is a MITM option pointing to a certificate, which can also be one created by me, but I would like to apply this solution using only pfSense ... if anyone has any ideas, let's see ..

    Sorry for my English, this is Google Translate.



  • Hi,

    you cannot do this with basic pfSense. You need an additional package from the pfSense package manager.

    You can use the squid2 or, better, squid3 package to filter HTTP and HTTPS traffic. Then use SquidGuard to filter websites based on the URL. Or use DansGuardian, which is also a package and can be used with Squid.

    There is no other way I know of for pfSense.



  • I would like to do it with pfSense as explained in this video

    YouTube video

    That's really what I want to do, but with pfSense.


  • LAYER 8 Global Moderator

    Yeah, that is your typical MITM attack ;)

    Yes, many proxies support this sort of thing - it is a slippery slope to be sure!!  Since you could view users' login info to their bank accounts, for an extreme example.

    Even in a company - do you have sign-off on such a thing from company officials like Legal and HR?

    Before going down such a path you had better have all your ducks in a row with Legal. Are users going to be aware that their SSL traffic is being compromised?  It's one thing to filter a user from going to, say, their bank during working hours, even when using company internet for such a thing.. It's another thing to allow the traffic and then sniff inside what to them should be a secure connection - where persons in the company would be able to view the details of such traffic..

    I know the major players that support this method of snooping have lists so that, say, bank traffic is not decrypted.

    Don't get me wrong, this can be a great tool in troubleshooting something that is going wrong over an SSL connection, and I have done it many times to get to the bottom of a strange issue..  But it can be seen as having lots of issues with privacy concerns and, depending on what country you're in, could be a real no-no.

    But sure, you could do such a thing with pfSense..



  • Thank you so much for the reply ..

    Of course, for those that are banks, these sites were placed in a whitelist so the device does not decrypt traffic to the websites of banks. I want to analyze HTTPS traffic since there are HTTPS pages with malicious XML code, malware, proxy bypasses, etc., etc. .. What I want is to implement filters in the cloud for my clients, but as transparently as possible, and after researching, I have come to the conclusion that this could only be achieved with SSL inspection.
    If it can be done with pfSense or free software, what would be the tools? Because I've been researching and experimenting with "DeleGate" or "sslstrip", but they do not support 1000-2000 simultaneous connections (unless someone tells me otherwise).

    Greetings community :D


  • LAYER 8 Global Moderator

    I have not done this with pfSense specifically, including its packages – but squid is the proxy package, and squid supports this, so yeah, it is possible

    http://wiki.squid-cache.org/Features/SslBump
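    What the SslBump feature linked above actually does on the wire, shown as an added example that is not code from squid, pfSense or anyone in this thread: the proxy holds its own CA, mints a fresh server certificate for every intercepted host name, and terminates TLS with it. Only a client that has that CA in its trust store accepts the forged certificate; everyone else gets a certificate error. The CA name, the host names and the bypass-listed domains below are constructed sample data, and the bypass check is a model of the "do not decrypt banks" list, not squid's own matching logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCA creates a self-signed CA. This plays the role of the CA the proxy
// administrator creates and then distributes to every client's trust store.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Proxy CA"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf does what a bumping proxy does per intercepted host: forge a
// server certificate for that name, signed by the proxy CA. The returned
// key is the one the proxy would terminate TLS with.
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientAccepts reports whether a client whose trust store is exactly
// roots would accept leaf when connecting to host.
func clientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// bypassList stands in for a "do not decrypt" list: connections to these
// domains are passed through (spliced) instead of bumped. Sample data.
var bypassList = []string{"bank.example", "health.example"}

// shouldBump decides from the requested server name (SNI) whether the
// proxy intercepts (bump) or passes through (splice) the connection.
func shouldBump(host string) bool {
	host = strings.ToLower(host)
	for _, d := range bypassList {
		if host == d || strings.HasSuffix(host, "."+d) {
			return false
		}
	}
	return true
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	withCA := x509.NewCertPool() // client that installed the proxy CA
	withCA.AddCert(ca)
	withoutCA := x509.NewCertPool() // client that did not: empty trust store

	for i, host := range []string{"www.example.com", "online.bank.example"} {
		if !shouldBump(host) {
			fmt.Printf("%-22s spliced: the real server certificate passes through\n", host)
			continue
		}
		leaf, _, err := mintLeaf(host, ca, caKey, int64(i+2))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s bumped: client with CA accepts=%v, client without CA accepts=%v\n",
			host, clientAccepts(leaf, host, withCA), clientAccepts(leaf, host, withoutCA))
	}
}
```

    The third check in the test (a certificate minted for one host does not verify for another) is why the proxy needs a certificate generator per host rather than one wildcard certificate, and why the private key of that CA is the most sensitive file on the proxy: anyone holding it can impersonate every site to every client that trusts it.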



  • Thank you so much for the reply JOHNPOZ ..

    I'll investigate SSLBump in squid and show you my results …

    :)



  • Hi again,

    everything you want to do is what I posted in the second post in this thread. Everything Checkpoint is doing is the same as what you can do with the squid proxy.

    I would suggest using the squid3-dev package, which contains all the SSL-bump functions you need to do SSL inspection. Create a CA within pfSense if you like. Select this CA in the squid3-dev package GUI, put this CA into the browsers' trusted store and that's it.

    Sites you do not want to be inspected need to be put into "Bypass these destination addresses by the proxy". Of course you can create an alias which contains all the sites so you do not have to put all the websites into the one line the squid GUI offers.
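    The same setup in plain squid.conf terms, as an added example that is not from the page, the pfSense squid package or the squid project, using the Squid 3.5 SslBump directives documented at the wiki link earlier in the thread. The file paths, the CA file name, the port numbers and the bypass file are assumptions; on pfSense the package GUI writes the equivalent for you.

```squid
# Squid 3.5 SslBump configuration (added example; paths are assumptions).
#
# One-time setup on the proxy host:
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
#       -extensions v3_ca -keyout myCA.pem -out myCA.pem
#   /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_db
# Install the certificate half of myCA.pem in every client's trust store;
# keep the private key half readable by the squid user only.

# Explicit proxy port (WPAD/PAC clients) with dynamic certificate generation.
http_port 3128 ssl-bump \
    cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Transparent interception of port 443 (needs a firewall redirect rule).
https_port 3129 intercept ssl-bump \
    cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints and caches the per-host certificates.
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: peek at the ClientHello to learn the requested server name (SNI)
# before deciding anything.
acl step1 at_step SslBump1
ssl_bump peek step1

# Bypass list, one domain per line such as ".bank.example": the role the
# "Bypass these destination addresses by the proxy" field plays in the GUI.
acl nobump ssl::server_name "/usr/local/etc/squid/nobump_domains.txt"
ssl_bump splice nobump

# Everything else is decrypted, filtered, and re-encrypted to the client.
ssl_bump bump all

# Do not hide upstream certificate problems from the user.
sslproxy_cert_error deny all
```

    Two practical points: the bypass decision is made on the SNI the client sent, so a client that omits SNI (or a pinned mobile app) will not match the list and will be bumped, which is usually where the breakage reports come from; and in Squid 4 the helper was renamed to security_file_certgen and `cert=` on the port line became `tls-cert=`, so the 3.5 lines above need those two changes on newer packages.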



  • Has anyone successfully done this? I think for this to work the DansGuardian logic needs to be encapsulated in an ICAP service like Diladele.

