Recommendations



  • I have a network with 1,000 users. And I intend to use the squid + transparent squidguard with SSL inspection.

    Are there any recommendations for this type of scenario?



  • Here is one: Don't do SSL inspection (MITM).



  • That configuration will generate Man-in-the-Middle browser warnings for every HTTPS page they visit.  If you must proxy HTTPS, consider using WPAD to handle proxy auto-detection for your clients.



  • @fragged:

    Here is one: Don't do SSL inspection (MITM).

    Would it be due to performance?

    @KOM:

    That configuration will generate Man-in-the-Middle browser warnings for every HTTPS page they visit.  If you must proxy HTTPS, consider using WPAD to handle proxy auto-detection for your clients.

    I will do so, thank you!



  • @bcpereiraa:

    @fragged:

    Here is one: Don't do SSL inspection (MITM).

    Would it be due to performance?

    No. Well, "no" here assumes that you deployed pfSense on hardware able to handle the load generated by 1000 users browsing the internet ;)
    This means quite significant hardware, BTW.

    MITM simply breaks the SSL rules because the tunnel is supposed to be established between client and server ;-)
    Furthermore, as explained above, it presupposes that you deploy the CA public key on each browser in order to avoid the warning message about an untrusted certificate.

    On the other hand, I can understand that more and more administrators are looking at SSL interception: aside from URL filtering (which can be achieved even without MITM), one would like to apply tight content filtering, including anti-virus, but I'm convinced there's a balance to find between such an objective and the willingness to follow the SSL concept.



  • @chris4916:

    @bcpereiraa:

    @fragged:

    Here is one: Don't do SSL inspection (MITM).

    Would it be due to performance?

    No. Well, "no" here assumes that you deployed pfSense on hardware able to handle the load generated by 1000 users browsing the internet ;)
    This means quite significant hardware, BTW.

    MITM simply breaks the SSL rules because the tunnel is supposed to be established between client and server ;-)
    Furthermore, as explained above, it presupposes that you deploy the CA public key on each browser in order to avoid the warning message about an untrusted certificate.

    On the other hand, I can understand that more and more administrators are looking at SSL interception: aside from URL filtering (which can be achieved even without MITM), one would like to apply tight content filtering, including anti-virus, but I'm convinced there's a balance to find between such an objective and the willingness to follow the SSL concept.

    As for OK hardware resources, the question now would be regarding the configuration. Is there something else I should do?



  • @bcpereiraa:

    As for OK hardware resources, the question now would be regarding the configuration. Is there something else I should do?

    Like what?

    Pay attention to I/O (assuming both CPU and memory are OK, which is quite easy nowadays): disk I/O will most likely be your bottleneck with 1000 HTTP users as far as the cache is concerned.
    Then it also depends on the additional services you intend to run: content filtering, antivirus, something else?

    I would also suggest having the log and the cache on different spindles (this is also true for SSDs ;))

    Last but not least: do not assume that larger cache size will provide better performance.
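A quick way to verify the "log and cache on different spindles" advice on an existing box, added here as an example and not code from this thread or from the Squid project: it reads the `cache_dir` and `access_log` paths out of a squid.conf and compares the filesystem device backing each (the squid.conf fragment below is constructed, and `/var/squid/...` paths are placeholders).

```shell
#!/bin/sh
# Constructed squid.conf fragment used as sample input (placeholder paths).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# cache on one spindle, logs on another
cache_dir ufs /var/squid/cache 20000 16 256
access_log daemon:/var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log
EOF

# cache_dir_path CONF -> directory argument of the first cache_dir line
# (squid.conf syntax: cache_dir <type> <directory> <Mbytes> <L1> <L2>)
cache_dir_path() {
  awk '$1 == "cache_dir" { print $3; exit }' "$1"
}

# access_log_path CONF -> file argument of the first access_log line,
# with an optional "module:" prefix (daemon:, stdio:, ...) stripped
access_log_path() {
  awk '$1 == "access_log" { sub(/^[a-z]+:/, "", $2); print $2; exit }' "$1"
}

# fs_device PATH -> filesystem device backing PATH, walking up to the
# nearest existing parent so the check works before the directories exist
fs_device() {
  p=$1
  while [ ! -e "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
  df -P "$p" | awk 'NR == 2 { print $1 }'
}

# same_device PATH1 PATH2 -> exit 0 when both resolve to the same device
same_device() {
  [ "$(fs_device "$1")" = "$(fs_device "$2")" ]
}

# separation_status CONF -> prints "shared" when cache_dir and access_log
# sit on one device (the I/O contention the post warns about), else "separate"
separation_status() {
  c=$(cache_dir_path "$1"); l=$(access_log_path "$1")
  if same_device "$c" "$l"; then echo shared; else echo separate; fi
}

echo "cache_dir:  $(cache_dir_path "$SAMPLE_CONF")"
echo "access_log: $(access_log_path "$SAMPLE_CONF")"
echo "status:     $(separation_status "$SAMPLE_CONF")"
```

Point it at the real squid.conf (on pfSense, the one the squid package generates) instead of the constructed sample to check a live deployment.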



  • @chris4916:

    @bcpereiraa:

    As for OK hardware resources, the question now would be regarding the configuration. Is there something else I should do?

    Like what?

    Pay attention to I/O (assuming both CPU and memory are OK, which is quite easy nowadays): disk I/O will most likely be your bottleneck with 1000 HTTP users as far as the cache is concerned.
    Then it also depends on the additional services you intend to run: content filtering, antivirus, something else?

    I would also suggest having the log and the cache on different spindles (this is also true for SSDs ;))

    Last but not least: do not assume that larger cache size will provide better performance.

    Thank you so much!

