Adding certs to firewalls
-
So I stopped supporting a SMB that had a variety of SonicWalls (TZ series), and have only been working with various UTMs in the last few years (ASAs, Fortigate, etc).
I just recently had to change our wildcard cert over from GoDaddy to Comodo because of expiration and cost (GD is getting pretty spendy comparatively, but that's neither here nor there). That made me start thinking about my replacement I recommended to the SMB, I told him his cert would be expiring around this time, but do those SMB firewalls even take certs? If they don't, do they just pass traffic right on through....? I couldn't remember as I hadn't setup a firewall like that in quite some time for SMB.
-
The certificates have nothing to do with the firewall.
That is not how SSL certificates are used.
The SSL certificate goes on the endpoint being contacted. No where else.
-
Certificates also have nothing to do with routers and all the other hardware you mentioned.
-
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
-
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
-
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
-
@JaredBusch said in Adding certs to firewalls:
The certificates have nothing to do with the firewall.
That is not how SSL certificates are used.
The SSL certificate goes on the endpoint being contacted. No where else.
With all the UTMs I've managed, the trusted third party cert has to be installed on the firewall... Are you saying no certs would be on the firewall, but only on the internal CA (in any case, the DC)? I guess I don't understand what you mean by the certs have nothing to do with the firewall.
-
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
-
@JaredBusch said in Adding certs to firewalls:
Certificates also have nothing to do with routers and all the other hardware you mentioned.
I'm not talking about putting a cert on a router... Not entirely sure where you got that from my OC. Only talking about the firewall side of things.
-
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
I didn't recommend them initially. I just replaced them with identical models when they broke and configured accordingly. They worked okay, well enough for what they needed, so I didn't opt to move them in a different direction like Watchguard/etc.
-
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
-
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
-
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
-
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
-
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
-
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
Ah you're talking about SSL filtering. You would need a valid certificate for this, unless you have one that is self-signed that you send out to local machines.
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
I'm honestly not sure. Sonicwalls in general are monstrously overpriced for what they offer though. We pay $1000 a year just for content filtering which I could do for free with Squid. I just don't see a benefit to using it. There are so many other better AND more cost effective options out there.
-
@BBigford said in Adding certs to firewalls:
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.
That's exactly what MITM does for SSL, it decrypts outgoing/incoming traffic analyzes the data and then re-signs it on the way to either party.