Adding certs to firewalls
-
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
-
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
Ah you're talking about SSL filtering. You would need a valid certificate for this, unless you have one that is self-signed that you send out to local machines.
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
I'm honestly not sure. Sonicwalls in general are monstrously overpriced for what they offer though. We pay $1000 a year just for content filtering which I could do for free with Squid. I just don't see a benefit to using it. There are so many other better AND more cost effective options out there.
-
@BBigford said in Adding certs to firewalls:
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.
That's exactly what MITM does for SSL, it decrypts outgoing/incoming traffic analyzes the data and then re-signs it on the way to either party.
-
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
But the firewall is what is inspecting the traffic, maybe I'm misunderstanding you.
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
-
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
The link is referencing the latter.
-
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
No, it is a webserver.
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
I have these moments all the time here. Jared is correct. I'm confused frequently here
-
Found an okay link here explaining it a bit...
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
In your case it is.. because you are using a UTM -
JB, now who's pulling a Scott?
His UTM is a firewall and a content filter.
-
@Dashrender said in Adding certs to firewalls:
JB, now who's pulling a Scott?
Yeah, don't be like that guy.
-
It IS important to realize that UTMs are just like MS SBS server... lots of different things jammed into a single box breaking standard best practices around separation of duties. The routing/firewall and other functions come from different components of the UTM. It is all one UTM on one hand, but it is a collection of random services on the other. If you were building your own UTM, you'd not use the "it's all one thing" terminology. It is only when thinking of it as a black box that it seems like are all one thing.
-
@scottalanmiller said in Adding certs to firewalls:
It IS important to realize that UTMs are just like MS SBS server...
That much I do understand... I was just under the misconception that the inspection was happening on the firewall side of services, rather than proxy/web server side of services. I had overlooked that in the link I posted as a response.
But I guess one could simply state that a firewall does nothing more than allow traffic to pass/redirect/drop/or be blocked based on rules, nothing more. It's not until you add additional services that you can inspect traffic, filter web content, or setup a secure tunnel/VPN.
-
@scottalanmiller said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
JB, now who's pulling a Scott?
Yeah, don't be like that guy.
Why? There is nothing wrong with that guy.
Well except when I'm right and he's wrong of course.
-
@JaredBusch said in Adding certs to firewalls:
@scottalanmiller said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
JB, now who's pulling a Scott?
Yeah, don't be like that guy.
Why? There is nothing wrong with that guy.
Well except when I'm right and he's wrong of course.
Mom? Dad? It's times like these that make me believe you aren't getting a divorce
