Adding certs to firewalls
-
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
I didn't recommend them initially. I just replaced them with identical models when they broke and configured accordingly. They worked okay, well enough for what they needed, so I didn't opt to move them in a different direction like Watchguard/etc.
-
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
-
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
-
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
-
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
-
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
-
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
Ah you're talking about SSL filtering. You would need a valid certificate for this, unless you have one that is self-signed that you send out to local machines.
-
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
@wirestyle22 said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
Traffic Inspection? What part of the Sonicwall made it your recommendation @BBigford out of curiousity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid Proxy at that site.
and ERX is not a UTM, it's a router.
Right but UTM's are typically not great. I have a few Sonicwalls here.
So did you have to install certs on those firewalls, or no?
No. I don't use that functionality though
I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.
I'm honestly not sure. Sonicwalls in general are monstrously overpriced for what they offer though. We pay $1000 a year just for content filtering which I could do for free with Squid. I just don't see a benefit to using it. There are so many other better AND more cost effective options out there.
-
@BBigford said in Adding certs to firewalls:
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.
That's exactly what MITM does for SSL, it decrypts outgoing/incoming traffic analyzes the data and then re-signs it on the way to either party.
-
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
But the firewall is what is inspecting the traffic, maybe I'm misunderstanding you.
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
-
@coliver said in Adding certs to firewalls:
Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?
The link is referencing the latter.
-
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
No, it is a webserver.
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
I have these moments all the time here. Jared is correct. I'm confused frequently here
-
Found an okay link here explaining it a bit...
-
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@BBigford said in Adding certs to firewalls:
@JaredBusch said in Adding certs to firewalls:
@Dashrender said in Adding certs to firewalls:
Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.
The that is nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.
http://cookbook.fortinet.com/preventing-certificate-warnings/
That is MITM interception of web traffic and has nothing to do with a firewall. Obviously, you can run said service on the same piece of hardware as your firewall, but it is still not a damned firewall.
Okay, just trying to understand what you're trying to saying because I thought the firewall was intercepting and inspecting the traffic. Not another service.
In your case it is.. because you are using a UTM -
JB, now who's pulling a Scott?
His UTM is a firewall and a content filter.
-
@Dashrender said in Adding certs to firewalls:
JB, now who's pulling a Scott?
Yeah, don't be like that guy.