![]() ![]() It poses a huge risk to have your router/firewall capable of decrypting all traffic on your network, it becomes a single point of failure and isn't good and breaks end-to-end encryption entirely.īut, what you were doing on the UTM should be possible on pfSense through Snort, which CAN take actions based on TLS traffic it just can't take actions based on decrypted TLS traffic. So you are correct in saying that the only way to do that is with DPI-SSL (or DPI-TLS) which requires installing certs on the end devices and is actually NOT recommended by most security professionals or even by the government itself. Regarding the HTTPS inspection, if you didn't install certs on your devices for the UTM then it wasn't actually "opening" those packets and inspecting them, that's the whole purpose of TLS communications. ![]() Is this Full disclosure, I'm still new to Sophos gear so I'll try to keep this all related to pfSense since I know it's ins and outs pretty well. Based on the info I've obtained so far, it appears that pfSense only goes down to interface level. In pfSense, can IPS be tuned per server/web app? In Sophos UTM's WAF, you can disable different IPS rules and add exceptions for each web app behind the UTM even if they are on the same interface. So, is the UTM doing the man-in-the-middle thing by hosting the certs, accepting the HTTPS traffic and forwarding it to the internal web server via port 80?Ĭan I get the same functionality with pfSense, with HTTPS traffic? Contrary to what some may think, I have been searching my butt off trying to answer my own question but I'm still confused. The UTM's WAF (reverse-proxy) handles the certs and port forwarding. I never installed any certs on the workstations or servers behind the UTM but I still see plenty of Snort blocked activity and false-positives in the WAF log so it must be working with HTTPS traffic, right? I'm referring to external traffic (443) coming into the UTM->WAF->internal webserver (80). I've read a lot of posts that state that IPS only works as man-in-middle and that you have to install a cert on all of the clients. The UTM's IPS (Snort) catches a lot of things even with HTTPS traffic. Back then, not every connection was encrypted but all of my stuff uses HTTPS, now. ![]() It was several years back when I set everything up. Please tell me, can I replace most of the UTM's functionality with pfSense? I'm confused about a few things. There must be some people on this forum that are very familiar with the Sophos UTM. I've been utilizing most of the features of the UTM. This is for personal/home lab use but I do host quite a few things behind the device so I need the VPN, WAF, anti-virus, IPS, SMTP proxy, web protection etc. Since the UTM is reaching EOL, I'm looking for a replacement. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |