Firewall – Blocking HTTPS content with a Watchguard (Websense) vs. SQUID and SQUIDGuard using Transparent Proxy mode

content-filter, firewall, pfsense

I'm trying to compare these 2 solutions when it comes to content blocking:

1 – A pfSense appliance with SQUID and SQUIDGUARD packages configured

2 – A Watchguard FW that uses Websense

So, in order to block something like https://www.facebook.com, using Squidguard apparently I have to perform a MITM attack, or give up on the option of using the Transparent Proxy mode, but the Watchguard manages to block the very same page without losing the Transparent proxy option. Can someone help me understand how that works, please?

Best Answer

The Watchguard has HTTPS full-content inspection in the same way by installing an SSL certificate and doing a Man-In-The-Middle (MITM) attack on all the traffic, but it can block domain names without resorting to that by looking at the Server Name Indicator field sent out by the browser so the server can identify which SSL certificate to answer with, and by looking at the SSL certificate returned from the server to see which domain names it's signed for.

HTTPS-Proxy: Domain Names

If your Firebox or XTM device runs Fireware XTM v11.9.4 or higher, you can configure your device to allow or deny access to a site, perform content inspection, or bypass content inspection based on the Domain Names rules you create. To match the specified pattern in your Domain Names rules against the name specified in the connection server, the SNI (Server Name Indication), the certificate common name (CN), or the IP address of the server is used.

Because it can determine the actual server name from the HTTPS traffic headers, the SNI is the most accurate option. A certificate CN is often shared between several services from the same site. For example, many Google services such as YouTube and Google Maps share the same certificate CN. If you block access to YouTube based on the certificate CN, access is also blocked to Google Maps and other services with the same CN. The certificate CN is used if the SNI is not available.

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#en-US/proxies/https/https_domain_names_c.html%3FTocPath%3DProxy%2520Settings%7CAbout%2520the%2520HTTPS-Proxy%7C_____3