SSL Inspection

From Wiki of WFilter NG Firewall

1 SSL Inspection

"SSL Inspection" is based on a [Man-in-the-middle attack]: the firewall redirects SSL/TLS connections to a local SSL server, which terminates the client's session with a site certificate signed by the firewall's own CA and opens a second SSL session to the real server, so the traffic passes through it decrypted. When enabled, you will be able to monitor and filter the contents of HTTPS websites and SSL emails (SMTP/POP3/IMAP over SSL):

  • record HTTPS webpage titles and web postings on HTTPS sites.
  • record emails sent over SSL connections.
  • filter email accounts for emails sent over SSL connections.
  • filter HTTPS website contents (filter download file types, block file uploads to HTTPS sites).

2 SSL Inspection Policy

  • Services
    • Web: HTTPS traffic on port 443.
    • POP3: POP3 over SSL on port 995.
    • IMAP: IMAP over SSL on port 993.
    • SMTP: SMTP over SSL on ports 465, 587 and 994. (Note that 587 is the mail submission port, which most clients use with STARTTLS rather than SSL from the first byte; see 3.2 for why STARTTLS sessions cannot be recorded.)
    • More ports: other SSL ports to be intercepted. Do not add any plain-text HTTP ports: the local SSL server expects an SSL handshake on every redirected connection.
  • Remote IP: remote IPs/domains to be intercepted. Two modes are supported:
    • Exclude below list: IPs/domains in the list are excluded from inspection; everything else is intercepted.
    • Below IPs only: only IPs/domains in the list are intercepted.
    • Syntax: one IP segment (CIDR) or domain per line; domains may use a leading wildcard. Example list:
      192.168.1.0/24
      172.10.0.0/16
      *.google.com
    • Use the exclude list for destinations that must not be intercepted (for example banking sites) and for applications that pin their server certificate and refuse to connect to the firewall's certificate even when the CA is installed.
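The following is an added example, not WFilter's own code, that models how the two Remote IP modes decide whether a connection is handed to the interceptor. It assumes the interceptor knows the destination IP of the connection and, for domain rules, the server name from the SNI of the client hello; the rule list below is constructed from the syntax example above.

```python
"""Model of the "Exclude below list" / "Below IPs only" policy semantics.

Added illustration, not WFilter NG Firewall code. One rule per line:
a CIDR segment or a domain pattern (wildcards as in "*.google.com").
Assumption: the interceptor matches domain rules against the SNI host
name of the client hello and IP rules against the destination address.
"""
import ipaddress
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

EXCLUDE_LIST = "exclude"   # intercept everything except listed entries
INCLUDE_ONLY = "include"   # intercept only listed entries

# Constructed sample list, same entries as the page's syntax example.
SAMPLE_LIST = """
192.168.1.0/24
172.10.0.0/16
*.google.com
"""


def parse_rules(text: str) -> Tuple[List[ipaddress._BaseNetwork], List[str]]:
    """Split the list into IP networks and lower-cased domain patterns.
    Anything that is not a valid CIDR segment is treated as a domain."""
    networks, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.lower())
    return networks, domains


def matches(rules, remote_ip: str, sni: Optional[str]) -> bool:
    """True if the destination hits any rule in the list."""
    networks, domains = rules
    ip = ipaddress.ip_address(remote_ip)
    if any(ip in net for net in networks):
        return True
    if sni:
        host = sni.lower().rstrip(".")
        # "*.google.com" matches sub-domains only; list "google.com"
        # separately if the apex name should match as well.
        return any(fnmatchcase(host, pattern) for pattern in domains)
    return False


def should_intercept(mode: str, rules, remote_ip: str, sni: Optional[str]) -> bool:
    """Apply the selected mode to the match result."""
    hit = matches(rules, remote_ip, sni)
    if mode == EXCLUDE_LIST:
        return not hit
    if mode == INCLUDE_ONLY:
        return hit
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LIST)
    for mode in (EXCLUDE_LIST, INCLUDE_ONLY):
        for ip, sni in (("172.10.5.5", None),
                        ("8.8.8.8", "www.google.com"),
                        ("93.184.216.34", "example.com")):
            print(mode, ip, sni, "->", should_intercept(mode, rules, ip, sni))
```

Connections without an SNI (older clients, non-HTTPS protocols) can only be matched by IP, so a domain-only exclude rule will not protect such a client from interception.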

Sslinspector 01.png

3 CA Certificate

  • CA certificate used to sign the per-site certificates that the firewall presents to clients during SSL interception.
  • When "HTTPS Inspector" is enabled, the client browser shows a certificate warning, because the site certificate is issued by this CA rather than by a publicly trusted one. To silence the browser, download this certificate and import it into the client's "trusted root certification authorities" store.
  • Click "Replace" to generate a new CA certificate. Clients that trust the old certificate will see warnings again until they import the new one.
  • To import an existing CA certificate, upload a zip file containing two files: ca.crt and ca.key. Treat ca.key as a highly sensitive secret: whoever holds it can issue a certificate for any site that every client trusting ca.crt will accept, so use a CA dedicated to this firewall rather than a general-purpose one.

Sslinspector 02.png

Because SSL Inspection works as a man-in-the-middle (it redirects SSL connections to a local SSL server that decrypts and re-encrypts them), it has some disadvantages you should know about:

  • Performance. Every intercepted connection costs two SSL handshakes plus decryption and re-encryption on the firewall. Please check: SSL Inspector Performance
  • Certificate warnings. With the HTTPS inspector enabled, clients see a certificate warning for every intercepted site. To silence the browser, follow the steps below to import WFilter's certificate into the "trusted root certification authorities" store on the client devices.
  • Pinned certificates. Applications that check the server certificate against a pinned copy (many mobile apps and update agents) refuse to connect to an intercepted site even with the CA installed; exclude those destinations with the Remote IP list.

3.1 HTTPS Inspector

  • There will be a certificate warning when visiting HTTPS websites. You may choose "continue to this website" to access the site anyway; the visit and any web posts will be recorded. Browsers do not offer this choice for sites that enforce HSTS, so import the certificate as described below.

Wfrecorder cert 01.png

To get rid of this certificate warning, please follow below steps:

  • Download WFilter's certificate

Wfrecorder cert 02.png

  • Double-click the "ca.crt" file, click "Install Certificate" and then "Next". Select "Place all certificates in the following store" and choose "Trusted Root Certification Authorities". Then click "Next" and "Finish".

Wfrecorder cert 03.png

  • The certificate warning won't appear again.

Wfrecorder cert 04.png

  • The HTTPS visit is now recorded.

Wfrecorder cert 05.png
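After importing ca.crt, a practitioner usually wants to confirm two things from the client: that the operating system now trusts the CA (no warning), and that the connection really is being intercepted rather than passed through. The following added example, not from the WFilter page or product, does both: it opens a TLS connection with the system trust store (which only succeeds once ca.crt is trusted) and checks whether the certificate the client received was issued by the inspection CA. The CA common name "WFilter" and the sample certificates are assumptions; use the subject of the ca.crt you downloaded.

```python
"""Client-side check that HTTPS interception is active and trusted.

Added example, not WFilter code. probe() uses the OS trust store, so it
raises ssl.SSLCertVerificationError until ca.crt has been imported (the
"certificate warning" case). issued_by_inspector() inspects the leaf
certificate the client received, in the nested tuple format returned by
ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
from typing import Any, Dict, Optional

EXPECTED_CA_CN = "WFilter"  # assumption: subject CN of the downloaded ca.crt


def name_field(name: Any, field: str) -> Optional[str]:
    """Pull one attribute (e.g. 'commonName') out of a getpeercert()
    subject/issuer value: a tuple of RDNs, each a tuple of (type, value)."""
    for rdn in name or ():
        for attr_type, value in rdn:
            if attr_type == field:
                return value
    return None


def issued_by_inspector(cert: Dict[str, Any], ca_cn: str = EXPECTED_CA_CN) -> bool:
    """True when the leaf certificate was issued by the inspection CA,
    i.e. the session was intercepted rather than served end-to-end."""
    return name_field(cert.get("issuer"), "commonName") == ca_cn


def describe(cert: Dict[str, Any], ca_cn: str = EXPECTED_CA_CN) -> str:
    subject = name_field(cert.get("subject"), "commonName")
    issuer = name_field(cert.get("issuer"), "commonName")
    state = "intercepted by" if issued_by_inspector(cert, ca_cn) else "not intercepted; issued by"
    return f"{subject}: {state} {issuer}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Connect with the OS trust store and return the peer certificate.
    An ssl.SSLCertVerificationError here means ca.crt is not trusted yet."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format, standing in for a live probe.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "WFilter NG Firewall"),),
               (("commonName", "WFilter"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Root"),)),
}

if __name__ == "__main__":
    import sys
    cert = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INTERCEPTED
    print(describe(cert))
```

Run it with a host name to probe a live site from a client behind the firewall; a site that reports "not intercepted" while inspection is enabled is either on the exclude list or reached over a path the firewall does not see.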

3.2 SSL Email Inspection

There are three types of email connection, and SSL Email Inspection treats them differently:

  • Plain text (for example SMTP on port 25, POP3 on 110, IMAP on 143): emails are recorded without "SSL Email Inspection".
  • STARTTLS (the session starts in plain text on those same ports and upgrades to TLS mid-session): even "SSL Email Inspection" cannot record it, because the port-based redirection only catches connections that are SSL from the first byte on the configured SSL ports. A client set to STARTTLS therefore bypasses recording; to enforce it, configure clients for SSL/TLS on ports 465/993/995.
  • SSL/TLS (SSL from the first byte on ports 995/993/465): with "SSL Email Inspection" enabled, emails sent over these connections can be recorded.
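To make the distinction concrete, here is an added example (not WFilter code) that classifies the first records of a captured mail session the way a port-redirecting interceptor would see them, and reports whether recording is possible according to the three cases above. The sample sessions are constructed; the TLS client hello is a synthetic prefix, not a real capture.

```python
"""Classify a mail session as plain text, STARTTLS or implicit SSL/TLS.

Added illustration, not WFilter NG Firewall code. A session is a list of
(direction, payload) records. Implicit SSL/TLS starts with a TLS record
from the client; STARTTLS starts as a plain protocol exchange and sends
an upgrade command (RFC 3207 SMTP "STARTTLS", RFC 2595 IMAP "STARTTLS"
and POP3 "STLS"); anything else stays plain text.
"""
from typing import List, Tuple

Record = Tuple[str, bytes]   # ("client" | "server", raw payload)

IMPLICIT_TLS = "ssl_tls"
STARTTLS = "starttls"
PLAIN = "plain"

UPGRADE_COMMANDS = (b"STARTTLS", b"STLS")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0X,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def classify_session(records: List[Record]) -> str:
    client_payloads = [p for direction, p in records if direction == "client"]
    if not client_payloads:
        return PLAIN
    if looks_like_tls_client_hello(client_payloads[0]):
        return IMPLICIT_TLS          # SSL from the first byte: what the interceptor redirects
    for payload in client_payloads:
        for line in payload.split(b"\r\n"):
            words = line.strip().upper().split()
            # SMTP/POP3 send the bare command; IMAP prefixes a tag ("a001 STARTTLS")
            if words and (words[0] in UPGRADE_COMMANDS
                          or (len(words) > 1 and words[1] in UPGRADE_COMMANDS)):
                return STARTTLS      # upgraded mid-session on a plain-text port
    return PLAIN


def can_record(kind: str, ssl_email_inspection: bool) -> bool:
    """Recording capability per the page: plain text always, STARTTLS
    never, implicit SSL/TLS only with SSL Email Inspection enabled."""
    if kind == PLAIN:
        return True
    if kind == STARTTLS:
        return False
    return ssl_email_inspection


# Constructed sample sessions (synthetic ClientHello prefix, not a capture).
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"
SMTP_STARTTLS = [
    ("server", b"220 mail.example.com ESMTP\r\n"),
    ("client", b"EHLO laptop\r\n"),
    ("server", b"250-mail.example.com\r\n250 STARTTLS\r\n"),
    ("client", b"STARTTLS\r\n"),
    ("server", b"220 2.0.0 Ready to start TLS\r\n"),
    ("client", TLS_HELLO),
]
IMAP_IMPLICIT = [("client", TLS_HELLO)]                 # port 993
POP3_STLS = [("server", b"+OK POP3 ready\r\n"), ("client", b"STLS\r\n")]
POP3_PLAIN = [("server", b"+OK POP3 ready\r\n"),
              ("client", b"USER bob\r\nPASS secret\r\n")]

if __name__ == "__main__":
    for name, session in (("SMTP STARTTLS", SMTP_STARTTLS), ("IMAP 993", IMAP_IMPLICIT),
                          ("POP3 STLS", POP3_STLS), ("POP3 plain", POP3_PLAIN)):
        kind = classify_session(session)
        print(f"{name}: {kind}, recordable with SSL Email Inspection: {can_record(kind, True)}")
```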

Let's take "Mozilla Thunderbird" as an example. The connection type is the "Connection security" setting in the account's server settings: None (plain text), STARTTLS, or SSL/TLS:

Wfrecorder ssl 01.png

Please note: SSL Email Inspection only covers the mail protocols. To record webmail (email read through an HTTPS website), you need to enable "HTTPS Inspector" for that HTTPS site.

4 Note

  • When deployed in bridge mode, SSL Inspection does not work on "Trunk ports" (VLAN-tagged). Use "Access ports" (untagged) instead.