On 10/26/2012 04:15 PM, Craig Askings wrote:
> On 26/10/2012 4:05 PM, Paul Gear wrote:
>> I would really love to know how these UTM devices think they can do 
>> this securely, given the appalling level of proxy support in Mac, 
>> iOS, and Android apps.  Or is their certificate validation so poor 
>> that they just don't care that they're being MitM-ed?
>> Paul
> The normal trick for SSL is to make a new root ca + wildcard cert and 
> forcibly install the root ca onto each PC via A/D or MDM for the iOS 
> and Android devices. From there you just MitM with the wildcard cert 
> installed on the UTM.

On 10/27/2012 06:43 AM, Scott Howard wrote:
> They do involve a new root CA as you've mentioned, but not a wildcard 
> cert.  Instead, they create dynamic certs for the sites being 
> accessed, and then sign them with the root CA which the end-user trusts.
> ...
> The problem here is getting the cert in the users browser.  In a 
> controlled corporate environment this is relatively easy (standard 
> build, MS GPO, etc).  In an uncontrolled environment, it's pretty much 
> impossible.

So what do you do for the scenario where you're providing service for 
BYOD or public networks (as the OP seemed to be) and have no authority 
to touch the end user's device?  When we tried this, we came to the 
conclusion that we would have to allow unfettered outbound HTTPS if we 
weren't to have massive user experience rage, and this basically 
eliminates the benefit of any filtering.

I usually intercept all outbound DNS and SMTP (and NTP, but that's just 
for efficiency) and force it through the local server so that we can at 
least force use of OpenDNS and virus/spam check outgoing mail.  But 
that's not much of a mitigation...

P.S. I would have thought that creating dynamic certificates on the fly 
would be too processor intensive for all but the smallest sites...
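A client-side check that follows from this thread, added here as an illustration and not code written by any of the posters: the interception described above only works because a root CA has been pushed into the device's trust store, so a device owner (or a BYOD user who wants to know whether a UTM is sitting in the middle) can snapshot the trusted roots on a clean device and later diff the live store against that baseline. Only Python's standard-library `ssl` module is used. The baseline file path and the "Example Trust Services" / "Acme Networks" root names are constructed for the example and do not refer to any real CA or product.

```python
"""Diff the live trust store against a baseline to spot added root CAs.

A root present now but absent from the baseline is a candidate
interception CA (e.g. one pushed via AD/MDM for a TLS-inspecting UTM).
"""
import json
import ssl
from typing import Iterable

# Map X.509 attribute names used by ssl to the usual short DN labels.
_SHORT = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN",
}


def dn_to_string(dn) -> str:
    """Flatten ssl's nested-tuple DN form into 'C=US, O=..., CN=...'."""
    return ", ".join(
        f"{_SHORT.get(attr, attr)}={value}" for rdn in dn for attr, value in rdn
    )


def is_self_signed(cert: dict) -> bool:
    """A root CA is self-signed: subject and issuer are identical."""
    return cert["subject"] == cert["issuer"]


def unexpected_roots(current: Iterable[dict], baseline_dns: set) -> list:
    """Return the DNs of roots present in `current` but not in the baseline."""
    found = {dn_to_string(c["subject"]) for c in current if is_self_signed(c)}
    return sorted(found - baseline_dns)


def live_roots() -> list:
    """Roots the system trusts for server auth (what a browser-like client sees)."""
    return ssl.create_default_context().get_ca_certs()


def save_baseline(path: str) -> None:
    """Snapshot the live store; run once on a device known to be clean."""
    with open(path, "w") as fh:
        json.dump(sorted(dn_to_string(c["subject"]) for c in live_roots()), fh)


def audit(path: str) -> list:
    """Compare the live store with the saved baseline at `path`."""
    with open(path) as fh:
        baseline = set(json.load(fh))
    return unexpected_roots(live_roots(), baseline)


# --- constructed sample data (not real certificates) -----------------------
def _root(org: str, cn: str, country: str = "US") -> dict:
    subject = ((("countryName", country),), (("organizationName", org),),
               (("commonName", cn),))
    return {"subject": subject, "issuer": subject, "version": 3,
            "notBefore": "Jan  1 00:00:00 2012 GMT",
            "notAfter": "Jan  1 00:00:00 2032 GMT"}


SAMPLE_BASELINE = {
    "C=US, O=Example Trust Services, CN=Example Public Root CA 1",
    "C=US, O=Example Trust Services, CN=Example Public Root CA 2",
}
SAMPLE_CURRENT = [
    _root("Example Trust Services", "Example Public Root CA 1"),
    _root("Example Trust Services", "Example Public Root CA 2"),
    _root("Acme Networks", "Acme UTM Interception Root"),  # the pushed CA
]

if __name__ == "__main__":
    for dn in unexpected_roots(SAMPLE_CURRENT, SAMPLE_BASELINE):
        print("root not in baseline:", dn)
```

In practice you would call `save_baseline("roots.json")` once before joining the network in question and `audit("roots.json")` afterwards; the sample data at the bottom just exercises the diff logic offline. Note that `get_ca_certs()` only reports roots loaded from a CA bundle file, so on systems that use a hashed `capath` directory the live snapshot may be incomplete.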
