<div dir="ltr">Sorry I'm a bit late, but since its SSL the SNI header can be used and inspected (which is only in the handshake so it's not inspecting _all_ the packets) and use that for filtering, I know there's a netfilter module to do it (quick google found <a href="https://github.com/Lochnair/xt_tls">https://github.com/Lochnair/xt_tls</a>), I think JunOS can do it <a href="https://apps.juniper.net/feature-explorer/feature-info.html?fKey=7646&fn=Server%20Name%20Indication%20(SNI)%20for%20Web%20filtering">https://apps.juniper.net/feature-explorer/feature-info.html?fKey=7646&fn=Server%20Name%20Indication%20(SNI)%20for%20Web%20filtering</a> and probably most of the others when you get to certain levels of licensing.<div><br></div><div>The benefit is you don't need to MITM the SSL connection, the SNI is sent in clear-text and is even part of the first packet in the handshake (lots of application level proxies use this to route TLS connections without terminating them, like haproxy).</div><div><br></div><div>Cheers,</div><div>Kosh</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 16 Aug 2021 at 20:23, Andres Miedzowicz <<a href="mailto:Andres.Miedzowicz@gsn.com.au">Andres.Miedzowicz@gsn.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">
Hi Jennifer,
<div><br>
</div>
<div>Thanks for that. However, my question is more around the options of allowing access to millions of IPs (Office alone has /13s, /14s, /15s and /16s) or narrowing up the list of destination addresses and tightening up security at the expense of the potential
caveats that the MITM approach the firewalls take to decrypt and inspect outgoing, secure traffic.</div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Andres<br>
<br>
<div dir="ltr">Sent from my iPhone</div>
<div dir="ltr"><br>
<blockquote type="cite">On 16 Aug 2021, at 20:16, Jennifer Sims <<a href="mailto:jenn@jenn.id.au" target="_blank">jenn@jenn.id.au</a>> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">You should be able to cover 365 via the publicly available IP ranges
<div><a href="https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide" target="_blank">https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide</a><br>
</div>
<div><br>
</div>
<div>For amazon S3</div>
<div><a href="https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/" target="_blank">https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/</a><br>
</div>
<div><br>
</div>
<div>That should give you a good starting point.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Aug 16, 2021 at 7:36 PM Andres Miedzowicz <<a href="mailto:Andres.Miedzowicz@gsn.com.au" target="_blank">Andres.Miedzowicz@gsn.com.au</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-AU">
<div>
<p class="MsoNormal">Hello,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I need to create a firewall rule for outgoing traffic from my network to the internet for services hosted in public clouds where the destination URL has multiple dynamic IPs (ie: an AWS S3 bucket, Outlook 365 in Azure, etc) which makes
a rule based on a destination FQDN troubling because each DNS query will provide a different IP every time. My possible solutions are:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<ol style="margin-top:0cm" start="1" type="1">
<li style="margin-left:0cm">Use a firewall rule using a Web URL filter, or application/content filtering (depending on the vendor) where I need to perform deep packet inspection to get the full destination
URL or detect the application (ie: email delivery to O365). When this method is used with most of the vendors, the process involves a MITM approach where the SSL Certificate presented to the client is one generated by the firewall with the root CA certificate
issued by the firewall as well.<u></u><u></u></li></ol>
<p><u></u> <u></u></p>
<ol style="margin-top:0cm" start="2" type="1">
<li style="margin-left:0cm">Set the destination IP of the rule the full list of possible ranges for the public cloud which could mean millions of IPs.<u></u><u></u></li></ol>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Any thoughts on security concerns with each of the approaches? Is it worth the potential decrease in security by using a non-trusted Root CA internally (even though we can install the certificate in the application/browser to force it to
trust it) vs. allowing access to destination IPs that are not necessary for this service but ensures uninterrupted encryption end-to-end?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thank you all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Andres<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>