[AusNOG] Maximum users per AP

Paul Gear ausnog at libertysys.com.au
Sat Oct 27 10:21:25 EST 2012 

On 10/26/2012 04:15 PM, Craig Askings wrote:
> On 26/10/2012 4:05 PM, Paul Gear wrote:
>> I would really love to know how these UTM devices think they can do 
>> this securely, given the appalling level of proxy support in Mac, 
>> iOS, and Android apps.  Or is their certificate validation so poor 
>> that they just don't care that they're being MitM-ed?
>>
>> Paul
>
> The normal trick for SSL is to make a new root ca + wildcard cert and 
> forcibly install the root ca onto each PC via A/D or MDM for the iOS 
> and Android devices. From there you just MitM with the wildcart cert 
> installed on the UTM.

On 10/27/2012 06:43 AM, Scott Howard wrote:
>
> They do involve a new root CA as you've mentioned, but not a wildcard 
> cert.  Instead, they create dynamic certs for the sites being 
> accessed, and then sign them with the root CA which the end-user trusts.
> ...
> The problem here is getting the cert in the users browser.  In a 
> controlled corporate environment this is relatively easy (standard 
> build, MS GPO, etc).  In an uncontrolled environment, it's pretty much 
> impossible.

So what do you do for the scenario where you're providing service for 
BYOD or public networks (as the OP seemed to be) and have no authority 
to touch the end user's device?  When we tried this, we came to the 
conclusion that we would have to allow unfettered outbound HTTPS if we 
weren't to have massive user experience rage, and this basically 
eliminates the benefit of any filtering.

I usually intercept all outbound DNS and SMTP (and NTP, but that's just 
for efficiency) and force it through the local server so that we can at 
least force use of OpenDNS and virus/spam check outgoing mail.  But 
that's not much of a mitigation...

Paul

P.S. I would have thought that creating dynamic certificates on the fly 
would be too processor intensive for all but the smallest sites...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20121027/35812652/attachment.html>

More information about the AusNOG mailing list