[AusNOG] SSL packet inspection security

Andres Miedzowicz Andres.Miedzowicz at gsn.com.au
Mon Aug 16 19:35:46 EST 2021


Hello,

I need to create a firewall rule for outgoing traffic from my network to the internet for services hosted in public clouds where the destination URL has multiple dynamic IPs (ie: an AWS S3 bucket, Outlook 365 in Azure, etc) which makes a rule based on a destination FQDN troubling because each DNS query will provide a different IP every time. My possible solutions are:

  1.  Use a firewall rule using a Web URL filter, or application/content filtering (depending on the vendor) where I need to perform deep packet inspection to get the full destination URL or detect the application (ie: email delivery to O365). When this method is used with most of the vendors, the process involves a MITM approach where the SSL Certificate presented to the client is one generated by the firewall with the root CA certificate issued by the firewall as well.

  2.  Set the destination IP of the rule to the full list of possible ranges for the public cloud, which could mean millions of IPs.

Any thoughts on security concerns with each of the approaches? Is it worth the potential decrease in security by using a non-trusted Root CA internally (even though we can install the certificate in the application/browser to force it to trust it) vs. allowing access to destination IPs that are not necessary for this service but ensures uninterrupted encryption end-to-end?

Thank you all,

Andres
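A way to size option 2 before committing to it, added here as an example that is not part of the original post: AWS publishes its address ranges as ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json); the field names below match that file, but the prefixes themselves are constructed sample data, not real AWS ranges. The script keeps the prefixes for one service and region, collapses adjacent prefixes, and counts how many destination addresses an allow rule built from them would admit.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# Documentation prefixes only; these are not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "203.0.113.128/25", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24",  "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1",      "service": "S3"},
    ],
})


def service_prefixes(ip_ranges_json, service, region=None):
    """Collapsed IPv4 networks for one service, optionally limited to one region."""
    data = json.loads(ip_ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["service"] == service and (region is None or p["region"] == region)
    ]
    # Merge adjacent or overlapping prefixes so the rule carries the minimal set.
    return sorted(ipaddress.collapse_addresses(nets))


def address_count(nets):
    """Number of destination addresses an allow rule on these prefixes admits."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    nets = service_prefixes(SAMPLE_IP_RANGES, "S3", "ap-southeast-2")
    print(f"{len(nets)} prefix(es), {address_count(nets)} addresses:")
    for n in nets:
        print(f"  {n}")
```

Run against the real file, the count for a whole service across all regions is the "millions of IPs" figure the post refers to, which is the number worth quoting when weighing option 2 against the MITM approach.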