[AusNOG] SSL packet inspection security

Jennifer Sims jenn at jenn.id.au
Mon Aug 16 20:15:55 EST 2021


You should be able to cover 365 via the publicly available IP ranges:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

For Amazon S3:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/

That should give you a good starting point.

On Mon, Aug 16, 2021 at 7:36 PM Andres Miedzowicz <
Andres.Miedzowicz at gsn.com.au> wrote:

> Hello,
>
> I need to create a firewall rule for outgoing traffic from my network to
> the internet for services hosted in public clouds where the destination URL
> has multiple dynamic IPs (i.e. an AWS S3 bucket, Outlook 365 in Azure, etc.),
> which makes a rule based on a destination FQDN troubling because each DNS
> query will provide a different IP every time. My possible solutions are:
>
>    1. Use a firewall rule using a Web URL filter, or application/content
>    filtering (depending on the vendor), where I need to perform deep packet
>    inspection to get the full destination URL or detect the application (i.e.
>    email delivery to O365). When this method is used with most of the vendors,
>    the process involves a MITM approach where the SSL certificate presented to
>    the client is one generated by the firewall, with the root CA certificate
>    issued by the firewall as well.
>
>    2. Set the destination IP of the rule to the full list of possible ranges
>    for the public cloud, which could mean millions of IPs.
>
> Any thoughts on security concerns with each of the approaches? Is it worth
> the potential decrease in security by using a non-trusted root CA
> internally (even though we can install the certificate in the
> application/browser to force it to trust it) vs. allowing access to
> destination IPs that are not necessary for this service but ensuring
> uninterrupted encryption end-to-end?
>
> Thank you all,
>
> Andres
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
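One way to turn the two published range feeds from Jennifer's reply into the destination allow-list Andres describes in option 2, as an added example that is not part of this thread and not a tool from Microsoft or AWS. The two feed URLs are the ones each vendor documents (the Microsoft 365 endpoints web service and the AWS ip-ranges.json file); the JSON embedded below is a constructed, trimmed sample in the same shape so the script runs offline, and the prefixes inside it are made up for the example rather than either vendor's real allocations. All function names (fetch_json, m365_prefixes, aws_prefixes, collapse, covered, iptables_rules) are this example's own.

```python
"""Turn the Microsoft 365 and AWS published IP-range feeds into a firewall allow-list.

Documented feeds (not fetched at import time; see fetch_json):
  Microsoft 365: https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
  AWS:           https://ip-ranges.amazonaws.com/ip-ranges.json
"""
import ipaddress
import json
import urllib.request
import uuid
from typing import Iterable, List, Optional, Set

# CONSTRUCTED sample in the shape of the Microsoft 365 endpoints web service output.
# The prefixes are made up for this example; they are not Microsoft's real allocations.
M365_SAMPLE = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"], "category": "Optimize",
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "13.107.128.0/22", "2603:1006::/40"],
     "tcpPorts": "80,443", "required": True},
    {"id": 8, "serviceArea": "Exchange", "urls": ["*.protection.outlook.com"], "category": "Allow",
     "ips": ["40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17"],
     "tcpPorts": "25,443", "required": True},
    # URL-only entry: the feed omits "ips" here, so the parser must not assume the key.
    {"id": 46, "serviceArea": "Common", "urls": ["*.officeapps.live.com"], "category": "Default",
     "tcpPorts": "443", "required": True},
])

# CONSTRUCTED sample in the shape of ip-ranges.json (made-up prefixes, as above).
AWS_SAMPLE = json.dumps({
    "syncToken": "1629000000", "createDate": "2021-08-16-01-02-03",
    "prefixes": [
        {"ip_prefix": "52.95.128.0/21", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "52.95.136.0/23", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "52.95.138.0/23", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "3.5.164.0/22", "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "52.219.0.0/20", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "13.210.0.0/15", "region": "ap-southeast-2", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2406:daa0:4000::/40", "region": "ap-southeast-2", "service": "S3"},
    ],
})

def fetch_json(url: str) -> str:
    """Fetch a live feed. The Microsoft service requires a fresh GUID clientrequestid per call."""
    if "endpoints.office.com" in url and "clientrequestid=" not in url:
        url += ("&" if "?" in url else "?") + "clientrequestid=" + str(uuid.uuid4())
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")

def m365_prefixes(doc: str, service_areas: Optional[Set[str]] = None,
                  categories: Optional[Set[str]] = None) -> List[str]:
    """Prefixes from the M365 endpoints document, filtered by serviceArea and/or category."""
    out: List[str] = []
    for entry in json.loads(doc):
        if service_areas and entry.get("serviceArea") not in service_areas:
            continue
        if categories and entry.get("category") not in categories:
            continue
        out.extend(entry.get("ips", []))  # URL-only entries have no "ips"
    return out

def aws_prefixes(doc: str, service: str = "S3", regions: Optional[Set[str]] = None) -> List[str]:
    """v4 and v6 prefixes from ip-ranges.json for one service, optionally limited to regions."""
    data = json.loads(doc)
    keep = lambda p: p["service"] == service and (not regions or p["region"] in regions)
    return ([p["ip_prefix"] for p in data["prefixes"] if keep(p)]
            + [p["ipv6_prefix"] for p in data.get("ipv6_prefixes", []) if keep(p)])

def collapse(prefixes: Iterable[str]) -> List[str]:
    """Dedupe and merge adjacent/nested prefixes; v4 and v6 are collapsed separately."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]

def covered(ip: str, prefixes: Iterable[str]) -> bool:
    """Check whether a destination the firewall saw falls inside the allow-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

def iptables_rules(prefixes: Iterable[str], ports: Iterable[int] = (443,), chain: str = "OUTPUT") -> List[str]:
    """Render one ACCEPT rule per prefix and port, choosing iptables or ip6tables by family."""
    rules = []
    for p in prefixes:
        tool = "ip6tables" if ipaddress.ip_network(p, strict=False).version == 6 else "iptables"
        for port in ports:
            rules.append(f"{tool} -A {chain} -d {p} -p tcp --dport {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    exchange = collapse(m365_prefixes(M365_SAMPLE, service_areas={"Exchange"}))
    s3_syd = collapse(aws_prefixes(AWS_SAMPLE, regions={"ap-southeast-2"}))
    for rule in iptables_rules(exchange, ports=(25, 443)) + iptables_rules(s3_syd):
        print(rule)
```

Two points a practitioner would want to keep in mind with this approach. Both feeds change over time (Microsoft publishes a version endpoint alongside the endpoints service and AWS stamps ip-ranges.json with a syncToken), so the rule set has to be regenerated on a schedule and diffed against the previous run rather than loaded once. And, as Andres already notes, the ranges are shared infrastructure: a rule for the S3 prefixes of a region permits traffic to every bucket in that region, not just yours, so scope the AWS query to the regions you actually use and the Microsoft query to the serviceArea and category you need.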