HTTPS filtering

The_Librarian

So this is a question every sysadmin will be asking.

How the heck do you do HTTPS filtering? Now this is not easily done, hence I'm looking for solutions that will enable me to do so.

I'm not interested in Barney's Capitec sessions, but I want to block Bob's visits to https://porn.site.com

Smoothwall only offers HTTP filtering (URL Filter) which works a treat, but with HTTPS in play, something different is needed.

I don't have the time to go and change settings on each user's PC, which means that this kind of filtering needs to be done from a central point, where one can add domains to blacklist, or whitelist. And have reports telling you that Bob tried to visit https://porn.site.com several times during the day, but was blocked.

Additional bonus will be if it can tell you how long a specific IP was spending on a site (for example Tammy spending hours on Youtube instead of working).

As well as bandwidth consumed per IP and all the usual foefenjolletjies you can expect from a good firewall.

Thanks in advance.

Ook
 
You're looking for a transparent proxy, and your aim is to block access to domains (DNS would be easiest to implement and easiest to circumvent) - a domain blacklist/whitelist sounds easy?


For bandwidth tracking, we use BandwidthD, it works.
 

Spot on. Domain black/whitelisting is what I want/need.

May be possible to use BandwidthD - had used it yonks ago.
 
I just tested Squid in Pfsense again quickly (haven't used it in a while) and getting a transparent proxy to work is pretty quick and painless - you just have to ensure you install the CA on all the target machines.
 
Kerio.
 
I just tested Squid in Pfsense again quickly (haven't used it in a while) and getting a transparent proxy to work is pretty quick and painless - you just have to ensure you install the CA on all the target machines.

I don't have the time to go and change settings on each users' PC, which means that this kind of filtering need to be done from a central point

Would be a mission... unless group policy?

Also - does @OP want the liability of being able to decrypt all user traffic?
 

4 Ways

1 - DNS Based filtering (opendns)
2 - SSL-Bump content filtering proxy (needs SSL Cert pushed to any device using the gateway) for Transparent Proxying (Pfsense)
3 - Authenticated proxy for Non-transparent (type in username/password to access internet)
4 - Content filter app on PC - -netnanny a la bleh
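Option 2 without the decryption step, plus the reporting the OP asked for, as an added example that is not code from anyone in this thread: if the transparent proxy (assumed here to be Squid, peeking at the TLS SNI and splicing rather than bumping) logs each tunnel's destination host, then domain black/whitelisting and per-IP reports come straight from access.log with nothing decrypted. The log lines and the blocklist below are constructed sample data.

```python
from collections import defaultdict

# Domains the gateway policy blocks; subdomains match too (assumed policy).
BLOCKLIST = ("porn.site.com", "facebook.com")

# Constructed sample of Squid native access.log CONNECT lines (not real traffic):
# <unix_ts> <elapsed_ms> <client_ip> <result>/<code> <bytes> CONNECT <host>:<port> ...
SAMPLE_LOG = """\
1510000001.000    120 10.0.0.5 TCP_DENIED/403 0 CONNECT porn.site.com:443 - HIER_NONE/- -
1510000050.000    300 10.0.0.5 TCP_DENIED/403 0 CONNECT www.porn.site.com:443 - HIER_NONE/- -
1510000100.000 900000 10.0.0.7 TCP_TUNNEL/200 52428800 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.9 -
1510000200.000  15000 10.0.0.7 TCP_TUNNEL/200 1048576 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.9 -
1510000300.000    200 10.0.0.9 TCP_TUNNEL/200 4096 CONNECT capitec.co.za:443 - HIER_DIRECT/203.0.113.20 -
"""

def matched_domain(host, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers host (exact or subdomain), else None."""
    host = host.lower().rstrip(".")
    for domain in blocklist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def parse_connect(line):
    """Parse one CONNECT line into (elapsed_s, client, bytes, host); None otherwise."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    host = fields[6].rsplit(":", 1)[0]  # strip the :443 port
    return int(fields[1]) / 1000.0, fields[2], int(fields[4]), host

def report(log_text, blocklist=BLOCKLIST):
    """Blocked attempts per (client, blocked domain); (seconds, bytes) per (client, host)."""
    blocked = defaultdict(int)
    usage = defaultdict(lambda: [0.0, 0])
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue
        elapsed_s, client, nbytes, host = rec
        domain = matched_domain(host, blocklist)
        if domain:
            blocked[(client, domain)] += 1  # "Bob tried porn.site.com, was blocked"
        else:
            usage[(client, host)][0] += elapsed_s  # tunnel lifetime ~ time on site
            usage[(client, host)][1] += nbytes  # bandwidth per IP per site
    return dict(blocked), {k: tuple(v) for k, v in usage.items()}
```

The bank session (capitec.co.za) is only ever seen as a host name and a byte count, which is the point of splicing instead of bumping.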
 
I don't want that liability. Only have the ability to selectively block HTTPS (pr0nz facebook etc). I don't wanna see what people posted, unless really necessary.

Then DNS is your safest route, no content interception.
 
Smoothwall does support HTTPS filtering according to their website...

When you say not easily done... HTTPS deep scanning (to scan packets inside the secure tunnel) is not easily done, or it is, but sites break, so some HTTPS sites need to be excluded but those are mostly trusted sites in any case, like banking sites and google etc.
To just block a site with a webfilter, well, should not matter if it's http or https... or at least that's how it works on Fortigate web filtering
 
Then DNS is your safest route,no content interception

Sure, but the way that many porn sites work is that they simply obfuscate them through CDNs. Try explaining to the CEO that he can't watch the soccer / cricket feed because Frikkie Vuilnaels in the basement has a habit. DNS blocking and content filtering is pretty much rubbish, paying a service provider to enumerate badness, creating long lists of bad stuff (akin to traditional antivirus) and then it doesn't work because they simply cannot keep up with the hundreds of new domains being created every second, and people using countless other methods to bypass it. And then there are the false positives, the "news" sites that provide ads. What do you do in a disciplinary hearing when the defense attorney hires a geek to state that it was just a streaming ad for chixwithdix.com on 4chan?

@OP, SSL/TLS interception has been around since the advent of SSL. Not only does it provide insight into what peeps do with their corporate internet bandwidth, it also gives insight into malware and other far naughtier stuff that peeps get up to, which is why I run it in my own home. You may have problems with Android 7.1+ (it doesn't currently allow "different" certs to be installed without rooting) but I am guessing that Bring Your Own Disaster (BYOD) is the least of your concerns right now. Just do it, most UTMs are capable.

Edited after reading Waylander's Wisdom: Make sure that the processes (such as implementing the four eyes principle) are well documented and followed. They will be tested in a hearing. And challenged when someone's money goes missing. Lastly, do not cache SSL/TLS sessions, leads to huge issues for some strange reason...
 
You get what you pay for.

If you are running an open source firewall, there are certain functionalities that you can only find on a full UTM device.

HTTPS filtering is quite easy on Kerio and Sonicwalls. I'm sure it is quite simple to setup in other UTM like Fortinet, Sophos or Cisco.

Now, the reporting is a different story, as not all of them report back as they should. Some of them require a separate subscription and sometimes another device that will keep the logs and report back to you.

I know where you are. You not only want to filter the traffic, you also want to know who is trying to access it, when and from which device.

And now with Ransomware and all that crap, you need a device that can also stop that traffic.

Unfortunately, not something that you get on the open source world.
 
I would say DNS is an easy way to go. But if it's really only one site, you wouldn't need to use opendns.

Force users to use your DNS server (via a simple NAT rule) then on your DNS server create a static entry to point that record to something like 127.0.0.1.

I am also pretty sure iptables has an extension to check the TLS certificate, that way you could block it in the forward chain.
 