#1 dmor (Master Untangler)

Inbound SSL Inspection for internal web server

    Hi folks,

    Is anyone out there using Untangle's SSL Inspection for inbound connections to a web server you are hosting internally?

I am interested in this because we disable insecure ciphers on customers' internal Exchange servers & other web servers.

However, connections are still attempted periodically with these weaker ciphers, and the server then logs errors to the system log about a connection requested to SChannel via an unavailable cipher.

    This muddies up the Windows Server system log.

    With Untangle's SSL Inspector running in the reverse direction we could let the Untangle NGFW handle the acceptable ciphers. This would allow the NGFW to block any client connections to these servers using insecure ciphers, and so the web server would only ever receive connections with strong ciphers. This would keep the logs clean.

    To accomplish this we'd need to put the publicly trusted cert (purchased from a common CA) on Untangle and have it use that cert for its SSL Inspection.

A part of me feels this is just asking for trouble. But really it should be 100% technically normal use of Untangle. Just a use case that may be less common and would have to be set up meticulously in terms of policy manager, etc.

    This is an extremely common/normal practice for pretty much all big websites. They have a load-balancer sitting in front of a server pool. Common load-balancers for this kind of thing are F5, Citrix NetScaler, Cisco ACE, etc.

    In my case, I'm not seeking load-balancing among a pool of servers. Just a single server that will be accessed via a port forward (or behind a bridged DMZ interface with appropriate firewall rules, etc.).

    Please let me know if you are aware of anyone using Untangle NGFW in this fashion.

    Thanks!
    -
    Doug

#2 sky-knight (Untangle Ninja, Phoenix, AZ)

    What you're asking for is a reverse SSL proxy, and it's utterly different than the SSL inspector.

Though I suppose it might work if you got creative with it, but why? Those errors are to be expected, and they get worse with time as those bad ciphers are disabled and the server ages.

    Oh, and the certificate used by SSL inspector isn't a web certificate, it's a root authority certificate, that's a very different thing.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 dmor (Master Untangler)

sky-knight wrote:
> What you're asking for is a reverse SSL proxy, and it's utterly different than the SSL inspector.

Yes, very true.

sky-knight wrote:
> Though I suppose it might work if you got creative with it, but why? Those errors are to be expected, and they get worse with time as those bad ciphers are disabled and the server ages.

Would just be nice to have those errors gone. Most large enterprises don't have to have that stuff muck up their event logs because it's all taken care of at the perimeter (or at an outsourced DDoS protection service like Akamai, CloudFlare, Neustar, etc.).
Those cause DCDiag to report failures, which is obviously not the case & generally just undesirable.

sky-knight wrote:
> The certificate used by SSL inspector isn't a web certificate, it's a root authority certificate, that's a very different thing.

Yes. I wasn't thinking of that for some reason. That alone is a deal breaker for this idea since Untangle's CA will obviously not be trusted by clients on the web.

    That being said, I'm going to lay this one to rest.

    Thanks for helping me see this one more clearly Rob.

    FYI I do believe this is a feature that various Untangle competitors have. But not a big deal for me.

#4 sky-knight (Untangle Ninja, Phoenix, AZ)

    Actually, the issue of handling SSL at the border isn't nearly as uniform as you seem to think it is.

I'm of the opinion that the web server should be doing that. Using an aggregator is one thing, but Untangle isn't an aggregator... as with anything that's a proxy, it's best to use a proxy. Because that's specific, specialized, and a whole mess of features to deal with just that one thing. SSL aggregators are every bit as complex as Untangle is! And well... Untangle ISN'T a proxy.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#5 dmor (Master Untangler)

    Most if not all larger enterprises, Fortune 1000s, Office365, Google, etc. use a DDoS protection system/provider that does an initial termination of the inbound connections, which also often provides a WAF. Then in addition to that, there is always a server pool sitting behind a load balancer which terminates the SSL connection (a 2nd time) before passing it along to the actual web server. This is required to enter the session cookie used for the load-balancing.

Even many smaller company websites use a CDN like CloudFlare which caches content closer to the end user & provides DDoS protection among other features. I have a boys & girls club that does.

    I agree it is a specialized technology that you should only provide if you are serious about that market segment and going to do a great job at.

    FortiGates do load balancing for inbound connections to server pools as does pfSense. I have a colleague who uses pfSense for this purpose and controls the available inbound ciphers there.

    I don’t need the functionality though and certainly wouldn’t want Untangle to spend development resources on it, instead of focusing on improving their existing features.
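The setup discussed in this thread (a TLS-terminating device in front of the web server that only negotiates approved ciphers, so the backend never sees a weak-cipher handshake) as a small loopback demonstration; this is added example code, not from the thread, Untangle, or pfSense. It assumes the `openssl` CLI is installed to mint a throwaway self-signed certificate, and the suite names in `STRONG_SUITES` and the two client cipher lists are illustrative choices, not a recommended policy.

```python
import os, socket, ssl, subprocess, tempfile, threading
# Assumed perimeter policy: only these TLS 1.2 suites are negotiated in front of the backend.
STRONG_SUITES = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"

def make_self_signed_cert(directory):
    # Throwaway RSA key + self-signed cert via the openssl CLI (assumed to be installed).
    key, crt = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def perimeter_context(certfile, keyfile):
    # Server-side context standing in for the TLS-terminating perimeter device.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not cover TLS 1.3
    ctx.set_ciphers(STRONG_SUITES)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def client_attempt(port, cipher_list):
    # True only if a client limited to cipher_list completes a handshake with a policy suite.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed test cert only
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.cipher()[0] in STRONG_SUITES.split(":")
    except OSError:  # handshake-failure alert (ssl.SSLError) or a reset from the closed peer
        return False

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        srv_ctx = perimeter_context(*make_self_signed_cert(d))
        listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(5); listener.settimeout(10)
        port = listener.getsockname()[1]
        def serve():
            for _ in range(2):  # one strong client, then one weak client
                conn, _ = listener.accept()
                try:
                    with srv_ctx.wrap_socket(conn, server_side=True):
                        pass  # handshake done; a real proxy would now forward to the backend
                except OSError:
                    pass  # no shared cipher: refused here, the backend never sees the attempt
        worker = threading.Thread(target=serve, daemon=True); worker.start()
        strong = client_attempt(port, "ECDHE-RSA-AES128-GCM-SHA256")
        weak = client_attempt(port, "AES128-SHA")  # RSA key exchange, CBC, no forward secrecy
        worker.join(10); listener.close()
        return strong, weak  # expected (True, False)
```

`run_demo()` returns `(True, False)`: the weak-cipher attempt is refused by the front-end with a handshake-failure alert, which is exactly the event the thread wants kept out of the web server's own log.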
