  1. #1
     Newbie, Join Date: Jul 2018, Posts: 2

     Tag abandoned remote hosts

    Dear Community,

    I use Untangle for my home protection and I currently inspect all SSL traffic.
    Those of you who have tried this know what pain it brings.
    My current approach to make this somewhat manageable is to export all the rules, crunch them with a shell script on my log host which spits out all IPs/networks to a text file.
    Then the script searches for all abandoned SSL sessions in my log files and adds those to the IP list.
    Now I have a list of unique IPs / networks to import to a small program I wrote which finally creates an XML rule file, ready to import in Untangle.

    The above makes it easier but it's still a pain in my fat butt and I'm very lazy so I have started to look at another approach.
    I would like to tag the remote hosts with "SSLERROR" when the status of the SSL inspector equals "Abandon".
    Then I would like to create an SSL rule to ignore remote hosts tagged with "SSLERROR".
    Is this possible to achieve?
    Is there anyone out there with more than my 20 hours of experience with Untangle who may give me some pointers or examples?

    The up and down side of this would be that when the wife and kids browse the web, they would just need to refresh the page when the nasty certificate error occurs, and the second time the page is requested the SSL inspector would ignore it.
    At the same time, it would block some malware which tries to stay off the radar by only connecting to a host once and then tries another one to avoid detection.

    And yes, I'm very aware that there are flaws in doing this, but I'd rather inspect what I can with zero maintenance than ignore TLS traffic altogether.
    This is for my home network so I can't afford a decent SIEM/UEBA solution, neither time- nor cost-wise.

    Thanks in advance!
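
The log-crunching step this post describes (pull the networks out of the exported rules, find the abandoned SSL Inspector sessions in the logs, de-duplicate, and emit a rule file) as an added example. This is not the poster's script and not Untangle's own tooling: the log line layout (`server=` / `status=` fields), the exported-rule network list and the XML schema are all constructed for the example, so the XML must be mapped onto the structure of a real exported rule file before it is imported.

```python
import ipaddress
import re
from xml.etree import ElementTree as ET

# Constructed sample log lines. The field layout (client=, server=, sni=, status=)
# is an assumption for this example, not Untangle's real SSL Inspector log format.
SAMPLE_LOG = """\
2018-07-10T08:01:12 ssl-inspector client=192.168.1.20 server=203.0.113.10 sni=bank.example status=Abandon
2018-07-10T08:01:15 ssl-inspector client=192.168.1.20 server=203.0.113.11 sni=cdn.example status=Inspect
2018-07-10T08:02:40 ssl-inspector client=192.168.1.31 server=203.0.113.10 sni=bank.example status=Abandon
2018-07-10T08:03:02 ssl-inspector client=192.168.1.31 server=198.51.100.7 sni=pinned.example status=Abandon
2018-07-10T08:03:09 ssl-inspector client=192.168.1.31 server=not-an-ip sni=broken.example status=Abandon
"""

# Networks already present in the exported ignore rules (constructed example values).
EXISTING_RULES = ["198.51.100.0/24"]

LINE_RE = re.compile(r"\bserver=(?P<server>\S+).*?\bstatus=(?P<status>\S+)")


def abandoned_servers(log_text):
    """Return the sorted, de-duplicated server IPs whose inspection status was 'Abandon'."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("status") != "Abandon":
            continue
        try:
            found.add(ipaddress.ip_address(m.group("server")))
        except ValueError:
            continue  # malformed address: skip it rather than abort the cron run
    return [str(ip) for ip in sorted(found, key=lambda ip: (ip.version, int(ip)))]


def merge_with_existing(server_ips, existing_cidrs):
    """Add new hosts to the existing networks, drop hosts already covered by a rule,
    and collapse adjacent/overlapping entries so the rule file stays small."""
    existing = [ipaddress.ip_network(c, strict=False) for c in existing_cidrs]
    new_hosts = []
    for ip_str in server_ips:
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in existing):
            continue  # already ignored by an existing rule
        new_hosts.append(ipaddress.ip_network(ip_str))
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed IP versions
        same = [n for n in existing + new_hosts if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in merged]


def build_rule_xml(networks):
    """Serialize the networks as a placeholder XML document. This schema is invented
    for the example and is NOT Untangle's import format; map it onto the structure
    of a rule file exported from the SSL Inspector before importing."""
    root = ET.Element("sslInspectorRules")
    for net in networks:
        rule = ET.SubElement(root, "rule", action="ignore")
        ET.SubElement(rule, "description").text = "auto: abandoned session"
        ET.SubElement(rule, "remoteNetwork").text = net
    return ET.tostring(root, encoding="unicode")


def generate_rules(log_text, existing_cidrs):
    """Full pipeline: log lines -> abandoned servers -> merged network list -> XML."""
    networks = merge_with_existing(abandoned_servers(log_text), existing_cidrs)
    return networks, build_rule_xml(networks)


if __name__ == "__main__":
    nets, xml = generate_rules(SAMPLE_LOG, EXISTING_RULES)
    print("networks:", nets)
    print(xml)
```

Run from cron against the real log file and the network list extracted from the exported rules. Because every abandoned session becomes a permanent ignore entry, the generated list is worth reviewing now and then: a host that ends up on it is never inspected again, so the `description` field is there to make the automatically added rules easy to find and prune.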

  2. #2
     Master Untangler, Join Date: Mar 2017, Posts: 170

    Before I run to RTFM myself - and going by memory - isn't tagging for local hosts and users only? Not remote ones. If it is so (and only if):

    - if you tag local users, it is equivalent to bypassing them in SSL Inspection, so do just that
    - if you want a no-brainer for certificate pinning devices, as they are usually mobile, tag mobile devices accordingly in the device tab and put them via Policy Manager in mobile-only racks where SSL inspection is easier or absent. Then work accordingly with other apps and enforce the mobile devices in a more hardened way (e.g., does the kids' Android device really need to access the NAS?)
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, IPSec 1 road-warrior, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.

  3. #3
     Newbie, Join Date: Jul 2018, Posts: 2

    Hi docfuz,

    If the box may only tag local users/devices, it would explain why I don't get this working.
    After scanning the forums (before I posted this thread) I don't think there is a way to automate what I want out of the box then. Maybe the only solution is to put a couple more hours into my script and run it as a cron job.

    I have all my devices on the same subnet and control the internal segmentation in my Aruba APs, so Untangle is only used for Internet access, tunnel VPN and for OpenVPN clients.

    Thanks for your reply!

  4. #4
     Master Untangler, Join Date: Mar 2017, Posts: 170

    Quote Originally Posted by beard:
        I have all my devices on the same subnet and control the internal segmentation in my Aruba APs, so Untangle is only used for Internet access, tunnel VPN and for OpenVPN clients.

    As soon as you have some noisy devices (Amazon Fire Stick, anyone?!) you will probably stop having all clients in the same subnet.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, IPSec 1 road-warrior, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.
