Secure Your OPNsense Network with Zenarmor NGFW!

  • Published: 13 Jan 2025

Comments • 95

  • @mithubopensourcelab482
    @mithubopensourcelab482 11 months ago +22

    Everyone should hate TLS inspection. No point in breaking sites / applications. You were right in identifying this. This applies even in workplaces as well.

  • @TheUkeloser
    @TheUkeloser 11 months ago +14

    I work on one particular brand of NGFW in my day job and while the TLS inspection stuff is impressive in what it can do, you're right that it does cause a lot of problems in practice.

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +4

      A lot of modern apps either distribute a trust list on their own (especially if they are containerized / some library is trying to be OS-agnostic), and as a developer it makes a ton of sense to be cert pinning to the CA that issues your certs, but it means it's a nightmare for users behind TLS inspectors.

    • @TheUkeloser
      @TheUkeloser 11 months ago +2

      Exactly. Admins can install a trusted CA cert on the workstations and re-sign all their inspected traffic with a subordinate CA signed by the same root, so browsers "mostly" work (aside from HSTS sites), but standalone apps that just happen to use TCP 443 and TLS are harder.

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +6

      The authors of TLS and related specs are very concerned with MITM / privacy attacks and don't care to reduce the level of security they provide to make TLS inspection easier.
      Sites *should* be deploying HSTS, apps using TLS *should* be validating their certs; asking them to do less so you can MITM their traffic isn't something they are interested in 'fixing'. The end result is that end users perpetually think IT has 'broken' something because the program tells them they are being attacked.

    • @nezu_cc
      @nezu_cc 11 months ago +2

      Nothing against you in particular, but I absolutely hate people who are trying to MITM TLS traffic. Thank god encrypted SNI is already on the horizon so you people can stop trying to filter the last clear text thing you have left.

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +1

      eSNI (and its successor ECH) has some issues with key distribution. It's a great concept, but SNI is unencrypted for a reason.
      Unencrypted SNI (and ALPN) is a thing so the server can identify which certificate it should use (to properly deal with multi-tenant servers / CDNs / virtual hosts / ...). ECH needs to encrypt the ClientHello using the edge server's key, not the origin's key, so the client needs to know which CDN / server it's accessing and get the key for that server. CF's eSNI would publish their key (their one key, for all of CF) via DNS TXT records, which doesn't work if you aren't using a single CDN for all of your traffic, so it was rejected as a standard.
      The current ECH version relies on DNS HTTPS records which are basically similar to an SRV. A single domain can have multiple HTTPS records, each of which points to an edge server, proto (http 1.1/2/3), and the edge server's key. But they still aren't widely deployed and supported.

  • @UnderEu
    @UnderEu 11 months ago +16

    Can't wait for the IPv6-mostly OPNsense video. This is my primary goal for my new home network.

    • @l0gic23
      @l0gic23 11 months ago +1

      Why may I ask? Serious question... I don't know what I don't know... I have not run out of IPs on my primary subnet... thx

    • @UnderEu
      @UnderEu 11 months ago +3

      @@l0gic23 1. Because I’m an early enthusiast of the current protocol;
      2. I want my network to be simple yet powerful, versatile and in line with what the Internet intended to be (no NATs, no design limitations - other than the project size itself - nor any shenanigans imposed to fix problems that existed on the Jurassic stack); and
      3. To test my gear against the actual Internet standard and improve/fix it by providing feedback to the manufacturers or replacing them altogether with stuff manufacturers ACTUALLY care about.

    • @l0gic23
      @l0gic23 11 months ago +2

      @@UnderEu I'd better rewatch this channel's video on why IP6 in the home/lab. Thanks!

  • @martyb3783
    @martyb3783 1 day ago

    This is a great video! Thanks for making it. I just paid for Zenarmor and will try it for a year and see where it goes.

  • @bbekkaa365
    @bbekkaa365 11 months ago +11

    Unfortunately, the free version is very limited in functionality.

  • @Glasairmell
    @Glasairmell 10 months ago

    Thank you so much. I have a small homelab and will not be using this like you, even though it looks fantastic for larger institutions. Great professional presentation on this video.

  • @zyghom
    @zyghom 11 months ago +7

    I tried it and did not feel any need for it at home, and the pricing is not OK either.

  • @vaughnbay
    @vaughnbay 10 months ago

    Great Vid! Your graphics (while explaining) are helpful as well. Good job!

  • @fabioh1590
    @fabioh1590 7 months ago +1

    Great video, very detailed and super specific, thanks a lot mister.

  • @davidreddick3016
    @davidreddick3016 11 months ago +3

    Has someone tried blocking DNS over HTTPS with this? This seems to be a big unsolved issue in the industry, with more and more browsers and devices using it to hide from traditional DNS. Unlike DNS over TLS, it also uses the same port 433, so you can't even block it at a port level.

  • @Wingnut353
    @Wingnut353 9 months ago +14

    Zenarmor is just way too expensive. I mean, why would I spend $500+ on subscription services for a $500 firewall... If this were like a $100 a year subscription we might spring for it.

    • @renehoehle
      @renehoehle 5 months ago

      Absolutely. I use Sophos XGS for some customers, and that is expensive, and I use an alternative. But this product is twice that price. So when you really want those features, I can use Sophos XGS. Otherwise I have to use OPNSense without those features.

    • @Milhouz
      @Milhouz 3 months ago

      Zenarmor is $100 a year for the home version.

    • @renehoehle
      @renehoehle 3 months ago

      @@Milhouz Yes, OK, but it doesn't sound like he can use the home version.

    • @jameshendry3571
      @jameshendry3571 3 months ago

      I've been on the free version for a while and just moved to the paid version. Even in Australian pesos, $100 USD is reasonable for the feature set. For a business firewall I think their subs are very reasonable.

    • @renehoehle
      @renehoehle 3 months ago

      @@jameshendry3571 The problem is that it depends on the devices behind the firewall, and for a mid-sized business it's easy to go over 100 devices, and then it starts to get expensive.

  • @renehoehle
    @renehoehle 5 months ago +1

    The problem is, I looked into that yesterday. I think it's nice, but in the end much more expensive than the high-end firewall solutions. In my mid-business setup I have 120 devices, so I can't get the Small license; I have to pay 1,5 times for the license (2 firewalls). So I have 337$ per month, and that's too much. In the end it's much more expensive than the Sophos XGS that I'm using at some customers. For 3 years it's 12150$. The problem is I don't need most of the features, but I have to use them because I have over 100 devices, and then you have to use the Business tier.

  • @Headh0t549
    @Headh0t549 9 months ago +2

    Could you make a video on how to do a basic OPNSense setup with a UDR?
    I basically only want to use the UDR as a Wi-Fi and Protect controller.

    • @bro_nobro
      @bro_nobro 9 months ago

      I would also like to see a video on how to do this most efficiently!

  • @royalcanadianbearforce9841
    @royalcanadianbearforce9841 11 months ago +1

    Is it possible to restrict ZenArmor to a specific VLAN? I ask because while I would be happy to use this for work devices, I can't help but agree that the TLS inspection could cause a lot more work than I'm ultimately willing to put into it if I had to deploy this across my entire home network. Thanks for the great content!

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +5

      Zenarmor doesn't intercept TLS, it only looks at the unencrypted headers.
      But you choose as a global setting which interfaces to operate on, and beyond that you can choose which interfaces apply to a policy.

    • @royalcanadianbearforce9841
      @royalcanadianbearforce9841 11 months ago +1

      Thank you very much for the quick reply! Looking forward to deploying this next week!

  • @mithubopensourcelab482
    @mithubopensourcelab482 11 months ago +3

    With Zenarmor, OPNsense becomes an NGFW [as per Sunny Valley]. How does it compare with other NGFWs like Sophos / Fortigate?

    • @legendaryz_ch
      @legendaryz_ch 9 months ago

      More control, less user friendly. That's OPNsense. On Sophos you've got your beautiful insights and easy configuration, whereas OPNsense requires more expertise but has similar, if not better, results and is free.

    • @orno6621
      @orno6621 8 months ago

      The support and hardware, and every vendor has its own Threat Intelligence platform. Plus enterprises are moving to ZTNA.

    • @renehoehle
      @renehoehle 5 months ago

      With Sophos you don't need that, because those features are included in most high-end firewalls like Sophos XGS. And for business it's really expensive, so twice the price of Sophos XGS.

  • @El_Bartto
    @El_Bartto 10 months ago

    Thank you very much! Any tips on how to minimize the RAM used by Zenarmor?

  • @saifemran4528
    @saifemran4528 9 months ago

    Great video! What physical host do you use for opnsense?

  • @thestreamreader
    @thestreamreader 11 months ago +1

    Is there a point in running this and CrowdSec at the same time?

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +3

      They are both really different things and are used to protect different things. This is primarily focused on the destination of traffic (going out to the internet, from a client); CrowdSec is focused on incoming traffic to a server and sharing blocklists of simple attackers, similar to fail2ban on a larger scale.

  • @mithubopensourcelab482
    @mithubopensourcelab482 11 months ago

    Excellent Video sir..... 10 out of 10

  • @FourCorners-im3jg
    @FourCorners-im3jg 7 months ago

    Okay, unrelated question. What browser are you using in the video? It doesn't look familiar and I couldn't find anything like it.

  • @GrishTech
    @GrishTech 11 months ago

    What are your thoughts on OPNsense being behind on security updates? I know they have a beta with the new OpenSSL, but still, historically speaking, it's not the best in response.

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +4

      It depends on the context. In general they are pushing security updates regularly, but large changes to the codebase take time, and OpenSSL continued 1.x security updates through the end of 2023 which OPNsense was including in their releases. AFAIK 24.1 will include OpenSSL 3.x.

  • @chrisslaunwhite9097
    @chrisslaunwhite9097 11 months ago +1

    Okay, fine.... I'll subscribe. I like this content.

  • @muhammadhassansiddiqui9129
    @muhammadhassansiddiqui9129 5 months ago

    Hi,
    After configuring Zenarmor, my bandwidth has significantly decreased. Previously, Speedtest showed over 250 Mbps, but now it's dropping to as low as 3 Mbps. What could be causing this issue?

    • @apalrdsadventures
      @apalrdsadventures 5 months ago

      Uh what CPU are you running on? It sounds like it's not able to run that sort of packet inspection at full speed.

    • @muhammadhassansiddiqui9129
      @muhammadhassansiddiqui9129 5 months ago

      Thanks for your prompt response. It's working fine now. Can we do TLS inspection in the free version?

  • @BGraves
    @BGraves 11 months ago

    So it relies on TLS headers to categorize encrypted traffic? How else?
    Btw, I think W11 has random MAC addresses as a built-in security feature that you can enable.

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +2

      Apple-everything is both randomizing the MAC per network and also no longer sending the hostname via DHCP, so tracking Apple devices is a challenge. They still respond to mDNS if queried, but don't immediately advertise it. Zenarmor has caused me to raise eyebrows at some traffic and then spend 10+ minutes identifying the unknown client, only for it to be a sus mobile game on a modern iPhone which is doing a good job at hiding its identity.
      But also, some things can be detected by their known protocol headers (i.e. VPNs), TLS has to send at least SNI and ALPN unencrypted (since the server needs to know the SNI to present the right cert), and more traditional IP-based ranges can also be used as well.
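      The two replies above (the one on ECH key distribution, and this one on SNI and ALPN being the cleartext fields a passive classifier can read) describe what a Zenarmor-style engine actually sees without intercepting TLS. The following is an added example, not code from the video, from Zenarmor or from OPNsense: it builds a constructed ClientHello, parses the record and handshake headers, pulls out the `server_name` and `application_layer_protocol_negotiation` extensions, and flags the presence of an ECH extension, in which case only the outer public name is visible and the real SNI is encrypted. The ECH extension codepoint `0xFE0D` is the value used by the ECH drafts and is an assumption here; `build_client_hello`, `parse_client_hello` and `classify` are names invented for this example.

      ```python
      import struct
      from dataclasses import dataclass, field
      from typing import List, Optional

      EXT_SERVER_NAME = 0        # server_name (RFC 6066)
      EXT_ALPN = 16              # application_layer_protocol_negotiation (RFC 7301)
      EXT_ECH = 0xFE0D           # encrypted_client_hello codepoint from the ECH drafts (assumption)


      @dataclass
      class ClientHelloInfo:
          sni: Optional[str] = None
          alpn: List[str] = field(default_factory=list)
          ech_present: bool = False
          extensions: List[int] = field(default_factory=list)


      def _ext(ext_type: int, body: bytes) -> bytes:
          return struct.pack("!HH", ext_type, len(body)) + body


      def build_client_hello(sni: Optional[str] = None, alpn=(), ech: bool = False) -> bytes:
          """Constructed sample: a minimal ClientHello wrapped in a TLS record (not real capture data)."""
          exts = b""
          if sni is not None:
              name = sni.encode()
              entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
              exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
          if alpn:
              lst = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
              exts += _ext(EXT_ALPN, struct.pack("!H", len(lst)) + lst)
          if ech:
              exts += _ext(EXT_ECH, b"\x00" * 8)                              # opaque placeholder payload
          body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
                  + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
                  + b"\x01\x00"                                               # one compression method (null)
                  + struct.pack("!H", len(exts)) + exts)
          handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
          return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


      def parse_client_hello(data: bytes) -> Optional[ClientHelloInfo]:
          """Return the cleartext fields of a ClientHello, or None if this is not a complete ClientHello."""
          try:
              if len(data) < 5 or data[0] != 0x16:                            # record type: handshake
                  return None
              rec_len = struct.unpack("!H", data[3:5])[0]
              hs = data[5:5 + rec_len]
              if len(hs) < 4 or hs[0] != 0x01:
                  return None
              hs_len = int.from_bytes(hs[1:4], "big")
              body = hs[4:4 + hs_len]
              if len(body) < hs_len:
                  return None                                                 # truncated record
              pos = 2 + 32                                                    # skip client_version and random
              sid_len = body[pos]; pos += 1 + sid_len
              cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
              cm_len = body[pos]; pos += 1 + cm_len
              info = ClientHelloInfo()
              if pos + 2 > len(body):
                  return info                                                 # no extensions at all
              ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
              end = pos + ext_len
              while pos + 4 <= end:
                  etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                  edata = body[pos:pos + elen]; pos += elen
                  info.extensions.append(etype)
                  if etype == EXT_SERVER_NAME and len(edata) >= 5:
                      q = 2                                                   # skip server_name_list length
                      while q + 3 <= len(edata):
                          ntype = edata[q]; nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]; q += 3
                          if ntype == 0:
                              info.sni = edata[q:q + nlen].decode("ascii", "replace")
                          q += nlen
                  elif etype == EXT_ALPN and len(edata) >= 2:
                      q = 2                                                   # skip protocol_name_list length
                      while q < len(edata):
                          plen = edata[q]; q += 1
                          info.alpn.append(edata[q:q + plen].decode("ascii", "replace")); q += plen
                  elif etype == EXT_ECH:
                      info.ech_present = True
              return info
          except (IndexError, struct.error):
              return None                                                     # malformed input, not a ClientHello


      def classify(data: bytes) -> str:
          """One-line verdict of the kind a passive classifier could log per flow."""
          info = parse_client_hello(data)
          if info is None:
              return "not-a-clienthello"
          if info.ech_present:
              return f"ech:outer-sni={info.sni or '-'}"                       # inner SNI is encrypted
          if info.sni:
              return f"sni:{info.sni} alpn={','.join(info.alpn) or '-'}"
          return "no-sni"


      if __name__ == "__main__":
          for sample in (build_client_hello("example.com", ("h2", "http/1.1")),
                         build_client_hello("public.example", ech=True),
                         build_client_hello()):
              print(classify(sample))
      ```

      Run stand-alone it prints one verdict per constructed sample. The point for a defender is the ECH branch: once clients send ECH, a classifier that keys on SNI sees only the CDN's public name, so policy has to fall back to the IP range, ALPN or protocol-header heuristics mentioned in the reply, and a sudden rise in `ech:` or `no-sni` flows is itself worth alerting on.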

    • @l0gic23
      @l0gic23 11 months ago

      @@apalrdsadventures Did you take any next steps related to the sus games?

  • @coreyman00
    @coreyman00 10 months ago +4

    Can you use Devices on the free version? I don't see that tab.

  • @TheFuzzyAmerican
    @TheFuzzyAmerican 11 months ago

    I like the video, but I did not get a tab for Devices. I don't know what I missed here.

    • @Maxio_
      @Maxio_ 11 months ago

      Yeah me too

    • @keviin1314
      @keviin1314 10 months ago

      You need the Home version for it (you can use the free 15-day trial).

  • @AVB-v1z
    @AVB-v1z 5 months ago

    What kind of robotics coach? FIRST or VEX? I am the robotics coach for our high school FIRST Robotics team!

    • @apalrdsadventures
      @apalrdsadventures 5 months ago

      I've done both over the years (and was a student on both over a decade ago), but now I just mentor VEX and VEX IQ.

  • @geobopeter
    @geobopeter 8 months ago

    Are you telling me that OPNsense's IDP/IPS is "just" check marks if ZenArmor is not installed? And I will be better off keeping my well-administered VyOS with a Pi-hole running?

    • @apalrdsadventures
      @apalrdsadventures 8 months ago

      OPNsense's 'native' IDS/IPS solution uses Suricata.
      Zenarmor gives you curated feeds for a fee vs administering all of the feeds and rulesets manually for Suricata. Both options can be used (potentially at the same time, on different interfaces) in OPNsense.

  • @abdullahX001
    @abdullahX001 11 months ago +3

    Pretty cool.. but I don't want to spend $10 on this for home use haha, maybe small business.

  • @irreel1
    @irreel1 7 months ago

    Thank you for your videos, they are very interesting. However, I am very disappointed in this one because, as others mentioned, the free version is very limited. You suggest you can do almost the same as in your video without a subscription, but that is not the case. I will roll back OPNsense to before Zenarmor. For the rest, keep up the good work!

  • @eschofield1
    @eschofield1 11 months ago +1

    Me again. How about a video / videos on CLAT addresses, 464XLAT & DHCP Option 108?

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +3

      Doing the NAT64 / Option 108 on OPNsense (mostly v6-only + macos), Linux CLAT comes later.

    • @eschofield1
      @eschofield1 11 months ago +1

      @@apalrdsadventures Looking forward to it. 👍

  • @nickpetrovsky
    @nickpetrovsky 11 months ago

    Your t-shirt has the Cyrillic dog breed name Лайка :), and in Russian slang it can also be the feminine of an internet "like". Thank you for the interesting video!

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +4

      Neat! Лайка was the name of the first dog in space, hence the shirt.

  • @NetBandit70
    @NetBandit70 11 months ago +1

    Suricata? Seeing as it's sort of built into OPNsense.

    • @apalrdsadventures
      @apalrdsadventures 11 months ago +3

      Suricata is a very manual solution to manage and curate block lists, and is very prone to false positives (and presumably also missing a lot of things, but you'll never know) if you don't put the work in to manage these block lists.
      That's largely what you get with a Zenarmor subscription, better feeds that they have curated and keep up to date.

    • @travisaugustine7264
      @travisaugustine7264 8 months ago

      @@apalrdsadventures Not to mention Suricata is VERY CPU intensive, which can result in massive slowdowns.

  • @JasonsLabVideos
    @JasonsLabVideos 11 months ago

    Good video sir ! Keep them coming !!

  • @j_t_eklund
    @j_t_eklund 11 months ago

    I still prefer NetBSD with its npf.
    Way more control to the user/admin.

  • @JonathanSwiftUK
    @JonathanSwiftUK 3 months ago

    It doesn't really make sense to not have Windows AD somewhere in your network, for testing purposes alone. You can run an eval copy of Windows server for 180 days, and if you are clever can extend that once for another 180 days. Most corporations are based on Windows, and some have some Linux. Users have a Windows desktop with a Windows logon, and one fun thing is to configure Linux to do AD/LDAP authentication, so a user can log into Linux with their Windows username. Not having Windows limits your content and teaching.

  • @udirt
    @udirt 3 months ago

    It's sincerely the only option if you don't want to spend all your time dissing people on forums if they ask for any firewall feature that was created after like 2004.

  • @it-linux-computers-geeky6651
    @it-linux-computers-geeky6651 7 months ago +2

    If you're looking for a free version, don't waste your time with this, as everything is locked behind a premium subscription, so it's practically useless unless you subscribe.

  • @daniyalhassan7706
    @daniyalhassan7706 11 months ago

    Great

  • @NetrunnerAT
    @NetrunnerAT 6 months ago +1

    Too expensive

  • @nezu_cc
    @nezu_cc 11 months ago +3

    All of this is fun, but I just whip out shadowsocks and laugh at your firewall all day long.

    • @DanL57
      @DanL57 8 months ago

      Don't whip it out in public or you will go to jail.

  • @linearburn8838
    @linearburn8838 7 months ago

    @30:35 Who else was expecting pornhub to be a top traffic driver?