
TLS Inspection Rules on OPNsense


Encryption ensures the confidentiality and integrity of data exchanged between a sender and a recipient. SSL and its successor, Transport Layer Security (TLS), are the protocols developed to provide privacy and security for Internet services. Although they effectively protect information from unauthorized access, they also hide threats to the user, the device, and the business from the security tooling that is supposed to catch them.

Given that over 90% of worldwide Internet traffic is encrypted, most threats are concealed by encryption and remain undetectable unless TLS inspection is integrated into the security stack. Inspecting SSL- and TLS-encrypted communication is therefore essential.

Transport Layer Security Inspection is a security procedure that enables organizations to decrypt network traffic, analyze the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network. There are two methods of TLS inspection, which differ in the amount of information they provide and in whether they decrypt the data at all:

  1. Light-weight (or certificate-based) TLS Inspection: In lightweight or certificate-based inspection mode, Zenarmor® analyzes the initial phases of a TLS session. These phases are sent unencrypted and carry important information, including the remote hostname, the web category, and the remote application type. No certificate management is required, and the feature is available to all subscription tiers. Lightweight TLS inspection is fully transparent to the client.

    Light-weight TLS inspection is available for all Zenarmor subscription tiers, including the Free Edition.

  2. Full TLS Inspection (or TLS decrypt/re-encrypt): In Full TLS Inspection, Zenarmor intercepts the TLS connection, decrypts the packet contents, performs deep packet inspection, and then re-encrypts the contents. Zenarmor's Full TLS inspection capability is a significant security feature that improves visibility and control over encrypted network traffic. Because encryption is so widely deployed, attackers frequently use encrypted traffic to hide malicious activity.

    Once enabled, Zenarmor's Full TLS inspection provides robust threat detection and prevention by decrypting and inspecting inbound and outbound TLS traffic. By providing comprehensive monitoring, threat identification, and control over encrypted communications, it strengthens the network against malicious content hidden inside encrypted flows and prevents that content from evading security controls.

Figure 1. TLS Inspection Rules in a Policy

note

The full TLS inspection feature is available only for SSE, SASE, and ZTNA subscriptions.

You can easily configure the policy-based TLS Inspection feature by performing the following tasks explained in this guide:

  • Enable/Disable Full TLS Inspection
  • Enable/Disable Full TLS Inspection for Specific Sites
  • Enable/Disable Full TLS Inspection for IP Flow without DNS Data
  • Selecting TLS Traffic to Inspect

tip

For inspecting TLS traffic or viewing the Zenarmor block notification page for TLS traffic, you need to install the Zenarmor internal CA certificate on your client devices as a trusted certificate.

tip

Before implementing full TLS inspection in an organization, plan the TLS inspection deployment carefully and follow established best practices.

Enable/Disable Full TLS Inspection

Zenarmor provides a policy-based Full TLS inspection feature that you can enable or disable depending on your requirements. To enable full TLS inspection on your network, follow these steps:

  1. Navigate to Zenarmor > Policies on your OPNsense web UI.

  2. Select the policy for which you want to enable TLS inspection.

  3. Go to the TLS Controls tab.

    Figure 2. Enabling Full TLS Inspection

  4. Click on the toggle bar next to the Enable Full TLS Inspection for this policy option. This will display the full TLS inspection settings below.

  5. After selecting the TLS inspection settings you need, click the Apply Changes button to activate full TLS inspection for this policy.

Legal Disclaimer:

Please note that it is your responsibility to determine if it is legal to inspect TLS traffic in your jurisdiction. By configuring the TLS Inspection function, you are in effect allowing the service to inspect your users' TLS traffic. While all such inspection is carried out automatically rather than by individuals, such decryption may nonetheless be in breach of privacy laws in certain countries.

By enabling this functionality, you agree that you have the legal right to decrypt this traffic in all relevant jurisdictions where applied and that you have obtained all necessary consents from your users to do so.

tip

QUIC is a secure transport protocol first developed by Google in 2012. It was designed to make Internet data transfer more efficient by reducing latency and offering additional capabilities such as multiplexing many data streams over one connection and faster connection setup than the conventional TCP plus TLS combination. This can result in faster page loads and a better user experience.

QUIC achieves this improvement by bypassing the TCP handshake and using UDP instead. Because TLS inspection relies on TCP session metadata, Zenarmor recommends blocking the Google QUIC protocol. QUIC connections can be blocked using the TLS Controls of a policy. When the QUIC protocol is allowed in the policy, a notification message and a toggle bar are displayed so that you can conveniently block QUIC UDP connections. If a browser or device cannot establish a QUIC connection, it falls back to a TCP connection.

Figure 3. Blocking QUIC UDP Protocol

You may easily enable QUIC Protocol in the policy via the App Controls tab if you need to allow QUIC UDP connections.

Figure 4. Allowing QUIC UDP Protocol via the App Controls

Enable/Disable Full TLS Inspection for Specific Sites

Some TLS traffic may be covered by legal protections concerning the privacy and secrecy of communications, and decrypting and analyzing it may be illegal in some jurisdictions. Depending on your industry, location, regulatory obligations (for example the Sarbanes-Oxley Act (SOX) or rules on personally identifiable information (PII)), and other legal requirements, you may encounter data flows that should not be decrypted, such as confidential medical or financial information.

Although Zenarmor advises inspecting as much traffic as possible, it can therefore be unnecessary or inappropriate to inspect TLS traffic for certain websites. To protect the confidentiality of such connections, configure filters and exclusions in your TLS inspection setup.

Furthermore, to defeat Man-in-the-Middle (MiTM) inspection, certain vendors and developers implement certificate pinning in their applications. Zenarmor cannot inspect SSL traffic from websites or applications that use certificate pinning, including but not limited to Adobe, Apple, Cisco WebEx, Microsoft Office 365, and the Dropbox app.

Zenarmor maintains a list of websites that are automatically excluded from TLS inspection. It also lets you choose additional websites and apps that will not be inspected, globally for your firewall.

To exclude certificate-pinned and whitelisted websites from TLS inspection in a policy, follow these steps:

  1. Navigate to Zenarmor > Policies on your OPNsense web UI.

  2. Select the policy that you want to configure for TLS inspection.

  3. Go to the TLS Controls tab.

  4. Click on the Exclude whitelisted/certificate-pinned websites from inspection option.

    Figure 5. Excluding whitelisted/certificate-pinned websites from inspection

  5. Optionally, click the Manage button to view and manage the websites bypassed from TLS inspection on the global TLS Inspection settings page.

  6. Click the Apply Changes button to activate the settings for the policy.

Enable/Disable Full TLS Inspection for IP Flow without DNS data

Zenarmor allows you to exclude from inspection TLS flows that have no hostname or web category information. To enable or disable full TLS inspection for flows identified only by IP address, with no associated hostname, follow these steps:

  1. Navigate to Zenarmor > Policies on your OPNsense web UI.

  2. Select the policy that you want to configure for TLS inspection.

  3. Go to the TLS Controls tab.

  4. Click on the Exclude flows without DNS enrichment data from inspection option.

    Figure 6. Excluding flows without DNS enrichment data from inspection

  5. Click the Apply Changes button to activate the settings for the policy.

Selecting TLS Traffic to Inspect

Selecting the TLS traffic that will be fully inspected is straightforward in Zenarmor. You can enable full TLS inspection for all web (HTTPS) connections, or only for selected web categories, depending on your requirements.

Inspecting All Web Traffic

To enable full TLS inspection for all HTTPS traffic that matches a policy, follow these steps:

  1. Navigate to Zenarmor > Policies on your OPNsense web UI.

  2. Select the policy for which you want to enable TLS inspection.

  3. Go to the TLS Controls tab.

  4. Ensure that full TLS Inspection is enabled.

  5. Click on the Inspect all web traffic toggle bar.

    Figure 7. Inspecting All Web Traffic

  6. Click the Apply Changes button to activate full TLS inspection for the policy.

Inspecting Traffic for a Web Category

To enable full TLS inspection for traffic in a specific web category that matches a policy, follow these steps:

  1. Navigate to Zenarmor > Policies on your OPNsense web UI.

  2. Select the policy that you want to configure for TLS inspection.

  3. Go to the TLS Controls tab.

  4. Ensure that full TLS Inspection is enabled.

  5. Find the web categories that you want to inspect from the web category list at the bottom of the pane. You may also use the search bar to find the web category quickly.

    Figure 8. Inspecting Web Category Traffic

  6. Click the toggle bar in the Status column next to the web category. This changes the Status from Do not Inspect to Inspect.

  7. Repeat steps 5-6 for each web category whose traffic you want to inspect.

  8. Click the Apply Changes button to activate full TLS inspection for the policy.
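The options in this guide interact: the per-policy master switch, the "inspect all web traffic" toggle, the per-category selection, the two exclusions (pinned/whitelisted sites and flows without DNS enrichment data), and the QUIC UDP block. The following added example is a small model of that decision logic written for this guide; it is not Zenarmor's code, and the precedence it applies (QUIC block first, then the two exclusions, then the all-web or per-category selection) is an assumption chosen to match the descriptions above, not a documented order of evaluation. The flow records and category names are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Flow:
    """One TLS flow as the inspector sees it before any decryption (constructed sample)."""
    proto: str                      # "tcp" or "udp"
    dst_port: int
    hostname: Optional[str]         # None when no DNS enrichment data exists (IP-only flow)
    category: Optional[str]         # web category from lightweight inspection, if known
    cert_pinned: bool = False       # app/site known to use certificate pinning


@dataclass
class TlsPolicy:
    """Model of the TLS Controls toggles of one policy (field names are assumed, not the UI's)."""
    full_inspection: bool = False                   # "Enable Full TLS Inspection for this policy"
    inspect_all_web: bool = False                   # "Inspect all web traffic"
    inspect_categories: Set[str] = field(default_factory=set)
    exclude_pinned_or_whitelisted: bool = True      # "Exclude whitelisted/certificate-pinned websites"
    exclude_flows_without_dns: bool = True          # "Exclude flows without DNS enrichment data"
    block_quic: bool = True                         # block QUIC UDP so clients fall back to TCP
    whitelist: Set[str] = field(default_factory=set)


def decide(policy: TlsPolicy, flow: Flow) -> str:
    """Return the action for a flow: 'blocked', 'lightweight', 'bypass' or 'inspect'.

    'lightweight' means only the cleartext handshake metadata is analyzed;
    'bypass' means full inspection was enabled but this flow is deliberately exempt.
    Assumed precedence: QUIC block, then exclusions, then selection.
    """
    # QUIC (UDP/443) cannot be fully inspected because the inspector relies on TCP session
    # metadata; blocking it makes the client retry over TCP where inspection is possible.
    if flow.proto == "udp" and flow.dst_port == 443:
        return "blocked" if policy.block_quic else "lightweight"

    if not policy.full_inspection:
        return "lightweight"

    # Exclusions win over any selection below.
    if policy.exclude_pinned_or_whitelisted and (
        flow.cert_pinned or (flow.hostname in policy.whitelist)
    ):
        return "bypass"
    if policy.exclude_flows_without_dns and flow.hostname is None:
        return "bypass"

    # Selection: everything, or only chosen categories.
    if policy.inspect_all_web:
        return "inspect"
    if flow.category is not None and flow.category in policy.inspect_categories:
        return "inspect"
    return "lightweight"


def evaluate(policy: TlsPolicy, flows):
    """Apply the policy to a list of flows and return (hostname-or-ip-only, action) pairs."""
    return [(f.hostname or "<ip-only>", decide(policy, f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows; the hostnames are placeholders, not real sites.
    sample_flows = [
        Flow("tcp", 443, "news.example", "News"),
        Flow("tcp", 443, "bank.example", "Finance"),
        Flow("tcp", 443, "updates.example", "Software", cert_pinned=True),
        Flow("tcp", 443, None, None),
        Flow("udp", 443, "video.example", "Streaming"),
    ]
    p = TlsPolicy(full_inspection=True, inspect_categories={"News", "Streaming"},
                  whitelist={"bank.example"})
    for host, action in evaluate(p, sample_flows):
        print(f"{host:20} -> {action}")
```

Running the script shows the behaviour a practitioner should expect when rolling this out: the pinned updater and the whitelisted bank are bypassed even though full inspection is on, the IP-only flow is bypassed because it has no DNS data, the news site is inspected because its category is selected, and the QUIC flow is blocked so the client can retry over TCP. Turning off `exclude_flows_without_dns` is what turns the IP-only flow into an inspected one.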