I’m missing Proxy and UfdbGuard a lot; I don’t see how DPI can replace them.
DPI has become mostly useless with the proliferation of TLS for everything?
Hello Francenildo,
can you please elaborate a bit?
What problem do you have?
What are you trying to achieve?
I have a client where I set up management by groups, where, for example, the finance group only accesses banks. How can I do this in NethSecurity?
This is very interesting. I am curious: kindly, how did you achieve this?
In the firewalls of brands like SonicWall, Fortinet, Cisco, Sophos, etc. In free software firewalls I always used Squid with SquidGuard or UfdbGuard. In pfSense versions lower than 2.72 and NethServer up to 7.9 I always used it; it was perfect.
In Fortinet and many other vendors’ products there are two types of “traffic” processing. The first is based on the lower-level firewall modules, i.e. DPI, which in some vendors like Check Point is kind of “re-compiling” a kernel module per specific configuration “apply” or “commit” operation.
The second type of processing uses a proxy, which is usually user-level software that uses more CPU and other hardware resources at runtime compared to the flow- or FW-module-based configuration, which usually consumes less CPU and RAM and is designed for lower-spec hardware like tiny ARM boards (a low number of cores and a low amount of RAM and disk).
Proxy-level services require more hardware resources due to the basic fact that they are userland software and are much more complex and dynamic than a precompiled kernel module. A proxy can be maintained more easily in both the coding/development and the operational aspects of the product.
Most FW products rely on the client choosing to apply deep inspection (flow or proxy) on specific ports, while all the other ports are handled by the basic packet-based FW. Usually deep inspection can also fully or partially speak the inspected protocol, while the flow-based modules can only identify and “block” the traffic at a DROP or REJECT level, with the specific exception of a couple of known HTTP- and TLS-based protocols such as SMTP, POP3 and IMAP.
A good point to take into account when using a proxy with an OS that has a FW with DPI is to be able to decide which of the products will apply DPI on specific known ports such as HTTP (80/TCP) and HTTPS (443/TCP), since technically it’s wrong to even try to run both the DPI module at the FW level and the proxy on the same ports.
Usually the DPI rules can also be converted to a proxy-based setup, so it’s only a matter of generating, in the proxy conf, the same rules that are available in the pre-compiled DPI form; specifically for Squid-Cache it’s pretty easy to write a set of helpers that use a simple DB or store holding the details that exist in the DPI code and DB.
I hope it helps.
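As an added illustration of the Squid helper approach described above (and of the "finance group only reaches banks" policy asked about earlier), here is a minimal `external_acl_type` helper; it is example code, not from the thread or any project, and assumes Squid is pointed at it with a line such as `external_acl_type grpfilter %SRC %DST /usr/local/bin/grpfilter.py` followed by `acl by_group external grpfilter` and `http_access allow by_group`. The group, category and policy tables are constructed sample data.

```python
import ipaddress
import sys

# Constructed sample policy (not real data). In production this would be
# loaded from the "simple DB or store" the post mentions.
GROUPS = {  # group name -> source subnets
    "financial": [ipaddress.ip_network("10.0.10.0/24")],
    "staff": [ipaddress.ip_network("10.0.20.0/24")],
}
CATEGORIES = {  # category -> destination domains (suffix match)
    "banks": {"examplebank.com", "secure.examplebank.net"},
    "general": {"example.org", "example.com"},
}
POLICY = {  # group -> categories it may reach
    "financial": {"banks"},          # finance sees banks only
    "staff": {"banks", "general"},
}

def group_of(src):
    """Return the group of a client IP, or None if it is unknown."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    for name, nets in GROUPS.items():
        if any(ip in net for net in nets):
            return name
    return None

def domain_allowed(host, domains):
    """True if host equals or is a subdomain of any allowed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(src, dst):
    """Squid external ACL verdict: 'OK' to permit, 'ERR' to deny."""
    grp = group_of(src)
    if grp is None:
        return "ERR"  # unknown client: deny by default
    allowed = set().union(*(CATEGORIES[c] for c in POLICY.get(grp, ())))
    return "OK" if domain_allowed(dst, allowed) else "ERR"

def main():
    # Squid writes one "%SRC %DST" line per lookup and reads one verdict back.
    for line in sys.stdin:
        parts = line.split()
        print(decide(parts[0], parts[1]) if len(parts) >= 2 else "ERR", flush=True)

if __name__ == "__main__":
    main()
```

Because the helper only sees the destination host, HTTPS requests are matched on the CONNECT target name, which is the same granularity a category-based DPI rule gives without TLS interception.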