Tom here from Lawrence Systems, and we're going to talk about web filtering today, because, well, a lot of people ask about it. There's a lot of confusion about how websites are filtered at the firewall level or at the endpoint level, and I want to clear up a few of those things, including why it's not as simple as people think it is. Especially when they go, "Well, I'm just gonna block the IP address of that website," until they realize that's part of a content delivery network. The nuances of the way it used to work and the way it works today have caused a lot of changes.

It was easy in the early days of the 90s, when I first started getting into tech and we had filtering systems. It was really as simple as: there weren't many websites compared to today, at least, and things weren't encrypted, so we could see the traffic, and many times a single IP block would be all you needed to block out a certain website. And there were nice little lists of these things, so it was reasonable to manage back then. All the way here in 2022, well, it's a lot more complex, with the majority of the traffic being encrypted now. It's a lot more difficult, with having to install certificates to have a firewall do traffic inspection. We're going to talk about different ways to solve that problem, and some good and bad when it comes to using things like pfSense or Untangle or an endpoint solution for that, and we'll talk about the different solutions that we use for this.

Before we get into the details of this video, let's first... Are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security, or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration, or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at LawrenceSystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

And now back to our content. The first place I want to start is with this Cloudflare write-up, "What is SNI? How TLS server name indication works," because this is very representative of how things work here in July of 2022. We're just going to jump to right here, but of course I'll leave everything linked down below:

"Although SNI stands for Server Name Indication, what SNI actually indicates is a website's hostname or domain name, which can be separate from the name of the web server that is actually hosting the domain. In fact, it is common for multiple domains to be hosted on one server, in which case they are called virtual hostnames."

Now, this encompasses two technologies. We have DNS, which looks up the website that you request by typing it into your browser; that DNS turns into an IP address. But then that IP address may have multiple sites on there, so we need to do an SNI: your browser sends that in plain text to say which website you want, and then when they serve up a certain website, that website probably has a security certificate with it, and that says which security certificate should be sent. Now, this is all happening in plain text. I do know there are ways to encrypt DNS and there are ways to encrypt the SNI, but it's not very popular or well implemented right now.
That's why I said "as of July 2022," so we have some context for this video. This is where a lot of firewalls do have the ability to see what websites people are going to. Now, they're only seeing that requested domain or subdomain; they're not seeing the full URL you're going to. But this, combined with DNS at the firewall level, without installing deep packet inspection certificates that allow for, you know, unraveling the entire certificate, does allow you to do some blocking.

And this is where I want to start: what about pfSense, or what about other firewalls, and how do they work? pfSense is just not a good solution for this. pfSense does not have a good system that can easily manage... and someone's going to say, "What about Squid?" We'll get to that. It does not have a good system by which you can manage and see the SNI information, even though it's passing through the firewall. It's just not a facility that's really well built in there that gives you granular control. It does have pfBlockerNG, which does do some DNS blocking.
Yes, you can use App ID with Snort, but it still doesn't give you any granular blocking. And now let's mention Squid. It's very manual doing Squid in there, and for anything you set up to run through the Squid proxy, it's still going to have a lot of management problems. There are a lot of things you have to bypass, and it's just, well, not easy to manage within pfSense. And then, from our perspective, we're an outside IT contractor, and we have to manage lots of separate client locations. Combine that with work from home being so popular over the last couple of years as well, and it becomes a not-great spot to try to manage it.

But before we get into how we solve that, let's talk about how some of the other commercial firewalls do it, including Untangle. Now, I brought up the Untangle firewall because it's one I have reviewed. It's not the only one, of course, that supports these features, but I have reviewed this on my channel, and it does offer application control, web filtering, and SSL inspection, provided you install a certificate. But on the basis of "do you have the ability to do some basic blocking with it without going through the trouble of installing a certificate and having to manage that on each endpoint?" Yes, it can do it, and it does use the advanced ways of detection of DNS and looking at the traffic and applying policies to computers. And it's a good solution for people who really want this controlled at the firewall level.

The one challenge, though, and people always ask, "Does this slow things down?" Yes, you do have to add a little bit more robustness to any firewall, from Palo Alto, from Fortinet, whoever it is, or Untangle, which, yes, is now owned by Arista Networks.
These do have a higher performance need if you want to do that traffic inspection, because now you're decrypting the traffic as it goes through. And on top of that, companies such as Fortinet require that you disable the QUIC protocol. That also includes, and we'll have this over here, this tech doc from Palo Alto Networks: both of these want you to disable QUIC in order to get the firewall able to filter these things.

Let's bring that back over to here, "The Road to QUIC," which I'll leave an article for. QUIC is a better way, in the way many, many sites... If you wonder, when you go to Google and many other sites that offer really fast interaction as you type, kind of auto-completing, you see that on social media. The normal TCP handshake system is complicated and good and secure, but just doesn't allow for that really sub-millisecond response time. So, introducing QUIC, which goes over UDP. As that protocol has become more popular, it offers amazing response and a better web experience, unless you're trying to do filtering, and then now you've slowed it down by disabling it. That's the rules that they want you to add onto the firewalls: blocking UDP over port 443, where the QUIC protocol lives, and ruining their web experience. But there's, you know, a ruined web experience versus having the filter; it's kind of a thing you have to weigh out. You can have it fast or you can have it, you know, filtered. And that is a challenge when you're dealing with this.

And as I mentioned before, with the work-from-home problem that people have, or as it happened the last couple of years, lots of these people are not all behind the same firewall. So you could say, "Well, then we want to take everyone's traffic and send it over to the firewall," until you realize it's a scalability problem, and tunneling all traffic also creates a lesser experience.
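The two mechanics above, a firewall reading the plaintext SNI out of the TLS ClientHello without any DPI certificate, and the vendor guidance to block UDP/443 so QUIC traffic falls back to TCP where that ClientHello is visible, can be shown in code. The following is an added Python example and is not code from the video or from pfSense, Untangle, Fortinet, Palo Alto or any endpoint product mentioned here. It hand-builds a minimal ClientHello, parses the server_name extension back out, notes when the Encrypted ClientHello extension (codepoint 0xfe0d) is present, in which case the name you can see is only the outer public name, flags QUIC on UDP/443 by its long-header bit, and applies a hypothetical "block social media" suffix list. The packets, the blocked-domain list and the verdict strings are all constructed for the example.

```python
"""Added example: what a firewall can decide on port 443 without a DPI certificate."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello (TLS ECH, draft-ietf-tls-esni-13 and later)

# Hypothetical "block social media" policy; placeholder names for the example only.
BLOCKED_SUFFIXES = ("facebook.com", "tiktok.com")


def build_client_hello(sni: Optional[str], with_ech: bool = False) -> bytes:
    """Hand-construct a minimal TLS ClientHello record (test input, not a capture)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host      # name_type = host_name
        sni_list = struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if with_ech:
        payload = bytes(8)                       # ECHClientHello contents irrelevant here
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (b"\x03\x03" + bytes(32)              # legacy_version, random
            + b"\x00"                            # legacy_session_id: empty
            + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return {"sni": str|None, "ech": bool} for a TLS ClientHello record, else None."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) < body_len:
            return None                          # split across segments; needs reassembly
        pos = 2 + 32                             # skip legacy_version and random
        pos += 1 + body[pos]                     # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                     # compression methods
        info = {"sni": None, "ech": False}
        if pos + 2 > len(body):
            return info                          # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                # ServerNameList: list_len(2) | name_type(1)=host_name | len(2) | name
                nlen = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + nlen].decode("ascii", "replace")
            elif etype == EXT_ECH:
                info["ech"] = True
        return info
    except (IndexError, struct.error):
        return None


def filter_decision(proto: str, dst_port: int, payload: bytes) -> str:
    """Policy verdict on one client-to-server packet using only plaintext fields.

    "block-quic": UDP/443 with the QUIC long-header bit set (the rule the vendor
    docs ask for, so browsers fall back to TCP); "block": ClientHello whose SNI
    matches BLOCKED_SUFFIXES; "allow-opaque": ClientHello carrying ECH, where the
    SNI seen is only the outer name; "allow": anything else.
    """
    if proto == "udp" and dst_port == 443:
        if payload and payload[0] & 0x80:       # RFC 9000 long header (Initial, etc.)
            return "block-quic"
        return "allow"
    if proto == "tcp" and dst_port == 443:
        info = parse_client_hello(payload)
        if info is None:
            return "allow"                       # not a ClientHello; nothing to match on
        if info["ech"]:
            return "allow-opaque"
        sni = info["sni"] or ""
        if any(sni == s or sni.endswith("." + s) for s in BLOCKED_SUFFIXES):
            return "block"
    return "allow"


if __name__ == "__main__":
    samples = [("tcp", 443, build_client_hello("m.facebook.com")),
               ("tcp", 443, build_client_hello("cloudflare-ech.com", with_ech=True)),
               ("udp", 443, b"\xc0" + bytes(16))]      # constructed, not captured
    for proto, port, pkt in samples:
        print(proto, port, parse_client_hello(pkt), "->", filter_decision(proto, port, pkt))
```

Two things the code makes visible that the prose only states: the "allow-opaque" branch is exactly the loss of visibility the encrypted-SNI discussion is about, since with ECH the only name on the wire is the public outer one, and the UDP/443 check is a heuristic on the first byte rather than a real QUIC parser, which is why the vendor guidance is simply to drop UDP/443 rather than inspect it. A production implementation would also have to reassemble a ClientHello split across TCP segments, which this example refuses rather than guesses.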
Usually you want to use split tunnel. There are exceptions to that, but obviously these challenges kind of get compounding, which is why... let's talk about how we solve that problem. And for us, we're doing that with a tool called Zorus. But let's step back a little. The reason we focus on the endpoint is because it doesn't matter where the endpoint is. They can have a laptop that they take to the office two days a week, from a hybrid work environment, and work from home the other days, and I still offer the same level of filtering and protection and monitoring on their system.

Currently we're using Zorus. We only started using them about November of last year, and we're still using them here in July of 2022, and they've been a good company to work with. We have no affiliate or offering for these companies; we're not a reseller of them. We're just a client, and I'm just letting you know what we use. But they get it: it's "protect and monitor endpoints anywhere your users work," and that's really what matters, because managing a series of installed certificates, and users that are wandering around or sometimes only work remotely, can be a bit challenging. Tools like Zorus, and I know there are other ones out there, they're just the one we settled on that we liked, and we've had really good engagement with them and their team, and it seems to be a well-supported product. It gives us that visibility into all of our clients' endpoints, grouped by the individual companies that we manage, and this allows us to see or apply policies based on the criteria of our clients. So if they don't want them viewing these particular websites, or an easy example is like "block social media," which is often, you know, such a time suck at times, and you want to maintain those lists and have them up to date, Zorus handles all that on the back end. We just apply policies and groups without having to go too granular and actually define every website ourselves.

Coming back to something like pfSense: can you do it?
Yes. Can you buy some lists from different places? Yeah. But when you're using a more complete tool, when you're managing things at scale, tools like Zorus really just make that process a lot easier. Now, just for clarification, I did not have time to review every potential program out there; there are many other ones out there. For example, years ago, when we were using N-able before we switched to the Ninja platform, as I've mentioned before in other videos, we used their protection management system, which is an integration. When we moved to NinjaOne, this is when we switched over to Zorus.

Now, one thing I want to mention here, because this question comes up a lot, and this is where Zorus ends and this particular product, Saaslio, begins. Full disclosure: this is my friend John's company, and I've just recently become acquainted with them. Did some demos. This is something we're not deploying right now, in July of 2022, but something we're really thinking about, because this gives us some insight that we didn't have even with all the web filtering and monitoring tools that we currently use and get through Zorus. And this is application discovery management, "shadow IT," is what he put. I look at it as a really deep insight, because they're using a browser plugin, so it's not that someone went to Dropbox, or that someone went to G Suite or Office 365, but the additional information of what account did they log into. So this is a program, essentially, that is a cloud app, of course, that uses a browser plugin to report on all the different places a client has been.

The reason this is so important, especially when you think about it from a data loss prevention standpoint, is we secure all the applications and tools that are on the system, and we may block USBs based on data security policy, so we know people aren't, hopefully, using USB to copy or exfiltrate data out of a company, because, well, there's a lot of proprietary information, especially at these engineering firms. But what often happens is people don't bother with the USBs; they're going to upload something to a cloud. Not to mention, this is where a lot of problems are, and you just don't have that same visibility, because we're looking at the software on the computers. But by having a browser plugin that can say not only did they go to Office 365, they logged in with this account, that can be really important, because they logged in with a non-business-related account, maybe because they want to copy something out there, or just because users sign up for things and offer a greater risk sometimes to a company through different applications, because they're putting data in the cloud and you're kind of getting blindsided by it. This is another tool I just wanted to bring to people's attention. I did the demo myself of it; it's pretty cool what they can do. Reach out to John and his team. Like I said, full disclosure, he is a friend of mine, so I'm promoting him, but there are no affiliate keys, no kickback I'm getting for this. I just thought it might be interesting to people who found it interesting, like I do, to cover this little aspect of it.

To conclude and wrap this up: while pfSense is a great firewall, and we talk a lot about it, it just falls short when it comes to being a web filtering device. And then the next question people are going to start asking is, "But what is a good web filtering firewall?" And, you know, I mentioned Untangle, and then people are going to say, "But it has a cost with it." And I don't really know of any firewall, right here in July of 2022, that offers really good filtering, granular control, group policy settings for certain computers to go certain places, that doesn't also have some type of subscription with it. And that's because maintaining these lists is tricky and the target's moving, especially if things go to a fully encrypted version of the SNI. You have less visibility unless you install a certificate. Managing certificates, managing the installer to put those on each system to break the encryption so the firewall has visibility deeper into that traffic, is very tricky.

But when you think of it from an endpoint standpoint, how Zorus does it or how Saaslio does it, by putting something in the browser, you're getting ahead of the encryption and doing it there. This makes it a little bit easier to manage, because, well, you didn't have to try and unravel the encryption, especially if someone did a full, proper implementation of TLS 1.3 where it's essentially double encrypted, with an outer and inner encryption, if you want to dive into the details of that. Now it's not just a man in the middle; there's a secondary encryption, and it gets even more complicated if a site wants to use that. And more and more banking sites are using things like this, or high-security websites, because they don't want man-in-the-middle being a potential problem. Because man-in-the-middle, that may be good for firewall inspection, is also one of the methodologies used by people who want to tap your network. They may get an extra certificate installed in order to do bad things, like a threat actor: if they get control of certain endpoints, they may put something in to help decrypt or send data along the way. So it's a trade-off a bit when you're doing it that way. This is one of the reasons we focus on just putting these endpoint tools on in order to do it.

Now, any of these tools, once you start doing any of the inspection, especially Zorus or any of these that install certificates, you may have some false positives. You may have some things that get blocked accidentally, and having a good management platform, being able to go through, especially as you manage many, many clients, and say, "This site had this problem, we need to fix it very quickly, because we don't want unhappy clients," is what lends us to using those tools.

But in a nutshell, this is a reply video, probably sent to people who ask, "What are you using for endpoint management when it comes to web filtering? How are you doing it?"
"And isn't pfSense a great solution for it?" Not particularly a well-managed solution, even though it does have some ability to do it. And that's why I made this video. Links to the articles I talked about are down below. Go through all that stuff; Cloudflare has got some really solid, good write-ups to give you a deeper understanding of how all this works, and then you'll understand better some of the challenges that are faced when it comes to doing web filtering, and why it's a task for everybody to do but not as easy as a lot of people think it is. It's not just blocking a website or IP address. Leave comments down below or head over to the forums for a more in-depth discussion of why you love or hate web filtering and the fun challenges you've had with it. Thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.