topic Re: HTTPS Inspection for Mobile Devices in Firewall and Security Management

HTTPS Inspection for Mobile Devices

spinazdoo — Mon, 28 Oct 2024 09:54:07 GMT

Hi Checkmates!

We would like to enable HTTPS Inspection to have better security with URLF and App Control policy to tackle users query to inappropriate website and social media sites.

Due to mandatory install certificate on every devices, how about for mobile devices like android, ipad, etc? Is it mandatory to install in every mobile devices to block them access social media sites?

The objectives is have equal policy and protection for laptop and mobile devices. If facebook or X blocked via URL Filtering, we must blocking it as well in mobile devices application. Thank you!

Re: HTTPS Inspection for Mobile Devices

oa_munich — Mon, 28 Oct 2024 10:25:56 GMT

Most mobile applications use certificate pinning, and they won't trust your certificate in the first place (facebook, reddit, ...).

If you'd like the devices to trust decrypted and resigned traffic, you'd have to install certificates on your mobile devices too. MDM solutions, such as InTune, AirWatch, etc can help with that. If you "only" would like to deny certain traffic/URLS, the mobile devices won't get to see the certificate you will be resigning with - so no need to install it, though you need to make sure you bypass allowed traffic, which in turn won't get inspected / resigned.

Re: HTTPS Inspection for Mobile Devices

spinazdoo — Mon, 28 Oct 2024 12:46:58 GMT

Thank you for your insight @oa_munich!

So, it is almost impossible to block mobile application via firewall, right?

I was thinking about cert pinning before, however, i am looking for any idea from CP firewall how to block such social media application and access social media via browser in mobile devices.

Re: HTTPS Inspection for Mobile Devices

oa_munich — Mon, 28 Oct 2024 13:24:22 GMT

No, you absolutely can! The mobile device will attempt to open a connection to the target, the firewall would inspect it and block it. The mobile device won't get to see the inspected packets (which are decrypted and re-encrypted using your certificate), therefore it won't need your certificate.

For the permitted traffic - if you intend to not only bypass what you inspect - you'd need to distribute your certificate, so mobile devices would trust the traffic you permit.

Re: HTTPS Inspection for Mobile Devices

PhoneBoy — Mon, 28 Oct 2024 13:43:36 GMT

While you will get better (more accurate) results with HTTPS Inspection, you can certainly block certain kinds of traffic without it as the App Control/URLF policy reads the SNI of the relevant traffic.
Make sure you block QUIC in the policy.

Re: HTTPS Inspection for Mobile Devices

oa_munich — Mon, 28 Oct 2024 20:06:44 GMT

@PhoneBoy wrote:
Make sure you block QUIC in the policy.

Btw, according to the release notes:

Added support of HTTP/3 protocol over QUIC transport (UDP) for Network Security, Threat Prevention, and Sandboxing

Not sure what this means exactly, but QUIC seems to be partially inspected in R82 now.

Re: HTTPS Inspection for Mobile Devices

PhoneBoy — Mon, 28 Oct 2024 21:54:30 GMT

We have support for QUIC in R82, yes.
However, I presumed the original poster isn't yet running R82.

Re: HTTPS Inspection for Mobile Devices

otto_w — Mon, 28 Oct 2024 22:54:56 GMT

nice

Re: HTTPS Inspection for Mobile Devices

the_rock — Tue, 29 Oct 2024 00:58:36 GMT

Personally, I dont know if that can work with the fw itself, never tested it, but we have a client that uses harmony mobile for mobile phones in particular and works really well with https inspection, as they used MS intune to distribute the cert that way to the users' phones.

Andy

Re: HTTPS Inspection for Mobile Devices

the_rock — Tue, 29 Oct 2024 10:26:50 GMT

Yes, I tested it in the lab, works well.

Andy