HTTPS inspection qube

I want to set up a qube that terminates TLS and inspects traffic. Like IDS and IPS with Zscaler or CrowdStrike, but a consumer version like Suricata. So we will have App VM -> proxy VM -> sys-firewall VM -> sys-net VM. The App VM has to install a certificate. The proxy will detect suspicious traffic and flag the App VM.

Does this make sense?

Has anyone done it?
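The VM chain described in the question can be wired up with the standard Qubes `qvm-*` tools. The script below is an added example, not something posted in this thread: it creates a network-providing inspection qube behind `sys-firewall` and points an App VM at it. The qube names `inspect-proxy` and `work` and the template `debian-12` are assumptions; `sys-firewall` and `sys-net` are the default Qubes service qubes. Installing the proxy's CA certificate in the App VM and redirecting ports 80/443 to the proxy software inside `inspect-proxy` are separate steps that this script does not cover.

```shell
# Added example (not from the thread): build the chain
#   App VM -> inspect-proxy -> sys-firewall -> sys-net
# using qvm-create and qvm-prefs. Set DRY_RUN=1 to print the commands instead
# of executing them, e.g. when reviewing the plan on a non-Qubes machine.

# Run a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the inspection qube as a qube that provides networking to others.
# $1 = proxy qube name (assumed: inspect-proxy)
# $2 = template (assumed: debian-12)
# $3 = upstream netvm the proxy forwards to (normally sys-firewall)
create_proxy_qube() {
    run qvm-create --class AppVM --template "$2" --label red "$1"
    run qvm-prefs "$1" provides_network True
    run qvm-prefs "$1" netvm "$3"
}

# Route an App VM through the proxy so all of its traffic crosses the
# inspection qube. With the Qubes firewall the App VM cannot bypass its netvm.
# $1 = App VM name (assumed: work), $2 = proxy qube name
attach_app_qube() {
    run qvm-prefs "$1" netvm "$2"
}

# Print the netvm of each hop so the chain can be verified after setup.
# $1 = App VM, $2 = proxy qube
show_chain() {
    run qvm-prefs "$1" netvm
    run qvm-prefs "$2" netvm
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    create_proxy_qube inspect-proxy debian-12 sys-firewall
    attach_app_qube work inspect-proxy
    show_chain work inspect-proxy
fi
```

Run it in dom0 as `sh setup-chain.sh apply`; with `DRY_RUN=1` set it only lists the commands it would execute.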

Yes, it makes sense. And no, I have not tested it in this configuration. Note that as far as I know, Suricata cannot do SSL/TLS termination (what I call “a legit man-in-the-middle attack”) on its own, and you have to use some other proxy software.

The setup makes sense, but you need to figure out how to make use of it once it’s deployed.

That’s the hard part. It’s constant review and tuning work.

Thanks!

One approach would be a VPN qube that sends the traffic to an external exit gateway for inspection. Otherwise I’m afraid the battery life with Snort or Suricata will be bad (and I’m not sure they can do something like that, as with CrowdStrike or Zscaler).

In this case, it will not be related to Qubes.