Faster better tech support with TLS Host Matching
MUM Costa Rica 2018
my network is slow!
what’s taking up the bandwidth
are the neighbors on my wifi?
can I see what my kids are doing online?
Chronic tech support calls bog down the help desk
no one is using the network
your network is maxed
The customer and the helpdesk agent don’t see the same thing
What if they could see the same thing, like LogMeIn or PCAnywhere but for networks?
That is exactly what smart.network offers: a way for the customer and agent to view the network together, in real time, and in non-technical terms
AS19679 108.160.172.4
Without TLS host matching, many of the services would not show on the screen with friendly names that are useful for the agent and the customer
2008
Back in the day, traffic was not encrypted, so traditional packet inspection was useful
2013
By 2013, between 30% and 50% of the traffic was encrypted
2018
These days, 90% of the traffic is encrypted
Other means are used to identify and classify encrypted traffic: ASN, Port, Pattern, DNS, TLS
TLS host matching is a big help in classifying SSL traffic
TLS: “Allows to match https traffic based on TLS SNI hostname. Accepts GLOB syntax for wildcard matching. Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets).” (wiki.mikrotik.com)
Where to find TLS Host matching settings: IP > Firewall > New Firewall/NAT/Mangle Rule > Advanced tab
youtube.com or *.youtube.com or *youtube*
Most services will use other domains to call content from, so additional TLS hosts need to be found
youtube.com or *.youtube.com or *youtube*
ytimg.com and googlevideo.com
Here are some examples of other TLS Hosts related to primary domains:
cnn.com: cnnios-f.akamaihd.net, ugdturner.com, turner.com
bbc.com: bbci.co.uk, bbcfmt.hs.llnwd.net, bbc.co.uk
vimeo.com: vimeocdn.com, vimeo.akamaized.net
twitter.com: t.co, twimg.com
To find more, one has to go deep with Wireshark: look for the Client Hello in the SSL handshake and its server name!