At the moment I'm managing a small home office setup - a few PCs and a soft open source x86 *nix based router. I'd like to move traffic scanning / inspection onto an edge device.
The motive is to increase the barrier for undetected malware and suspect traffic, have the main traffic scan separated from any end-user devices, and increase certainty by scanning at the LAN gateway.
At present they use consumer antivirus which effectively scans SSL by creating a fake CA on the PCs. It's a decent brand AV and works but has issues. If it's not too hard they'd like the reassurance that it's approached as an enterprise issue using 'proper' means (their term) rather than PC-based consumer software.
It's clear that malware is increasingly moving to encrypted traffic which - if not scanned - can be indistinguishable from normal https traffic. I can't filter based on endpoint (acceptable endpoints too wide to whitelist, and even 'good' sites can inadvertently host malware) and you don't get much other solid data for encrypted traffic on usual ports.
There's trust and good dialog with the people using it (3 partners, no employees), and they all want this as well, so no ethics/consent/privacy issues arise internally. The traffic is low enough (web/email) not to need a high-volume or specialised UTM.
The practical issue in ssl scanning is that SSL is precisely designed to detect and prevent MITM (which is what this is), and therefore scanning needs to rewrite packets with its own CA. That's a pretty bad idea and "breaks" the cert chain so it's best not to... except the only alternative seems to be no scanning at all of any SSL/https which is seen as more risky and potentially worse. Like democracy, it's the worst solution except all the others ;-) For example, as the browser or local device wouldn't be able to verify cert chains, the edge device would have to do this for them, and block or warn if not correct. But in theory if the external cert chain was reliably checked before discarding, then MITM inspection at or next to the gateway could be a safer bet than not scanning SSL at all.
I've looked around and this does indeed seem to be "out there" and used in the enterprise, but usually as a standalone device.
Is there a recognised way to do it without a specialised device?
Update 1:
They are older people, who didn't grow up with computers and are still, despite their efforts, prone to clicking first and worrying after, or the alternative of phoning every time they are in doubt. As with other SMBs, they also use their work PCs for shopping/browsing/social etc, which adds to the risk - and they know it. SSL scanning has caught quite a few things that apparently weren't blocked by the PC-based blacklist setup, including apparently legit sites or "nobody knows how". Probably quite sensibly, they want to have more comfort going forward even if blacklists would catch "most" things. I think this might be their best way, if I can work out whether it's feasible and how I might do it. If the main objection is "not worth the hassle" then I'd still like to research it so they can think about cost/benefit. But so far all I can find is high-end devices; I can't find whether software/FOSS solutions exist for this function, even though one would expect them to. I haven't been able to find any, hence the question.