
Web control - endpoint or firewall?

Hello,

Which product will be better to use in the case of Web control? With the new agent rolling out by the end of a month, there should be an option to use Web control right on the endpoint. Does this mean I should use only one Web control or filtering, combine it, or is it always better to use Web control on the firewall side?

Thanks for any thoughts



  • Just to say, you could always use Web Control on the endpoint, it's been there for years.  The new update I believe you are referring to supports HTTPS which should provide more insight beyond the domain name extracted from the SNI using the handshake as is the current version.

    I suspect the FW provides better insight/control as it's one of the primary features but you could enable one or two clients in the latest EAP to see the new HTTPS client in action and what additional data that provides.

  • Well, what's the point of using web control and not being able to inspect HTTPS traffic? :-)

    Preferring Web Control on the firewall would be my default choice, but I'm wondering why Sophos would go to implement it on the Endpoint side if there are no benefits to it? There must be something I'm not seeing. Hope somebody with deeper knowledge will reply.

    Thanks anyway!

  • You can get the domain name at the establishment of the connection from the SNI, so you can still look up the domain, to block it based on category for example or get a report of domains being accessed.  You just don't see the full URL or the content.

    Not all customers have a firewall that can perform web control/protection centrally or maybe working from home with just cloud services, they are going direct.

    It's just another option to enforce some level of control at the endpoint.

  • FormerMember in reply to Jakub Kavka

    Two points:
    1) not all our customers have dedicated firewall perimeter devices - so they need this protection at the endpoint level

    2) you can distribute processing to the endpoints - If the endpoint determines the connection isn't safe it can truncate it before it ever gets to the firewall