This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM best practise guide for strict webfiltering

Note for any user users stumbeling upon this post and looking for advice (just a small list. Any moderator is welcome to edit or to make a better list here):

* Sophos Sales Team DACH published a best practise guide on 26th Feb 2016 by Mail.
Some people have published the newsletter, therefore I will link it here. It also includes some categories to block and general interactions and hints:
http://web.sophos.com/res/sophos/92aaef928aee3e5ff8216622c999157c.pdf
http://utm-shop.de/information/news-und-co/sofortmassnahmen-gegen-krypta-trojaner-wie-wie-cryptowall-teslacrypt-oder-locky(Note: I did not found a English version. In case you need, maybe Sophos has a translation ;) )

* Have a scroll down to 2nd post here and later posts for blocking/logging/categorizing of unkown sites

* Have a look for the ad-blocking over
-- DouglasFoster 2nd post
-- here: https://community.sophos.com/products/unified-threat-management/f/55/t/46207
-- and/or here: https://drashna.net/blog/2015/03/an-exercise-in-frustration-fine-tuning-the-web-filter-in-sophos-utm/#comments

* Keep in mind:
-- Sophos filtering of Flash, ActiveX and Java is not secure! (Malware gets tru!) => Therefore block the risiky ad networks!

Sophos support itself says that it does only gives an enhanced layer of security and not a security itself. Be sure not to trust Sophos UTM to protect you. It is just another layer, which may protect you.

Keep this in mind and the flash filtering, that Sophos seems not to mention that something does not work as you expect (compare like to this: https://community.sophos.com/products/unified-threat-management/f/55/t/74173)

 

=========== Original post ============

Hello together,

we are using here a fully licensed Sophos UTM 9.3. The computers (Win7) have running Sophos Endpoint Cloud, but no Web Control on.
The Win7 computer was fully patched, and the user surfed with MSIE 11 (latest version) with Adobe Flash (lastest version).

During surfing on a more or less popular German website, the user got infected with a perfect language specific ransomware software, probably by malifious ads.

We probably had some low security guideline for the computer. Specific errors are:
- using MSIE instead of Firefox,
- using no ad-blocker
- using Adobe Flash

In any case we had hoped that the Web filter gives us an additional layer, concreate:
- filtering all HTTP and HTTPS traffic
- using reputation limit with lowest limit (i.e. blacklist)
- Anti-Virus filter with Avira
- Blocking ActiveX/Flash/Java

So, now we are wondering, which are the probably right settings for the UTM
- Anti-Virus is not helpful as it does not detect new stuff
- Blocking ActiveX/Flash is not helpful as it does no automatic stripping of ActiveX and Flash - i.e. several sites with Flash work

Therefore, the only logical consequence is whitelisting.
- We have now set reputation limit to whitelist (i.e. neutral)

How does whitelisting work and is it safe enough?

Currently I have the feeling the Web Filtering is not enough...
- Anti-Virus is not 100% secure
- Blocking ActiveX/Flash is not 100% secure
- How secure is the whitelisting?

(Edit 14.30 UTC) We did now the following, too:
- Blocking suspicious category (In German you have to scroll down the list and I did not see it)
- Following the user guide over there to block the ads: https://drashna.net/blog/2015/03/an-exercise-in-frustration-fine-tuning-the-web-filter-in-sophos-utm/#comments
- Checking the boxes in Options for strict HTTP and blocking of unscannable downloads to get this one right: https://community.sophos.com/products/unified-threat-management/f/55/t/74173

Any best practise hints, for making a good tradeoff between surfing and safety?
With current whitelisting some pictures are blocked, even community.sophos.com is blocked...



This thread was automatically locked due to age.
Parents
  • I am finding quite a few sites that have port 443 open, even though they do not intend to be an HTTPS site, and have not installed a certificate.   These systems are hosted on akamai and have a default akamai certificate installed.   Since the port is open, the google webcrawler will find it and index the site using https.   When our users do a google search, they will be blocked when they follow the link.  

    The site owner generally does not care when I point out the problem.  I suspect that the search result will be slow to disappear from google even if it is fixed, which can only increase the reluctance of the site owner to make the change.

  • Thanks for the links to the best practice guides. Highly appreciated.

Reply Children
No Data