
Quarantine Digest: Admin Console Port

When you configure the quarantine digest to reference the external IP address of the XG unit, the digest email references the "Admin Console Port". This is absolutely absurd. It effectively means that I need to open up access to the Admin portal to the entire world without restriction - this is a MASSIVE security risk.

The easiest solution is to change the XG to use the User Portal port for the "release" link under the action heading.

I can't comprehend how any developer in the world would ever require a user to access an administrator console port to perform an action.
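    One way to check for the behaviour described above is to scan the generated digest mail and flag any link whose port matches the firewall's admin console port rather than the user portal port. The script below is an added example written for this thread, not Sophos code or anything from XG; the port numbers and the sample digest text are constructed placeholders, so substitute the ports configured on your own unit before using it.

```python
"""Flag quarantine-digest links that point at a firewall's admin console port.

Added example for this thread, not code from Sophos. The two port numbers and
the sample digest below are assumptions/placeholders, not values from the thread.
"""
import re
from urllib.parse import urlparse

# Assumed ports for illustration (placeholders; replace with your own settings).
ADMIN_CONSOLE_PORT = 4444   # hypothetical admin console port
USER_PORTAL_PORT = 443      # hypothetical user portal port

# Crude but adequate URL matcher for plain-text or simple HTML digests.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def effective_port(url):
    """Return the TCP port a link will actually connect to (scheme default if absent)."""
    parsed = urlparse(url)
    if parsed.port is not None:
        return parsed.port
    return 443 if parsed.scheme == "https" else 80


def classify_links(digest_text, admin_port=ADMIN_CONSOLE_PORT, portal_port=USER_PORTAL_PORT):
    """Return (url, port, kind) for every link found in the digest text.

    kind is 'admin-console' when the link targets the admin port, 'user-portal'
    when it targets the user portal port, and 'other' otherwise.
    """
    results = []
    for url in URL_RE.findall(digest_text):
        url = url.rstrip(".,)")          # drop trailing punctuation from prose
        port = effective_port(url)
        if port == admin_port:
            kind = "admin-console"
        elif port == portal_port:
            kind = "user-portal"
        else:
            kind = "other"
        results.append((url, port, kind))
    return results


def admin_console_links(digest_text, **kwargs):
    """Only the links a recipient would need the admin console port open to follow."""
    return [url for url, _, kind in classify_links(digest_text, **kwargs) if kind == "admin-console"]


# Constructed sample digest (not a real Sophos email): one user-portal link and
# one release link that points at the admin console port.
SAMPLE_DIGEST = """
Quarantine digest for user@example.com
My Account: https://mail-gw.example.com:443/userportal/
Subject: Invoice 42   Action: Release https://mail-gw.example.com:4444/release?id=123
"""

if __name__ == "__main__":
    for url, port, kind in classify_links(SAMPLE_DIGEST):
        print(f"{kind:14} port={port:<5} {url}")
    flagged = admin_console_links(SAMPLE_DIGEST)
    print(f"\nLinks that require the admin console port to be reachable: {len(flagged)}")
```

    Run it against a saved digest (for example the raw text of one message) to see which links would fail once the admin console port is closed to the outside; a link in the "admin-console" class is exactly the exposure the original post describes.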



  • Hi  

    Would it be possible to further clarify this by sharing a picture of your quarantine digest settings? (through PM if you prefer).

    Users clicking on the link in the quarantine email should be directed to their "MyAccount" via the User Portal (via the user port).

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • I think you've misunderstood the problem.


    The "My Account" link is correct, it links to the user portal.

    The "Release" link which is to the right of the quarantined email, however, links to the admin portal.


  • Hello Stuart,

    You are absolutely right that some organisations allow the release of mail from the quarantine regardless of their location.

    I also agree that Aditya's suggestion is not satisfactory as it requires a massive helpdesk overhead and constant attention whenever a user is moving around the planet.

    I do also agree that the release option should not require web console access, and I had not noticed before that it is reliant on the web console being open for it to function. This is something I will try to query with the engineers I can contact.

    For now, I would recommend that a VPN be used so that quarantine release can only occur when you are connected to the organisation's network. I can imagine this isn't fully satisfactory; however, the vast majority of organisations do have a form of VPN for secure access back to Head Office for a multitude of reasons, and quarantine release will just be another.

    I can imagine this may already be being looked at for the v18 release this year, but if I find out, I will try and feed back here.

    No one has defended it here, and jumping to conclusions will not help us in the forum or help Sophos assist with the matter further.

    Emile

  • Have there been any further updates on this?

    I can't believe that Sophos have so stupidly allowed this to happen.

    FIX IT SOPHOS.

    We all have to create a massive security risk on our networks because of your bad design, or we risk upsetting users and increasing help desk calls for "can you release this email please".

  • The question is, do you actually have a way to exploit the Webadmin, or is the only concern the fact that the webadmin is needed?

    I mean, there are plenty of webadmins of all products around the world that are public facing. Actually, only an admin account can use this access. So if you have password guessing protection enabled, a strong password and no exploit is available, what should happen?

    Currently I am just curious. It is like demanding that all web pages should not be on the internet because they are management platforms. It is like saying Sophos Central should not be public because it is a management platform?

    I absolutely agree with you that the better approach would be the user portal, but that change would take development time to get up and running for a "security hole" which I cannot quite understand.

    Maybe Central Email would be the better solution for such deployments, with mobile devices etc.

  • Wow.

    No doubt you would argue that we don’t need HTTPS either because a HTTP website has passwords protecting it?

    I hope you are not in charge of network security anywhere.

  • The Sophos admin console itself even reports it as a massive security risk.

    To be blunt, Sophos, sort this out.

    In this day and age you don't make admin consoles public facing. A good brute force attack would get in eventually.

  • I am not using any Email Proxy on my XGs right now and do not use the Webadmin on any of my XGs (because I access them via Central).

    But good to know that you are instantly connecting such a statement to HTTPS.

    Still, you don't point out where the big massive security hole is. Do you have an exploit or some way to get instant access, or not?

    Can you link me to the security risk page which shows such flaws in the webadmin?

  • Can honestly say I've never met such incompetence.

    This is a complete joke.

  • Ah, you mean the notification / alert. I completely forgot about that part.

    But you are missing my point and are not willing to discuss this any further. I will stay out of this topic for now.

    I would recommend thinking about a solution via VPN, UEM and/or Central Email for such deployments.

    Pre-MR8, this feature was not working on the hostname, so basically you could only use the IP of one of your interfaces, which is most likely not a public IP.

  • This is a complete joke.

    You now want me to roll out VPN to 200 mobile devices?

    Why don't I just make all the remote tools, i.e. iDRAC and iLO, publicly facing too?

    This is a basic feature that was fine on UTM 9.

    Now on XG you want us to make security changes or purchase another product when this is clearly a flaw in itself.

    Might have to consider a new product and just get rid of Sophos, because you have no regard and clearly don't care about this.

    I tell you what though: seeing as your technical solution is to either use VPN or open the web console to the internet, the minute a company has a breach because of the web console being open on the web, I look forward to you and Sophos being taken to court.

    A nice GDPR fine would just go down nicely to get this resolved.

  • I am just pointing out that this is just a design issue, not a massive security hole.

    And that is just my personal opinion. Like always, I act as a person, not as a company statement, here in the forums. That is my last post in this thread. Thanks for the discussion.

  • If Sophos think that mandating that a webadmin port is open to the entire world is not a security risk, it might be time to re-assess whether Sophos is the right vendor to be using for cyber security.

    Deploying a VPN to hundreds of users and forcing them to connect their mobile phone to a VPN in order to release a quarantine email is an absurd suggested solution.

    Sophos could fix this in about 60 minutes by changing the URL to the client portal port.

    Yet, as usual, Sophos refuses to listen to its clients and take on the feedback it receives. There are enhancement requests in this forum from 6 years ago that still aren't implemented. The whole "we'll decide what you need" rather than "we'll implement what you want" is a bulls*** approach.

  • I completely agree.

    Hope they look forward to a law suit.

    It's not even as if they have two-factor authentication on the web console. That would give a little bit of peace of mind.

  • Hi Stuart,

    I like your passion on that topic and agree that Sophos XG Firewall should be really able to release mails without using the admin interface!

    But in my opinion it is still debatable if this is a security relevant (MASSIVE?) bug or more a feature request...


    I'm a big fan of PMX, where you can release Spam by UserPortal or even directly from the Quarantine Digest inline by replying with an auto-approve-mail!

    Did you test already more powerful Email filtering solutions such as Central Email, E-Mail Appliance or PMX - if that XG 'Quarantine Digest' approach did not satisfy your concerns?


    Regards

    Steven Seyfried

  • SayFriedLight said:

    Hi Stuart,

    I like your passion on that topic and agree that Sophos XG Firewall should be really able to release mails without using the admin interface!

    But in my opinion it is still debatable if this is a security relevant (MASSIVE?) bug or more a feature request...

    Do you really think that allowing users to release a quarantine email without opening up the entire administration console to the entire world is an enhancement and not a bug?

    I've just decided to downgrade my Sophos license to remove SPAM filtering and use a third party SPAM engine instead. I have 128 Sophos XGs in production, so it just means Sophos has cost themselves licensing fees. It would be nice to have Sophos do things securely, but given they've chosen to ignore this issue I have little choice.