An idea for reporting on HTTPS traffic that is exempted from scanning.

Hi folks,

My daily reports show a large download against port tcp 443 that is not classified. While I know what a lot of the traffic is, being able to confirm application/web to assist with debugging would be very handy.

So, my suggestion is that the XG take a parallel copy of the traffic and analyse it for reporting purposes only. The analysis would have no effect on the traffic passing.

I have reduced my unknown tcp 443 traffic by experimenting with the exceptions turned off and on again to see what fails and what doesn't.

Your thoughts on whether this would be a useful feature to add to the feature request forum?

Ian

  • I am not entirely sure what you are asking for. Are you talking about Web traffic that you have going through the proxy with an exception in place to turn off HTTPS decryption? If so, you should still get categorization performed.

    v18 has a bunch of new features and modes for HTTPS.  You could wait for that to see if it gives you what you are after, or more clearly state what it is you are looking for.

  • In reply to Michael Dunn:

    Hi Michael,

    (super excited for the HTTPS stuff in v18, would love to have a catch up in email but will probably have to wait till beta/nda lift)

    I think I can see what is being asked: you bilaterally scan the traffic by duplicating it as it goes through, decrypting that copy so you can see what is going on without actually interfering with the client-server communications.

    However, this won't work without brute forcing the connection (or doing naughty things), because the encryption negotiation with HTTPS is a secure end-to-end encryption and the key handshake is not visible unless you forcibly intercept it (like a classic proxy).

    It's a common idea, but the performance requirements would frankly be as bad as just decrypting and scanning it in the first place.

    Emile

  • In reply to EmileBelcourt:

    Thank you both for your replies. I see a lot of unidentified tcp 443 traffic (over 300Mb) a day go through and was trying to suggest a way of identifying it. I have fine-tuned my exceptions and reduced the amount, but there is still a lot.

    I am looking forward to trying v18.

    Ian

    I do know what some of the uncategorised data is, and that is this site, Sophos updates and sophosxi, but not the unclassified stuff.

  • In reply to rfcat_vk:

    When you say unidentified tcp 443 traffic what do you mean?
    Is this traffic that is going through the transparent web proxy?
    If it is, is this traffic that is hitting an Web Exception?

    All traffic that goes through the proxy, even if it hits an exception, should still be logged with a source and destination FQDN. Depending on the exception, it may or may not have a category. So when you say "unidentified" I am wondering if you are talking about some other traffic not going through the proxy.
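The two replies above make a point worth seeing in code: a passive copy of the port-443 stream cannot be decrypted, because the session keys are negotiated end to end, but the ClientHello travels in the clear, so a tap (or a proxy that has an exception disabling decryption) can still read the server_name (SNI) extension and log or categorize on the hostname. The Python below is an added example, not code from this thread or from Sophos: it constructs a sample ClientHello, extracts the SNI from it, and looks the hostname up in a constructed suffix table. The hostnames, the category table and the field layout of the sample record are assumptions for illustration; it also assumes the client is not using Encrypted ClientHello, which would hide the SNI as well.

```python
"""Passive inspection of a TLS ClientHello: what a tap on tcp/443 can see
without decrypting anything. Added example; hostnames and categories are
constructed, not taken from any real category database."""
import struct
from typing import Dict, Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (constructed sample,
    not a capture). Pass None to build a hello with no server_name extension."""
    body = b"\x03\x03" + b"\x11" * 32              # client_version + 32-byte random (fixed)
    body += b"\x00"                                # session_id length 0
    body += b"\x00\x04" + b"\x13\x01\xc0\x2f"      # two cipher suites
    body += b"\x01\x00"                            # compression methods: null only
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name     # host_name type 0
        ext_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack("!H", len(ext_data)) + ext_data   # ext type 0 = SNI
    sv = b"\x02\x03\x04"                                             # supported_versions: TLS 1.3
    exts += b"\x00\x2b" + struct.pack("!H", len(sv)) + sv            # a second ext to skip over
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22


def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if the bytes
    are not a ClientHello, are truncated, or carry no SNI extension."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:   # not a handshake record / not a ClientHello
            return None
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) < hs_len:
            raise ValueError("truncated handshake")
        off = 2 + 32                              # skip client_version and random
        off += 1 + body[off]                      # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                      # compression_methods
        if off == len(body):
            return None                           # no extensions block at all
        ext_total = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_total
        if end > len(body):
            raise ValueError("truncated extensions")
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if len(edata) < elen:
                raise ValueError("truncated extension")
            if etype == 0:                        # server_name
                list_len = struct.unpack("!H", edata[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:                # host_name
                        return edata[p:p + nlen].decode("ascii")
                    p += nlen
        return None
    except (IndexError, struct.error, ValueError):
        return None


# Constructed suffix table standing in for a category database (assumption).
SAMPLE_TABLE: Dict[str, str] = {"sophos.com": "IT", "example.org": "Business"}


def categorize(sni: Optional[str], table: Dict[str, str] = SAMPLE_TABLE) -> str:
    """Longest-suffix lookup of the hostname; "NONE" when no SNI or no match,
    mirroring the category the report shows for unclassified traffic."""
    if sni is None:
        return "NONE"
    labels = sni.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return "NONE"


if __name__ == "__main__":
    for host in ("home.sophos.com", "cdn.example.org", "unknown.test", None):
        record = build_client_hello(host)
        seen = extract_sni(record)
        print(f"{len(record):3d} bytes  sni={seen!r:22}  category={categorize(seen)}")
```

Everything after the ClientHello on the same connection is opaque application data (record type 0x17), so the hostname from the first record is all a parallel copy can contribute to the report; a hello with no SNI, or one the parser cannot read, ends up as "NONE" exactly like the unclassified rows in the daily report.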

  • In reply to Michael Dunn:

    Hi Michael,

    I am probably misleading in calling the traffic unidentified when it is really unclassified. I have searched the logs and cannot find any traffic on port 443 not going through the proxy.

    If I expand the entry in the Report it shows all going through the proxy (rule).

    I can identify the IP address of each entry.

    Ian

  • In reply to Michael Dunn:

    Hi Michael,

    I have identified some of the traffic, and that is for the Sophos Home and Sophos Home Premium products; they are classified as NONE. Shouldn't they be classified as IT? All those Sophos sites will have to be added as exceptions when someone applies the Psiphon 3 blocking configuration?

    Ian