Quarantine Digest: Admin Console Port

When you configure the quarantine digest to reference the external IP address of the XG unit, the digest email references the "Admin Console Port". This is absolutely absurd. It effectively means that I need to open up access to the Admin portal to the entire world without restriction - this is a MASSIVE security risk.

The easiest solution is to change the XG to use the User Portal port for the "release" link under the action heading.

I can't comprehend how any developer in the world would ever require a user to access an administrator console port to perform an action.



  • Hi

    Would it be possible to further clarify this by sharing a picture of your quarantine digest settings? (through PM if you prefer).

    Users clicking on the link in the quarantine email should be directed to their "MyAccount" via the User Portal (via the user port).

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • I think you've misunderstood the problem.

    The "My Account" link is correct; it links to the user portal.

    The "Release" link which is to the right of the quarantined email, however, links to the admin portal.

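Added example, not code from the thread or from Sophos: a small Python audit that parses a quarantine digest email and flags any link whose port is the admin console port rather than the user portal port, so an administrator can confirm what a digest actually asks users to reach before deciding what to expose. The digest HTML is constructed, and the ports 4444 (WebAdmin) and 443 (User Portal) are assumed defaults; pass your own values if they differ.

```python
"""Audit a quarantine digest: flag release links that target the admin console port."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed defaults for illustration; both are configurable on the firewall.
ADMIN_PORT = 4444
USER_PORTAL_PORT = 443


class LinkCollector(HTMLParser):
    """Collect (link text, href) pairs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_digest(html, admin_port=ADMIN_PORT, portal_port=USER_PORTAL_PORT):
    """Return one finding per link: text, host, port and a verdict on which service it hits."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        u = urlparse(href)
        port = u.port or (443 if u.scheme == "https" else 80)  # default port if none given
        if port == admin_port:
            verdict = "ADMIN_CONSOLE"  # following this link needs WebAdmin reachable by the user
        elif port == portal_port:
            verdict = "USER_PORTAL"
        else:
            verdict = "OTHER"
        findings.append({"text": text, "host": u.hostname, "port": port, "verdict": verdict})
    return findings


# Constructed sample digest for the demo, not a real Sophos email.
SAMPLE_DIGEST = """<p>Spam quarantine digest</p>
<a href="https://mail.example.com:443/userportal/">My Account</a>
<table><tr><td>Invoice.pdf</td>
<td><a href="https://mail.example.com:4444/webconsole/release?id=abc123">Release</a></td></tr></table>"""

if __name__ == "__main__":
    for finding in audit_digest(SAMPLE_DIGEST):
        print(finding)
```

Any link reported as ADMIN_CONSOLE is one that only works if users can reach the WebAdmin port from wherever they read the digest.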
  • The Sophos admin console itself even reports it as a massive security risk.

    To be blunt, Sophos, sort this out.

    In this day and age you don't make admin consoles public-facing. A good brute-force attack would get in eventually.

  • I am not using any Email Proxy on my XGs right now and do not use any WebAdmin on any of my XGs (because I access them via Central).

    But good to know that you are instantly connecting such a statement to HTTPS.

    Still, you don't point out where the big massive security hole is. Do you have an exploit or some way to get instant access, or not?

    Can you link me to the security risk page which shows such flaws in the WebAdmin?

  • Can honestly say I've never met such incompetence.

    This is a complete joke.

  • Ah, you mean the notification / alert. I completely forgot about that part.

    But you are missing my point and are not willing to discuss this any further. I will stay out of this topic for now.

    I would recommend thinking about a solution via VPN, UEM and/or Central Email for such deployments.

    Pre-MR8, this feature was not working on the hostname, so basically you could only use the IP of one of your interfaces, which is most likely not a public IP.

  • This is a complete joke.

    You now want me to roll out VPN to 200 mobile devices.

    Why don't I just make all the remote tools, i.e. iDRAC and iLO, publicly facing too?

    This is a basic feature that was fine on UTM 9.

    Now on XG you want us to make security changes or purchase another product when this is clearly a flaw in itself.

    Might have to consider a new product and just get rid of Sophos because you have no regard and clearly don't care about this.

    I tell you what though: seeing as your technical solution is to either use VPN or open the web console to the internet, the minute a company has a breach because of the web console being open on the web, I look forward to you and Sophos being taken to court.

    A nice GDPR fine would go down nicely to get this resolved.

  • I am just pointing out that this is just a design issue, not a massive security hole.

    And that is just my personal opinion. Like always, I act as a person, not as a company statement, here in the forums. That is my last post in this thread. Thanks for the discussion.

  • If Sophos think that mandating that a webadmin port is open to the entire world is not a security risk, it might be time to re-assess whether Sophos is the right vendor to be using for cyber security.

    Deploying a VPN to hundreds of users and forcing them to connect their mobile phone to a VPN in order to release a quarantine email is an absurd suggested solution.

    Sophos could fix this in about 60 minutes by changing the URL to the client portal port.

    Yet, as usual, Sophos refuses to listen to its clients and take on the feedback it receives. There are enhancement requests in this forum from 6 years ago that still aren't implemented. The whole "we'll decide what you need" rather than "we'll implement what you want" is a bulls*** approach.

  • I completely agree.

    Hope they look forward to a lawsuit.

    It's not even as if they have 2-factor authentication on the web console. It would give a little bit of peace of mind.

  • Hi Ben,

    A VPN is definitely the better approach than opening _any_ TCP port w/o authentication.

    You might also reconsider (re-)reading https://community.sophos.com/kb/en-us/122482?

    (I doubt that threats and accusations will drive the vendor to implement your proposal faster;)

    You are still free to decide:

    [ ] enable the WebAdmin-Port on WAN

    [ ] send Quarantine digests with clickable links

    [ ] enable User-Portal access

    So there is no need to complain that hard about your chosen design (anti-)pattern.

    And "But UTM9..." is no valid argument any longer :)

    Regards

    Steven

  • Hi Stuart,

    I like your passion on that topic and agree that Sophos XG Firewall should really be able to release mails without using the admin interface!

    But in my opinion it is still debatable if this is a security-relevant (MASSIVE?) bug or more a feature request...

    I'm a big fan of PMX, where you can release spam via the User Portal or even directly from the Quarantine Digest inline by replying with an auto-approve mail!

    Have you already tested more powerful email filtering solutions such as Central Email, E-Mail Appliance or PMX, if that XG 'Quarantine Digest' approach did not satisfy your concerns?

    Regards

    Steven Seyfried

  • SayFriedLight said:

    Hi Stuart,

    I like your passion on that topic and agree that Sophos XG Firewall should really be able to release mails without using the admin interface!

    But in my opinion it is still debatable if this is a security-relevant (MASSIVE?) bug or more a feature request...

    Do you really think that allowing users to release a quarantine email without opening up the entire administration console to the entire world is an enhancement and not a bug?

    I've just decided to downgrade my Sophos license to remove SPAM filtering and use a third party SPAM engine instead. I have 128 Sophos XGs in production, so it just means Sophos has cost themselves licensing fees. It would be nice to have Sophos do things securely, but given they've chosen to ignore this issue I have little choice.