I do not understand how XG's Application Control work in detail (under the hood). Are any documentation somewhere?
I have to control and restrict some Traffic between LAN and Production due to written regulation of security.
e.g. for understanding
In this example we have to Block HTTP on Port 25.
How can I solve this with Sophos XG?
So what you want to do is L7 aware Policy, with protocol enforcement.
You want to open port 80, but only if It's HTTP traffic, or port 25 if It's only SMTP? Or port 53 if It's only DNS?…
You want to open port 80, but only if It's HTTP traffic, or port 25 if It's only SMTP? Or port 53 if It's only DNS?
If It is, Sophos XG doesn't support this since there's no way to "Block All, allow only X."; This is a feature that has asked multiple times, and pretty much most of the NGFW in the market supports it, but XG still falls behind.
If a post solves your question use the 'Verify Answer' link.
Yes this is exactly what we need:
L7 aware Policy, with protocol enforcement
We had the hope that XG would become a real L7 firewall, and not an L3 with L7 filters like the UTM.
On the other hand I find it also precarious, in the today's Ransomware time, still to sell such systems with good conscience. "Zero Trust, Inspect all" is the only solution to protect yourself from such threats.I'm shocked.Guenter
These are not work around they arecsecurity you can enforce.
Adding to this, even SonicWall supports L7 Policy and protocol enforcement now. So pretty much any Sophos competitors does this now.
I've already asked to a Sophos Dev about L7 Policies, but this has the answer:
"Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".
The application filter is better suited to denying applications rather allowing them (and denying everything else)."
(If you want I can send you the link of the post about this, but It has been archived.)
Please send me this Link.
I've sent you a message with more information. (I'm trying to find all posts about this.)
Thank you, I've read that Postings.
BTW: I worked the last years with PaloAlto...
Unbelivable what Sophos ignores in 2020 ....
rfcat_vk said:Then you can further enhance enforcement by enabling block non http traffic on http ports etc.
Could you please explain to me how to enforce protocols over Sophos XG ?
I'm on v18 MR 2, all rules are using DPI Engine instead of the old Web Proxy. (No, I'm not going to use the old Web Proxy, it creates more headache than fixes.)
I've created a Rule that allows only HTTP from a host to another host, and blocks everything else.
But I'm able to connect with SSH without any issues over port 80.
It even detects the traffic as SSH...
There are many things to talk about. I guess, we cannot cover everything in this post. But there is a difference between Application Control and Application protection. The problem nowadays with "Attacks" is, those guys like to use normal applications and use TLS encryption to communicate. Therefore you can start to block the application Chrome, but they will simply use your browser to build a channel back. (Its more complicated than that - always recommend https://nakedsecurity.sophos.com/ )
You can build many real L7 scenarios with XG, as the firewall backend allows such processes. But there are certain limitation like groups etc.
For example, you could simple build LAN to WAN, allow and Deny apps, you want / do not want. That will work perfectly fine on all Ports and all apps.
Another example is group support. You could build a firewall rule User A LAN to WAN, allow all apps. User B Lan to WAN, only Browser allowed.
It gets complicated, if you want to allow per user different Apps and deny other.
From my understanding, a control product is to "allow" unwanted things. A "protect" product is to deny attacks etc. You can allow or deny pornographic content. Is it harmful? Likely not, but not wanted in most businesses. Do you want to stop the ransomware to lateral movement? Yes i want to. But thats likely a IPS and DPI topic rather than a application control.
Attacks are complex and uses different mechanism to spread. Look at tools to white hack for example. They can literally inject into notepad and "be notepad". Do you want to block notepad to communicate by your firewall? Where does it stop?
Protection should be used on certain level. You need for example a good endpoint protection to stop the injection in the first place.
there is a slight problem with using DPI only, it does not detect UDP and not all sites are happy with the DPI inspection that is why there is a very big list of specific SSL/TLS exceptions which is not required for HTTPS inspection. There is also a bug in the current DPI ask Prism for the details.
The bug will be fixed in v18.0.3 MR-3.