This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Security Features > Web Filtering - Best practice for BYOD Devices

Hi.

I am looking for some advise around the best practise for Web Filtering for a BYOD network. 

We have a seperate network setup on our XG for residents who connect their own devices which are mainly mobile devices. We have a firewall rule crated to allow this dedicated zone out on the internet and in this rule I want to setup Web Filtering. I have created a Web Policy which includes a large amount of categories to block but I am unsure which of the other settings under this feature to enable or disable. These settings are shown as: 

Web Policy: 
Apply web category-based traffic shaping (currently disabled) 
Block QUC propocol (currently enalbed) 

Malware and contect scanning 
Scan HTTP and decrypt HTTPS (currently disabled) 
Use zero-day protection (currently disabled) 
Scan FTP for malware (currently enabled) 

Filtering common web ports 
Use web proxy instead of DPI engine (currently enabled) 

Web Proxy Options 
Decrypt HTTPS during web proxy filtering (currently disabled) 

I have SSL / TLS Inspection enabled but I read somewhere about a certificate being needed to allow this to work correctly. 

On the same XG we do have a corporate network which is setup against a different firewall rule and I plan to setup SSL and TLS inpection against this. 

With the testing I have done on the residents network I have found internet browsing to be slow which may be down to the amount of categories I have selected. As this is a residents network I need to make sure a solid level of proteciton is in place and I would like secure sites to be scanned as most sites have a certificate in place. 

Any guidance would be greatly apprecaited. 

Many thanks, Dan 



corrected the spell
[edited by: Vivek Jagad at 9:11 AM (GMT -7) on 20 Jun 2023]
Parents
  • Hello!

    I have SSL / TLS Inspection enabled but I read somewhere about a certificate being needed to allow this to work correctly. 

    You cannot do TLS Inspection with a BYOD network since It's necessary to have the certificate authority installed on each device. (But the DPI engine is still capable of doing web filtering with just the certificate information.)

    Over the current settings, I recommend you to change:

    Scan HTTP and decrypt HTTPS (currently disabled) 
    Use zero-day protection (currently disabled) 

    Enable both of those options, even If It can't scan HTTPS traffic - plain-text HTTP traffic will still be scanned. (For the Zero-Day protection, be sure you have a valid license before enabling It, a warning should appear if you don't have It.)

    Filtering common web ports 
    Use web proxy instead of DPI engine (currently enabled) 

    Disable this option to use the DPI engine, currently the DPI engine is better (secure) and faster than the old web proxy. (This could be the reason on why internet browsing is slow.)

    At last, depending on the scenario It's recommended to enable QoS for the BYOD Network.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Hi, just another thought - If I enable Scan HTTP and decrypt HTTPS on the BYOD network will this cause errors if the Sophos Cert is not installed? 

    Many thanks, Dan 

  • Not sure about all the details, but if it is attempting to decrypt TLS -- which will cause errors for users when their browsers see the firewall's certificates -- you can always turn that part off by setting up a TLS rule to not decrypt traffic on the BYOD zone.

  • If I enable Scan HTTP and decrypt HTTPS on the BYOD network will this cause errors if the Sophos Cert is not installed? 

    No, the DPI engine is only capable of scanning plain-text HTTP traffic without TLS Decryption. (It won't give errors for the user if It's HTTP.)

    The user will only get a certificate error if the website they accessed over HTTPS is being blocked though a web policy. (They will get a certificate error at first because the Firewall will try to redirect the user to a warning page, and in order to do this It needs to MITM (decrypt) the HTTPS connection.)


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • There are three things (at least in V19) that work together to cause TLS decryption, correct? One would be the checkbox in the Firewall Rule (Scan HTTP and decrypt HTTPS). This does not, by itself cause TLS decryption. Then there is the SSL/TLS Inspection Rules tab, which (in v19) has a master on/off switch. Then there are the rules themselves.

    I think if no SSL/TLS Decryption rule applies, it falls off the end and does no decryption. So given that the OP didn't create an broad "decrypt it" rule in SSL/TLS Inspection Rules, it will drop off the end and so won't decrypt even though they check the box in the Firewall rule.

    So there should be a hover-over "I" on the Firewall Rule checkbox next to "decrypt HTTPS" that says, "If an SSL/TLS Decryption rule would cause encryption". Is that right?

Reply
  • There are three things (at least in V19) that work together to cause TLS decryption, correct? One would be the checkbox in the Firewall Rule (Scan HTTP and decrypt HTTPS). This does not, by itself cause TLS decryption. Then there is the SSL/TLS Inspection Rules tab, which (in v19) has a master on/off switch. Then there are the rules themselves.

    I think if no SSL/TLS Decryption rule applies, it falls off the end and does no decryption. So given that the OP didn't create an broad "decrypt it" rule in SSL/TLS Inspection Rules, it will drop off the end and so won't decrypt even though they check the box in the Firewall rule.

    So there should be a hover-over "I" on the Firewall Rule checkbox next to "decrypt HTTPS" that says, "If an SSL/TLS Decryption rule would cause encryption". Is that right?

Children
  • If you don't use the Web Proxy, then you're only able to trigger a TLS Decryption with a custom policy over the SSL/TLS Inspections Tab.

    I think if no rule applies, it falls off the end and does no decryption.

    Yes.

    So there should be a hover-over "I" on the Firewall Rule checkbox next to "decrypt HTTPS" that says, "If an SSL/TLS Decryption rule would cause encryption". Is that right?

    The "Scan HTTP and Decrypted HTTPS" naming sounds weird to be honest, since the DPI can send web traffic to be scanned from all ports then shouldn't this be called "Scan Web(HTTP)-based Traffic" or something as that?

    The same applies on the "Filtering common web ports", the naming sounds as I need to enable It (Web Proxy) in order to get web filtering.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • The super descriptive wording would be.

    "Scan HTTP and decrypted HTTPS traffic"
    Perform antivirus scan on any traffic that it can.  What traffic it can depends on all the other settings.  For example, only traffic on ports listed in Services can be scanned.  HTTP can be scanned.  HTTPS can be scanned only if you also have rules that decrypt the traffic.
    This option does not start turn on decryption.  It turns on malware scanning of traffic that is decrypted (because other settings have made it decrypted).


    "Filtering common web ports [ ] Use web proxy instead of DPI engine"
    The DPI Engine can scan traffic/apply policy on any port.  The Web proxy can only scan/apply on port 80/443 ("common web ports").
    Traffic on port 80/443 will use this setting to determine whether proxy/DPI should be used.
    If ports are listed in Services but are not 80/443 then they will be done by DPI regardless of this setting.

    If you are using port 80/443 and you are using the web proxy, then the "Decrypt HTPS during web proxy filtering" will be used to decide whether to decrypt traffic.
    If you are using port 80/443 and you are using the DPI mode, then the SSL/TLS rules will be used to decide whether to decrypt traffic.
    If you are using other ports then you must be using DPI mode, and the SSL/TLS rules will be used to decide whether to decrypt traffic.

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/115976/sophos-xg-firewall-v18-xstream---the-new-dpi-engine-for-web-proxy-explained
    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121482/https-decrypt-and-scan-faq