
Unwanted Parenting - Why does SOPHOS insist on removing features "for our own good"?

SOPHOS markets their XGS product to network administrators, who are professionals in their field. These are expensive devices that are owned by the customer, and it should be up to the customer how they wish to deploy/configure/use them.

SOPHOS, however, is intent on "Parenting" their network administrator customers. SOPHOS is removing another feature that some admins are using because I guess SOPHOS "knows better". We've been using the new XGS Firewalls for a few months and this is the second time I've seen this behavior.

While SOPHOS is busy removing functionality and features from their Firewalls to "Parent" their customers who don't need parenting, other functionality is direly needed, however that does not appear to be the focus.

Why don't we work on improving the MANY missing features that XGS needs before we start making the product less flexible?

This thread was automatically locked due to age.
  • The focus is security. This is low-hanging fruit and it increases the security best practice for a lot of customers.

    Exposing WAN HTTPS/SSH for no reason is a real security concern.

    You can workaround this by using the CLI switch: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/Set/index.html#advanced-firewall

    What are the use cases for using WAN HTTPS ANY? 

    Or let's rephrase it: why would you leave your door open if there is nobody using it? The mechanism checks for successful logins; if there are some, it will be untouched.

    If you are not using the door for 60 days, it will be disabled by default, increasing the security of the product by a lot. So if you want to use the HTTPS ANY policy, nothing will change for you.

    If you get this alert from the firewall, it means nobody used it for 30 days. Maybe it is time to "shut it down".

    See Shodan for how many firewalls are reachable on port 4444 for "no reason".
    You can put your reason into the reason to enable WAN HTTPS - But essentially there are better ways to build this access (VPN, Central, ZTNA, ACL). 

    __________________________________________________________________________________________________________________
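The rule described in this reply (successful logins keep the WAN admin service open; an idle period of 60 days with no successful login closes it, and failed attempts do not count) can be checked independently from the firewall's own logs. The script below is an added example, not Sophos code and not the SFOS log format: the log lines, the field names and the `admin_login` message shape are all constructed here for illustration, and the 60-day threshold is the one quoted in the thread. It parses the constructed lines, finds the last successful login per admin service from the WAN zone, and reports which services would be closed under the rule.

```python
"""Idle WAN admin-access check over constructed log lines (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

IDLE_LIMIT = timedelta(days=60)  # threshold quoted in the thread

# Constructed sample lines; this is a hypothetical schema, not the SFOS log format.
SAMPLE_LOG = """\
2024-03-01T09:12:00Z admin_login service=https zone=WAN src=203.0.113.10 user=admin result=success
2024-03-20T22:41:10Z admin_login service=https zone=WAN src=198.51.100.7 user=admin result=failed
2024-04-02T11:05:33Z admin_login service=https zone=LAN src=10.0.0.5 user=admin result=success
2024-04-15T08:00:00Z admin_login service=ssh zone=WAN src=203.0.113.10 user=admin result=failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin_login service=(?P<service>\w+) zone=(?P<zone>\w+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


@dataclass
class LoginEvent:
    ts: datetime
    service: str
    zone: str
    src: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed schema; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m["service"], m["zone"], m["src"], m["user"],
                                 m["result"] == "success"))
    return events


def last_successful_login(events, service, zone="WAN"):
    """Only successful logins through the given zone count; failures do not reset the clock."""
    hits = [e.ts for e in events if e.service == service and e.zone == zone and e.success]
    return max(hits) if hits else None


def should_disable(events, service, now, zone="WAN", idle_limit=IDLE_LIMIT):
    """Return (disable?, last_success). A service that was never used successfully
    from the zone is treated as idle: closing it loses nothing."""
    last = last_successful_login(events, service, zone)
    if last is None:
        return True, None
    return (now - last) > idle_limit, last


def report(text, now, services=("https", "ssh")):
    """Evaluate the idle rule for each admin service and return a summary dict."""
    events = parse_log(text)
    return {svc: dict(zip(("disable", "last_success"), should_disable(events, svc, now)))
            for svc in services}


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for svc, r in report(SAMPLE_LOG, now).items():
        state = "would be disabled" if r["disable"] else "stays open"
        print(f"{svc}: {state} (last successful WAN login: {r['last_success']})")
```

Run against the sample with a "now" of 2024-06-01, the HTTPS service is flagged because its last successful WAN login (2024-03-01) is 92 days old; the LAN login on 2024-04-02 and the failed WAN attempts change nothing, which is the behaviour the reply describes. Moving "now" to 2024-04-20 leaves HTTPS open, since 50 days is under the limit.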

  • We don't allow SSH access at all and we have added the ACL for https to most units. Some we will surely not get to and get locked out for numerous reasons.

    That said, that is not the point. We should not have to buy yet another product to administer firewalls, and this is not a decision for anyone at Sophos to make. This is a decision for the partner and the business owners to make.

    I'm sure the user portal will be next, and then what? There is an assumption that we have VPN access to every firewall sold? Sophos thinks in terms of selling 5 firewalls and the burden it creates. The reality for someone that sells 1000 units is far, far away from that reality.

    Outside of all this Sophos Central has a lot to be desired before that can be touted as the answer.

    I know you have your Sophos underwear on I get that, but there is no way this type of decision should be made by any firewall manufacturer. 

  • So let's unfold your statements here:

    You have firewalls installed for your customers with HTTPS access set to ANY.
    Are they in active use, so people are accessing those WebAdmins via this ANY object? Then nothing will change. Every successful access will reset the clock for another 60 days.

    You don't have to buy another product for this purpose. Central is free. VPN is free. ACLs are free. Only ZTNA, in case you want to use it there. There are people doing it right now; I just wanted to add it to the list.

    The assumption is not to have a VPN to every firewall. Instead, add the firewall to Central if you want to manage it. The Central Partner Dashboard gives you the option to administrate and log in via SSO to the firewall, just in case you need access for whatever reason to your customer firewalls.
    If you don't want to do that, an ACL would be a good place to start to limit the access.
    Your current partner setup is to sell customer firewalls and open WAN to ANY for HTTPS? Do you not think this might be a situation to talk about?

    I talked to a lot of German partners in the recent days/weeks about these changes. Most of them are not even concerned about this. What you could do: build an Import/Export file for an ACL with Internetv4 and HTTPS enabled. You can upload it to all firewalls and nothing will change. But I would strongly advise not to follow up on such a call.

    __________________________________________________________________________________________________________________

  • Again, none of this is the point; I'll say it one more time. This is not a decision, regardless of security or any other matter, that Sophos should be making. This is like buying a car from Toyota and then having Toyota say we are locking your doors remotely whether you want them locked or not. It's not their decision to make, and it probably oversteps a boundary that means more of this nonsense is coming in the future.

    You realize we have hundreds of firewalls sold that we have no access to. This means we have lots of burden on those units for businesses that may not be on the forum every day. It is their decision to make if they want the WAN to be accessible or not. Many of them feel fine that as long as MFA is enabled it's enough. I may not think that is the best way, but it's not my decision and I am not dumb enough to think it is.

  • Then set the parameter above and disable this option. WAN HTTPS will be active. 

    So essentially my point is: partners liked this approach, as they can point towards Sophos to be the voice to "close this gate". SFOS will close it automatically if not needed, and partners can discuss this with their customers to find alternatives like those listed above to increase the hardening of their edge security product.

    If you want a car analogy: most cars nowadays auto-lock themselves after a time by default, as they assume you are not there anymore and maybe forgot to lock the car. Why does the car vendor build that?

    __________________________________________________________________________________________________________________

  • Your product is not designed for 16 year old rookie drivers with no experience, like a car is. 

    Your product is designed for businesses and professionals who are experienced. We don't need training wheels and parenting. We need a flexible device that allows us to do what we need, even if that is risky or unrecommended.

    I wonder if Klaus Schwab and the WEF are involved in the direction of SOPHOS.

  • It's impossible to get you to understand the point, so I'll stop. I don't drive a Fiat.

    I'll just calmly wait until everything is ingested into Sophos Central and wait for the announcement that it's now a pay-for product and watch the meltdown.

    Sophos needs to worry about the 1000 things that are broken and leave the configuration to the professionals. You guys don't even have ACL lists that support DNS names, yet you are closing everything down. Take away the SSL VPN client when the Sophos Connect client is trash, and on and on. Worry about the things that actually matter and then there won't be posts like this.

    I hope you don't get locked out of your car; it's very annoying.