Unwanted Parenting - Why does SOPHOS insist on removing features "for our own good"?

SOPHOS markets their XGS product to network administrators, who are professionals in their field. These are expensive devices that are owned by the customer, and it should be up to the customer how they wish to deploy\configure\use them. 

SOPHOS, however, is intent on "Parenting" their network administrator customers. SOPHOS is removing another feature that some admins are using because I guess SOPHOS "knows better". We've been using the new XGS Firewalls for a few months and this is the second time I've seen this behavior.

While SOPHOS is busy removing functionality and features from their Firewalls to "Parent" their customers who don't need parenting, other functionality is direly needed, however that does not appear to be the focus.

Why don't we work on improving the MANY missing features that XGS needs, before we start making the product less flexible?

  • Now when the user portal gets disabled and the user needs a new certificate because of any change how can they VPN to the user portal to get certificate?

    Is this able to be toggled again, or is it off for good at that point?

    Again going about things like we are talking about administering 2 firewalls.

  • The User Portal will only be disabled automatically if it's unused for 90 days by any user. The Admin can re-enable it afterwards if it does get auto disabled. 

    In SFOS v20, which is going to EAP in a few weeks, there will be a new VPN portal where users will download their VPN config, which won't have this restriction. 

  • And what will make the new VPN-Portal more secure than the current User-Portal, when exposed to WAN? Why not secure the User-Portal the same way the new VPN-Portal would/will be?

  • The goal is to help our customers limit their security risk & exposure on WAN, as we know malicious actors are constantly probing and attacking systems/networks (not just Sophos firewalls) - as you all can probably see from various incidents in the news. 

    We know most users only need to download their VPN configuration remotely. Once they do, they can VPN in to perform other operations (e.g. email quarantine) from the User Portal. Therefore we created the VPN Portal to separate & limit the operations available directly from WAN to a minimum, thus reducing the attack surface. This way our customers can keep their risk to a minimum. 

    We also know some customers enable their User Portal on WAN without a need to (when it's not used). This again unnecessarily increases their risk & exposure. That's why we implemented an auto-disable if it's unused. If the User Portal is legitimately being used (even by 1 user), it will stay enabled. If the admin needs to re-enable the User Portal after it's been disabled, they can also do so. Again this is to help reduce our customers' risks, especially for those who 'set & forget' their firewalls. 
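The auto-disable rule described in the reply above (a WAN-exposed portal that no user has logged into for 90 days gets disabled; a single login inside the window keeps it enabled; the admin can re-enable it) can be written out as a small audit over access logs. The example below is added here and is not Sophos code; it assumes a constructed log format of `ISO-timestamp portal user` per successful login, and the sample lines, portal names and the `AUDIT_NOW` reference time are all made up for the demonstration.

```python
from datetime import datetime, timezone

# Constructed sample access log (not real SFOS output): one line per
# successful portal login, formatted "ISO-timestamp portal user".
SAMPLE_LOG = """\
2023-01-10T08:15:00Z user_portal alice
2023-01-12T17:40:00Z user_portal bob
2023-06-01T09:00:00Z vpn_portal carol
2023-06-20T11:30:00Z vpn_portal alice
"""

# Which portals are reachable from WAN in this constructed setup.
SAMPLE_EXPOSURE = {"user_portal": True, "vpn_portal": True, "webadmin": False}

# Reference "now" for the audit (constructed so the result is deterministic).
AUDIT_NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)

IDLE_DAYS = 90  # the threshold quoted in the thread


def parse_log(text):
    """Return {portal: time of the most recent successful login}."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, portal, _user = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if portal not in last_seen or when > last_seen[portal]:
            last_seen[portal] = when
    return last_seen


def idle_days(last_seen, portal, now):
    """Whole days since the last login, or None if the portal was never used."""
    if portal not in last_seen:
        return None
    return (now - last_seen[portal]).days


def should_auto_disable(last_seen, portal, now, wan_exposed, threshold=IDLE_DAYS):
    """Disable only WAN-exposed portals that are idle for >= threshold days
    (or have never been used). Any login inside the window keeps it enabled,
    matching the 'even by 1 user' rule. Non-exposed portals are left alone."""
    if not wan_exposed:
        return False
    days = idle_days(last_seen, portal, now)
    return days is None or days >= threshold


def audit(text, exposure, now, threshold=IDLE_DAYS):
    """Map every known portal to True (auto-disable) or False (keep enabled)."""
    last_seen = parse_log(text)
    return {
        portal: should_auto_disable(last_seen, portal, now, exposed, threshold)
        for portal, exposed in exposure.items()
    }


def run_sample():
    """Run the audit over the constructed log with the constructed exposure map."""
    return audit(SAMPLE_LOG, SAMPLE_EXPOSURE, AUDIT_NOW)


def sample_idle_days(portal):
    """Idle days for one portal in the constructed log at AUDIT_NOW."""
    return idle_days(parse_log(SAMPLE_LOG), portal, AUDIT_NOW)


if __name__ == "__main__":
    for portal, disable in run_sample().items():
        print(f"{portal}: idle {sample_idle_days(portal)} days -> "
              f"{'auto-disable' if disable else 'keep enabled'}")
```

The point worth noting for an admin in the original poster's position: the rule keys on successful logins, so a portal that users reach only once every few months (for example, only when a certificate changes) will be disabled between those visits and needs the admin to re-enable it, which is exactly the scenario the later replies in this thread raise.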

  • Again you are missing the point. This is a decision for the partner and client to make. There is no denying this is more secure; it's the audacity of Sophos that's the issue.
    Things are thought of as having 5 firewalls to deal with. What if you don't have access to the user portal for months because everything has been fine, and now because of a cert change or ENC change to 256 bits it requires a new cert? Suddenly no user portal? That's fine if you have 3 firewalls, but what happens when you have 20k users in the wild?
    What happens when they have MFA enabled and the admin cannot download on the user's behalf?

    So short sighted yet so typical of Sophos.

    Provide a better way to get the certs per user and then do this change, not the other way around.

    These are very basic common sense matters, very easy to understand.