
What is the benefit of IPS, Zero-Day Protection, ATP and web filtering without deep packet inspection on TLS sessions

stupid question, I know, but honestly: what is the benefit of the Xstream protection when you decide not to break TLS sessions at all (besides mail filtering)?

Will someone earn any higher protection level with all these features activated without breaking TLS in comparison to a base licence?

I am asking because when I look around (ca. 100 and more customers, even at enterprise level), nobody, really nobody does TLS decryption in any case but for testing purposes. There are a lot of reasons against it: privacy breach (admins may read passwords of users in clear text) and simply because many things won't work anymore, because lots of (web) applications rely on just working https connections. Things get more and more complicated.

So on the one hand every manufacturer praises zero-trust, xstream, total protection, 360 degrees of comfort or whatever term comes to your mind, but what does it help in reality when you are only able to inspect unsecured connections? How much do you raise your security level? In percentage maybe: 5, 10, 25 or even 42%?

I can read and read whitepapers and watch demos: it will not get into my head what the purpose of buying all these features is, when nobody makes use of them?

Some help and clarification would be really appreciated.

  • Hello,
    Thank you for reaching out to the community. With intrusion prevention, you can examine network traffic for anomalies to prevent DoS and other spoofing attacks. Using policies, you can define rules that specify an action to take when traffic matches signature criteria. In addition to blocking risky files, zero-day protection also provides detailed reports of the analysis performed to help you understand the risk. Advanced threat protection analyzes incoming and outgoing network traffic for threats. Using ATP, you can quickly detect compromised clients in your network and log or drop the traffic from those devices. Furthermore, we recommend a read: the new DPI Engine for web proxy explained. Additionally, you can refer to the license bundles available for XGS and XG Series firewalls.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case

    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • thanks, a good insight into these implementations.

    But as I tried to describe: what would be the benefit of all these technologies if one does not break outgoing TLS connections at all? And this is what happens in the real world nearly 100% of the time; I really do not know any customer who does it.

  • Don't know what the problem is...
    Default (depending on settings) is decrypt all except trusted sites, services I know, incompatible services (...) and it's working. Of course you can set it to break all SSL connections without exceptions -> have fun (and you will have that problem with any firewall). By the way, a lot of services are not using SSL encryption and are also protecting you. You have to know whether the few percent more security is worth it to you.

    The firewall is just ONE point of security and no egg-laying woolly milk pig; there are many other points (including Layer 8) to care about for reaching a good level of security. If you assume a single firewall will protect you from all bad things, maybe you are wrong...

  • The main problem after a security breach is the internet connection, and yes, detection, alerting and even response here are essential, I would say. Sure, the best approach is a layered approach, but keep in mind where the plot of the story is. It's the internet connection and access via C&C and so on.

    I have no problem, I understand the purpose of DPI, but I was curious how others handle this in practice.

    As I said: I know nobody who does, that is why I am asking.

  • Most customers are adopting this technology right now. At least for the German market, the administrators are using the company employee agreement to get HTTPS scanning enabled, which means employees are aware that IT can read everything and personal usage is under the terms of service for the network. This is also approved by the works council of a company as well. (I mean we have been living in this situation for emails for years as well: admins can read emails of each employee without a problem, therefore there has to be a regulation. The same is applicable for decrypting HTTPS.)

    The next point is: SFOS can do certain protection levels still without HTTPS scanning. See:

    But from my perspective: HTTPS scanning was not used prior to XGS due to the performance cut in terms of the hardware needed for good throughput. This is addressed with an XGS appliance. It is the same as with IPS. People disabled it because users complained.


  • thanks Toni! I was looking for more details to this topic - too many buzzwords and marketing gaga are still around. The decision makers with the money pocket say: hey, we have state of the art protection. But indeed 4000 users are surfing more or less unprotected. TLS decryption is disabled.

    I also think that you may raise the protection level without decryption at least a little bit. But the story is DPI with TLS. We will evaluate it and try to consider it as well. It has to work, that is the point, and the web proxy approach was not so good at all.

  • I tried to address some of those questions in the FAQ that LuCar linked to.

    I am on the dev team and I deal with escalations, so I don't know the sales side and what average customers do. However, I know a reasonable percentage of our customers do HTTPS decryption because I see it if I need to go onto their boxes. I don't know how many, but a good portion. The most common reason I hear about for not decrypting is not being able to deploy the Certificate Authority to BYOD devices. Compatibility with sites mostly works out of the box and really is just a pain for the first week as people get things up and running.

    As to your original question please understand this is only my off-the-cuff opinion. If you do not do HTTPS scanning:
    - website blocking due to category or domain name fully works, including known malware sites (5% worse)
    - antivirus scanning is only HTTP (90% worse)
    - zero day protection is only HTTP (90% worse)
    - ATP (Advanced Threat Protection) of callhomes is lower but still good (25% worse)
    - IPS and App control is lower but still good (25% worse)

    If you were asking specifically about whether you should buy a bigger license (eg with Zero Day Protection) remember that even though you've lowered the usefulness in web by not doing decryption, you still get it for email.
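The point made twice above (the "decrypt all except trusted and incompatible sites" default, and that domain/category blocking still works fully without decryption while content scanning does not) comes down to what a firewall can see in a TLS handshake. The added example below is not from this thread or from Sophos; it builds a minimal ClientHello, extracts the cleartext SNI hostname from it, and applies a constructed policy (hypothetical category table, block list and decryption exemptions) to show which decisions need decryption and which do not. The `build_client_hello`, `extract_sni` and `decide` names and all sample hosts are assumptions for illustration.

```python
"""Added example: why SNI-based blocking survives with TLS decryption off.

Until the handshake is decrypted, the only application-layer cleartext a
firewall sees on a TLS 1.2/1.3 flow is the ClientHello, whose server_name
extension (SNI) carries the destination hostname.  Everything after that
(URL path, downloaded file) is opaque unless the session is decrypted.
"""
import struct

# Constructed policy tables for illustration; a real firewall consults a
# category database and the admin's decryption exclusions instead.
HOST_CATEGORIES = {
    "malware.example": "malware",
    "bank.example": "banking",
    "update.example": "os-updates",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "phishing"}
# Typical decrypt exclusions: certificate-pinning apps, OS updates, banking.
DECRYPT_EXEMPT_CATEGORIES = {"banking", "os-updates"}


def build_client_hello(server_name):
    """Construct a minimal TLS record holding a ClientHello (test input).

    server_name=None produces a ClientHello without any extensions, which is
    how a legacy client (no SNI) looks to the firewall.
    """
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (all zero: constructed input)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None.

    Every length is bounds-checked so truncated or non-TLS input yields None
    instead of an exception; a firewall must not crash on odd handshakes.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                                    # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                    # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions at all
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:   # host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def decide(record, decryption_enabled):
    """Classify one flow from its ClientHello under the constructed policy.

    Returns the action and whether the payload would be content-inspected
    (AV / zero-day / URL-path filtering need inspected=True).
    """
    sni = extract_sni(record)
    if sni is None:
        return {"sni": None, "action": "allow-opaque", "inspected": False}
    category = HOST_CATEGORIES.get(sni, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        # Domain/category blocking needs only the SNI: works without decryption.
        return {"sni": sni, "action": "block", "inspected": False}
    if decryption_enabled and category not in DECRYPT_EXEMPT_CATEGORIES:
        return {"sni": sni, "action": "decrypt-and-scan", "inspected": True}
    return {"sni": sni, "action": "allow-opaque", "inspected": False}


if __name__ == "__main__":
    for host in ["malware.example", "bank.example", "news.example", None]:
        for enabled in (False, True):
            print(f"decrypt={enabled!s:5} host={host!s:16}",
                  decide(build_client_hello(host), enabled))
```

Run it stand-alone to see the same flows classified with decryption off and on: the malware host is blocked in both modes, the uncategorised news host is only content-inspected when decryption is on, and the banking host stays opaque even then because it sits in the exemption list, which is the "majority of my TLS traffic isn't decrypted" effect described later in the thread.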

  • I would not want to work for any of those 100 organizations. I am a contractor and I can assure you that my clients make me use their laptop to access their network and they've got full firewall and endpoint security implemented. Enterprise-level organizations have enterprise-level endpoints, and so installing certificates (and having users have to deal with that) isn't a problem. (Yes, this may include things like installing certificates for Python to use, etc., if you're a programmer.)

    Heck, I use TLS decryption at home, and it works well. Yes, there are default exemptions for OS upgrades, and sites like financial sites check certificates closely and need to be exempted as well. But on the whole, it's not a disaster (even though I don't have an enterprise-level infrastructure which would make it trivial), and to be honest, the exceptions in TLS rules mean that maybe the majority of my TLS traffic isn't decrypted at some points in time -- things like OS updates, streaming video, account for a LOT of traffic -- but not going to the trouble to do it where possible is just an amateur move, in my opinion.

  • We have been using HTTPS decryption for almost 2 years without any problem. We have to exclude TVs and devices where we can't install certificates.

    Banking sites and some software updates need to be excluded from scanning. Overall DPI works and has improved a lot.