What is the benefit of IPS, Zero-Day Protection, ATP and web filtering without deep packet inspection on TLS sessions

Stupid question, I know, but honestly: what is the benefit of the Xstream protection when you decide not to break TLS sessions at all (besides mail filtering)?

Will someone earn any higher protection level with all these features activated without breaking TLS in comparison to a base licence?

I am asking because when I look around (ca. 100 and more customers, even at enterprise level), nobody, really nobody does TLS decryption in any case but for testing purposes. There are a lot of reasons against: privacy breach (admins may read passwords of users in clear text) and simply because many things won't work anymore because lots of (web) applications rely just on working https connections. Things get more and more complicated.

So on one hand every manufacturer praises zero-trust, xstream, total protection, 360 degree of comfort or whatever term came to your mind, but what does it help in reality when you are able only to inspect unsecured connections? How much do you raise your security level? In percentage maybe: 5, 10, 25 or even 42%?

I can read and read whitepapers and watch demos: it will not get into my mind what the purpose is of buying all these features when nobody makes use of them.

Some help and clarification would be really appreciated.

Added TAGs
[edited by: emmosophos at 4:54 PM (GMT -7) on 3 Nov 2023]
  • Don't know what's the problem...
    Default (depending on settings) is decrypt all except trusted sites, services I know, incompatible services (...) and it's working. Of course you can set break all SSL connections without exceptions -> have fun (and you will have that problem with any firewall). By the way a lot of services are not using SSL encryption and also protecting you. You have to know whether the few percent more security is worth it to you.

    The firewall is just ONE point of security and no egg-laying wooly-milk-pig; there are many other points (including Layer 8) to care about for reaching a good level of security. If you assume a single firewall will protect you from all bad things, maybe you are wrong...

  • Main problem after a security breach is the internet connection and yes, detection, alert and even response here is essential I would say. Sure, best approach is a layered approach, but keep in mind where the plot of the story is. It's the internet connection and access via c&c and so on.

    I have no problem, I understand the purpose of DPI, but I was curious how others handle this in practice.

    As I said: I know nobody who does, that is why I am asking.

  • Most customers are adapting this technology right now. At least for the German market, the administrators are using the company employee agreement to get HTTPS Scanning enabled, which means employees are aware that IT can read everything and personal usage is under the terms of service for the network. This is also approved by the works council of a company as well. (I mean we have been living in this situation for emails as well for years - admins can read emails of each employee without a problem, therefore there has to be a regulation - the same is applicable for decrypting HTTPS.)

    The next point is: SFOS can do certain protection levels still without HTTPS scanning. See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121482/sophos-firewall-https-decrypt-and-scan-faq#mcetoc_1hbv83qnp7

    But from my perspective: HTTPS Scanning was not used prior to XGS due to the performance cut in terms of needed hardware for a good throughput. This is addressed with an XGS appliance. It is the same as with IPS. People disabled it because users complained.
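To make concrete what "certain protection levels without HTTPS scanning" means in practice: even when a firewall never decrypts, the TLS ClientHello still carries the Server Name Indication (SNI) in clear text, and that is the handle that web filtering and categorisation use for HTTPS without breaking the session. The example below is added here for illustration and is not code from Sophos or from the thread; it constructs a minimal ClientHello, extracts the SNI the way a non-decrypting filter would, and applies a constructed blocklist to it. The hostnames and the blocklist are made-up sample data.

```python
import os
import struct
from typing import Optional

# Constructed sample blocklist (hostname suffix -> category). Not real data.
BLOCKLIST = {
    "gambling.example": "gambling",
    "malware-sample.invalid": "malware",
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record, with or without an SNI extension.

    Used only to produce sample input for extract_sni(); a real client sends
    many more cipher suites and extensions, but the layout is the same.
    """
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_body = struct.pack("!H", len(entry)) + entry       # server_name_list
        exts += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    sv = b"\x02\x03\x04"                                       # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 43, len(sv)) + sv
    body = (
        b"\x03\x03" + os.urandom(32)                           # legacy_version + random
        + b"\x00"                                              # empty session id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"           # two cipher suites
        + b"\x01\x00"                                          # one compression method (null)
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or malformed.

    Every length field is taken from the packet, so out-of-range reads raise
    and are turned into None rather than a crash: a filter must never trust
    the peer to send a well-formed hello.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                        # not a handshake / not ClientHello
        pos = 9                                                # record header (5) + handshake header (4)
        pos += 2 + 32                                          # legacy_version + random
        sid_len = record[pos]; pos += 1 + sid_len
        cs_len = struct.unpack_from("!H", record, pos)[0]; pos += 2 + cs_len
        cm_len = record[pos]; pos += 1 + cm_len
        if pos >= len(record):
            return None                                        # no extensions block at all
        ext_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos); pos += 4
            if etype == 0x0000:                                # server_name extension
                lpos = pos + 2                                 # skip server_name_list length
                while lpos + 3 <= pos + elen:
                    ntype = record[lpos]
                    nlen = struct.unpack_from("!H", record, lpos + 1)[0]
                    name = record[lpos + 3: lpos + 3 + nlen]
                    if ntype == 0:
                        return name.decode("ascii")
                    lpos += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_decision(record: bytes, blocklist: dict) -> str:
    """Decide 'allow', 'block' or 'no-sni' from the ClientHello alone (no decryption)."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"                                        # policy must decide what to do here
    labels = name.lower().split(".")
    for i in range(len(labels)):                               # suffix match covers subdomains
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"


if __name__ == "__main__":
    for host in ("example.com", "ads.gambling.example", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), sni_decision(rec, BLOCKLIST))
```

The "no-sni" branch is the part worth thinking about: a client that omits SNI, or that uses Encrypted Client Hello in TLS 1.3, gives a non-decrypting filter nothing to categorise, so the policy for that case (allow by IP reputation, or block unknown destinations) is where the residual risk without decryption actually sits.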


  • Thanks Toni! I was looking for more details on this topic - too many buzzwords and marketing gaga are still around. The decision makers with the money pocket say: hey, we have state of the art protection. But indeed 4000 users are surfing more or less unprotected. TLS decryption is disabled.

    I also think that you may raise the protection level without decryption at least a little bit. But the story is DPI with TLS - we will evaluate and try to consider it as well. It has to work, that is the point, and the web proxy approach was not so good at all.