
What is the benefit of IPS, Zero-Day Protection, ATP and web filtering without deep packet inspection on TLS sessions

Stupid question, I know, but honestly: what is the benefit of the Xstream protection when you decide not to break TLS sessions at all (besides mail filtering)?

Will someone earn any higher protection level with all these features activated without breaking TLS in comparison to a base licence?

I am asking because when I look around (ca. 100 and more customers, even at enterprise level), nobody, really nobody, does TLS decryption in any case but for testing purposes. There are a lot of reasons against it: privacy breach (admins may read passwords of users in clear text) and simply because many things won't work anymore, because lots of (web) applications rely on just working https connections. Things get more and more complicated.

So on one hand every manufacturer praises zero-trust, xstream, total protection, 360 degrees of comfort or whatever term comes to mind, but what does it help in reality when you are only able to inspect unsecured connections? How much do you raise your security level? In percentage maybe: 5, 10, 25 or even 42%?

I can read and read whitepapers and watch demos: it will not get into my mind what the purpose of buying all these features is, when nobody makes use of them?

Some help and clarification would be really appreciated.



  • Hello,
    Thank you for reaching out to the community. With intrusion prevention, you can examine network traffic for anomalies to prevent DoS and other spoofing attacks. Using policies, you can define rules that specify an action to take when traffic matches signature criteria. In addition to blocking risky files, zero-day protection also provides detailed reports of the analysis performed to help you understand the risk. Advanced threat protection analyzes incoming and outgoing network traffic for threats. Using ATP, you can quickly detect compromised clients in your network and log or drop the traffic from those devices. Furthermore, we recommend a read: the new DPI Engine for web proxy explained. Additionally you can refer to the license bundles available for XGS and XG Series firewalls.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


  • Thanks, a good insight into these implementations.

    But as I tried to describe: what would be the benefit of all these technologies if one does not break outgoing TLS connections at all? And this is what happens in the real world, nearly 100%. I really do not know any customer who does it.

  • Don't know what the problem is...
    Default (depending on settings) is decrypt all except trusted sites, services I know, incompatible services (...) and it's working. Of course you can set it to break all SSL connections without exceptions -> have fun (and you will have that problem with any firewall). By the way, a lot of services are not using SSL encryption and are also protecting you. You have to know whether the few percent more security is worth it to you.

    The firewall is just ONE point of security and no egg-laying woolly milk pig; there are many other points (including Layer 8) to care about for reaching a good level of security. If you assume a single firewall will protect you from all bad things, maybe you are wrong...

  • The main problem after a security breach is the internet connection, and yes, detection, alerting and even response here are essential, I would say. Sure, the best approach is a layered approach, but keep in mind where the plot of the story is. It's the internet connection and access via C&C and so on.

    I have no problem, I understand the purpose of DPI, but I was curious how others handle this in practice.

    As I said: I know nobody who does, that is why I am asking.

  • Most customers are adopting this technology right now. At least for the German market, the administrators are using the company employee agreement to get HTTPS scanning enabled, which means employees are aware that IT can read everything and personal usage is under the terms of service for the network. This is also approved by the works council of a company as well. (I mean, we have been living in this situation for emails for years: admins can read the emails of each employee without a problem, therefore there has to be a regulation. The same is applicable for decrypting HTTPS.)

    The next point is: SFOS can do certain protection levels still without HTTPS scanning. See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121482/sophos-firewall-https-decrypt-and-scan-faq#mcetoc_1hbv83qnp7

    But from my perspective: HTTPS scanning was not used prior to XGS due to the performance cut in terms of the hardware needed for a good throughput. This is addressed with an XGS appliance. It is the same as with IPS: people disabled it because users complained.

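An added example, not from this thread and not Sophos code, of what a firewall can still act on when it does not decrypt a TLS session, and of the "decrypt all except an exclusion list" policy mentioned above. It builds a constructed TLS 1.2 ClientHello, pulls the plaintext SNI out of it, computes a JA3-style fingerprint of the client's offered parameters (the kind of metadata ATP-style client identification and SNI-based web filtering rely on), and then applies a hypothetical bypass list. The function names, the `BYPASS_SUFFIXES` list and the sample hostnames are assumptions for illustration only.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler a client may offer; JA3 drops them.
GREASE = {((0x0a + 0x10 * i) << 8) | (0x0a + 0x10 * i) for i in range(16)}

# Hypothetical decrypt-exclusion list: hosts matched here are passed through
# undecrypted, everything else would be handed to the DPI engine.
BYPASS_SUFFIXES = ("bank.example", "updates.vendor.example")


def build_client_hello(sni, ciphers, groups, point_formats):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    name = sni.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name           # host_name type 0
    ext_sni = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    grp = b"".join(struct.pack("!H", g) for g in groups)
    ext_groups = struct.pack("!HHH", 0x000a, len(grp) + 2, len(grp)) + grp
    pf = bytes(point_formats)
    ext_pf = struct.pack("!HHB", 0x000b, len(pf) + 1, len(pf)) + pf
    exts = ext_sni + ext_groups + ext_pf
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"         # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract (version, ciphers, extension types, groups, point formats, SNI)
    from a single-record ClientHello. All of this is plaintext on the wire."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                           # skip type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                                     # version, random
    p += 1 + hs[p]                                                  # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                                  # compression methods
    ext_types, groups, point_formats, sni = [], [], [], None
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            ext_types.append(etype)
            if etype == 0x0000:                                     # server_name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
            elif etype == 0x000a:                                   # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000b:                                   # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, point_formats, sni


def ja3(version, ciphers, ext_types, groups, point_formats):
    """JA3 fingerprint: MD5 of 'ver,ciphers,exts,groups,formats' with GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    fp = ",".join([str(version), join(ciphers), join(ext_types), join(groups), join(point_formats)])
    return hashlib.md5(fp.encode()).hexdigest(), fp


def decide(sni):
    """'Decrypt all except exclusions' policy keyed on the plaintext SNI."""
    if sni is None:
        return "no-sni"          # nothing to match on; only IP/port reputation remains
    host = sni.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in BYPASS_SUFFIXES):
        return "bypass"
    return "decrypt"


if __name__ == "__main__":
    for host in ("www.example.com", "login.bank.example"):
        rec = build_client_hello(host, [0x1a1a, 0x1301, 0xc02b], [0x001d, 0x0017], [0])
        ver, cs, exts, grp, pf, sni = parse_client_hello(rec)
        digest, fp = ja3(ver, cs, exts, grp, pf)
        print(f"{sni:22} ja3={digest} ({fp}) -> {decide(sni)}")
```

The point of the example is the boundary it makes visible: without decryption a firewall sees the hostname, the client's TLS parameters and the server certificate, which is enough for category-based web filtering, reputation lookups and fingerprinting known malware clients, but not the HTTP request, the response body or the downloaded file, which is what IPS signatures and zero-day file analysis need. Two caveats: a TLS 1.3 client using Encrypted Client Hello hides the SNI, so the policy above falls into the `no-sni` branch, and JA3 is easily changed by an attacker who controls the client, so it is a hint for detection, not a blocklist.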

  • Thanks Toni! I was looking for more details on this topic; too many buzzwords and too much marketing gaga are still around. The decision makers with the money pocket say: hey, we have state-of-the-art protection. But indeed 4000 users are surfing more or less unprotected. TLS decryption is disabled.

    I also think that you may raise the protection level without decryption, at least a little bit. But the story is DPI with TLS. We will evaluate and try to consider it as well. It has to work, that is the point, and the web proxy approach was not so good at all.