Sophos Firewall: SafeSearch - Enforcement when using the DPI Engine

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


During the webcast on November 14, 2019 there was the following question and answer:

Q: Web filtering using TLS interception, not Web Proxy - will safesearch be possible using the TLS interception feature in the future?

A: SafeSearch, depending on the content provider, still requires the proxy. We’re looking to add specific hosts in the Sophos Firewall to simplify defining proxy policies for those sites. In that way, you can rely on DPI and TLS for everything else and use the proxy for the specific safe search sites. For Google, at least, there are safe search enforcement alternatives that don’t require the firewall e.g. inserting a DNS record into your DNS server.


I wanted to give instructions on how to enforce SafeSearch in Google and Bing, as well as YouTube restrictions when using DPI mode web filtering.

Google, Bing, and Yahoo provide a mechanism for proxies to enforce SafeSearch using header manipulation.
Google and Bing provide a mechanism for proxies to enforce SafeSearch using DNS manipulation. YouTube provides a mechanism for restricted mode.

In Sophos Firewall, if you use the web proxy, you can enforce SafeSearch by editing the Web Policy and selecting the "Enforce SafeSearch" checkbox. This will enable DNS manipulation (which works with or without HTTPS decryption) and header manipulation when HTTPS is being decrypted.

In Sophos Firewall, SafeSearch cannot be enforced if you use DPI mode web filtering. The DPI engine can't change the IP address the client is connecting to, nor can it manipulate headers.

However, an administrator can still enforce SafeSearch by changing the resolution on the DNS server that clients on your network use. This might be your network's Sophos Firewall, AD server, router, or other DNS server. Using a DNS CNAME means that clients trying to resolve DomainA will always get the answer for DomainB, which is good if the IP address for DomainB ever changes. However, we have noticed that these domains have existed for years, and the IPs have never changed. Therefore, if a CNAME is not possible, you can just resolve to the SafeSearch IPs directly.


Google
Change the DNS entry for the following domains to be a CNAME for forcesafesearch.google.com.
www.google.com
Country specific Google domains (www.google.com/supported_domains)
More Information: support.google.com/.../186669

Bing
Change the DNS entry for the following domains to be a CNAME for strict.bing.com.
www.bing.com
More Information: help.bing.microsoft.com/

YouTube
Change the DNS entry for the following domains to be a CNAME for restrict.youtube.com or restrictmoderate.youtube.com.
www.youtube.com
m.youtube.com
youtubei.googleapis.com
youtube.googleapis.com
www.youtube-nocookie.com
More Information: support.google.com/.../6214622


Steps if you are using the Sophos Firewall as the DNS resolver on your clients:
Go to Network, DNS, and Add DNS host entry.
For the domain name put in the domain to be overridden (eg www.google.com).
For the IP address, put the IP of the CNAME domain (eg 216.239.38.120).
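As an added example (not part of the original post), here is a stdlib-only Python script an administrator can run from a client to verify that the overrides above are actually in effect. It treats a domain as enforced either when the resolver returns the enforcement host as the canonical name (the CNAME method) or when the returned addresses are a subset of the enforcement host's addresses (the Sophos DNS host entry method); the target table is taken from this post, with restrict.youtube.com chosen for the YouTube entries.

```python
"""Verify DNS-based SafeSearch enforcement from a client (added example)."""
import socket

# Override targets from the post; restrict vs restrictmoderate is a policy choice.
SAFESEARCH_TARGETS = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
    "www.youtube.com": "restrict.youtube.com",
    "m.youtube.com": "restrict.youtube.com",
    "youtubei.googleapis.com": "restrict.youtube.com",
    "youtube.googleapis.com": "restrict.youtube.com",
    "www.youtube-nocookie.com": "restrict.youtube.com",
}


def evaluate(domain, canonical, ips, target, target_ips):
    """Pure decision logic, so it can be tested without a network.

    canonical / ips: what the client's resolver returned for `domain`.
    target_ips: what it returned for the enforcement host `target`.
    Returns "cname" (rewritten via CNAME), "ip" (A record pinned to the
    enforcement IPs, as with a Sophos DNS host entry) or "unenforced".
    """
    if canonical.rstrip(".").lower() == target.lower():
        return "cname"
    if ips and target_ips and set(ips) <= set(target_ips):
        return "ip"
    return "unenforced"


def resolve(name):
    """Return (canonical_name, [ip, ...]); empty values on lookup failure.
    Whether the canonical name reflects a CNAME depends on the platform's
    resolver, which is why evaluate() also falls back to comparing IPs."""
    try:
        canonical, _aliases, ips = socket.gethostbyname_ex(name)
        return canonical, ips
    except socket.gaierror:
        return "", []


def audit(targets=SAFESEARCH_TARGETS, lookup=resolve):
    """Evaluate every domain; `lookup` is injectable for offline testing."""
    report = {}
    for domain, target in targets.items():
        canonical, ips = lookup(domain)
        _, target_ips = lookup(target)
        report[domain] = evaluate(domain, canonical, ips, target, target_ips)
    return report


if __name__ == "__main__":
    for domain, status in audit().items():
        print(f"{domain:28s} {status}")
```

Any domain reported as "unenforced" is one the client can still reach with SafeSearch off, typically because the client is using a resolver other than the one you changed.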




[edited by: emmosophos at 1:18 AM (GMT -8) on 15 Nov 2023]
  • BenjaminMiller said:

    Will the adding of specific hosts be ready for when v18 reaches a GA stage, or will this come in a later release? We have different safe search policies for users, depending on their age and the time of day they are accessing, so changing the DNS globally is not an option for us.

    It will be added in EAP3. There is a new FQDN Host Group containing hosts of all the search engines. You can then create a firewall rule that only applies to those hosts, and which uses the web proxy that supports configuring as part of the Web Policy that is in 17.5. The later firewall rules that apply to other traffic can still use the DPI Engine.