Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This Recommended Read describes how Sophos Firewall's TLS/SSL inspection applies to smartphones and other smart devices, where it breaks, and what to use instead.
What is TLS/SSL Inspection?
SSL/TLS inspection intercepts TLS-encrypted traffic between clients and servers so that the firewall can inspect the plaintext, for example to scan for malware or apply a web policy.
SSL/TLS inspection rules: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/SSL/TLSInspectionRules/index.html
How it works
When a client connects over HTTPS, the firewall terminates the client's TLS session, decrypts the traffic and inspects it, then re-encrypts it towards the server in a second TLS session. To the client, the firewall presents a certificate for the requested host that it generates on the fly and signs with its own CA. The client accepts that certificate only if the firewall CA is in a trust store the client actually consults; otherwise the connection fails exactly as a man-in-the-middle attack would.
HTTPS decrypt and scan FAQ: https://support.sophos.com/support/s/article/KB-000038420?language=en_US
Configuration
Configure SSL/TLS inspection and decryption: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/HowToArticles/WebProxyDPITLSDecryption/index.html#add-a-web-policy
Applying SSL/TLS Inspection on Mobile Devices
So, the question is, does it work for mobile devices? It can work. However, for phones there are more cons than pros.
Smartphones don’t work well with decryption for several reasons. Even if you install the firewall's CA on the phone, it lands in the user certificate store, and many system components and third-party applications do not trust certificates there (on Android, apps ignore user-added CAs by default since Android 7 unless their network security configuration opts in). Each such application breaks when the firewall presents its re-signed certificate.
You also cannot add a CA to the system trust store on a stock, unrooted device managed by Google or Apple; only the user store is writable, and that is the store those applications ignore.
Browsers such as Firefox and Chrome can be configured to trust a custom CA, but many other applications offer no such option at all.
Inspection still works if you set the decryption profile to “Do not decrypt”, but the firewall can then only inspect the Server Name Indication (SNI), the hostname the client sends in the clear in its TLS ClientHello.
Server Name Indication (SNI): https://knowledge.digicert.com/quovadis/ssl-certificates/ssl-general-topics/what-is-sni-server-name-indication.html
With the TLS profile set to “Do not decrypt”, the “scan for malware” option has no effect because there is no plaintext to scan, but the rule can still allow or deny website categories based on the SNI. If you want every flow decrypted and scanned, you must manually add exceptions for each application that breaks. One caveat: a client that negotiates Encrypted Client Hello hides the real hostname, so even SNI-based categorisation sees only the public outer name for such connections.
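To show what “can only scan SNI” means in practice, here is an added Go example; it is not part of the original article and not Sophos code. It builds a constructed TLS ClientHello for a hostname, pulls the name out of the server_name extension exactly as a non-decrypting inspection rule would, and applies a constructed category table to it. The hostnames and categories are made-up sample data. A record that is not a ClientHello (application data, or a truncated packet) yields no name at all, which is all the firewall gets to see once the handshake is over.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// buildClientHello constructs a minimal TLS ClientHello record carrying a
// server_name extension for host. Constructed sample input, not a capture.
func buildClientHello(host string) []byte {
	name := []byte(host)
	// server_name body: list length, name_type host_name (0), name length, name
	sni := append([]byte{byte((len(name) + 3) >> 8), byte(len(name) + 3), 0, byte(len(name) >> 8), byte(len(name))}, name...)
	exts := append([]byte{0x00, 0x00, byte(len(sni) >> 8), byte(len(sni))}, sni...) // extension type 0 = server_name
	body := []byte{0x03, 0x03}                                                         // client_version TLS 1.2
	body = append(body, make([]byte, 32)...)                                           // random (zeros in this sample)
	body = append(body, 0)                                                             // session_id length 0
	body = append(body, 0x00, 0x02, 0x13, 0x01)                                        // one cipher suite: TLS_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)                                                    // one compression method: null
	body = append(body, byte(len(exts)>>8), byte(len(exts)))
	body = append(body, exts...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...) // handshake type ClientHello
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)                // record type handshake
}

var errMalformed = errors.New("malformed ClientHello")

// reader is a bounds-checked cursor: a read past the end sets err instead of
// panicking, so hostile or truncated input never crashes the parser.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || len(r.b) < n {
		r.err = errMalformed
		return nil
	}
	v := r.b[:n]
	r.b = r.b[n:]
	return v
}

func (r *reader) u8() int {
	if v := r.take(1); v != nil {
		return int(v[0])
	}
	return 0
}

func (r *reader) u16() int {
	if v := r.take(2); v != nil {
		return int(binary.BigEndian.Uint16(v))
	}
	return 0
}

// extractSNI returns the host_name from the server_name extension of a TLS
// ClientHello record: the only application-layer identity visible to a
// firewall that is not decrypting the session.
func extractSNI(rec []byte) (string, error) {
	r := &reader{b: rec}
	if hdr := r.take(5); hdr == nil || hdr[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	if t := r.take(4); t == nil || t[0] != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	r.take(2 + 32)  // client_version + random
	r.take(r.u8())  // session_id
	r.take(r.u16()) // cipher_suites
	r.take(r.u8())  // compression_methods
	exts := &reader{b: r.take(r.u16())}
	if r.err != nil {
		return "", r.err
	}
	for len(exts.b) > 0 && exts.err == nil {
		typ := exts.u16()
		data := &reader{b: exts.take(exts.u16())}
		if typ != 0 || exts.err != nil {
			continue
		}
		data.u16() // server_name_list length
		for len(data.b) > 0 && data.err == nil {
			nameType := data.u8()
			name := data.take(data.u16())
			if data.err == nil && nameType == 0 {
				return string(name), nil
			}
		}
		if data.err != nil {
			return "", data.err
		}
	}
	if exts.err != nil {
		return "", exts.err
	}
	return "", errors.New("no server_name extension")
}

// categories is a constructed sample table, standing in for the firewall's web categories.
var categories = map[string]string{
	"facebook.com":      "Social Networking",
	"play.google.com":   "App Store",
	"windowsupdate.com": "Software Updates",
}

// categorise is the allow/deny decision a "Do not decrypt" rule can still make: suffix match on the SNI.
func categorise(host string) string {
	for suffix, cat := range categories {
		if host == suffix || strings.HasSuffix(host, "."+suffix) {
			return cat
		}
	}
	return "Uncategorised"
}

func main() {
	for _, host := range []string{"www.facebook.com", "play.google.com", "api.example.net"} {
		sni, err := extractSNI(buildClientHello(host))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("SNI %-20s category %s\n", sni, categorise(sni))
	}
	_, err := extractSNI([]byte{0x17, 0x03, 0x03, 0x00, 0x05, 1, 2, 3, 4, 5}) // application data: nothing to categorise
	fmt.Println("application-data record:", err)
}
```

Everything after the ClientHello is opaque to this mode, which is why the malware scanner has nothing to work on; and a client using Encrypted Client Hello places only the public outer name in this field, so the table above would see that name instead of the real destination.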
Certificate Pinning
This is another reason why SSL/TLS inspection won’t work well with mobile devices. Some websites and applications use certificate pinning to prevent man-in-the-middle attacks: the application ships with the expected certificate or public key hash and refuses any other, even one that chains to a CA the device trusts. The certificate the firewall presents during decryption and scanning is signed by the firewall CA with a different key, so it never matches the pin and the application aborts the connection. The result is a broken connection, garbled website output, inconsistent application behaviour, and so on, and no CA installation on the device can fix it.
What is Certificate Pinning:
Certificate Pinning in Android:
https://approov.io/blog/securing-https-with-certificate-pinning-on-android
Web Proxy
When using the DPI engine, you have to maintain your own local SSL/TLS exclusion list: the built-in exclusion list is overwritten on updates, so any entries you add there are lost. To avoid this, put your exclusions in a custom URL group referenced from the SSL/TLS inspection rule, which updates do not touch.
One workaround is to use the web proxy instead of the DPI engine.
Set the web proxy mode to “Transparent with direct mode (hybrid)”.
Then, in the LAN-to-WAN firewall rule, under Security Features, make sure a web policy is applied, and only then turn on “Use web proxy instead of DPI engine”. Also ensure “Scan HTTP and decrypted HTTPS” is turned on.
https://support.sophos.com/support/s/article/KB-000036493?language=en_US#Direct
Then install the firewall CA on the devices:
https://support.sophos.com/support/s/article/KB-000035645?language=en_US
Installing the Firewall Certificate into Mobile Devices using Sophos Mobile (Optional)
Using Sophos Mobile, our MDM solution, you can install certificates and CAs on groups of Android and iOS mobile devices instead of manually installing them on individual devices.
Application Control
Another simple solution to work on websites and mobile applications is configuring Application Control policies. https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Applications/HowToArticles/BlockApplicationsUsingApplicationFilter/index.html
If your goal is to control unwanted traffic from mobile devices and guest or mobile networks, Application Control can allow or deny specified applications without decrypting the traffic and without installing the firewall's certificate on the devices. Note that because nothing is decrypted, this cannot scan for malware; it only controls which applications are allowed on the network.
Updated links 19.5->V20 latest. Grammar
[edited by: Raphael Alganes at 10:17 AM (GMT -7) on 10 Oct 2024]