
HTTPS Inspection - pro and con - How Sophos UTM compares to an ideal

Just read this brand-new article: "The Sorry State of TLS Security in Enterprise Interception Appliances" (find it yourself by doing a web search for this title).

The research paper evaluated products from 13 vendors (17 firmware versions) against the authors' criteria for a perfect TLS inspection engine.  It is a valuable reference.

Notable observations:

  • UTM (version 9.506-2) was evaluated, but not XG Firewall.   Considering that XG Firewall is expected to be the preferred product for new sales, this was curious.   Maybe the authors did not ask Sophos marketing which one to evaluate.

  • UTM did pretty well, better than most of the other products. Depending on how you score their results, UTM might be best of them all. However, they faulted UTM for these issues:
    • Some CA Root Certificates are untrusted and should be removed.  This can be corrected by the system administrator.
    • UTM has some weak ciphersuites enabled by default. This can be updated using the shell (using information available from Sophos Support).
    • UTM permits the internal and external ciphersuites to be different, with each one being negotiated to the best available.   The authors think the ciphersuites should be identical, so that browser defenses are still available.   I prefer the dual-negotiation approach, since I used UTM to ensure even XP boxes would use TLS 1.2 for the external connection.
    • UTM accepts some intermediate certificates that it should reject.   I don't know that this is correctable at the local level.
    • UTM does not mimic the original certificate perfectly.  My impression was that this was more like hair-splitting than a real security issue, but they understand certificates better than I do.

The researchers solved the problem of getting UTM HTTPS inspection to work with the SSL Labs client test and the badssl.com certificate tests. They added these ports to the Allowed Target Services list for Standard Mode: 1010, 1011, 10200, 10300, 10301, 10302, 10303, 10444, and 10445. I have not yet tried to test this workaround.
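The "weak ciphersuites enabled by default" finding above is the one an administrator can act on directly, so here is an added example of how to audit an exported suite list before editing it. This is example code, not code from the paper, from Sophos, or from this post; it assumes the engine's enabled suites can be exported as OpenSSL-style names (the only format shown is a constructed sample), and the classification rules are the example's own, modelled on common hardening guidance rather than on the paper's list. Standard library only, so it runs offline.

```python
"""Audit OpenSSL-style cipher-suite names for suites a TLS inspection engine
should not offer on either leg (example code; rules are this example's own)."""
import re
import ssl

# Weakness classes keyed by a label, matched against the OpenSSL suite name.
# These are assumptions about what "weak" means, not the paper's criteria.
WEAK_PATTERNS = {
    "no-encryption": re.compile(r"(^|-)NULL(-|$)"),          # NULL-SHA256
    "export-grade":  re.compile(r"(^|-)EXP(ORT)?(-|$)"),      # EXP-RC4-MD5
    "anonymous-dh":  re.compile(r"(^|-)(ADH|AECDH)(-|$)"),    # ADH-AES128-SHA
    "rc4":           re.compile(r"(^|-)RC4(-|$)"),
    "3des":          re.compile(r"(^|-)(DES-CBC3|3DES)(-|$)"),
    "single-des":    re.compile(r"(^|-)DES-CBC(-|$)"),
    "md5-mac":       re.compile(r"(^|-)MD5$"),
}


def _lacks_forward_secrecy(name):
    """True when the key exchange is static (RSA/static DH), so a leaked
    server key decrypts recorded sessions. TLS 1.3 suites (TLS_*) always
    use ephemeral key exchange."""
    if name.startswith("TLS_"):
        return False
    return not any(tok in name for tok in ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-"))


def audit_cipher_suites(names):
    """Return {suite_name: [reasons]} for every suite that fails a rule.
    Suites with no findings are omitted."""
    findings = {}
    for name in names:
        reasons = [label for label, pat in WEAK_PATTERNS.items() if pat.search(name)]
        if _lacks_forward_secrecy(name):
            reasons.append("no-forward-secrecy")
        if reasons:
            findings[name] = reasons
    return findings


def hardened_list(names):
    """The input list with flagged suites removed, original order preserved,
    i.e. the list you would push back into the engine's configuration."""
    flagged = audit_cipher_suites(names)
    return [n for n in names if n not in flagged]


def this_host_findings():
    """Apply the same rules to what this machine's OpenSSL default context
    enables, to show the rules are not specific to any one appliance."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return audit_cipher_suites(names)


# Constructed sample export: a mix of modern suites and the kinds of legacy
# suites the paper's finding refers to. Not taken from a real UTM.
SAMPLE_EXPORT = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "AES256-GCM-SHA384",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "NULL-SHA256",
]

if __name__ == "__main__":
    for suite, reasons in audit_cipher_suites(SAMPLE_EXPORT).items():
        print(f"{suite:32s} {', '.join(reasons)}")
    print("keep:", hardened_list(SAMPLE_EXPORT))
    print("this host flags:", sorted(this_host_findings()))
```

The forward-secrecy rule is deliberately separate from the pattern table: a suite such as AES256-GCM-SHA384 is cryptographically fine on its own, but offering it on the external leg means a captured session stays decryptable if the appliance's key ever leaks, which matters more for an inspection engine than for an ordinary server because one key covers every site it intercepts.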
