
Web Protection - Filtering - SSL decryption and scan without certificate ? + Few more questions.

Hello everybody,

I'm currently trying the Web Protection. I understood how it works, transparent/standard mode, etc.

However, I noticed that lots of things don't work when HTTPS is configured for "URL filtering" only (download scanning, download checks for blocking, etc.). This is logical, since nearly everything now works over HTTPS.

Our company has a lot of testing/development computers which must have Internet access; they are not in a domain and not well secured. Since they are in a WORKGROUP, it is annoying to need a certificate to enable the "Decrypt & Scan" feature on HTTPS.

1. Is there a way to have HTTPS configured on "Decrypt & Scan" mode without having the need of pushing the CA certificate on clients computers ?

I read the following KB:  support.sophos.com/.../KB-000034334

What about this: "In 9.2, SNI-based HTTPS filtering is possible, which allows you to filter HTTPS content without installing a certificate, but does not allow in-stream antivirus scanning of web traffic."

2. Is it a solution ? What must be done ?

So far, I'm testing the Web Protection in a lab environment with a few machines. I'm a little bit afraid of the resource consumption in a production environment. We have two SG 210 in active-passive HA with around 150 computers.

3. Will it be ok with Web Protection for this company/computers sizes ?

4. Eventually, about transparent mode and SSO, is there a way to allow authentication immediately when a computer is booting ? Any workaround ? For the moment I have to do a HTTP request to make it work (as said in the documentation). I tried with a Powershell script (Invoke-WebRequest) but it didn't work.

Thank you for your time & help!

DeltaSM



  • Hey,

    1. Never tried without pushing the certificate to the clients.  It sounds like you could do blocking of HTTPS traffic, but no scanning for antivirus.  Let us know if Snort can "see" the unencrypted traffic.

    2. You don't say what things you have active in the UTM, but 150 computers sounds like the 210 is undersized - depending on what those computers are doing, 330s would be recommended if doing much more than firewalling and routing.

    3. Maybe, but I wouldn't have recommended the 210s to any of my customers with that many computers.

    4. I wonder if the Client Authentication Program couldn't be used for this.

    Please post your results.  Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I totally agree with Bob... Some additional hints:

    1. Scanning (which needs decryption) is not possible without pushing the UTM CA certificate.
    But simple URL filtering on HTTPS without decryption will create block/warn pages on HTTPS too ... and you will get the certificate error there.

    2. 150 users/PCs may be a lot with AV scanning ... if many of them are active at the same time. Compare:


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Essentially the answer to the first question is: no. If there were a way, we could stop doing TLS on the internet. TLS is a privacy feature. You cannot scan it unless the client is willing to accept it. That is the way the certificate exchange works.

    TLS decryption is very hardware-intensive. If you want to do this right, check out the XGS platform, as it does this stream-based (with the same limitation as above: you need to distribute the certificate).

    And web scanning (HTTPS) only works on port 443 on UTM. SFOS does it on every port.

    About the last point: this is better in SFOS, as SFOS can do this at an earlier stage than Kerberos.

    __________________________________________________________________________________________________________________

  • Hello guys,

    First of all, thank you for your answers and all the details you gave me! Your table about UTM sizing is very interesting, I never saw it before.

    : you told me about "Snort". What is it ?

    About this: "In 9.2, SNI-based HTTPS filtering is possible, which allows you to filter HTTPS content without installing a certificate, but does not allow in-stream antivirus scanning of web traffic."

    What is it ? What is SNI-based ?

  • Snort is the engine that does Intrusion Prevention scanning. It's likely the first protection you turned off when internet downloads seemed slow.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA