This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM best practise guide for strict webfiltering

Note for any user users stumbeling upon this post and looking for advice (just a small list. Any moderator is welcome to edit or to make a better list here):

* Sophos Sales Team DACH published a best practise guide on 26th Feb 2016 by Mail.
Some people have published the newsletter, therefore I will link it here. It also includes some categories to block and general interactions and hints:
http://web.sophos.com/res/sophos/92aaef928aee3e5ff8216622c999157c.pdf
http://utm-shop.de/information/news-und-co/sofortmassnahmen-gegen-krypta-trojaner-wie-wie-cryptowall-teslacrypt-oder-locky(Note: I did not found a English version. In case you need, maybe Sophos has a translation ;) )

* Have a scroll down to 2nd post here and later posts for blocking/logging/categorizing of unkown sites

* Have a look for the ad-blocking over
-- DouglasFoster 2nd post
-- here: https://community.sophos.com/products/unified-threat-management/f/55/t/46207
-- and/or here: https://drashna.net/blog/2015/03/an-exercise-in-frustration-fine-tuning-the-web-filter-in-sophos-utm/#comments

* Keep in mind:
-- Sophos filtering of Flash, ActiveX and Java is not secure! (Malware gets tru!) => Therefore block the risiky ad networks!

Sophos support itself says that it does only gives an enhanced layer of security and not a security itself. Be sure not to trust Sophos UTM to protect you. It is just another layer, which may protect you.

Keep this in mind and the flash filtering, that Sophos seems not to mention that something does not work as you expect (compare like to this: https://community.sophos.com/products/unified-threat-management/f/55/t/74173)

 

=========== Original post ============

Hello together,

we are using here a fully licensed Sophos UTM 9.3. The computers (Win7) have running Sophos Endpoint Cloud, but no Web Control on.
The Win7 computer was fully patched, and the user surfed with MSIE 11 (latest version) with Adobe Flash (lastest version).

During surfing on a more or less popular German website, the user got infected with a perfect language specific ransomware software, probably by malifious ads.

We probably had some low security guideline for the computer. Specific errors are:
- using MSIE instead of Firefox,
- using no ad-blocker
- using Adobe Flash

In any case we had hoped that the Web filter gives us an additional layer, concreate:
- filtering all HTTP and HTTPS traffic
- using reputation limit with lowest limit (i.e. blacklist)
- Anti-Virus filter with Avira
- Blocking ActiveX/Flash/Java

So, now we are wondering, which are the probably right settings for the UTM
- Anti-Virus is not helpful as it does not detect new stuff
- Blocking ActiveX/Flash is not helpful as it does no automatic stripping of ActiveX and Flash - i.e. several sites with Flash work

Therefore, the only logical consequence is whitelisting.
- We have now set reputation limit to whitelist (i.e. neutral)

How does whitelisting work and is it safe enough?

Currently I have the feeling the Web Filtering is not enough...
- Anti-Virus is not 100% secure
- Blocking ActiveX/Flash is not 100% secure
- How secure is the whitelisting?

(Edit 14.30 UTC) We did now the following, too:
- Blocking suspicious category (In German you have to scroll down the list and I did not see it)
- Following the user guide over there to block the ads: https://drashna.net/blog/2015/03/an-exercise-in-frustration-fine-tuning-the-web-filter-in-sophos-utm/#comments
- Checking the boxes in Options for strict HTTP and blocking of unscannable downloads to get this one right: https://community.sophos.com/products/unified-threat-management/f/55/t/74173

Any best practise hints, for making a good tradeoff between surfing and safety?
With current whitelisting some pictures are blocked, even community.sophos.com is blocked...



This thread was automatically locked due to age.
Parents
  • My two cents:

    UTM Web Filtering Best Practice Recommendation

    General

    Upload your organization logo using:

               Management… Customization… Global… Company logo

    This helps your users detect block and warn messages as legitimate, reducing help desk calls while promoting compliance.

    Categories

    1) Review and optionally refine the supplied categories.

    UTM has two types of categories  -- website categories and user permission categories.   Website categories are grouped together to create user permission categories.   All of the reporting is based on website category.  If a user is blocked or allowed incorrectly, you will have to manually follow the path from the website category to the user category to the user.   I created two of my own user permission categories

    • High Risk or Illegal, (BLOCK for all users) which now contains these website categories:

    Anonymizers, Anonymizing utilities, Browser exploits, Gambling, Gambling related, Hacking/computer crime, Illegal software, Illegal UK, Malicious downloads, Malicious sites, Media sharing, P2P/file sharing, Parked domain, Phishing, Pornography, Potential unwanted programs, Profanity, Residential IP addresses. School cheating information, Spam URLs, Spyware/adware

    • Web Filtering Problems,  (WARN for all users) which now contains these website categories:

    Categorization failed, Uncategorized

    2) Ensure all website categories are assigned to a single user permission category.

    Website categories are assigned to user categories, but there is no requirement for uniqueness.   A website category can be assigned to more than one user permission category, or it could be excluded from all user categories.   In either of these situations, the webfilter results may be unpredictable or undesired, so you need to ensure that every web category is assigned to exactly one user category.  A spreadsheet can be helpful for this purpose.

    Log Files

    I found that I could not manage the web filtering process without creating a Microsoft Access application to parse the webfilter log files.   The format is difficult to parse:   a space-delimited row header, followed by a space-delimited set of attributes in the format: keyword=”value”.   Several of the data elements are returned as both a code and a text translation of the code:

    • Id and Name

    • Category and CategoryName

    • AppID and Application

    Certificate problems

    I am operating with HTTPS scanning enabled, so UTM looks closely at every certificate chain. It will block any connection with an imperfect certificate chain.   (I don’t know if the behavior is less strict if UTL-only scanning is enabled.)  The UTM administrator can create an exception to ignore certificate checks, but it seems unwise to do so globally,

    I have encountered a surprising number of sites with SSL certificate problems.   The typical problems are:

    • Broken certificate chain:   The system manager loaded the server certificate but did not load the intermediate certificate.

    • Wildcard nesting:   The system manager assumes that a certificate for *.company.com can be applied to any and every web path.   The actual rule is that wildcards can only be applied to one level, so *.company.com is valid for abc.company.com, but it is invalid for abc.def.company.com.

    • Extra self-signed certificate:   The site began with a self-signed certificate, then switched over to a commercial certificate, but never removed the self-signed certificate from the configuration.   UTM sees the self-signed certificate and rejects the connection.  I am hoping that a future release of UTM will ignore extra certificates as long as one certificate path is valid.

    • Expired certificates:  Their system manager messed up.

    The challenge for the UTM administrator is to identify when these problems are occurring, and decide how to respond to the other organization’s mistake.  The standard UTM reports have been of no value to me for this process, which is why I download and parse the log files in my own application.  

    Invalid certificates problems are evidenced in the log file entries with these attributes:

    • ID=”0002”, (Synonym:  Name=”web request blocked”)

    • ERROR=”’ or not present

    • URL starting https://

    This selection rule will identify all sites that were blocked because of certificate problems, but it will not indicate the nature of the problem.   For that I use an SSL installation tester.  Most certificate issuers have a test utility, and SSL Labs has one as well

    Our certificate vendor's test is quicker and suitable for most of my purposes, while the SSL Labs site is more comprehensive but slower.   Once you know the problem, you have three options:

    • Ignore the problem.   This prevents your users from reaching that site.   This is the appropriate response for sites that are least important to your organization.

    • Contact the server owner to make them aware of the problem.   There is no quick and simple method for knowing whom to contact.   You can either bypass UTM and browse the website to look for a “Contact Us” option (preferably for Webmaster), or use WHOIS to find an email address and hope that it will be routed to the right person.    I attempt contact for sites that are likely to be important to our staff but are not business critical.

    • Create an exception to disable certificate checking.   The easiest way to do this is to browse to the problem site to display the navigation blocked page, then click the link for creating an exception.  You must know the webadmin username and password, so most users cannot do this.   For those who know the password, UTM will create the exception record if necessary, or will add to the existing record if it has already been established.

    Certificate chain problems can be mitigated if you have access to the missing intermediate certificate from your own certificate vendor or other sources.  Intermediate certificates can be uploaded using Web Protection…  Filtering Options… HTTPS CAS… Verifications CAs… Upload local CA.   The same mechanism is used whether you are loading a CA root or a CA Intermediate certificate.

    The certificate problem review process must be repeated continuously, preferably reviewing yesterday’s results today.

    Uncategorized Websites

    A similar process is needed for Uncategorized websites.    As indicated earlier, I have configured UTM to WARN on uncategorized websites, because these are the ones most likely to be malware traps, but they will also include a wide array of legitimate websites that are important to your organization but are too small to have been noticed by the categorization process.

    Warned and uncategorized websites can be identified in the log file with this selection:

    • ID=”0071”, (Synonym:  Name=” web request warned, forbidden category detected”)  and

    • Category=” 9998,9998” (Synonym: CategoryName=” Uncategorized,Uncategorized”)

    The second selection rule is probably unique to my configuration and may not be necessary if you want to review all WARNed sites.

    While it appears that UTM can and does apply categories based on both fully qualified domain name and path, I reduce my results to unique FQDNs.   Then I review the list to decide whether I can safely place it in a category so that users will not be warned in the future.  One a list of updates is identified, I add those sites to the Webites override list.   For sites that seem to be generating a lot of different warn conditions, I may create the exception for the site/organization (company.com) instead of the FQDN.   For sites that I don’t recognize, I do nothing so that the warning remains in place.

    The uncategorized site review process should also be performed daily or frequently.

  • Thanks Douglas for your post. As this thread may come up within a search, I made an edit in my first post and mentioned your extraordinary post.

    0-day for my ransomware is found here: helpx.adobe.com/.../apsb16-04.html
    Distributed through ad networks on trusted sites.
    Not blocked by flash filter of Sophos UTM.
    (Ads have not been blocked to that time, Firefox was not used to that time, Ad-Blocker on client was not used at that time)

    Sophos told on phone:
    Ah yeah you know. We see that the admins are getting more careless. Our software is just an additional layer, but 100% security - it's not possible. It's just one layer and does not release the admin from his duties.

    Dear Sophos (ok, they do not read here, but one never knows): Maybe you should also not write that you block flash in your UTM.
    This information needs to be at the checkbox for flash blocking, so one knows, this feature cannot be trusted. I mean, I should expect that something that is written is working. This javascript tunneling seems not to be new.
    Then saying...it's just a layer which you cannot trust, seems a bit, well,...strange.

    Edit 26th Feb
    Sophos sent a best practise guide per mail (Sophos Sales Team DACH) againt Crypto-Trojans covering also the Web Protection.

    Thumbs up! Thanks.

Reply
  • Thanks Douglas for your post. As this thread may come up within a search, I made an edit in my first post and mentioned your extraordinary post.

    0-day for my ransomware is found here: helpx.adobe.com/.../apsb16-04.html
    Distributed through ad networks on trusted sites.
    Not blocked by flash filter of Sophos UTM.
    (Ads have not been blocked to that time, Firefox was not used to that time, Ad-Blocker on client was not used at that time)

    Sophos told on phone:
    Ah yeah you know. We see that the admins are getting more careless. Our software is just an additional layer, but 100% security - it's not possible. It's just one layer and does not release the admin from his duties.

    Dear Sophos (ok, they do not read here, but one never knows): Maybe you should also not write that you block flash in your UTM.
    This information needs to be at the checkbox for flash blocking, so one knows, this feature cannot be trusted. I mean, I should expect that something that is written is working. This javascript tunneling seems not to be new.
    Then saying...it's just a layer which you cannot trust, seems a bit, well,...strange.

    Edit 26th Feb
    Sophos sent a best practise guide per mail (Sophos Sales Team DACH) againt Crypto-Trojans covering also the Web Protection.

    Thumbs up! Thanks.

Children
No Data