Web Control only works with HTTP

Hi All,

Like everyone else no doubt, we are trying to ramp up security for all of our home workers by extensively blocking all of the dangerous file types and non-work categories using Web Control for Sophos Endpoint. However, from testing it appears that Web Control only blocks port 80, so anything via HTTPS is bypassed and it is a complete waste of time. In the office our firewall (different vendor) intercepts the HTTPS traffic and we can block/restrict it, but now everyone is at home we have lost this protection. Is there any way I can block file types and web pages delivered over HTTPS for my home workers?

TIA

Stuart



  • Hello Stuart,

    Endpoint Web Control should block HTTPS access to sites (based on the SNI or IP address), but it can't inspect the traffic (the additional security options won't work).
    How did you test?

    Christian

  • Hi Christian,

    Thanks for the reply. We have increased the categories that we block and I have ticked to block all file downloads, so PDF and EXE are blocked; however, I can download PDF files and EXE files from Microsoft's download center, but files are blocked when I go to an HTTP site. (I have in fact had to allow PDF files since, but EXE files are still blocked.) We haven't whitelisted any sites via Sophos either. Are there circumstances when it can't inspect the packet and block the file? Just tried again and I could download the DirectX installer (exe) from Microsoft's download center.

    Thanks


  • Hello Stuart,

    Web Control (and Web Protection) are in principle a proxy, i.e. they can only inspect the TCP stream. As HTTPS connections are encrypted, Web Control is totally blind.

    Christian 
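
The two replies above make a protocol point that is easy to demonstrate: before a TLS session is encrypted, the client sends a ClientHello that usually carries the requested host name in the Server Name Indication (SNI) extension, so a filter that only sees the TCP stream can match the host (or the destination IP) but never the URL path, the file name or the file content. The script below is an added example written for this thread, not Sophos code and not a description of how Web Control is implemented. It builds a constructed TLS 1.2 ClientHello, extracts the SNI from it, and applies a host/IP-only policy in the way a non-inspecting filter would have to; the host names, IP addresses and block lists are invented sample values.

```python
"""Added example: what a non-decrypting filter can and cannot see in TLS.

Constructed inputs only; not Sophos code and not a model of Web Control internals.
"""
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).

    When server_name is None the SNI extension is omitted, as happens for
    some legacy clients or connections made directly to an IP address.
    """
    random_bytes = b"\x11" * 32                     # fixed, not a real random
    session_id = b"\x00"                            # zero-length session id
    cipher_suites = b"\xc0\x2f\xc0\x30"             # two arbitrary suite ids
    compression = b"\x01\x00"                       # one method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + random_bytes + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None.

    Every length field is bounds-checked so a truncated or malformed record
    yields None rather than an exception.
    """
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # skip compression_methods
    if len(body) < pos + 2:
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                            # walk the extension list
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type == 0x0000 and len(data) >= 5:    # server_name extension
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= min(2 + list_len, len(data)):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + nlen]
                q += nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii", "replace")
    return None


def host_only_decision(record: bytes, dest_ip: str,
                       blocked_hosts: set, blocked_ips: set) -> Tuple[str, str]:
    """Policy a non-decrypting filter can enforce: match host (SNI) or IP.

    The return value makes the limitation explicit: an "allow" here says
    nothing about the path, file extension or payload, which stay invisible.
    """
    host = extract_sni(record)
    if host is not None and host.lower() in blocked_hosts:
        return ("block", "sni")
    if dest_ip in blocked_ips:
        return ("block", "ip")
    return ("allow", "host not blocked; path and file type not visible")


if __name__ == "__main__":
    # Constructed sample: a client fetching something from a blocked host.
    hello = build_client_hello("downloads.example.com")
    print(extract_sni(hello))                                         # downloads.example.com
    print(host_only_decision(hello, "203.0.113.10",
                             {"downloads.example.com"}, set()))       # ('block', 'sni')
    print(host_only_decision(build_client_hello(None), "203.0.113.10",
                             {"downloads.example.com"}, set()))       # ('allow', ...)
```

The last call shows the weaker case the first reply hints at with "or IP address": with no SNI present, only the destination IP is left to match on, and a blocked host sharing an address with allowed ones cannot be told apart without decrypting the session.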

  • Thanks again,

    Just out of interest, how do you manage to secure and restrict HTTPS for your users? Or do you not bother? It just seems to me that the world is going HTTPS, so this is going to be an issue for most users if, like us, you are only using the endpoint software for home workers.

  • I don't think it would be possible unless you have a network appliance performing HTTPS scan and decrypt. When a user accesses an HTTPS website the appliance will take the connection instead of forwarding it to the intended website and create its own connection with the site. This way the appliance can decrypt and inspect the traffic before handing it to the endpoint. In order for the appliance to do this you'll need to import the appliance's certificate into the endpoints' trusted certificates, otherwise the endpoints will not trust the appliance and drop the HTTPS connection.

    What you can do is require remote clients to connect using a full VPN tunnel to the network appliance, passing all network traffic through it to be scanned.  The endpoint's web control has been good enough for my environment as the endpoint still scans files for malicious content as they are opened and web control blocks access to inappropriate web categories.  I do understand the need for blocking downloads of specific file types through HTTPS though and believe a VPN + network appliance would be the only way to go for that.

  • Hi,

    I think you're right with regard to the appliance situation; that's exactly how it works in the office for us, allowing us to scan HTTPS traffic. We use split-tunnel VPN because we don't have the bandwidth at the office to route all VPN traffic through it (Teams video call quality dropped significantly), so we have applied for an upgrade to the line. Hopefully once this is done we can route all VPN traffic back via the tunnel and out through the firewall for better protection.

    Thanks to all that replied :-)

  • Hello Stuart,

    the world is going HTTPS
    it already went, and crooks were by far not the last.

    As MEric has said, you'll likely need some network device to inspect HTTPS traffic - and even then it's not trivial. Security, privacy, authentication, non-repudiation, and - not to forget - availability and performance are not independent. Pushing one too far at least one of the others will suffer. Whatever you do it's a trade-off. HPKP (HTTP Public Key Pinning) seemed to be a good idea, it has meanwhile been deprecated. Sometimes certain practices, like HTTPS, are imposed on you that make other procedures arduous or even impossible.

    Without inspection you can't block or allow certain URLs (paths) only sites/hosts (and even this might not work as expected), you can't block the download of files with certain extensions, or scan the content while it's still in transit. The latter can be quite a challenge to configure and even where content scanning is possible it has limited functionality on endpoints so as not to break things.

    how do you manage to secure and restrict HTTPS
    it depends on the actual risks and the environment. As said, it's always a trade-off. The measures that help to contain Covid-19 also help against other infections, but they are "too expensive" to keep up for a longer period, let alone establish as standard, though in certain areas operating procedures will likely undergo permanent changes. You could deploy hardened devices, connect your home workers via dark fibre, and so on. Who can afford this?
    OTOH, "The Internet" is not a generally dangerous place. "Accidental dangerous downloads" are rare (at least they should be in a work environment); in most cases the source is scam, phishing, social engineering. Of course, someone else's (business partner, agency, government body) site could be compromised. We are talking about HTTPS and thus browsers - AFAIK vectors of file-less malware - and, as MEric has said, Endpoint will scan what has been downloaded.
    BTW: Download reputation doesn't work with Firefox. Even though the article says it has recently been removed from Firefox, it's IIRC been quite some time. Apparently a re-introduction of reputation lookup is not high priority. And it anyway only looks up a certain type of executables.

    Last but not least: Unscannable HTTPS in case of Business device private use or with BYOD is IMO one of the lesser problems.

    Christian

  • QC said:

    OTOH, "The Internet" is not a generally dangerous place. "Accidental dangerous downloads" are rare (at least should be in a work environment), in most cases the source is scam, phishing, social engineering.

    :D

    My forensics background + career path made me chuckle at this. Oh, to be an optimist again!

    However, Christian is correct on all points here. We are constantly looking at improving the balance between threat posture and risk acceptance in the product. On the one hand, I firmly support end-to-end encryption in a personal/privacy stance at home and for personal use, but it's different in a corporate environment. Hence the network appliance is a good start.
    On the endpoint, yes, it is ideal to snag the item before it is downloaded, but even then we have other protection layers. If you are using our Central product you get our Deep Learning engine, which will evaluate all PEs at time of execution and can stop them if it determines the PE is malicious. DL is the best defence we have right now against 0day threats and it is very effective. We also full-scan any PE downloaded even if it isn't run (as a background process), so if the malware gets on but isn't executed then we'll come along and find it.

    Finally, Intercept X operates on the basis that malicious actions are bad no matter who is doing them, so it looks at the things the program is trying to do, not what the program is. It will stop malicious actions based on its rules, parameters and settings even if the monitored PE is signed.
     
    So, with a full security suite you get interception chances at: 
    1. Network layer
    2. Save to Disk
    3. Execution
    4. Post Execution - during operation

    I hope this helps. If you have any further questions, please let me know.

    Sincerely,

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Many thanks for the detailed responses. I understand the situation better now, especially with regard to the security and protection offered by Sophos.

    One thing that is still niggling at me, though, is that we designed our security to protect everyone in the office environment and now 90% of my workforce are at home, so I think a review is required for us ASAP so we can offer better protection for all our home workers, as well as being able to enforce policies that work in the office but not at home, like restricting website categories and blocking the downloads of executable files.

    Thanks again.