
HTTPS decrypt and scan using Letsencrypt wildcard cert?

Does anyone know how I can use my Letsencrypt wildcard cert for XG HTTPS scanning? I've got the cert installed and it works for everything but HTTPS scanning; I can't see how I can get the cert to show in the HTTPS scanning dropdown.

Can someone point me in the right direction please?

Basically I want to use a cert for HTTPS scanning that won't require a cert install on my clients.

JK



  • OK, thanks for filling the gap in my understanding of the feature.

    Is it worth using HTTPS scanning though? I realise it's needed to decrypt HTTPS traffic, but what I don't know is whether this means all HTTPS traffic goes completely unscanned without that setting enabled. Does Sophos XG use signature-based malware scanning on HTTP & HTTPS traffic or not? If it does use signature-based malware scanning, then what advantage will enabling HTTPS decrypt and scan have over it being disabled?

    It's just I've always worried about any sort of HTTPS inspection, because wouldn't it in theory leave you at higher risk of being vulnerable to man-in-the-middle type attacks?

    Basically I'm still undecided whether I really need to use HTTPS scanning or not.

    Also, one other thing I've never been sure of as well is whether I should be using web filtering / malware scanning on XG, as I use Sophos Central Endpoint Advanced too, and I still wonder if they might conflict or cause problems in web scanning altogether, as I know two malware scanners running at the same time is never a good idea. So should I pick one or the other, or is using both definitely OK?

    I'd love to hear thoughts on this.

    Thanks

    JK

  • Hi,

    It is a common question, so you will find a couple of articles on the internet about HTTPS scanning / HTTPS inspection / TLS inspection: why should I use it, is it safe, and so on.

    XG is not able to detect malware with Sandstorm / pattern-based scanning if you don't use HTTPS scanning. You can check it via EICAR and an HTTPS site.

    Next question: private or company device?

    There should be no conflict in Central with XG, because we designed our products to work like this.

  • That answer was what I've been trying to find out for a while. I need HTTPS scanning on to use the web scanning features then?

    Company device, fully licensed with the Central suite.

    JK

  • How it works: If HTTPS scanning is off, the XG can see the domain name that you are connecting to and do categorization on it. If it is allowed, then everything else is inside an encrypted tunnel and the XG knows nothing and can do nothing. If HTTPS scanning is on, then the XG does man-in-the-middle to decrypt all traffic. Clients will throw up warnings unless the Certificate Authority is installed on them (they warn because someone can man-in-the-middle, exactly what we are doing). Doing HTTPS scanning does not make you more vulnerable to other MITM attacks, though in theory if the XG was insecure (you didn't have strong passwords and someone logged in as admin) then an attacker could leverage the XG. But at that point you have bigger issues than the fact they can see inside the HTTPS traffic.

    If you have AV scanning on your endpoint, it is perfectly fine to also scan on the XG. There is no problem with scanning twice (aside from it taking longer), and in fact you can specifically turn on a second independent AV scanner within the XG. Some people like to have Single Scan with the Avira engine on the XG and then Sophos AV on the endpoint, with the concept that two different scan vendors are better.

    If your concern is blocking access to categories of websites, then in general HTTPS scanning is not required. With no HTTPS scanning, the XG can do categorization of the domain name but not of the full URL, which is good enough for most.

    If your concern is malware and you don't have an anti-virus scanner on every computer, then you should have HTTPS decryption so that the XG can run AV scanning on everything.

    If your concern is blocking the download of certain file types, you will need HTTPS scanning.

    If your concern is application control, you will be able to control much more with HTTPS scanning.

    If you control every computer that connects to your network then it is easy to deploy a CA to them all. If you control every phone and use a corporate phone management you can deploy a CA as well. If you have guest networks it is harder. But then if you have guest networks that means you may have endpoints without AV and therefore want the scanning on.

    Everything is a trade off.
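As an added illustration of the point above about what a firewall can see without decrypting (example code written for this page, not from the thread or from Sophos): the script builds a constructed TLS ClientHello, pulls the Server Name Indication out of it the way an inspecting device does before any decryption, and suffix-matches that hostname against a made-up category table. The hostnames, the category table and the cipher suite bytes are all constructed sample values.

```python
import struct
from typing import Optional

# Constructed sample category table (not vendor data); keys are domain suffixes.
CATEGORY_BY_DOMAIN = {"example.com": "Reference", "ads.example.net": "Advertising"}
def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension (constructed, not captured)."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry            # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body          # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                     # version + zeroed random
            + b"\x00"                                                   # empty session id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"                # two cipher suites
            + b"\x01\x00"                                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if there is none."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                                     # not a handshake / ClientHello
    p = 9 + 2 + 32                                                      # skip headers, version, random
    p += 1 + record[p]                                                  # session id
    p += 2 + struct.unpack_from("!H", record, p)[0]                     # cipher suites
    p += 1 + record[p]                                                  # compression methods
    if p + 2 > len(record):
        return None                                                     # no extensions at all
    p, end = p + 2, p + 2 + struct.unpack_from("!H", record, p)[0]
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0:
            q = p + 2                                                   # skip server_name_list length
            while q + 3 <= p + elen:
                nlen = struct.unpack_from("!H", record, q + 1)[0]
                if record[q] == 0:
                    return record[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += elen
    return None
def domain_category(hostname: str) -> str:
    """Suffix-match the SNI host against the category table; the URL path is never visible here."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        category = CATEGORY_BY_DOMAIN.get(".".join(labels[i:]))
        if category:
            return category
    return "Uncategorized"
```

Only the hostname is recoverable from this record; the path, headers and body stay inside the tunnel unless the device terminates TLS itself, which is the man-in-the-middle step the reply above describes.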