
How does a firewall identify an application when we have HTTPS?

Hi Everyone,

We work with Sophos firewalls with several clients and I want to understand how the firewall identifies an application, since the application (example: OneDrive) uses HTTPS and the firewall rule which permits access to the internet DOES NOT HAVE HTTPS scanning enabled.

Thanks in advance,

Fernando Dias



  • At a simple level, most HTTPS connections also include SNI (service name indication), so the firewall knows the server (FQDN) that it is connecting to.  

    At a more complex level there is "deep packet inspection" which looks for signatures within packets that can occur when used by some applications.


    As a general topic, try Googling "snort".

  • Hi Michael,

    Thank you for your answer.

    As you said, I am forced to enable HTTPS inspection in order to do "deep packet inspection". But again, I note that the Sophos firewall identifies applications even when Decrypt & Scan is disabled. How is that possible? Does Sophos have a general setting which always decrypts? An internal setting?

    Snort is a free IDS application, right? I am going to do deeper research about it.

    Thanks in advance,

    Fernando Dias

  • Deep packet inspection is performed regardless of HTTPS decryption.  However its abilities are limited in that case.

    Let's say you do not have HTTPS decryption.  Your computer makes a TCP connection to an IP address, on port 443, and then starts an SSL handshake, sending the SNI.  The packet inspection can see inside the SNI and see that you are connecting to onedrive.microsoft.com.  That matches a signature for OneDrive and it marks the connection with the application OneDrive.

    In the second case your computer makes a TCP connection to an IP address, on port 443, and then starts an SSL handshake, sending the SNI.  The packet inspection can see inside the SNI and see that you are connecting to www.microsoft.com.  That does not match any signature.  The SSL handshake continues and the rest of the connection is encrypted.  Your computer then does GET www.microsoft.com/onedrive but the packet inspection cannot see it (encrypted).  It does not therefore match any signature for OneDrive and the connection is not marked.  You would need to have HTTPS decryption on.

    However if you are blocking OneDrive, blocking the first connection would be enough.


    snort is a common open source implementation of a packet inspector.  It is used in various places in various Sophos products.  I mention it because as a general topic there are lots of documentation around it.  It is most commonly used for preventing attacks but can also be used for application detection (OpenAppID).
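The two cases in the answer above (and the SNI point in the first reply) can be made concrete with a small inspector that sees a TLS flow the way a firewall without decryption does: it parses the plaintext ClientHello, pulls the hostname out of the server_name extension, matches it against a signature table, and treats every application_data record after the handshake as opaque. This is an added example written for this page, not Sophos or Snort code; the ClientHello is constructed inline (minimal TLS 1.2, one cipher suite, only the SNI extension), and the hostnames in APP_SIGNATURES are an illustrative table, not Sophos' real application signatures.

```python
import struct

# Hypothetical signature table: app name -> hostnames (exact or subdomain match).
# Illustrative only, not Sophos' real signatures.
APP_SIGNATURES = {
    "OneDrive": ("onedrive.microsoft.com", "onedrive.live.com"),
    "Google Drive": ("drive.google.com",),
}

# A constructed TLS application_data record (content type 0x17). In a real flow
# its payload is the encrypted "GET /onedrive" request; here it is just 16 zero
# bytes, since the inspector cannot read inside it either way.
ENCRYPTED_APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(16)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + bytes(32)             # random (zeros; constructed example)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"           # compression methods: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:
            continue
        lpos = 2                                      # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:                            # host_name
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
            lpos += 3 + nlen
    return None


def classify(sni):
    """Match an SNI hostname against the (hypothetical) application signatures."""
    if not sni:
        return None
    sni = sni.lower().rstrip(".")
    for app, hosts in APP_SIGNATURES.items():
        if any(sni == h or sni.endswith("." + h) for h in hosts):
            return app
    return None


def inspect_flow(records):
    """Walk one flow's TLS records as a non-decrypting firewall can: read the
    plaintext ClientHello, count application_data as opaque bytes, never more."""
    verdict = {"sni": None, "app": None, "opaque_bytes": 0}
    for rec in records:
        if rec[0] == 0x16 and verdict["sni"] is None:
            verdict["sni"] = extract_sni(rec)
            verdict["app"] = classify(verdict["sni"])
        elif rec[0] == 0x17:
            verdict["opaque_bytes"] += len(rec) - 5   # payload is ciphertext; content unknown
    return verdict


if __name__ == "__main__":
    # Case 1: SNI names the OneDrive host -> marked at the ClientHello.
    print(inspect_flow([build_client_hello("onedrive.microsoft.com"), ENCRYPTED_APP_DATA]))
    # Case 2: SNI is www.microsoft.com; the GET /onedrive is inside the opaque record.
    print(inspect_flow([build_client_hello("www.microsoft.com"), ENCRYPTED_APP_DATA]))
```

Case 2 is the point of the answer: the inspector sees the same number of opaque bytes whether the encrypted request was `/onedrive` or anything else, so without Decrypt & Scan the only application evidence it ever gets is the hostname in the ClientHello (plus the IP address and port, which the last reply below discusses).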

  • Thank you very much for your explanation.

    Fernando Dias

  • Fernando,

    Fernando Dias1 said:
    We work with Sophos firewalls with several clients and I want to understand how the firewall identifies an application since the application(example: Onedrive) use https and the firewall rule which permits access to the internet DOES NOT HAVE the HTTPS scanning enabled.

    To start TLS encryption, there must be a handshake of trust. That begins unencrypted.  This happens by the OneDrive application connecting to a Microsoft or OneDrive website.  OneDrive won't try to connect to Google Drive or to Amazon Cloud Storage to get this authentication.  Sophos has already identified the applications, sites, protocols, and services required to make this work and has programmed this information into your firewall.

    After encrypted communication is active, the headers of encrypted packets are unencrypted, so every switch, router, and gateway along the way can determine where to send the encrypted packets.  This allows OneDrive data to flow properly between the client's computer and the client's OneDrive storage.  Your firewall can still read these unencrypted headers whether Decrypt & Scan is on or off.

    Also, if you are integrating Intercept X or Endpoint Protection with your XG Firewall through Sophos Central, your IX and EPP are identifying the application and communicating it to the firewall.  The EPP can see the OneDrive app and its data before it is encrypted to send out and after it is decrypted when received.