
How does a firewall identify an application when we have HTTPS

Hi Everyone,

We work with Sophos firewalls with several clients and I want to understand how the firewall identifies an application, since the application (for example, OneDrive) uses HTTPS and the firewall rule which permits access to the internet DOES NOT HAVE HTTPS scanning enabled.

Thanks in advance,

Fernando Dias

  • At a simple level, most HTTPS connections also include SNI (Server Name Indication), so the firewall knows the server (FQDN) that it is connecting to.

    At a more complex level there is "deep packet inspection" which looks for signatures within packets that can occur when used by some applications.


    As a general topic, try Googling "snort".

  • Hi Michael,

    Thank you for your answer.

    As you said, I am forced to enable HTTPS inspection in order to do "deep packet inspection". But again, I note that the Sophos firewall identifies applications even when Decrypt & Scan is disabled. How is that possible? Does Sophos have a general setting which always decrypts? An internal setting?

    Snort is a free IDS application, right? I am gonna do some deeper research about it.

    Thanks in advance,

    Fernando Dias

  • Deep packet inspection is performed regardless of HTTPS decryption.  However, its abilities are limited in that case.

    Let's say you do not have HTTPS decryption.  Your computer makes a TCP connection to an IP address on port 443, and then starts an SSL handshake, sending the SNI.  The packet inspection can see inside the SNI and see that you are connecting to onedrive.microsoft.com.  That matches a signature for OneDrive and it marks the connection with the application OneDrive.

    In the second case, your computer makes a TCP connection to an IP address on port 443, and then starts an SSL handshake, sending the SNI.  The packet inspection can see inside the SNI and see that you are connecting to www.microsoft.com.  That does not match any signature.  The SSL handshake continues and the rest of the connection is encrypted.  Your computer then does GET www.microsoft.com/onedrive, but the packet inspection cannot see it (encrypted).  It therefore does not match any signature for OneDrive and the connection is not marked.  You would need to have HTTPS decryption on.

    However if you are blocking OneDrive, blocking the first connection would be enough.


    snort is a common open source implementation of a packet inspector.  It is used in various places in various Sophos products.  I mention it because, as a general topic, there is lots of documentation around it.  It is most commonly used for preventing attacks but can also be used for application detection (OpenAppID).

  • Thank you very much for your explanation.

    Fernando Dias
