
Quarantine Digest: Admin Console Port

When you configure the quarantine digest to reference the external IP address of the XG unit, the digest email references the "Admin Console Port". This is absolutely absurd. It effectively means that I need to open up access to the Admin portal to the entire world without restriction - this is a MASSIVE security risk.

The easiest solution is to change the XG to use the User Portal port for the "release" link under the action heading.

I can't comprehend how any developer in the world would ever require a user to access an administrator console port to perform an action.
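The complaint above (the digest's "Release" link targeting the admin console port rather than the user portal port) can be checked on the receiving side before anyone decides to open a port. This is an added Python example, not Sophos code; the port numbers, hostname, and URL paths are constructed placeholders to be replaced with the values of your own deployment.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed port values (placeholders, not from the thread): set them to your
# own XG deployment's admin console and user portal ports.
ADMIN_PORT = 4444
USER_PORTAL_PORT = 443

# Constructed sample digest: a "My Account" link on the portal port and a
# "Release" link that, as the thread describes, targets the admin port.
SAMPLE_DIGEST = """
<p><a href="https://mail.example.com:443/myaccount">My Account</a></p>
<table><tr><td>spam-sample.eml</td>
<td><a href="https://mail.example.com:4444/release?msg=1">Release</a></td></tr></table>
"""

class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from the digest HTML."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_digest(html, admin_port=ADMIN_PORT, portal_port=USER_PORTAL_PORT):
    """Return (link text, href, reason) for every link whose port is the
    admin console port, or anything other than the user portal port."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        # A URL without an explicit port uses the scheme's default port.
        port = url.port or (443 if url.scheme == "https" else 80)
        if port == admin_port:
            findings.append((text, href, "targets admin console port"))
        elif port != portal_port:
            findings.append((text, href, "unexpected port"))
    return findings
```

Run it over a saved digest email (the HTML part) and any non-empty result tells you which links would require a WAN-facing admin port before you decide how to deliver the digest.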



  • Hi  

    Would it be possible to further clarify this by sharing a picture of your quarantine digest settings? (through PM if you prefer).

    Users clicking on the link in the quarantine email should be directed to their "MyAccount" via the User Portal (via the user port).

    Regards,

  • I think you've misunderstood the problem.

    The "My Account" link is correct; it links to the user portal.

    The "Release" link, which is to the right of the quarantined email, however, links to the admin portal.

  • Wow.

    No doubt you would argue that we don’t need HTTPS either because a HTTP website has passwords protecting it?

    I hope you are not in charge of network security anywhere.

  • The Sophos admin console itself even reports it as a massive security risk.

    To be blunt, Sophos, sort this out.

    In this day and age you don't make admin consoles public facing. A good brute force attack would get in eventually.

  • I am not using any Email Proxy on my XGs right now and do not use any Webadmin on any of my XGs (because I access them via Central).

    But good to know, you are instantly connecting such a statement to HTTPS.

    Still you don't point out where the big massive security hole is. Do you have an exploit or some way to get instant access or not?

    Can you link me to the security risk page, which shows such flaws in the webadmin?

  • Can honestly say I've never met such incompetence.

    This is a complete joke.

  • Ah - you mean the notification / alert. Completely forgot about that part.

    But you are missing my point and are not willing to discuss this any further. I will stay out of this topic for now.

    I would recommend thinking about a solution via VPN, UEM and/or Central Email for such deployments.

    Pre MR8, this feature was not working on the hostname, so basically you could only use the IP of one of your interfaces, which is most likely not a public IP.

  • This is a complete joke.

    You now want me to roll out VPN to 200 mobile devices.

    Why don't I just make all the remote tools, i.e. iDRAC and iLO, publicly facing too.

    This is a basic feature that was fine on UTM 9.

    Now on XG you want us to make security changes or purchase another product when this is clearly a flaw in itself.

    Might have to consider a new product and just get rid of Sophos because you have no regard and clearly don't care about this.

    I tell you what though: seeing as your technical solution is to either use VPN or open the web console to the internet, the minute a company has a breach because of a web console open on the web, I look forward to you and Sophos being taken to court.

    A nice GDPR fine would just go down nicely to get this resolved.

  • I am just pointing out that this is just a design issue, not a massive security hole.

    And that is just my personal opinion. Like always, I act as a person, not the company statement, here in the forums. That is my last post in this thread. Thanks for the discussion.

  • If Sophos think that mandating that a webadmin port is open to the entire world is not a security risk, it might be time to re-assess whether Sophos is the right vendor to be using for cyber security.

    Deploying a VPN to hundreds of users and forcing them to connect their mobile phone to a VPN in order to release a quarantined email is an absurd suggested solution.

    Sophos could fix this in about 60 minutes by changing the URL to the client portal port.

    Yet, as usual, Sophos refuses to listen to its clients and take on the feedback it receives. There are enhancement requests in this forum from 6 years ago that still aren't implemented. The whole "we'll decide what you need" rather than "we'll implement what you want" is a bulls*** approach.

  • I completely agree.

    Hope they look forward to a lawsuit.

    It's not even as if they have 2-factor authentication on the web console. It would give a little bit of peace of mind.

  • Hi Ben,

    A VPN is definitely the better approach than to open _any_ TCP port w/o authentication.

    You might also reconsider (re-)reading https://community.sophos.com/kb/en-us/122482?

    (I doubt that threats and accusations will drive the vendor to implement your proposal faster ;)

    You are still free to decide:

    [ ] enable the WebAdmin port on WAN

    [ ] send quarantine digests with clickable links

    [ ] enable User Portal access

    So no need to complain that hard about your chosen design (anti-)pattern.

    And "But UTM9..." is no valid argument any longer :)

    Regards

    Steven

