
Quarantine Digest: Admin Console Port

When you configure the quarantine digest to reference the external IP address of the XG unit, the digest email references the "Admin Console Port". This is absolutely absurd. It effectively means that I need to open up access to the Admin portal to the entire world without restriction - this is a MASSIVE security risk.

The easiest solution is to change the XG to use the User Portal port for the "release" link under the action heading.

I can't comprehend how any developer in the world would ever require a user to access an administrator console port to perform an action.



This thread was automatically locked due to age.
  • Hi Ben,

     

    A VPN is definitely the better approach than to open _any_ TCP-Port w/o authentication.

    You might also reconsider (re-)reading https://community.sophos.com/kb/en-us/122482?

    (I doubt that threats and accusations will drive the vendor to implement your proposal faster;)

     

    You are still free to decide:

    [ ] enable the WebAdmin-Port on WAN

    [ ] send Quarantine digests with clickable links

    [ ] enable User-Portal access

     

    So no need to complain that hard about your chosen design (Anti-)pattern.

    And "But UTM9..." is no valid argument any longer :)

     

    Regards

    Steven

  • Hi Stuart,

    I like your passion on that topic and agree that Sophos XG Firewall should really be able to release mails without using the admin interface!

    But in my opinion it is still debatable if this is a security-relevant (MASSIVE?) bug or more a feature request...

     

    I'm a big fan of PMX, where you can release Spam by UserPortal or even directly from the Quarantine Digest inline by replying with an auto-approve-mail!

    Did you already test more powerful email filtering solutions such as Central Email, E-Mail Appliance or PMX - if that XG 'Quarantine Digest' approach did not satisfy your concerns?

     

    Regards

    Steven Seyfried

  • SayFriedLight said:

    Hi Stuart,

    I like your passion on that topic and agree that Sophos XG Firewall should really be able to release mails without using the admin interface!

    But in my opinion it is still debatable if this is a security-relevant (MASSIVE?) bug or more a feature request...

    Do you really think that allowing users to release a quarantine email without opening up the entire administration console to the entire world is an enhancement and not a bug?

     

    I've just decided to downgrade my Sophos license to remove SPAM filtering and use a third party SPAM engine instead. I have 128 Sophos XGs in production, so it just means Sophos has cost themselves licensing fees. It would be nice to have the Sophos do things securely, but given they've chosen to ignore this issue I have little choice.

  • Hi  

    Thanks for reaching out to express your concerns and for providing your suggestions for this.

    I'll reach out to my team to forward this over for their discussion.

    Please don't hesitate to reach out to me directly if you have any questions or concerns I could assist with.

    Regards,

  • Honestly, I can't believe that this still isn't fixed, even after XG Firewall got hit by a massive SQL injection security hole! The whole Mail Protection on XG compared to UTM is just one big joke!