
Anyone have a good list that's been developed for TLS Exclusion?

I think there will be many more domains that need to be added to the TLS bypass. If you have already been through this pain please share!

Thanks



  • Hi,

    TLS exclusions highly depend on your own scenario and workplace; I don't recommend using random lists from other users for it. To be honest, I deeply recommend that you build your own exclusion list.

    If your workplace heavily uses browser-based applications and you imported the CA correctly, then you will _almost_ never have issues with decryption. But depending on the application your users use - if it has certificate pinning then yes, you will have to create an exclusion for the necessary domain.

    Thanks!

  • This caught my attention because today, after installing MR2 on my production XG210, I re-enabled the DPI engine and created a rule just for me to test.  Some sites work great, blazing fast, and some sites have problems whereby they are incredibly slow to load.  In an organization with 50+ people, I cannot tell our users to call me every time they run into a site that loads weird, I'd be on the phone all day and nobody would ever get anything done.

    Maybe it's just me, but the DPI engine looks great on paper but performs horribly in the real world.  "Make an exclusion" isn't practical.

  • Actually it's the same "problem" you had in the proxy as well.

    If there were an "automated process", this would destabilize the entire system. For example, an attacker using a TLS connection which would be decrypted would lead to an exception.

    The point is, there are two different cases of "This site is not working with DPI":

    A. The site/service does not want you to do it. (Banking? Services by Microsoft or apps?)

    B. There are technical difficulties within the DPI engine to decrypt this.

    As Sophos is working hard on case B to resolve such issues (let's call them bugs), for case A you "should know what apps your setup is using".

    Case A will lead to a discussion: what should our users do in our network? What is allowed and what is not? If you allow all, you might end up with a huge list of exclusions.

    This issue is the same as HTTPS decryption was in UTM.

  • LuCar,

    "The internet," as in HTTPS websites, is the app that is breaking.  I have the XG certificate installed for MITM decryption.  It works perfectly well when using the web proxy engine.  But turn on the DPI engine and all of a sudden random sites become extremely slow.  If you look in the log file you will see this extremely helpful entry:

    • reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"

    What does that mean?  Why does it happen?  How can it be fixed?  

    "Make an exception" is not a useful answer.  
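The earlier reply advises building your own exclusion list, and this post shows the only evidence the log gives you: a `Dropped due to TLS engine error: FLOW_TIMEOUT[5]` reason string. The script below is an added example (not from the thread or from Sophos) that aggregates such drops per destination so that repeated failures across several clients can be reviewed before anyone creates an exclusion. Only the `reason=` text comes from the thread; the log layout and the other field names (`dst_host`, `src_ip`, `log_type`) are constructed for this example and are not the firewall's real schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a key="value" layout. Only the reason=
# string comes from the thread; dst_host, src_ip and log_type are assumed
# field names chosen for this example, not the firewall's real schema.
SAMPLE_LOG = """\
log_type="TLS" src_ip="10.0.0.21" dst_host="cdn.example.com" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
log_type="TLS" src_ip="10.0.0.34" dst_host="cdn.example.com" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
log_type="TLS" src_ip="10.0.0.21" dst_host="pinned-app.example.net" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
log_type="TLS" src_ip="10.0.0.50" dst_host="intranet.example.org" reason="Allowed"
log_type="TLS" src_ip="10.0.0.34" dst_host="cdn.example.com" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Captures the error name and its numeric code, e.g. FLOW_TIMEOUT and 5.
ERROR_RE = re.compile(r"Dropped due to TLS engine error: (\w+)\[(\d+)\]")


def parse_line(line):
    """Split one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def tls_error_summary(log_text):
    """Return {dst_host: {"count": n, "clients": set, "errors": Counter}}
    for every host whose connections were dropped by the TLS engine."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "errors": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = ERROR_RE.search(rec.get("reason", ""))
        if not m:
            continue  # not a TLS-engine drop, so it is not an exclusion candidate
        entry = summary[rec.get("dst_host", "?")]
        entry["count"] += 1
        entry["clients"].add(rec.get("src_ip"))
        entry["errors"][m.group(1)] += 1
    return dict(summary)


def review_candidates(log_text, min_clients=2):
    """Hosts that failed for at least `min_clients` distinct clients, most hits
    first: the ones worth checking (pinning vs. engine bug) before excluding."""
    summary = tls_error_summary(log_text)
    hits = [(h, e["count"]) for h, e in summary.items() if len(e["clients"]) >= min_clients]
    return [h for h, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    for host, entry in tls_error_summary(SAMPLE_LOG).items():
        print(host, entry["count"], sorted(entry["clients"]), dict(entry["errors"]))
    print("review first:", review_candidates(SAMPLE_LOG))
```

Run it against exported log lines from the firewall after mapping the real field names onto `dst_host` and `src_ip`; a host that appears once from one client is noise, while one failing for many clients deserves the case A / case B investigation described above.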
