
Has Encryption Made Your Current Firewall Irrelevant? Latest from Sophos about decryption on XG/XGS

Hi folks,

I read the document with interest and noticed there was no mention of HTTP/2 support in the XG/XGS decryption profile. What is the Sophos way forward with this protocol to improve the security scanning on the XG/XGS?

Ian


Top Replies

  • HTTP/2 and QUIC etc. are of course of big interest to bigger providers like Google, Akamai etc. They want to push this to decrease their output volume to a minimum. 

    In SFOS you can block QUIC and clients will fall back to HTTPS. 

    The issue with HTTP/2 is that it is rather new to begin with, and HTTP/3 is already in the pipeline. With ~45% of web servers supporting HTTP/2, it is not the best coverage. Therefore you will still have to use HTTP/1 with TLS. 

    HTTP/2 needs DPI to begin with. You cannot support this protocol with a proxy-based solution, as far as I understand. Therefore the foundation is already in place with V18.0. 

    And HTTP/2 has only web-based coverage. If you ignore the fact that all other apps still use TLS, you will go blind again.

    The solution in the current state would be to block HTTP/2, fall back, and use DPI to decrypt TLS 1.3. 

  • About the HTTP/2 part: as far as I know, most HTTP/2 protocols use TLS anyway. Therefore XGS can decrypt those protocols, but cannot pass them to the proxy. In the wild, I did find plenty of HTTP/2-based operations on firewalls, which indicates the fallback to HTTP/1.1 works fine. 

    Yes, I was referring to QUIC on HTTP/3. 

    DPI is again decryption on any service seen on the firewall. Nowadays you can do this on all ports and with TLS 1.3 etc. There are applications which were designed to work without any decryption, as at the point of app creation there was no such decryption product. 

    The DPI is completely separate from the firewall stack. You can trigger decryption and an app filter. You can trigger only the app filter but no decryption. You can trigger only decryption but no app filter etc. 

    The DPI will take the traffic first, decrypt it and pass it to the modules to do their job. 

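The two replies above make the same point from different angles: whether a TLS flow carries HTTP/2 is decided by the ALPN extension inside the ClientHello, so it can only be seen by an engine that looks at the TLS handshake (the DPI path), and a client whose `h2` offer is not accepted falls back to `http/1.1`. The following Python is an added example, not Sophos or SFOS code and not a description of how the XG/XGS DPI engine is implemented; it builds a constructed ClientHello with an SNI and ALPN list, parses it the way a handshake-aware inspector would, and labels the flow. The labels `h2-offered`, `http1-only` and `no-alpn` and the helper names are assumptions made for this example.

```python
import struct

# --- constructing a ClientHello (constructed sample, not captured traffic) ---

def _extension(ext_type, body):
    """Wrap an extension body in its 2-byte type / 2-byte length header."""
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni, alpn):
    """Build a minimal TLS ClientHello record offering the given SNI and ALPN list."""
    name = sni.encode()
    # server_name (type 0): list length, name type 0 (host_name), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    # application_layer_protocol_negotiation (type 16): length-prefixed protocol names
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_body = struct.pack("!H", len(protos)) + protos
    extensions = _extension(0, sni_body) + _extension(16, alpn_body)
    body = (
        b"\x03\x03" + b"\x00" * 32            # legacy version TLS 1.2, 32-byte random (zeroed)
        + b"\x00"                             # session id length 0
        + b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

# --- parsing what a handshake-aware inspector sees before any decryption ---

def parse_client_hello(record):
    """Return {'sni': str|None, 'alpn': [str]} from a TLS ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip legacy version and random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher suites
    pos += 1 + body[pos]                           # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"sni": None, "alpn": []}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0:                             # server_name
            nlen = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode()
        elif etype == 16:                          # ALPN
            plen = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p < 2 + plen:
                n = data[p]
                info["alpn"].append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
    return info

def classify(record):
    """Label the offered application protocol so policy can route the flow (labels are this example's own)."""
    alpn = parse_client_hello(record)["alpn"]
    if "h2" in alpn:
        return "h2-offered"      # HTTP/2 inside TLS: only a handshake-aware (DPI) path can see this
    if "http/1.1" in alpn:
        return "http1-only"      # the fallback case: a proxy-based inspection path can handle it
    return "no-alpn"             # not an HTTP client, or ALPN absent

if __name__ == "__main__":
    hello = build_client_hello("example.com", ["h2", "http/1.1"])
    print(parse_client_hello(hello), classify(hello))
```

The point for a firewall operator is that nothing in the plaintext of the record says "HTTP/2"; the protocol offer is a short list inside the handshake, and a server that answers with `http/1.1` instead of `h2` is exactly the fallback the second reply reports seeing in the wild. The same parser is the natural place to log SNI and ALPN per flow when you are checking which applications break under a new SSL/TLS rule.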

  • Thank you. I have been experimenting with SSL/TLS rules and so far have only broken two applications: one was fixed by enabling the web proxy, the other is video streaming, where I can't find why video fails to start. Nothing obvious in logviewer at this stage.

    I have noticed that some of the applications I had to create special policies for are blocked in SSL/TLS scanning by categories. I suspect, though, that the site, when it gets its act together, will no longer be classified as a virus etc. source by Sophos.

    Ian

    XG115W - v19.5.1 mr-1 - Home
