Category None -- Inadequate management tools, misconfigured default

Sites that are not categorized fit into one of these categories: (1) a legitimate enterprise that is too small to get noticed by the categorization service, (2) a malicious enterprise that changes its domain name regularly to evade categorization, (3) a typing error by the user which leads to an unintended site, (4) a typing error by the user which produces a host name that does not exist, or (5) a bug in the classification logic's ability to evaluate a long URL.

Because of #2, Category None should never be configured for ALLOW, but the default configuration of XG is ALLOW. This should be fixed.

Because of #1, I recommend setting the category to WARN, but some sites might prefer BLOCK.

Because of #2, #3 and #4, I don't care about warnings where the user chose not to proceed. I do want to know about the sites where the user chose to proceed despite the warning, both to understand my risk and to simplify life for the user. I need to get these sites categorized. Ideally, this should be done automatically, with the device sending a periodic (perhaps daily) upload to Sophos.

After a site is categorized, the best response would be to check for any results that are flagged as malicious. Since I already know that the user proceeded to the site, I may need to find those users and PCs to assess the risk or reality of a compromise.

With XG, I don't see a way to download log results for analysis, and the interface does not seem amenable to identifying all unique URLs with Category None, so the problem does not seem solvable. Plus, the Sophos Reassessment site (as of my last check) only takes one URL at a time, then provides no feedback, so it is not viable if you have many uncategorized URLs within your evaluation period.

In UTM, the problem is hard but not impossible. I download the logs (about 2GB per day for my site), then parse them into a SQL database. I use SQL queries to find unique occurrences of URLs with three related log entries: a warn record, a choose-to-proceed record, and a site-accessed record. Then I submit those URLs to the TrustedSource.org website, in batches of up to 100. (Different parts of a site may have different categorizations, so it is important to submit every uncategorized URL for reclassification, not simply the host name.) McAfee/TrustedSource processes the results in one business day and sends a confirming email when they are done. UTM gets the results eventually (not more than 5 days, according to support.)

However, since many UTM installations will not be creating custom reporting tools to solve this problem, and may not even realize that uncategorized sites are a risk to be managed, Sophos should provide tools to make it easy for them to be safe, and hard for them to be foolish, with uncategorized sites.

(My understanding is that XG uses a different database, so the McAfee TrustedSource approach is not an option for getting sites categorized efficiently, even if someone figures out how to extract the relevant information.)
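
The correlation Douglas describes above, as an added example that is not code from the original post or from Sophos: UTM-style key="value" log lines are loaded into a SQL database (SQLite here), one query pulls the unique uncategorized URLs that carry all three related records for the same client (warn, proceed, access) together with the users and source IPs who proceeded, and the result is cut into batches of 100 for submission to a reclassification service. The sample lines are constructed, and the field names, the action values "warn", "proceed" and "pass", and the "Uncategorized" label are assumptions for illustration, not the appliance's verified log schema.

```python
"""Correlate warn / proceed / access records for uncategorized sites.

Added example, not code from the original thread or from Sophos.  It follows
the procedure described in the post: log lines go into a SQL table, a query
finds URLs with all three related records from the same client, and the
unique URLs are batched (100 at a time) for reclassification submission.
"""
import re
import sqlite3
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the key="value" style of Sophos UTM http.log.
# ASSUMPTIONS: the action values "warn", "proceed" and "pass", category 9998
# and the label "Uncategorized" are illustrative, not a verified log schema.
SAMPLE_LOG = """\
2017:06:01-09:00:01 utm httpproxy[2110]: sys="SecureWeb" sub="http" action="warn" srcip="10.0.0.15" user="alice" url="http://typo-exampel.test/login" category="9998" categoryname="Uncategorized"
2017:06:01-09:00:05 utm httpproxy[2110]: sys="SecureWeb" sub="http" action="proceed" srcip="10.0.0.15" user="alice" url="http://typo-exampel.test/login" category="9998" categoryname="Uncategorized"
2017:06:01-09:00:06 utm httpproxy[2110]: sys="SecureWeb" sub="http" action="pass" srcip="10.0.0.15" user="alice" url="http://typo-exampel.test/login" category="9998" categoryname="Uncategorized"
2017:06:01-09:01:00 utm httpproxy[2110]: sys="SecureWeb" sub="http" action="warn" srcip="10.0.0.22" user="bob" url="http://smallvendor.test/portal/" category="9998" categoryname="Uncategorized"
2017:06:01-09:03:00 utm httpproxy[2110]: sys="SecureWeb" sub="http" action="pass" srcip="10.0.0.31" user="carol" url="http://www.example.com/" category="100" categoryname="Business"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Log keys we keep, in table column order (the "user" key is stored as "username").
FIELDS = ("ts", "action", "srcip", "user", "url", "categoryname")

# Only URLs that were warned AND proceeded AND then accessed by the same client
# count; a warning the user backed out of is noise for this purpose.
PROCEEDED_SQL = """
SELECT a.url,
       GROUP_CONCAT(DISTINCT a.username) AS users,
       GROUP_CONCAT(DISTINCT a.srcip)    AS hosts
FROM weblog a
WHERE a.categoryname = 'Uncategorized'
  AND a.action = 'pass'
  AND EXISTS (SELECT 1 FROM weblog w WHERE w.url = a.url AND w.srcip = a.srcip AND w.action = 'warn')
  AND EXISTS (SELECT 1 FROM weblog p WHERE p.url = a.url AND p.srcip = a.srcip AND p.action = 'proceed')
GROUP BY a.url
ORDER BY a.url
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the timestamp plus the key="value" fields of one log line, or None."""
    line = line.strip()
    if not line:
        return None
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(KV_RE.findall(rest))
    if "url" not in rec or "action" not in rec:
        return None  # not a web-filter record we can correlate
    return {k: rec.get(k, "") for k in FIELDS}


def load_log(lines: Iterable[str], conn: sqlite3.Connection) -> int:
    """Parse lines into the weblog table; returns the number of rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS weblog (ts TEXT, action TEXT, "
                 "srcip TEXT, username TEXT, url TEXT, categoryname TEXT)")
    rows = [tuple(r[k] for k in FIELDS) for r in map(parse_line, lines) if r]
    conn.executemany("INSERT INTO weblog VALUES (?, ?, ?, ?, ?, ?)", rows)
    return len(rows)


def build_db(lines: Iterable[str]) -> sqlite3.Connection:
    """In-memory database loaded from the given log lines."""
    conn = sqlite3.connect(":memory:")
    load_log(lines, conn)
    return conn


def proceeded_uncategorized(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """(url, users, hosts) for every uncategorized URL somebody proceeded to."""
    return conn.execute(PROCEEDED_SQL).fetchall()


def batches(urls: List[str], size: int = 100) -> List[List[str]]:
    """Cut the URL list into submission batches (100 per batch, as in the post)."""
    return [urls[i:i + size] for i in range(0, len(urls), size)]


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG.splitlines())
    hits = proceeded_uncategorized(db)
    for url, users, hosts in hits:
        print(f"{url}  users={users}  hosts={hosts}")
    for n, batch in enumerate(batches([h[0] for h in hits]), 1):
        print(f"batch {n}: {len(batch)} URL(s) to submit for reclassification")
```

Run on the sample, only the typo-squatting lookalike that alice proceeded to is reported; bob's warning with no proceed record and carol's already-categorized site are excluded. The users and hosts columns are what you need for the follow-up in the post: once a submitted URL comes back flagged as malicious, you already know which accounts and PCs to look at. On a real multi-gigabyte daily log you would point load_log at the downloaded file rather than the embedded sample and keep the database on disk.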



  • Douglas,

    thanks for your post. Regarding the Web Filtering, XG is using the Sophos/Cyberoam engine (we do not know which one really), an engine developed internally. There are other threads regarding the bad categorization and how the engine is not working as well as expected. In one of my threads, I complain about ads on the YouTube website that are not blocked:

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80869/youtube-and-ads---sometimes-they-are-not-blocked

    Still no answer today.

    UTM is using the McAfee engine and it is working quite well (I have it on 4000 users and only a few websites are wrongly categorized). XG should use the McAfee engine too, but Sophos is pushing to use its own engine. At the moment the results are not as good as expected for those who buy and pay for a Web Filtering license.

    We are still waiting for some real feedback from Sophos and not answers like "please add the wrong URL on the Sophos website...". URLs are changing every day, and web filtering is one of the most difficult and fast-changing engines on a UTM/Next Generation Firewall.

    Regarding cases #3 and #4, web filtering in general cannot do anything. This is called typosquatting. You can find more info here:

    https://en.wikipedia.org/wiki/Typosquatting

    For best protection, train your users. Make sure they know what they type and what they click. A firewall can block 90% of web attacks; the remaining part is done by training.

    We are looking forward to seeing what v17 brings us and whether Sophos understands that Web Filtering needs a big improvement (as do IPS, WAF and Logging).

    Regards

  • I certainly understand Sophos' desire to be self-sufficient on website classification. McAfee has its own web protection product, and Sophos has to worry about being dependent on a direct competitor. Using someone else's data also involves royalties, and this is presumably one reason, or possibly the main reason, that XG Firewall is less expensive than UTM.

    One of the conceptual challenges to building such a database is how to collect the data. If your site is entering category overrides into XG and if you have also enabled the Sophos Adaptive Learning feature, then perhaps you are helping them to build the improved database that you and they need. I don't know whether they have this implemented or not, but it certainly seems like a reasonable approach to the massive data collection problem that is needed, both now and on a continuous basis in the future.