Sophos Web Appliance & Endpoint network traffic

My company is in the process of testing the Sophos Virtual Web Appliance being integrated with Endpoint and has run into a lack of information, so I was hoping someone here is running a similar setup and had some statistics to share.

We are in the middle of rolling out Endpoint v10 and also purchased the Virtual Web Appliance to do logging/filtering to around 3,000 users spread out over 100+ remote sites of varying size and internet connections.  We haven't been able to find any information online or from Sophos about what type of network traffic we can expect all of these Endpoints to generate.

The most information I've gotten from tech support is that the endpoints send the logs back to the appliance once every 45 seconds.  However, the amount of traffic generated varies based on how much surfing was done, and whether the site was blocked, allowed, or warned.  They have no whitepapers or information giving even a general ballpark range of network traffic the Endpoint would be sending back to the appliance for low/medium/high internet users.

I'm hoping someone here has deployed the Web Appliance with Endpoint and has some data they are able to share regarding the load this puts on the network, or any issues they have had with this setup.

Thanks,

Joe

  • I too am in the final stages of putting in Web Appliances though we have a bit more traffic. We will be filtering about 20K endpoints/users when it is all said and done. In my tests I deployed the endpoint web control via the enterprise console and it works great. I didn't see a rise in traffic really and these are about 400 students, teachers, and admins at one of our sites. We have had Sophos Antivirus running for 2 years now and the network traffic they generate is no problem or really significant at all. When deploying web-filtering using the endpoint protection, the traffic doesn't come back to your appliance. Endpoints will get all of the policies from Sophos Live Connect. So your network is not acting as a gateway for remote users. I would have gone this route if the endpoint filtering would do HTTPS filtering. Seems like that is the only real drawback for this.

  • Thanks for the feedback bloodborn.

    >  When deploying web-filtering using the endpoint protection, the traffic doesn't come back to your appliance. Endpoints will get all of the policies from Sophos Live Connect.

    This is true when the endpoint is roaming.  However, the endpoint does actually try to connect directly to your appliance before going to LiveConnect.  It's only when this fails that LiveConnect is used.

    The 'extra' traffic generated by using endpoint web control:

    • An extra HTTP request is generated when you visit a site.  This is to check the category of the website using Sophos servers.  However, these will be very small (less than 1kb including request and response)
    • Approximately once a minute the endpoint checks for new policy on the appliance using HTTP.  Again this should only be a matter of a few kb even when the policy has changed.
    • The endpoint sends reporting data to the appliance every 15 minutes (or almost immediately when something is blocked).  The size of this data is completely dependent on how much traffic there is.

    There are ways you could see how much reporting data is generated on a test client.  For example, the data is generated in this directory:  C:\ProgramData\Sophos\Web Control\Activity\

    Bear in mind that this directory will clear when the upload happens though.  

    Alternatively, you could monitor your network traffic using tools like Wireshark.

    Hope this is of some help,

    Tom.

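One way to take the measurement Tom describes above, as an added PowerShell example that is not from this thread: it samples the size of the Activity folder at a fixed interval, treats any shrink as the upload having cleared the folder, and keeps a running total so the clearing does not hide the volume. The folder path is the Windows 7 one given above; the interval and duration are arbitrary test values.

```powershell
# Added example (not from the thread): estimate how much Web Control reporting
# data a test client generates by sampling the Activity folder over time.
# Assumptions: path as given in the thread; interval/duration are test values.
param(
    [string]$ActivityDir     = 'C:\ProgramData\Sophos\Web Control\Activity',
    [int]   $IntervalSeconds = 30,
    [int]   $DurationMinutes = 60
)

# Total bytes of all files under the folder (0 if it is empty or missing).
function Get-DirBytes([string]$Path) {
    $files = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    if ($files) { ($files | Measure-Object -Property Length -Sum).Sum } else { 0 }
}

$samples   = [int]($DurationMinutes * 60 / $IntervalSeconds)
$previous  = Get-DirBytes $ActivityDir
$generated = 0   # bytes written since start, summed across uploads
$uploads   = 0   # number of samples where the folder shrank (upload seen)

for ($i = 1; $i -le $samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-DirBytes $ActivityDir
    if ($current -ge $previous) {
        # Folder grew (or stayed the same): the difference is new report data.
        $generated += ($current - $previous)
    } else {
        # Folder shrank: an upload cleared it since the last sample. Treat the
        # previous size as uploaded and whatever is present now as new data.
        # (Data written between the last sample and the upload is not counted,
        # so the estimate is a lower bound.)
        $uploads++
        $generated += $current
    }
    $previous = $current
    "{0:HH:mm:ss}  folder={1,9} B  generated={2,10} B  uploads={3}" -f `
        (Get-Date), $current, $generated, $uploads
}

$perHour = $generated / ($DurationMinutes / 60)
"Estimated report data: {0:N0} bytes in {1} min (~{2:N0} bytes/hour, {3} uploads seen)" -f `
    $generated, $DurationMinutes, $perHour, $uploads
```

Run it on a client with the appliance reachable so uploads happen on the normal schedule; with the 15-minute upload interval noted above, an hour-long run should show a handful of shrink events.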
  • Thanks Tom, I did not know that it would try and connect to the appliance when roaming. I was told by the sales engineer that it would always go through Live Connect when roaming. This is good to know. 

  • No problem!  Glad that helped.

    Effectively, yes it will always use LiveConnect when roaming because the DNS lookup for the appliance hostname will fail, or it won't be able to connect on port 80 anyway (your firewall should block this).  When that fails the endpoint knows it is now roaming and will try LiveConnect instead.

  • Tom - Thanks for clarifying the way the filter works.  Is any of this documented anywhere for review? 

    I'm also a little curious as to why the endpoint doesn't do the filtering locally on the workstation?  It seems odd that it updates its policies at the endpoint level once every 60 seconds and also verifies with the appliance every time someone goes to a website.  Wouldn't it be less network load and just as effective to have the endpoint do the heavy lifting?

    Also, can you please verify the location of the logs for Windows XP systems?

  • Hi Joe,

    At the moment the documentation doesn't cover the functionality at this level of detail I'm afraid.

    > I'm also a little curious as to why the endpoint doesn't do the filtering locally on the workstation?  It seems odd that it updates its policies at the endpoint level once every 60 seconds and also verifies with the appliance every time someone goes to a website.  Wouldn't it be less network load and just as effective to have the endpoint do the heavy lifting?

    Sorry if I wasn't entirely clear.  The purpose of getting the policy every 60 seconds is to pick up changes you make to the appliance.  Eg.  If you block UserA access to 'Search Engines' you want this to take effect as soon as possible - This is contained in the policy.

    The verification that takes place is to determine what category the website is.   This isn't taken from the appliance but rather directly from Sophos servers.  So when you go to google.com an extra HTTP request is sent to Sophos servers to determine the category of the site.  Eg. google.com = Search Engines.

    This is much more efficient for several reasons:

    • The endpoint doesn't need to keep and update a huge set of data containing every website/domain
    • Categorization changes made at Sophos take effect immediately with no updates required
    • The system also works when the endpoint is roaming

    So the endpoint does actually do the filtering, it just needs to send some extra traffic to work out what category the site is.  In reality this should only have a very minor effect on bandwidth and is much better than having the category data stored locally.

    --------------------------------------------

    The activity data is here on a Windows XP system:

    C:\Documents and settings\all users\application data\sophos\web control\activity\

    This data isn't human readable but will give you an idea of how much report data is generated.  To prevent the logs being cleared you may want to stop them being uploaded.  Either:

    - Break communication with the appliance at firewall level or with invalid host entry 

    - Take the machine off the LAN and make sure LiveConnect is disabled

    I hope this helps to clear things up!  Do let me know if you have any other questions though.

    -Tom.
