sophos

Implementing Exceptions in Sophos UTM Without Relaxing Security

by

Etienne Liebetrau

Etienne Liebetrau

Any firewall or proxy administrator who has had to maintain a deployment for any period of time will confirm that the only constant is change. It's as if users need varying levels of access during different phases of the moon, on even years only, excluding leap years, for people with birthdays that are on prime numbered days, but not months, who also happen to be wearing purple on any given day. Slight exaggeration, but you know what I mean.

The unfortunate reality is that users often legitimately need the access that they are requesting, and that problem sites are most often secondary content providers such as CDNs like Akamai. The elements they need to access also tend to vary from site to site. One site might present an expired HTTPS certificate, while another site might be fine on the HTTPS front but has caching related issues.

A good firewall needs to be able to enforce strong, strict rules, but it also needs to be flexible enough to allow web browsing exceptions. Such exceptions should not (negatively) affect the overall security because they are too vague or too relaxed.

Web Protection exceptions in Sophos UTM offer both of these features, in a simple to use and administer solution.

Web Protection Exceptions in Sophos UTM

Sadly, network security is somewhat of a double-edged sword. Almost all features Sophos UTM offers to enhance security for your network have the potential to break or block content on websites. That said, this should be the exception (no pun intended), and not the norm.

Typically, if you need to create an exception for a site, it is because of something non-standard or non-compliant. Web browsing exceptions allow you to selectively turn off security features that are causing issues with specific sites.

Exceptions are segmented according to security categories:

  • General
    • Authentication
    • Caching
    • Block by Download Size
  • Antivirus
    • Antivirus – Scanning
    • Extension Blocking
    • MIME Type Blocking
    • Download / Scan Page
  • Content Filter
    • URL Filter
    • Content Removal
  • HTTPS Scanning
    • SSL Scanning
    • Certificate Trust Check
    • Certificate Date Check
  • Logging
    • Accesses Pages
    • Blocked Pages

Exception Conditions

Configuring an exception not only requires you to specify which security check to disable, but also when to do so. Being able to be accurately specify the condition(s) where that exception must be applied is crucial for maintaining the overall security of the rule, and subsequently the network.

Sophos UTM allows you to specify exceptions based on:

  • Coming from source networks
  • Coming from source endpoint groups
  • Matching URLs
  • Coming from users/groups
  • Going to categories of websites
  • Coming from user agents
  • Going to tagged websites

Using Regular Expressions in Sophos UTM Exceptions

The Target Domains and User Agents fields allow you to specify wildcards and regular expressions, enabling exceptions based on the client type and the destination. Regular expressions are extremely powerful in what they allow you to specify. This is significantly superior to simply sticking an "*" in the URL. Here are two examples:

  • ^https?://

    [^.]*\.domain.com

  • ^https?://([A-Za-z0-9.-]*\.)?microsoft\.com/

For more detailed information on understanding and generating your own REGEX, see Sophos' article on Regular Expressions for Defining URL Patterns in Sophos UTM.

I personally also use RegExTester.com to test my expression to see if they match what I expect them to match.

What’s more is that Sophos UTM allows you to string together the conditions with either “and” or “or” operators**.** This method allows you to specify up to seven conations of extremely specific matching rules.

Building Exceptions in Sophos UTM

Let's put together an exception that will do the following and only the following:

  1. Allow only a specified computer on the network,
  2. using only Chrome as the browser,
  3. to access a site signed with an untrusted site certificate,
  4. to download an .exe  file,
  5. without requiring the user agent to authenticate.

Sound complicated? Don't worry the steps are set out below. And you will see that other than the Regular expressions, it's pretty straight forward.

  1. Open the Sophos UTM management console and browse to: Web Protection | Filtering Options | Exceptions | + New Exception List….
  2. Name: FastvueDownloads
  3. Comment: Allow Fastvue Product Downloads with security exceptions
  4. Skip These Checks: Authentication, Extention Blocking, Certificate trust check, Certificate Date check
  5. Matching these URLs:  ^https?://[A-Za-z0-9.-]*installs\.fastvue\.co([A-Za-z0-9.-\/]+)\.exe
  6. AND
  7. Coming from these Networks : Select a server from the internal network
  8. AND
  9. Coming from the user agent Strings: .[A-Za-z0-9.-]*Chrome*
  10. Click Save and Enable the exception with the toggle switch

Web Browsing Execptions - With Sophos UTM

 

Web Exceptions Affects on Logging and Reporting

The exception does provide the option to enable logging of Accessed pages and Blocked pages. Unless you explicitly enable this logging, all traffic being allowed (or blocked) by an exception will not show up in the Web Filter live log. With these logging options enabled you will see that exceptions are listed as part of the log record in a field named exceptions.

The image below shows a few log records where exceptions are applied. Fastvue Sophos Reporter will therefore still pick up and report on this traffic providing logging is enable in web browsing exceptions.

Web Browsing Execptions - Sophos UTM logging

Using Fastvue Site Clean to find website domains to exclude

Unfortunately, adding an exception for the website domain that a user needs to access is often not enough to enable the website's full functionality, as the content of a website (images, videos, scripts etc) may be hosted on CDNs such as Akamai. For example, when you browse facebook.com, most of the content actually comes from akamaihd.net.

One of the central features of Fastvue Sophos Reporter is Site Clean. Site Clean is a comprehensive algorithm baked into all web reports to help identify the actual site visited, rather than simply showing the domains of every CDN, advertising banner and social sharing widget that make up the content of web pages.

You can use the Clean (on) , Clean (off) and Show Both options in Fastvue Sophos Reporter's Overview Reports to view the domains that a particular website uses, and then add these to your exclusions.

This video shows how to use Fastvue Site Clean to find all the domains used to build nationalgeographic.com.

Conclusion

Web browsing exceptions in Sophos UTM are flexible and powerful. The near-infinite options, enable you to apply exceptions without relaxing the security of your general rules. Getting to grips with Regular Expressions can seem a little daunting at first, but you will soon appreciate the flexibility they provide. There are stacks of regex resources on the web, and finding the expression you need is usually a simple google search away.

OK. So they don't let you define “Different phases of the moon on even years only, etc...” But Sophos UTM's web browsing exceptions certainly provide reasonable conditions and scope for very selective exclusion.

Further Resources:

Take Fastvue Reporter for a test drive

Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.

  • Share this story
    facebook
    twitter
    linkedIn

Attacking and Testing Sophos SG Web Application Firewall

Learn how to set up a Sophos SG Web Application Firewall testing environment where you can test and hone your WAF configuration skills.
Sophos

Attacking and Testing Sophos XG Web Application Firewall

Continuing our series on the Web Security Dojo, now testing Sophos XG web application firewall with easy to follow step by step instructions.
Sophos