Sophos Https Inspection

In a matter of weeks I am moving house to somewhere that thankfully has internet speeds over 50Mbps (currently on 1Mbps, yay for the UK internet) and have been looking at a filtering and firewall solution. For now I have gone with Sophos UTM 9 (home license) and have been playing around with it. I have enabled HTTPS inspection on the network, and because of that you need to install the CA on the clients so you don't get security warnings all over the place. I am wondering if anyone else has been using HTTPS inspection (with any firewall) and if this is viable for devices such as iPads and guest devices? Any suggestions would be welcomed.

Michael H - Computer Science student, aspiring Computer Goblin 

12 minutes ago, mickfoldee said:

In a matter of weeks I am moving house to somewhere that thankfully has internet speeds over 50Mbps (currently on 1Mbps, yay for the UK internet) and have been looking at a filtering and firewall solution. For now I have gone with Sophos UTM 9 (home license) and have been playing around with it. I have enabled HTTPS inspection on the network, and because of that you need to install the CA on the clients so you don't get security warnings all over the place. I am wondering if anyone else has been using HTTPS inspection (with any firewall) and if this is viable for devices such as iPads and guest devices? Any suggestions would be welcomed.

I use basic SSL inspection on my FortiGate, not full inspection; this checks things like whether the certificate is valid and not revoked or known to be compromised, etc.

I don't like doing full SSL inspection as this breaks the fundamental purpose of secure communication and the PKI framework. If I ever do deploy it then it must be made known that it is being done, and users must be advised not to log in to any personal banking sites or other places that are important.

You can do everything you need to without full SSL inspection; DNS lists, IP lists, categorised websites etc. give you enough vectors to block almost anything. I leave full SSL inspection to the most ultra-paranoid places that insist on having it. I don't even offer it; you have to want it.

Also keep in mind full SSL inspection is very CPU demanding: my FortiGate 60D has 1.5Gbps of firewall throughput but only 32Mbps of SSL inspection. Your Sophos VM will be able to do more than 32Mbps, though, but be warned it's not a CPU-free feature.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60D_Series.pdf
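The two posts above describe the same mechanism from opposite sides: the UTM's inspection CA has to be installed on every client (or browsers throw warnings), and once it is, the client can no longer tell a site's real certificate from one the proxy minted on the fly. The following Go program, an added example that is not from either poster or from Sophos/Fortinet, builds that situation in memory with the standard library's crypto/x509: a hypothetical "Example Public CA" stands in for the site's real issuer, "Example UTM Inspection CA" for the proxy, and bank.example is a constructed host name. It shows the proxy-issued certificate failing normal chain validation, passing once the inspection CA is trusted, and still failing a check against the pinned real issuer, which is how a client (or a pinned mobile app, the iPad case in the question) notices interception.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA mints a self-signed CA in memory. It stands in for both the public CA a site
// really uses and the UTM's inspection CA (hypothetical names, constructed for this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host with the given CA, which is what an
// inspecting proxy does on the fly for every HTTPS site a client visits.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ChainOK is the check a browser performs: the leaf must chain to a root in the
// trust store, be inside its validity period and match the requested host name.
func ChainOK(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// SignedBy reports whether the leaf's signature verifies under the pinned CA's key.
// Trusting the inspection CA makes ChainOK pass; it cannot make this pass.
func SignedBy(leaf, ca *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(ca) == nil
}

// Outcome collects the three results so a caller or test can inspect them.
type Outcome struct {
	TrustedWithoutCA bool // proxy-issued cert accepted before the inspection CA is installed
	TrustedWithCA    bool // the same cert after the inspection CA is installed
	RealIssuerSigned bool // the pinned public CA actually signed what the client received
}

// RunScenario has the inspection CA forge a certificate for host and evaluates it
// against a trust store without, then with, the inspection CA, plus the pinned issuer.
func RunScenario(host string) (Outcome, error) {
	var out Outcome
	publicCA, _, err := newCA("Example Public CA")
	if err != nil {
		return out, err
	}
	inspectCA, inspectKey, err := newCA("Example UTM Inspection CA")
	if err != nil {
		return out, err
	}
	forged, err := issueLeaf(host, inspectCA, inspectKey)
	if err != nil {
		return out, err
	}
	onlyPublic := x509.NewCertPool() // the client's store before the CA is deployed
	onlyPublic.AddCert(publicCA)
	withInspect := x509.NewCertPool() // the same store after the CA is deployed
	withInspect.AddCert(publicCA)
	withInspect.AddCert(inspectCA)
	out.TrustedWithoutCA = ChainOK(forged, host, onlyPublic)
	out.TrustedWithCA = ChainOK(forged, host, withInspect)
	out.RealIssuerSigned = SignedBy(forged, publicCA)
	return out, nil
}

func main() {
	out, err := RunScenario("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it gives TrustedWithoutCA false, TrustedWithCA true and RealIssuerSigned false: the installed CA is what turns the warnings off, and the last field is why pinned apps and guest devices that never received the CA break under full inspection, which is the practical reason for the "basic inspection only" advice above.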

Thanks for the reply Leadeater. Yeah, I am planning on running it in a VM on an old dual Xeon HP workstation; I was also planning on running 2012 R2 in another VM for AD authentication and remote access, so I would like the extra horsepower. I have not decided which virtualisation platform I will use; at the moment I am just running a small network in VMware for testing. After your advice I think I will go without SSL inspection. It doesn't seem to have much point in my environment and will only cause hassle for me and end users.
