FW4005 19.0v1 Sophos Firewall Web Protection Overview


Sophos Firewall Web Protection Overview

Sophos Firewall
4005: Sophos Firewall Web Protection Overview

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Sophos Firewall Web Protection Overview - 1


Sophos Firewall Web Protection Overview

In this chapter you will learn how Sophos Firewall can provide web protection as a transparent or
explicit proxy.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The multiple layers of protection provided by Sophos Firewall to detect and block attacks

DURATION
10 minutes



Web Protection Overview

Protection

• Scan for malware with two antivirus engines
• Sophos zero-day protection cloud-based sandbox scanning
• Scan for potentially unwanted applications

Control

• Allow, warn, block and quota access to web content
• Apply rules to users and groups
• Control content based on categories, file types, URLs and content
• Surfing quotas

Web Protection on Sophos Firewall can be used to defend against malware and to control user
behaviour.

Sophos Firewall can scan for malicious content using two antivirus engines, Sophos and Avira, and
if additional checking is required, it can leverage zero-day protection, a Sophos cloud-based
sandbox solution. In addition to malicious content, you can also choose to block potentially
unwanted applications from being downloaded onto your network.

You can improve your network security by blocking access to risky websites and applying controls
to users’ browsing behaviour. Sophos Firewall comes with several predefined policies to get you
started, which can be further customized to meet your needs.



Web Protection Overview

Transparent

Explicit

Web filtering on Sophos Firewall can be done either transparently, intercepting traffic as it passes,
or as an explicit proxy, where clients are configured to use the Sophos Firewall as their web proxy.



DPI vs. Web Proxy Filtering

DPI

✓ Port agnostic protocol detection
✓ Support for FastPath
✓ Decrypts TLS 1.3 traffic
✓ Offloads traffic trusted by SophosLabs

Web Proxy Filtering

✓ Enforce SafeSearch
✓ Apply YouTube restrictions
✓ Explicit proxy mode

The DPI (Deep Packet Inspection) engine can perform web filtering for improved performance;
however, you can still choose to use the legacy web proxy. Let’s take a look at some of the
differences between DPI and web proxy filtering.

DPI implements proxy-less filtering handled by the IPS (Intrusion Prevention System) engine. It
provides port agnostic protocol detection and supports the partial or full offload of traffic flows to
the network FastPath. It can decrypt and scan TLS 1.3 traffic and offloads the traffic trusted by
SophosLabs.

In comparison, you may want to use the web proxy filtering to enforce SafeSearch or YouTube
restrictions, or because your clients are configured to use the Sophos Firewall as an explicit proxy.

Let’s take a closer look at how the traffic is processed in each of these scenarios.



Firewall Rule > Security Features

The Security Features section of the Firewall Rules provides settings to choose between the DPI
Engine and Web Proxy for each individual rule.



DPI Filtering

[Diagram: traffic to sophos.com on ports 80, 443 and 8080 arriving at the Firewall. Web Proxy
stages: Decrypt HTTPS, Web Policy, Content Scan. DPI Engine stages: SSL/TLS Rules, Web Policy,
Content Scan, App Control, IPS. FastPath.]

With the configuration shown here, all traffic is handled by the faster DPI engine, which performs
IPS, proxy-less web filtering and SSL decryption for HTTP and HTTPS on any port, using port
agnostic protocol identification.

In this configuration the SSL/TLS inspection rules are used to manage the decryption of secure web
traffic.

Using the DPI engine allows the Sophos Firewall to offload safe traffic to the FastPath. This is done
for traffic that the Sophos Firewall qualifies as being safe, or that matches identities for SophosLabs
trusted traffic.



Web Proxy Filtering

[Diagram: traffic to sophos.com on ports 80, 443 and 8080 arriving at the Firewall. Web Proxy
stages: Decrypt HTTPS, Web Policy, Content Scan. DPI Engine stages: SSL/TLS Rules, Web Policy,
Content Scan, App Control, IPS. FastPath.]

If you enable the web proxy, then HTTP and HTTPS traffic on ports 80 and 443 will be processed by
the web proxy for decryption, web policy and content scanning, before being handed to the DPI
engine for application control and IPS.

HTTP or HTTPS traffic on other ports will still be handled by the DPI engine.

The web proxy is also used in explicit proxy configurations.

When the web proxy is being used none of the traffic can be offloaded to the FastPath.



Deploying Sophos Firewall for Web Protection

Gateway or mixed mode deployments

[Diagram: Sophos Firewall between the LAN Zone and the WAN Zone (Internet). Callout: Filter web
traffic.]

If the Sophos Firewall is the network gateway or will be replacing an existing gateway, then web
filtering can simply be enabled for the traffic passing through it.

This deployment scenario is ideal as all traffic must pass through the Sophos Firewall before being
allowed out to the Internet. As such, all traffic entering the network must also pass through the
Sophos Firewall before reaching clients. By implementing in this fashion, all web traffic can be
scanned, decrypted, sent to zero-day protection if needed, and controlled so that users cannot
violate company policy, and hackers cannot pass unseen.

In this deployment scenario, the Sophos Firewall can be used as both a transparent and explicit
proxy.



Deploying Sophos Firewall for Web Protection

Bridge mode deployments

[Diagram: Sophos Firewall, Firewall, Internet. Callouts: Transparently filter web traffic; Other
networks such as DMZ will not be filtered.]

In scenarios where the Sophos Firewall will not be the primary network gateway there are two
deployment options.

The first is to add Sophos Firewall to the network in bridge mode, allowing it to transparently filter
the web traffic. This is a good solution if the existing edge device will not be replaced. As with
the previous solution, anyone behind the Sophos Firewall will not be able to bypass the filter and
will have their traffic inspected. The only exception would be if there were another network, such
as a DMZ hosting public servers, behind the edge firewall.



Deploying Sophos Firewall for Web Protection

Explicit proxy deployments

[Diagram: Switch, Firewall, Internet, Sophos Firewall. Callouts: Configure clients to use Sophos
Firewall as web proxy; Allow web traffic from Sophos Firewall only.]

The other option is for the Sophos Firewall to be on the network but not in the direct flow of
traffic, and to have the clients configured to use it as an explicit proxy.

In this configuration, the Sophos Firewall doesn’t have any control over traffic that is sent directly
to the default gateway, and so it is important that the edge device is configured to only allow web
traffic from allowed devices, including the Sophos Firewall.
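
One way to check the edge-device requirement described above, as an added example that is not part of the Sophos material: it replays sample hosts against an ordered rule list and reports any host other than the Sophos Firewall that can reach web ports directly. The rule format, rule names, addresses and first-match ordering are assumptions made for the illustration.

```python
import ipaddress

# Ports treated as web traffic; 8080 is included because the diagrams on this
# page show web traffic on that port.
WEB_PORTS = (80, 443, 8080)

# Constructed edge-device rules in a hypothetical simplified format, evaluated
# top-down with the first match winning (an assumption; check your device).
# ports=None means any destination port.
EDGE_RULES = [
    {"name": "proxy-web",   "src": "10.0.0.5/32", "ports": {80, 443}, "action": "allow"},
    {"name": "it-admins",   "src": "10.0.9.0/24", "ports": None,      "action": "allow"},
    {"name": "block-web",   "src": "10.0.0.0/16", "ports": {80, 443}, "action": "deny"},
    {"name": "default-out", "src": "0.0.0.0/0",   "ports": None,      "action": "allow"},
]

# Constructed sample hosts: the Sophos Firewall (proxy), a client, an admin PC.
HOSTS = ["10.0.0.5", "10.0.20.17", "10.0.9.30"]
ALLOWED = {"10.0.0.5"}

def first_match(rules, src_ip, port):
    """Return the first rule matching this source address and destination port."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_src = ip in ipaddress.ip_network(rule["src"])
        in_ports = rule["ports"] is None or port in rule["ports"]
        if in_src and in_ports:
            return rule
    return None  # no match: treated here as an implicit deny

def direct_web_paths(rules, hosts, allowed):
    """List (host, port, rule name) where a non-allowed host reaches the web directly."""
    findings = []
    for host in hosts:
        if host in allowed:
            continue  # the proxy itself is expected to reach the web
        for port in sorted(WEB_PORTS):
            rule = first_match(rules, host, port)
            if rule is not None and rule["action"] == "allow":
                findings.append((host, port, rule["name"]))
    return findings

if __name__ == "__main__":
    for host, port, name in direct_web_paths(EDGE_RULES, HOSTS, ALLOWED):
        print(f"{host} can reach port {port} directly via rule '{name}'")
```

In this constructed rule set the broad "it-admins" rule sits above the web deny and shadows it, and the deny does not cover port 8080, so both show up as paths around the proxy.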



Transparent vs. Explicit Proxy

Transparent

• Typically deployed at the gateway
• Does not require client configuration
• Client (operating system/browser/application) is unaware the traffic is being filtered
• Users cannot circumvent the filtering

Explicit

• Requires client (operating system/browser/application) to be configured with the proxy details
• Firewall must be configured to only allow web traffic from the proxy to prevent users from
  circumventing it

The key differences between transparent and explicit proxy web filtering are:

In a transparent proxy configuration, the proxy is typically deployed at the Internet gateway and
the proxy service is configured to intercept traffic for a specified port. The client (e.g., browser,
desktop application etc.) is unaware that traffic is being processed by a proxy. For example, a
transparent HTTP proxy is configured to intercept all traffic on port 80/443. This provides a
standard enterprise configuration where all clients routed to the Internet will be filtered and
protected, no matter what the end users do or change on their machines. An added benefit is a
reduction of client-proxy configuration troubleshooting. Transparent proxies also handle mobile
and guest devices without any additional configuration.

In an explicit proxy configuration, the client is explicitly configured to use a proxy server, meaning
the client knows that all requests will go through a proxy. The client is given the hostname, IP
address, and port number of the proxy service. When a user makes a request, the client connects
to the proxy service and sends the request. The disadvantage of the explicit proxy is that each
client must be properly configured to use the proxy.
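
The difference between the two modes is visible in the HTTP request line itself, shown here as an added example that is not part of the Sophos material: a client configured with a proxy sends the full URL or a CONNECT request, while a client unaware of any proxy sends only the path. The request-target forms are those defined in RFC 9112; the sample request lines and function names are constructed for the illustration.

```python
from collections import Counter

def request_target_form(request_line):
    """Classify the request-target of an HTTP/1.1 request line (RFC 9112 forms)."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "invalid"
    method, target, _version = parts
    if method == "CONNECT":
        return "authority"   # CONNECT host:port, a tunnel request made to a proxy
    if target == "*":
        return "asterisk"    # server-wide OPTIONS request
    if target.lower().startswith(("http://", "https://")):
        return "absolute"    # full URL, sent by a client that knows its proxy
    if target.startswith("/"):
        return "origin"      # path only, sent by a client unaware of any proxy
    return "invalid"

def proxy_mode_seen(request_line):
    """Map the request form to the proxy mode the client appears to be using."""
    form = request_target_form(request_line)
    if form in ("absolute", "authority"):
        return "explicit"
    if form == "origin":
        # What a transparent proxy intercepts, or what a server receives directly.
        return "transparent-or-direct"
    return "unknown"

def summarize(request_lines):
    """Count how many request lines fall into each mode."""
    return dict(Counter(proxy_mode_seen(line) for line in request_lines))

# Constructed request lines as they might appear at a proxy listener.
CAPTURE = [
    "GET http://example.com/index.html HTTP/1.1",
    "CONNECT example.com:443 HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "not an http request",
]

if __name__ == "__main__":
    print(summarize(CAPTURE))
```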



Chapter Review

DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic
protocol detection and supports offload of traffic flows to the network FastPath. It can
decrypt and scan TLS 1.3 traffic.

When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be
processed by the web proxy for decryption, web policy and content scanning before
being handed to the DPI engine for application control and IPS.

If Sophos Firewall is the network gateway, web filtering can be enabled for the traffic
passing through it. When it is not the primary network gateway it can operate in bridge
mode, transparently filtering the web traffic, or be configured as an explicit proxy.

Here are the three main things you learned in this chapter.

DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic protocol
detection and supports the partial or full offload of traffic flows to the network FastPath. It can
decrypt and scan TLS 1.3 traffic.

When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be processed by the
web proxy for decryption, web policy and content scanning before being handed to the DPI engine
for application control and IPS. Add Sophos Firewall to the network in bridge mode, allowing it to
transparently filter the web traffic.

If Sophos Firewall is the network gateway, then web filtering can be enabled for the traffic passing
through it. When Sophos Firewall is not the primary network gateway it can operate in bridge
mode, allowing it to transparently filter the web traffic, or be configured as an explicit proxy.
