UTM is Unified Threat Management system which is characterised as a type of virtual appliance or an appliance in the form of network hardware or as a cloud service to deliver protection to businesses from security threats in a simplified way by incorporating various security techniques and methods. UTM Web Protection. This is also included if you subscribe to our BasicGuard or FullGuard UTM license.

1. Utm Sw Web Protection
2. Sophos Utm Web Protection Setup
3. Sophos Utm Web Protection

Utm Sw Web Protection

Our Secure Web Gateway prevents malware infections and gives you control over your employees' web use. Spyware and viruses are stopped before they can enter the network. And, you can quickly create policies that set where and how employees spend time online

Highlights

• Prevent infection with dual, independent antivirus engines
• Enforce time-based web browsing policies
• Monitor web activity by users or department
• Maintain privacy with anonymity in reports
• Email scheduled reports directly to managers
• Hardware, virtualized, software or cloud- based appliance

Proven protection against web threats

We block the latest web threats using advanced techniques like javascript emmulation to detect malicious web code before it reaches the browser. It also prevents infected systems from calling home with sensitive data. Our engine inspects all HTTP, HTTPS, FTP, SMTP and POP3 traffic, including active content like Active X, Flash, cookies, VBScript, Java and JavaScript.

Customizable URL Filtering boosts productivity

Our continuously updated database contains over 35 million sites in 96 categories. This lets you create safe web browsing policies, minimizing legal concerns around inappropriate content and maximize productivity. Set up policy by user or group using a variety of authentication options including IP Address, Active Directory SSO, eDirectory SSO and LDAP.

Control apps - block Facebook, accelerate Salesforce

You get complete control to block, allow, shape and prioritize web applications with Deep Layer-7 inspection (Next-Generation Firewall). It identifies over 900 applications, and you'll get feedback on unclassified applications too. Download word excel powerpoint for mac.

Dynamic reports provide unrivalled insight

You get detailed reports as standard, stored locally with no separate tools required. Predefined and customizable reports show key web activity like domains visited and bandwidth consumed. At-a-glance flow graphs show usage trends by IP address or user name. And report anonymization hides user names, requiring the four-eyes-principle to unhide them.

HTTPS scans stop hidden threats

Our HTTPS Scanner covers a common blind spot – encrypted web traffic. It uses transparent de-encryption and re-encryption via a trusted man-in-the-middle technique to block malicious content. It also blocks programs tunneling over HTTPS, like anonymizing proxies. It also automatically validates certificates, taking the decision about which sites to trust away from users.

Technical specifications

Choose a hardware, virtual or software UTM

UTM hardware options support between 10 and 4000 users from a single appliance. Software appliances run on Intel- compatible PCs and servers. Virtual appliances are certified as VMware Ready and Citrix Ready and also run in Microsoft Hyper-V and KVM environments.

Required subscriptions

UTM Web Protection. This is also included if you subscribe to our BasicGuard or FullGuard UTM license.

Extend your protection

• Add UTM Network Protection all the Next-Gen Firewall features you need
• Add UTM Endpoint Protection to Sync endpoint and gateway web policies
• Add UTM Wireless Protection to simplify and secure Wi-Fi
• Add UTM Web App Firewall to harden your web servers and web applications

Pricing Notes:

• Pricing and product availability subject to change without notice.

Sophos Utm Web Protection Setup

Sophos Utm Web Protection

'Users' includes workstations, clients, servers, and devices that communicate through the firewall to reach the Internet. It also includes VPN connections from remote VPN clients ('road warriors') and from remote VPN gateways (each remote gateway counts as one user)

August 2015

Please note that republishing this article in full or in part is only allowedunder the conditions described here.

Intro

This article describes several ways of employing uncommon or invalid HTTPresponses to transport malware from server to client without being detected bySophos UTM Web Protection.All of these bypasses got reported to Sophos and most of them are fixed by now.

What is Sophos UTM Web Protection

Sophos UTM is a firewall with deep inspection capabilities, i.e. not a simplepacket filter. Formerly called IPS or Secure Gateway these class of firewallsare now mostly advertised as Unified Threat Managment (UTM) or Next GenerationFirewall (NGFW).

According totheirproduct page Sophos sees its UTM and Next-Gen Firewall as 'The UltimateSecurity Package' and sees itself as an 'Industry leader' because of reports ofGartner and 'Sophos SG Series was named Best UTM Solution at the SC Awards2015.'.

Web traffic is handled by Sophos UTM at the application layer by aproxy which allows deeper inspection and also modification of the content.

From theproduct description of Sophos UTM Web Protection:

We block the latest web threats using advanced techniques like JavaScript emulation andLive Protection cloud lookups to detect malicious web code before it reaches the browser. Italso prevents infected systems from calling home with sensitive data. Our engine inspectsall HTTP, HTTPS and FTP traffic, including active content like Active X, Flash, cookies,VBScript, Java and JavaScript.

Unfortunately, in order to inspect the web code their engine must get reliableaccess to the content first. And while the trivial bypass bysimply using the deflate compresssionwas fixed in 12/2014 a closer look revealed more bypass vectors.

Bypass Using Double Compression

The first bypass was possible by using multiple compressions at the same time.This is the same attack I've alreadypublished in 07/2013 where I reportedbypasses for several IDS and virustotal.com. And while Sophos UTM could not bebypassed if the first encoding was gzip, it could be bypassed when the firstencoding was deflate like in

The issue was reported to Sophos on 2015/05/03 and was fixed with version 9.314-13
on 2015/07/31. Affected are all browsers which support multiplecompressions, that is all modern browsers except Internet Explorer. Fromtheannouncement:

Unfortunately this short description does not tell the impact of the problem,i.e. the full bypass of protection. Nor does Sophos acknowledge that this bugreport came from an external researcher (me).

Bypass Using Weird Content-Length

The Content-length is used to give the size of the content. By using a weirdvalue for the Content-length together with line-folding another bypass was possible.To bypass the firewall with theEICAR test virus (68 byte) thefollowing response could be used:

Different variations of this bypass were possible.

The issue was reported to Sophos on 2015/05/13 and was fixed with version 9.314-13on 2015/07/31. All modern browsers are affected. I did not find anyissue in the change log pointing to this exact problem, but from thecommunicaton with Sophos I know that there was some code cleanup which probablyfixed this issue too.

Bypass Using Invalid Headers

Browsers are way too tolerant when parsing HTTP. It looks like that in case ofspecifically broken responses Sophos UTM does not inspect the content butinstead simply passes the broken response to the client. Such broken responseheaders might contain plain invalid header lines, fields which are notASCII-only or simple HTTP/0.9 responses which do not contain any headers.Example:

Or simply giving the HTTP version in lower case worked too:

All modern browsers are affected by this issue.It was reported to Sophos on 2015/06/25 and was partly fixed with version 9.314-13on 2015/07/31. But, this fix needs to be explicitly enabled byactivating the option 'Block unscannable and encrypted files' because Sophosseems to fear that customers run into compatibility issues with broken websites. They are probably right in that customers will notice if a web site getsbroken by the firewall but will not notice if a malicious website simplybypasses the firewall. Too bad a firewall should protect against the latter one:(

There is no specific issue in the change log about the bug and it's impact andthat it is not fixed in the default settings. Also, the issue is only partlyfixed since some bypasses still work (for more information try my test tooldescribed below).

Acknowledgments and Further Reads

Even though Sophos did not publically acknowdledge me for the bug reports and eventhough they did not manage to fix everything I still like to thank them fortheir courage to offer a version of their UTM for home use and that they are open for bug reports from outside.

And while these kind of bypasses can be trivially executed by an attacker oneshould be aware that firewalls from other vendors are not necessarily better inprotecting the client. I'm currently investigating reports that some highlypraised Next Generation Firewalls by other vendors can be bypassed with similartechniques.

Thus if you are behind a firewall and are not yet fully lulled into theadvertisements of your vendor you might want to check out by yourself howresistent your firewall is against these kind of attacks. This check might beas simple as pointing you browser to my test siteand run the 'Bulk test firewall evasion with EICAR test virus' there. This testtries to download the harmlessEICAR test virus which shouldbe detected by every virus scanner. But even though no harm will be done to yourcomputer by running these tests some firewall vendors still consider this test sitemalicious, maybe because it shows that their own products can be bypassed. Inthis case you might set up your own server by using thepublically available code.

Information about other kinds of bypasses at the application level can be foundat my page about employing the semantic gap forbypasses.