connectionsmili.blogg.se

Sophos home utm dpi





Greater encryption is usually at odds with network security and performance. In order to protect your network from threats, your firewall needs to be able to ‘read’ (decrypt) the encrypted traffic. This is done with SSL/HTTPS inspection, which usually comes with a range of issues including bogging down the performance of your firewall.

  • Use of insecure legacy crypto suites removed.
  • More efficient, faster, and secure key exchange.
  • Effectively leaving us with (only) TLS 1.2 and 1.3.


There is an ever-growing need for stronger cryptography on the public web. There have been several enhancements over the years and finally, in August 2018, there was an official consensus to standardize on the new TLS 1.3 protocol (RFC 8446). The iteration from TLS 1.2 took 10 years, longer than any other iteration before, so it is a significant step forward. Together with this, 2020 saw the deprecation of TLS 1.0 and 1.1.


Sophos XG’s XStream DPI engine was introduced in version 18, providing better performance when decrypting SSL/HTTPS traffic, including TLS 1.3. This effectively replaces the previous ‘Web Proxy’ decryption engine; however, there are a few features the Web Proxy engine provides that the XStream DPI Engine does not, including SafeSearch Enforcement and YouTube restrictions. For many organizations (especially education), enforcing SafeSearch and restricting YouTube is a must. Fortunately, with some creative firewall rules, you can get the best of both worlds and enable the faster DPI engine for most traffic while keeping the Web Proxy enabled for the situations that the DPI engine does not cover.






