https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116973#M21759 <P>Thanks <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11764">@Marcel_Gramalla</a>&nbsp;! Exactly what I want to hear - real life stories <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Yes indeed both pinned sites and TLS 1.3 will make life even more challenging and pushing more security to the endpoint itself.&nbsp;</P> <P>Indeed, logging detail is the biggest challenge in our PoC. But else it seems to work quite ok. With exception of Trusted CA list updates, that part seems a bit wobbly</P> Mon, 26 Apr 2021 20:16:01 GMT Kaspars_Zibarts 2021-04-26T20:16:01Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116947#M21742 <P>Bit of a philosophical question.&nbsp;</P> <P>There are many ways to filter your internal traffic going out to internet, i.e.</P> <UL> <LI>IP based filtering</LI> <LI>good old explicit proxy, with or without TSL interception</LI> <LI>transparent proxy / gateway with TLS interception</LI> <LI>or combination of both</LI> </UL> <P>All have pros and cons. IP based being least efficient. Explicit proxy often is a burden to automation or impossible to apply in certain instances, whereas transparent option with TLS interception is less "visible" to client itself but issues with certificates keep causing headaches plus interception is resource intensive and expensive.</P> <P>One option to avoid these challenges would be using "HTTPS lite" or&nbsp;Categorization of HTTPS sites without HTTPS inspection. So clients don't need to specify a proxy nor there is a "man in the middle" messing with certificates.</P> <P>But of course the downside is the information available in logs - you don't get full URLs, but service names worked out from TLS handshake as seen below. It does limit your ability to determine all risks associated with that connection.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11532i9BC6CBCC90793DA1/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>Would you accept this as a"sufficient information" log in your organisation? As highlighted above, classification is not 100%. Is that OK? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> <P>just wondering how you do it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Mon, 26 Apr 2021 14:06:11 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116947#M21742 Kaspars_Zibarts 2021-04-26T14:06:11Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116953#M21746 <P>Keep in mind we’re also using SNI information in current releases and we actually verify the SNI out-of-band.</P> Mon, 26 Apr 2021 15:39:13 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116953#M21746 PhoneBoy 2021-04-26T15:39:13Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116957#M21749 <P>Yes indeed, I have taken that into account and that's also the reason to compare different options available. HTTPS lite would be "cheaper" and faster but with less logging and filtering options</P> Mon, 26 Apr 2021 15:47:07 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116957#M21749 Kaspars_Zibarts 2021-04-26T15:47:07Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116971#M21757 <P>Hi,</P><P>first I have so tay that the categorization with SNI works very well on the Check Point gateways from my experience. But I also have to say that the depth of the logs wouldn't be enough for a detailed analysis when needed. For example in case of an security incident we might have to know the exact URLs that were used or see precise GET/POST messages.</P><P>Also the ability to block specific file types and scan for malware etc. would be a reason alone to not trust the categorization mode in the environments I know. But these are always scenarios with many clients involved and a high chance of a human click on the wrong URLs etc.&nbsp;</P><P>But to be honest we are not super happy with the full HTTPS Inspection either with Check Point. The main reason is because of Content Awareness (very few default Data Types, problems with some file types and the bad experience with UserCheck (the UserCheck Client helps but it's not very user friendly in general) and the lack of TLS 1.3 ("supported" in R81 but a feature that isn't enabled in default always sounds like a beta feature and also only with User-Mode).</P><P>&nbsp;</P><P>All experiences are based on R80.40.</P> Mon, 26 Apr 2021 18:33:28 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116971#M21757 Marcel_Gramalla 2021-04-26T18:33:28Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116973#M21759 <P>Thanks <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11764">@Marcel_Gramalla</a>&nbsp;! Exactly what I want to hear - real life stories <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Yes indeed both pinned sites and TLS 1.3 will make life even more challenging and pushing more security to the endpoint itself.&nbsp;</P> <P>Indeed, logging detail is the biggest challenge in our PoC. But else it seems to work quite ok. With exception of Trusted CA list updates, that part seems a bit wobbly</P> Mon, 26 Apr 2021 20:16:01 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116973#M21759 Kaspars_Zibarts 2021-04-26T20:16:01Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116976#M21761 <P>Happy to share some opinions in the community. We are working with TAC on two cases with problems in Content Awareness - the last one was handled very fast and good (had some bad experiences in the past as well). In one server only environment we don't use Content or Identity Awareness and that makes life so much easier and was also very easy to deploy.</P><P>Regarding the Trusted CA issue in the other thread I have to say that I never experience any real world issues there. Have to check, if I can validate your findings. Maybe I will post some insight there tomorrow as well <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 26 Apr 2021 20:26:26 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/116976#M21761 Marcel_Gramalla 2021-04-26T20:26:26Z https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/117038#M21779 <P>These are the ones that I have added so far:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11540i223C3FD24710C031/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Tue, 27 Apr 2021 12:59:27 GMT https://community.checkpoint.com/t5/General-Topics/quot-HTTPS-lite-quot-would-you-trust-it/m-p/117038#M21779 Kaspars_Zibarts 2021-04-27T12:59:27Z