
Required 'Services' (outbound protocol/ports)

Up until now, I’ve been running my firewall rules with the services (ports) set to ‘Any’ but I’d like to configure it such that only the services that I define are allowed. I know this will likely break a lot of things and require troubleshooting from time to time but it’s also a learning experience for me while creating a more secure home network. Based on some research, these are the ports I think I would need for basic web browsing and email:

Basic Web Browsing (i.e. Safari, Chrome, Firefox)

  • HTTP – TCP:80
  • HTTPS – TCP:443
  • DNS – TCP/UDP: 53 

Basic Email Client (i.e. Apple Mail w/ iCloud & Gmail)

  • IMAP – TCP:143
  • IMAP(S) – TCP: 993*
  • SMTP – TCP:25
  • SMTP(S) – TCP:587 (TLS)
  • SMTP(S) – TCP:465 (SSL) 

* These services are not created by default in Sophos XG.

Note: Not all of these are required depending on your setup. For example, I don’t use any of the unsecured ports or SSL for SMTP so I only needed TCP: 993 and TCP:587.

Is there anything else I’m missing for web browsing and email? One thing I’m not sure about is if ICMP is required for these two tasks. I was having some issues accessing Gmail via my Apple Mail application and after adding the ICMP service to my firewall rule, it appeared to be working again but that might have just been coincidence. 

As for the rest of the devices on my network, I’ve had pretty good luck finding the ports they require outbound but there’s some devices like Ring that appear to use ports beyond what’s listed on their website, which is frustrating. There’s also one device that the manufacturer claims they can’t provide that information for security reasons. 

Is there any way to drop all active connections (similar to what you can do in pfSense or OPNsense)? The reason being is after I make a change to a firewall rule, my understanding is that the firewall changes won’t apply to an already established connection so I have no way to really assess if my changes are working as intended or not.

Is there a way to log only ports that are being blocked?

Any additional information or inputs would be much appreciated. One thing I did notice is the ‘Policy Test’ tool in Sophos XG appears to show the wrong firewall rule. For example, I enter ‘www.google.com’ for the URL and set the ‘Source IP’ address to my Macbook Air. When I click ‘Test’, the results show up as expected except for the ‘Firewall Rule’ which is showing my last firewall rule which is not what my Macbook Air is using. Every device I test using this ‘Policy Test’ shows the same firewall rule.

  • You can first create the "allowed" rules for your services (btw, icmp is not needed for smtps/https) and just under a rule with all services allowed and log this one.

    So you can see what is used, and not in your basic rules, without breaking anything.

    And once in prod you can add a last rule (bottom) : from lan to wan/any services/denied and log. This way you see all blocked access.

  • Fabien Martinet said:

    You can first create the "allowed" rules for your services (btw, icmp is not needed for smtps/https) and just under a rule with all services allowed and log this one.

    So you can see what is used, and not in your basic rules, without breaking anything.

    And once in prod you can add a last rule (bottom) : from lan to wan/any services/denied and log. This way you see all blocked access.

    Thanks for the reply! That's a great idea and after doing some research, I'm going to run a slightly different strategy since I think a 'Deny All' outbound by default policy for a home network is a bit overkill and I'm not convinced it's actually that much more secure unless it was for a highly secured environment where only select protocols/ports were allowed access at specific times. Otherwise, for a home network, I have to open up so many ports anyways that a hacker/malware could easily just use a port that's known to be open (like TCP 80 and 443). Anyways, I'm sure some of you networking experts will have something to say about that which I'd love to hear about.

    What I've done is setup all of my devices as a MAC Host and specified which firewall rules they should apply to. I've also added a lot of new Services for the ports that my devices should be using for those specific firewall rules. But, like Fabien mentioned, I created another 'Allow All' rule below all of those with logging enabled so if any of the devices on my network require a protocol or port outside of what's specified in their firewall rule, it can still pass but it's logged so I can see it, do some research to make sure it's legitimate then create a new Service to add to that firewall rule. For example, I noticed my computers using UDP 80 and 443 which seemed odd to me but after doing some searching, it's Google's new QUIC protocol for web browsing so I created a new service for UDP 80 and 443 called QUIC and added that to the firewall rule my computers use.

    I also ran across this article on Egress Filtering by the SANS Institute which specifies protocols and ports that should never be allowed outbound on most networks. So what I've done is created a firewall rule that sits at the top which denies anything trying to leave my network on these protocols/ports. For this firewall rule, I added the services that Sophos XG already has created that were in the article, such as IRC and SMTP (I don't use unsecured SMTP), and created another service called 'Deny' for the rest of the protocols/ports.

    All of this is in addition to running Intrusion Prevention, anti-virus, web policies and advanced threat protection inside of Sophos XG. Additionally, I have a separate IDS/IPS system that runs between Sophos XG and my access point (Cujo), so I think I have a pretty secure setup for a home network.

  • Hi shred,

    a couple of items.

    1/. you do not need a default block all rule at the bottom of your rule list, the XG has one by default. During the last beta there was discussion about adding a block all rule that could cause issues with the XG default rule.

    2/. blocking unwanted ports at the top is a waste with the ports you are allowing out of your network, they will be dropped by the XG default rule because there is no match in the rule list to allow them out.

    3/. Hacks cannot access your network regardless of open ports in the XG unless you allow them in with incoming rules or you start a session to one of the hacker sites.

    4/. I assume you are not using any of the web or application functions so the web proxy will not be used. If you created a rule to allow http and https out then the UDP version is already covered. The next release of XG will have a QUIC block feature enabled because it is seen as a security risk bypassing application and web checking security.

    Ian

  • rfcat_vk said:

    Hi shred,

    a couple of items.

    1/. you do not need a default block all rule at the bottom of your rule list, the XG has one by default. During the last beta there was discussion about adding a block all rule that could cause issues with the XG default rule.

    2/. blocking unwanted ports at the top is a waste with the ports you are allowing out of your network, they will be dropped by the XG default rule because there is no match in the rule list to allow them out.

    3/. Hacks cannot access your network regardless of open ports in the XG unless you allow them in with incoming rules or you start a session to one of the hacker sites.

    4/. I assume you are not using any of the web or application functions so the web proxy will not be used. If you created a rule to allow http and https out then the UDP version is already covered. The next release of XG will have a QUIC block feature enabled because it is seen as a security risk bypassing application and web checking security.

    Ian

    Hey Ian,

    1. I'm not running a block all rule at the bottom of the list. I do remember those threads though and I understand Sophos XG is a stateful firewall so by default, it will block all incoming and only allow connections that were originated from the local network.

    2. As mentioned above, since Sophos XG is a stateful firewall, it will allow all connections outbound by default, so why would there have to be a rule to allow traffic outbound? What I'm doing (or at least I think I'm doing) is by creating a firewall rule at the very top that denies specific services (ports/protocols), if a device on my network tries to initiate a connection using one of those services I have blocked, it should assess it against that firewall rule (since it's first) and deny the connection from being made. At least that's what I think will happen in theory.

    Basically, that first deny rule is set with the Source: LAN, Any Host, Destination: WAN, Any Host, Services: As specified per above.

    3. While I understand someone can't access my network from the outside if no ports are exposed, I'm assuming the network is already compromised (i.e. malware got onto a device on the network) and now that device is initiating a connection outbound to retrieve or send more data. So the idea of egress filtering (controlling which ports are allowed outbound) isn't trying to prevent the network from being compromised, but how to mitigate the damage that can be done once it's compromised such that you have more time to resolve the issue before too much damage is done.

    4. I'm using Web policies and Scan HTTP & HTTPS, so the web proxy is being used. One of my firewall rules is for all of the computers on my network which has the HTTP and HTTPS service added. However, when I view both the HTTP and HTTPS service, they only apply to the TCP protocol. I think the web UI can be a bit misleading since the second column shows TCP/UDP as the protocol but it's the third column that shows specifically which protocol and ports apply. Here's a screenshot:

    Good to know about the security concerns with QUIC. I'll have to do some more research to see if the benefits of QUIC outweigh the security risk(s).

  • Hi shred,

    you are confusing a couple of issues:

    1/. a stateful firewall will examine packets to ensure they are valid and have a valid connection

    2/. if you do not have a firewall rule allowing traffic out then the stateful inspection will drop the packet, eg no connection. The same applies to incoming packets.

    3/. if your network is compromised then the traffic generated will be on allowed ports; usually the crackers have search software to find a way around security.

    ian

  • Ah, yeah I misspoke above - I'll correct that in the post so as to not spread incorrect information. I'd obviously need a rule for outbound traffic to specify who/what can establish a connection outbound, to which the "stateful firewall" will then allow traffic inbound on that connection. Also, I should clarify that when I'm talking outbound and inbound, I'm simply referring to traffic leaving my local network and entering the local network (as to not be confused with outbound/inbound in relation to each interface).

    I'd have to think about your last point some more as that still doesn't make sense to me. Let's say some malicious software got onto my network and at some point, that malicious code executes which tries to establish a connection with the hacker on UDP 69. Since that malicious software is on my local network, when it tries to establish a connection to the hacker on UDP 69, it should be denied since I have a firewall rule that does not allow outbound connections (LAN to WAN) on UDP 69. Now I'm sure any smart hacker would just use a protocol/port that is likely not blocked... but that's just the theory behind denying certain protocol/ports outbound.

  • Hi shred,

    assume worst case, you have installed some software on your PC which has a call home hack installed, the software will more than likely search through all the ports on your network until it can find a way out, so just putting an extra block in for the MS insecure ports is not going to stop the abuse, now the exception to this being if you are using 'any' as a service rather than the list of services that you are using.

    Now as you are using an independent IPS/IDS application you will not get the benefit of the XG IPS seeing these as internal attacks and blocking them. Further the XG IPS is part of the web and application security.

    Ian

  • rfcat_vk said:

    Hi shred,

    assume worst case, you have installed some software on your PC which has a call home hack installed, the software will more than likely search through all the ports on your network until it can find a way out, so just putting an extra block in for the MS insecure ports is not going to stop the abuse, now the exception to this being if you are using 'any' as a service rather than the list of services that you are using.

    Now as you are using an independent IPS/IDS application you will not get the benefit of the XG IPS seeing these as internal attacks and blocking them. Further the XG IPS is part of the web and application security.

    Ian

     
    Yeah, I definitely see what you're saying with your example but the important distinction is you're making the assumption that the malware is doing a network port scan to find a way out. I'm not saying there isn't malware out there that won't do that, I'm just saying what I explained above still holds true - having a firewall rule at the top will block the specified services from being used because the connection outbound will not be allowed to be established (on the denied services). I'm definitely no expert on computer hackers/malware but I wouldn't be surprised if there is, or ever will be, malware that tries to utilize some obscure protocol and/or port that most networks don't block (without doing a network scan). But the point you bring up is valid, and is one of the reasons I don't think a "block all" by default security is very effective for a home network.
     
    My independent IPS/IDS (Cujo) seems to work fine in conjunction with Sophos XG. My setup is:
     
    Internet Modem -> Sophos XG (DHCP server, router, firewall) -> Cujo IDS/IPS -> Apple Airport Time Capsule (access point for local network)
     
    All Cujo is doing is monitoring all of my traffic and doesn't alter the traffic in any way (meta data inspection from my understanding). Both Cujo and Sophos XG IDS/IPS will pick up stuff from time to time. It's redundant but they obviously use different threat libraries so some stuff Sophos XG doesn't pick up, Cujo will and vice versa. The only thing I don't like about it is no VLAN support so I'm running a separate Airport Express as a wireless access point for my guest network.
  • Hi shred,

    I think you completely miss the point: no rule, no internet access, very simple. No matter how hard the application tries, it will be dropped by the default rule.

    What do you mean by no vlan, the XG does vlans, but you need a smart switch?

    Ian

  • rfcat_vk said:

    Hi shred,

    I think you completely miss the point: no rule, no internet access, very simple. No matter how hard the application tries, it will be dropped by the default rule.

    What do you mean by no vlan, the XG does vlans, but you need a smart switch?

    Ian

     
    Sorry, one important assumption with everything I've been saying is that there is a firewall rule that sits at the bottom which allows access to all services. Here is an example (not what I'm actually running):
     
    Firewall Rule #1: Denies LAN, Any Host to WAN, Any Host; blocks IRC service.
    Firewall Rule #2: Allows LAN, Any Host to WAN, Any Host; allows DNS, HTTP, HTTPS services.
    Firewall Rule #3: Allows LAN, Any Host to WAN, Any Host; allows ANY service.
     
    When a new connection is trying to be made that is initiated from the local network, it will get to Sophos XG and begin assessing against the firewall rules to see if it's allowed. If that connection was someone trying to access some host using the IRC service, it matches Firewall Rule #1 which denies/blocks the connection from being made. It will no longer assess against any other firewall rules. Without Firewall Rule #1, it would eventually get to Firewall Rule #3 which allows access. Now, if I didn't have Firewall Rule #3, it would not match any firewall rule therefore be dropped by default, which is what I think you're saying.
     
    When I started this "experiment", I didn't have that firewall rule on the bottom but after realizing it's 1) a hassle and almost impossible to find every specific port each device uses without a lot of time/effort and 2) I'm having to open a lot of ports which goes back to your point - malware could do a quick scan for an open port, I decided to add the 'Allow All' rule on the bottom back but turn on logging. The idea is I'll do my best to setup custom services for protocols/ports that should be used, but anything outside of that will be logged based on the last firewall rule.
     
    I saw your other thread where it looked like you tried to do something similar - 'Deny All' by default. Did you ever get everything working the way you wanted? I just found that a lot of manufacturers list the ports their products should be using, but in reality they use more (Ring cameras, Apple devices, etc.). I figure I'd run the method I mentioned above and once I can create services for everything by watching my firewall logs, I can eventually get back to a 'Deny All' by default.
     
     
    As for the VLAN, I meant the Cujo IDS/IPS device I have doesn't do VLANs.
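
The rule ordering argued over in this thread (deny list at the top, known services next, an "allow ANY and log" rule at the bottom while learning, and the implicit default drop when nothing matches) can be checked without touching a live firewall. The following is an added example and not Sophos code: it models top-down, first-match evaluation as the posters describe it (an assumption about how the XG evaluates its rule list, not something verified here) and then counts which constructed flows only got out through the logged catch-all rule, which is exactly the list of candidate Services the "log and learn" approach from the earlier post produces. The device names, the odd UDP port and the service port sets are constructed for the example; the IRC range is the conventional 6660-6669.

```python
"""Egress rule ordering and 'allow-ANY-and-log' discovery, modelled in Python.

Added example, not Sophos code. It models the first-match, top-down
evaluation described in the thread (an assumption about the XG) so the
effect of each rule position can be checked on constructed flows.
"""
from collections import Counter
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str      # device name standing in for a MAC host
    proto: str    # "tcp" / "udp" / "icmp"
    dport: int    # destination port (0 for icmp)


class Rule:
    """A LAN->WAN rule. services=None means ANY service."""

    def __init__(self, name: str, action: str,
                 services: Optional[set], log: bool = False):
        self.name = name
        self.action = action        # "allow" or "drop"
        self.services = services    # set of (proto, port), or None for ANY
        self.log = log

    def matches(self, flow: Flow) -> bool:
        return self.services is None or (flow.proto, flow.dport) in self.services


# Service objects mirroring the ones the thread names. The port numbers are
# the ones discussed above, not a claim about what the XG ships with.
SERVICES = {
    "DNS": {("tcp", 53), ("udp", 53)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "QUIC": {("udp", 80), ("udp", 443)},
    "IMAPS": {("tcp", 993)},
    "SMTP-TLS": {("tcp", 587)},
    "SMTP": {("tcp", 25)},
    "TFTP": {("udp", 69)},
    "IRC": {("tcp", p) for p in range(6660, 6670)},
}


def service_set(*names: str) -> set:
    """Union of named services, for building one rule's service list."""
    return set().union(*(SERVICES[n] for n in names))


def evaluate(rules, flow: Flow):
    """First matching rule wins. No match at all -> the implicit default drop."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name, rule.log
    return "drop", "default", False


def learn_candidates(rules, flows) -> Counter:
    """Count flows that only got out via a logged allow-ANY rule.

    Each key (device, proto, port) is a candidate for a new Service on that
    device's rule, once it has been checked as legitimate.
    """
    hits = Counter()
    for flow in flows:
        for rule in rules:
            if rule.matches(flow):
                if rule.services is None and rule.action == "allow" and rule.log:
                    hits[(flow.src, flow.proto, flow.dport)] += 1
                break
    return hits


# Rule #1 (top): services that should never leave the LAN, logged so a hit is visible.
TOP_DENY = Rule("deny-never-egress", "drop", service_set("IRC", "SMTP", "TFTP"), log=True)
# Rule #2: what the computers are known to need for web and mail.
COMPUTERS = Rule("computers-web-mail", "allow",
                 service_set("DNS", "HTTP", "HTTPS", "QUIC", "IMAPS", "SMTP-TLS"))
# Rule #3 (bottom): allow ANY and log, used only while learning what devices use.
CATCH_ALL = Rule("allow-any-and-log", "allow", None, log=True)

STRICT = [TOP_DENY, COMPUTERS]               # no catch-all: unknown traffic hits default drop
LEARNING = [TOP_DENY, COMPUTERS, CATCH_ALL]  # unknown traffic gets out, but is logged

# Constructed flows; the device names and the odd UDP port are made up.
FLOWS = [
    Flow("macbook", "tcp", 443),
    Flow("macbook", "udp", 443),     # QUIC
    Flow("macbook", "tcp", 6667),    # IRC: stopped by rule #1 in both rule sets
    Flow("iot-cam", "udp", 69),      # TFTP: stopped by rule #1
    Flow("iot-cam", "udp", 15063),   # undocumented port, seen twice
    Flow("iot-cam", "udp", 15063),
    Flow("printer", "tcp", 5222),
]


if __name__ == "__main__":
    for label, rules in (("STRICT", STRICT), ("LEARNING", LEARNING)):
        print(f"== {label} ==")
        for flow in FLOWS:
            action, name, logged = evaluate(rules, flow)
            print(f"{flow.src:8} {flow.proto}/{flow.dport:<5} -> {action:5} by {name}"
                  + ("  [logged]" if logged else ""))
    print("candidates to turn into Services:", dict(learn_candidates(LEARNING, FLOWS)))
```

Running it shows both sides of the disagreement at once: with STRICT the IRC flow is dropped by rule #1, but removing rule #1 changes nothing because the default drop catches it anyway (Ian's point), whereas with LEARNING the top deny rule is the only thing standing between that flow and the allow-ANY rule (shred's point). The candidate list is what you would review before turning a logged port into a Service; nothing here verifies the port is legitimate, which is still the manual step described in the thread.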