
Firewall UTM

Hello esteemed community,

Here is what I am concerned with: at the majority of our customers we have Sophos appliances in use. However, they are always configured only so that the bare minimum of traffic gets out and that's it, i.e. Server -> Any -> Any, as an example.

As a curious apprentice who gets annoyed by half-done jobs, I then try to analyze the traffic as well as I can and refine these rules.

I wonder how other users handle the firewall. How many violations per day are "ok" or "don't matter"? Do you create a 3xA drop rule at the bottom of your rules so that the superfluous traffic is not logged? I also wondered whether the Sophos performs somewhat better as a result.



  • My thoughts:

    1) I push all web traffic through the web proxies, not through the firewall. This provides better logging information. More details at my post from last month.

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/101117/optimizing-web-proxy-lessons-learned

    2) When investigating whether traffic should be allowed or not, I enable logging. Once I identify some traffic that is necessary and repetitive, I drop logging. An example is DNS traffic from my internal DNS servers. (On the other hand, DNS from any other PC would be logged. After investigation, it would probably be blocked.) Similarly, I have started blocking UDP 443 because I don't want Google Chrome to operate in QUIC mode. I block the packets without logging, because the volume is high and the packets are not a threat.

    3) Next, I monitor the logs to understand my "normal" traffic profile. I am looking for blocked traffic that needs to be allowed, and for allowed traffic that is unexplained or questionable. Recently, I have been using the firewall logs to study UDP traffic.

    Philosophy:

    We block pretty aggressively. My boss says that if the users are not complaining, blocked traffic must not be a significant problem for them. He is right, but I still check the logs.

    I did this mental exercise recently: Assume only 1 in 10,000 web sites are hostile. Also assume that UTM blocks all but 1 in 10,000 attacks. That means my odds of a successful attack are 1 in 100,000,000. That seems pretty good. Then I counted how many web log entries I have per day. Depending on your user base and the amount of data that you log, you can reach 100,000,000 log entries pretty quickly. For me, it is probably about 3 months. If the goal is 0 infections, a penetration rate of 1 in 100,000,000 is not sufficient.

    I think of my network traffic as falling into three categories: essential, optional, and hostile. In order to block all of the hostile traffic, a lot of the optional traffic has to be blocked as well. That configuration is defensible, because what the organization requires to stay in business is only the essential traffic.

  • Also, I do not read the log files directly. I load the logs into a database and analyze the logs using database queries. This post explained the general approach and provided sample code.

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/100770/how-to-using-a-sql-database-to-interpret-utm-log-files

    Web proxy and reverse proxy (WAF) logs are more complicated. I'll provide the details on request.
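The workflow described in the reply (log everything while investigating, then stop logging only the drops that are high-volume and known-harmless, such as the UDP 443/QUIC case) can be scripted before the logs ever reach a database. The following is an added example, not code from the thread or from Sophos; it assumes the UTM packet-filter log lines are `key="value"` pairs, and the sample lines are constructed for illustration (fields trimmed to those the script needs).

```python
import re
from collections import Counter

# Constructed sample of Sophos UTM packet-filter log lines (assumed key="value"
# format, unneeded fields omitted). Four repetitive UDP 443 drops from one host,
# one SMB drop toward an internal server, and one accepted packet.
SAMPLE_LOG = """\
2019:05:02-08:00:01 utm ulogd[5412]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.0.0.21" dstip="172.217.16.100" proto="17" srcport="55123" dstport="443"
2019:05:02-08:00:02 utm ulogd[5412]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.0.0.21" dstip="172.217.16.100" proto="17" srcport="55124" dstport="443"
2019:05:02-08:00:03 utm ulogd[5412]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.0.0.21" dstip="172.217.16.102" proto="17" srcport="55125" dstport="443"
2019:05:02-08:00:04 utm ulogd[5412]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.0.0.21" dstip="172.217.16.102" proto="17" srcport="55126" dstport="443"
2019:05:02-08:00:05 utm ulogd[5412]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.0.0.33" dstip="10.0.0.5" proto="6" srcport="49211" dstport="445"
2019:05:02-08:00:06 utm ulogd[5412]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="10.0.0.21" dstip="10.0.0.2" proto="17" srcport="50001" dstport="53"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def summarize_drops(log_text):
    """Count dropped packets per (srcip, proto, dstport) across packetfilter lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("sub") != "packetfilter" or rec.get("action") != "drop":
            continue
        counts[(rec["srcip"], rec["proto"], rec["dstport"])] += 1
    return counts

def nolog_candidates(counts, threshold):
    """Drops at or above the threshold are the repetitive noise that a
    dedicated drop rule without logging could silence; everything below
    the threshold stays logged so it can still be investigated."""
    return [(key, n) for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    drops = summarize_drops(SAMPLE_LOG)
    for (src, proto, dport), n in nolog_candidates(drops, threshold=3):
        print(f"candidate for no-log drop rule: {src} proto {proto} -> port {dport} ({n} drops)")
    print(f"{len(drops)} distinct drop tuples; review the low-volume ones by hand")
```

The threshold is a judgement call: the reply only stops logging traffic that has already been identified as repetitive and not a threat, so the candidate list is a starting point for that investigation, not an automatic rule change.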
