Possible to bypass clientless filtering

I am a home user of Sophos XG.

My home network is broken out like this:

IP Ranges                          Purpose
172.16.16.1   - 172.16.16.19       Network Devices / Servers
172.16.16.20  - 172.16.16.149      Primary DHCP
172.16.16.150 - 172.16.16.169      Personal Phones / Tablets / Laptops
172.16.16.170 - 172.16.16.199      IOT Devices
172.16.16.200 - 172.16.16.219      Kid Devices w/ Filtering
172.16.16.220 - 172.16.16.229      Streaming Devices
172.16.16.230 - 172.16.16.254      Unassigned

I use static mapping in DHCP to assign the proper IP range. I have firewall rules for each of these groups based on the needs and desired protection for each of these. But I realized it’s possible to bypass those protections if a user on the kid devices group does a manual IP change on their device to a group that has less filtering. Is there a way to prevent this from happening? Should I enable most restrictive rules for all devices then bypass the one or two devices that need more access? My kids are only toddlers, so I’m not having this problem now; I’m just curious how I should handle it.

Is there a better way to set this up? All devices that have internet browsing capabilities are WiFi. No Ethernet PCs on my network.



  • Interesting question. I can think of these additional defenses:

    1) Restrict privileged logins on client devices, so that the IP address cannot be changed.

    2) Block any unused IP addresses in privileged ranges, so that they cannot be used. Guest devices should be drawn from the non-privileged address pool.

    3) Keep devices powered on to prevent a rogue user from taking its IP address. Most systems seem to resolve IP address conflicts in favor of the first device, so it should be difficult to change to an IP address that is in use.

    4) Use authentication for privileged users when operating on devices that support authentication.

  • Good call. I was skipping the device authentication on our iPhones just to make it easier. But I’m testing it out now and it’s super easy to use and get authentication on the network.

    What’s the best way to block unused IPs? All together I have about 55 IP devices in my house, so quite a few open IP ranges with varying access to the Internet at the firewall.

    The devices my kids use are severely locked down too. So this isn’t really a “problem”, just wanting to learn all the ins and outs, and have a relatively secure network at home.
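As an added illustration of defenses 2 and 3 above and of the "block unused IPs" question (example code written for this page, not from the thread or from Sophos), the check below takes the address plan from the original post, a set of static DHCP reservations and a neighbour-table snapshot, flags a reserved MAC that shows up in a different range than its reservation (the manual-IP-change case) plus unreserved MACs outside the DHCP pool, and lists the unreserved addresses in a range so they can go into an explicit deny rule. The MAC addresses, interface name and snapshot lines are constructed for the example.

```python
import ipaddress
# Address plan from the thread: group -> (first, last address)
PLAN = {
    "servers": ("172.16.16.1", "172.16.16.19"),
    "dhcp": ("172.16.16.20", "172.16.16.149"),
    "personal": ("172.16.16.150", "172.16.16.169"),
    "iot": ("172.16.16.170", "172.16.16.199"),
    "kids": ("172.16.16.200", "172.16.16.219"),
    "streaming": ("172.16.16.220", "172.16.16.229"),
}
# Constructed static DHCP reservations (hypothetical MACs): MAC -> reserved address
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "172.16.16.201",  # kid tablet
    "aa:bb:cc:00:00:02": "172.16.16.151",  # parent phone
}
# Constructed neighbour-table snapshot in the format `ip neigh` prints
NEIGH_SNAPSHOT = """\
172.16.16.201 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
172.16.16.155 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
172.16.16.151 dev wlan0 lladdr aa:bb:cc:00:00:02 STALE
172.16.16.160 dev wlan0 lladdr aa:bb:cc:00:00:99 REACHABLE
"""

def group_of(ip):
    # Map an address to its plan group; anything outside the plan is "unassigned"
    addr = ipaddress.ip_address(ip)
    for name, (lo, hi) in PLAN.items():
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return name
    return "unassigned"

def parse_neigh(text):
    # (ip, mac) pairs from `ip neigh` lines; entries without lladdr (e.g. FAILED) are skipped
    return [(f[0], f[f.index("lladdr") + 1].lower())
            for f in (line.split() for line in text.splitlines()) if "lladdr" in f]

def find_violations(pairs, reservations):
    # A reserved MAC seen outside its group, or an unreserved MAC outside the DHCP pool
    findings = []
    for ip, mac in pairs:
        seen = group_of(ip)
        if mac in reservations:
            expected = group_of(reservations[mac])
            if seen != expected:
                findings.append((mac, ip, f"reserved in {expected}, seen in {seen}"))
        elif seen != "dhcp":
            findings.append((mac, ip, f"unreserved device in {seen}"))
    return findings

def unused_addresses(group, reservations):
    # Addresses in a group with no reservation: candidates for an explicit deny rule
    lo, hi = (int(ipaddress.ip_address(a)) for a in PLAN[group])
    reserved = {int(ipaddress.ip_address(a)) for a in reservations.values()}
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1) if i not in reserved]
```

Run against a real `ip neigh` dump from the firewall or a Linux host on the LAN, the violations list is what to alert on, and the unused list feeds a host group in a deny rule placed above the per-range allow rules.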

  • Hi,

    I have all my addresses as clientless users. So you do not assign a clientless user to them until you are ready to use them; if they are not in a group and you use group checking in the firewall rules, they don't get out to the internet. Only really becomes a pain if you want to allow guest devices internet access.

    Ian
