
Clientless Users vs. Static IP MAC Mapping

I'm attempting to set more defined rules for IoT devices. To make life easier, the first thing I've done is create a number of Clientless Users, with names assigned. This is to help me identify what is what on the network.

However, I've found what may be a more simple option (as opposed to adding a username, email address etc) under DHCP > Static IP MAC Mapping, with the ability to simply add a hostname. 


So, what's the difference between the two, or do they go hand in hand? Rather than create Clientless Users, can one just add a number of Static IP MAC Mapping entries and then create a firewall rule around those IP addresses? When viewing "Current activities", will the hostname display rather than IP addresses?



  • Hi,

    I use both and create dummy mail addresses. If you want names to appear, you need to use clientless as well as static mapping. Using clientless allows you to use groups for identification/authorisation in rules, e.g. you can restrict which device/s are allowed to use that rule.

    Ian

  • Hmm, quite a lot of work. Is there an easy way to locate a MAC address within the GUI, or should this be done with a 3rd party scanner?

  • Actually yes - it is quite a lot of work for those setups - tbh. 

    But Clientless users are important for the "layer 8 firewall concept". You can use those clientless users in firewall rules and reporting.

    There is a nice trick to work with: 

    I have multiple devices and multiple persons. So I create a clientless user group per person. Then I create each device as a user with an association to the proper group.

    For example: 

    Test (Group)

    Testphone (User)

    Testpc (User)

    TestTV (User)


    So I can reference Test (Group) in the firewall rule and allow the access to everywhere.

    If the person gets a new device, I simply add the IP to the Clientless group and the access will be allowed, etc.

  • In order for this to work:

    "So i can call the firewallrule : Test(Group) and allow the access to everywhere."

    Is your Default Network Policy set to Block All? Meaning that, if a new device enters the network, it can only have access ("will allow") after you've moved it into its corresponding Clientless Group?

  • XG blocks all traffic not matching any firewall rule.

    XG is a first-match firewall.

    XG replaces the user with the IP when looking for a matching firewall policy.

    So if XG knows UserA has IP 1.2.3.4 (for example a Clientless User), it will look for a matching rule for either UserA or for IP 1.2.3.4.

    If you place a rule for UserA (Zone LAN) as rule 1, it will always match.

    Then you create a second "default" rule below, with LAN to WAN. This will match for all other clients. 

  • Hmm, I'm still a little confused then on Default Network Policy.

    Let's start with an example with the following conditions:

    1. We have 10 IoT devices. Each IoT device has been set up as a "Clientless User".

    2. All IoTs have been placed into a group called "IOTs".

    3. In firewall rules, we want to block everything except HTTP, HTTPS and, say for example, NTP (I think this is probably enough for most IoTs).

    There seem to be two different ways to do this.

    The First Way - Default Network Policy is set to "LAN > WAN ALLOW ALL" (Sophos default out of box)

    We go to the firewall and we create a "Drop" rule. We cannot create an "Allow" rule, because the Default Network Policy already does that (top or bottom makes no difference in this case). We create:

    Action: DROP

    Source: Any (Devices: IOTs)

    Destination: Any

    Services: Unselect "any" and place a check mark next to every single service except HTTP, HTTPS and NTP (this part is a little cumbersome)

    The problem with this rule is that if someone plugs an IoT into my network, it has default access until I find the IP and restrict it. This of course is very highly unlikely. But I would imagine in a corporate environment the default setup above would be a bad idea (I'm no expert, just learning here). Also, it's more work to create a drop rule than an allow rule.


    The Second Way - Default Network Policy is set to "LAN > WAN DROP/REJECT ALL"

    We go to the firewall and we create an "Allow" rule. We cannot create a "Drop" rule, because the Default Network Policy is now set to default "Drop".

    Action: ALLOW

    Source: Any (Devices: IOTs)

    Destination: Any

    Services: HTTP, HTTPS, NTP (much faster this way because fewer check marks)

    With this method, in one sense, it's easier to create the firewall rule. But now it's more work because every time a new device is added, you must then go and give it permission. For home use, I think this is probably fine. But how do enterprise companies deal with this madness?


    I'm curious, how does a Sophos staff member set their default network policy? (Or suggested best practice) 


    By the way, you guys are awesome. I appreciate all of the advice. The more I dive into this, the more I realize Sophos is quite powerful. 

  • Hi,

    from my experience you will find http/s for IoT devices will not be enough. My IoT devices all use proprietary ports and not that much http/s.

    Of course you will not get https scanning because most IoT devices have no facility to import a CA and also the proprietary ports are not scannable.

    Ian

  • Hey Ian,

    Thanks, I suspected that might be the case. So it appears in the example that you provided that it's an allow rule. Does that mean you have a default deny in place? (This is really the only part of the firewall so far that's confusing me.)

    I ask because let's say I create a firewall rule for the IoTs. It's listed at the top, and perhaps I include HTTP, HTTPS, CUSTOM (just as an example, I know there are more) but I exclude PING from the service list (again just as an example). Well, the next rule down is the default "LAN > WAN allow all services/networks/etc". Won't this rule just allow whatever was excluded in the rule before it? Meaning that really, having a default LAN to WAN allow really screws up the other rules?
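The question above, and the "first way"/"second way" comparison and the first-match explanation earlier in the thread, can be checked with a small model. The following is an added example, not code from this thread or from Sophos: a toy first-match evaluator that resolves a source IP to a clientless user and its groups before matching, walks the rules top to bottom, and sends anything unmatched to a built-in default that drops. Every user, group, address, service and rule in it is constructed for the example; the three rule sets mirror the designs discussed (allow-all kept with an IoT drop rule listing the other services, an IoT allow rule sitting above allow-all, and explicit allows with no allow-all).

```python
"""Toy first-match firewall evaluator modelled on the behaviour described in the
thread: rules are checked top to bottom, the first match wins, a clientless user
maps an IP to a username (and via groups to group names), and traffic matching
no rule hits the built-in default, which drops.  Everything below is constructed
sample data, not a real configuration."""
from dataclasses import dataclass
from typing import Optional

# Constructed clientless-user table: IP -> username.
CLIENTLESS_USERS = {
    "192.168.1.50": "TestTV",
    "192.168.1.51": "Testphone",
    "192.168.1.60": "Doorbell",
    "192.168.1.61": "Thermostat",
}
# Constructed groups: group name -> member usernames.
GROUPS = {
    "Test": {"TestTV", "Testphone"},
    "IOTs": {"Doorbell", "Thermostat"},
}
# Constructed service objects: name -> (protocol, destination port).
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "NTP": ("udp", 123),
    "DNS": ("udp", 53), "SSH": ("tcp", 22), "PING": ("icmp", 0),
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "ALLOW" or "DROP"
    src_zone: str = "LAN"
    dst_zone: str = "WAN"
    identities: Optional[frozenset] = None   # user/group names; None = any source
    services: Optional[frozenset] = None     # service names; None = any service

@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str
    dport: int
    src_zone: str = "LAN"
    dst_zone: str = "WAN"

def identities_for(ip: str) -> set:
    """Resolve the source IP to its clientless user plus that user's groups."""
    user = CLIENTLESS_USERS.get(ip)
    if user is None:
        return set()          # unknown device: only identity-less rules can match
    return {user} | {g for g, members in GROUPS.items() if user in members}

def service_matches(rule: Rule, flow: Flow) -> bool:
    if rule.services is None:
        return True
    return any(SERVICES[s] == (flow.proto, flow.dport) for s in rule.services)

def evaluate(rules: list, flow: Flow) -> tuple:
    """Return (action, rule name) of the first matching rule; unmatched
    traffic goes to the built-in default, which drops."""
    ids = identities_for(flow.src_ip)
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if rule.identities is not None and not (rule.identities & ids):
            continue
        if not service_matches(rule, flow):
            continue
        return rule.action, rule.name
    return "DROP", "built-in default"

IOT_ALLOWED = frozenset({"HTTP", "HTTPS", "NTP"})

# "First way": out-of-box allow-all kept, IoT drop rule ticks every other service.
FIRST_WAY = [
    Rule("IoT drop", "DROP", identities=frozenset({"IOTs"}),
         services=frozenset(SERVICES) - IOT_ALLOWED),
    Rule("Default LAN to WAN", "ALLOW"),
]
# IoT allow rule on top, allow-all still underneath (the ordering asked about).
ALLOW_THEN_DEFAULT = [
    Rule("IoT allow", "ALLOW", identities=frozenset({"IOTs"}), services=IOT_ALLOWED),
    Rule("Default LAN to WAN", "ALLOW"),
]
# "Second way": explicit allows only; everything else falls to the built-in drop.
SECOND_WAY = [
    Rule("IoT allow", "ALLOW", identities=frozenset({"IOTs"}), services=IOT_ALLOWED),
    Rule("Test group allow", "ALLOW", identities=frozenset({"Test"})),
]

# Constructed sample traffic.
SAMPLE_FLOWS = {
    "doorbell https": Flow("192.168.1.60", "tcp", 443),
    "doorbell ssh": Flow("192.168.1.60", "tcp", 22),
    "doorbell mqtt": Flow("192.168.1.60", "tcp", 8883),      # port with no service object
    "unknown device ssh": Flow("192.168.1.99", "tcp", 22),   # not a clientless user
    "testphone ssh": Flow("192.168.1.51", "tcp", 22),
}

def run(rules: list) -> dict:
    """Evaluate every sample flow against one rule set."""
    return {label: evaluate(rules, f) for label, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, rules in (("first way", FIRST_WAY),
                        ("allow then default", ALLOW_THEN_DEFAULT),
                        ("second way", SECOND_WAY)):
        print(name)
        for label, (action, rule) in run(rules).items():
            print(f"  {label:20s} {action:5s} via {rule}")
```

Two things the model makes visible. With allow-all underneath, an IoT allow rule on top does nothing to stop the doorbell's SSH: the first rule fails to match, the second allows it. And the drop-list "first way" only blocks services it enumerates: the doorbell's connection to tcp/8883, for which no service object exists, and the unknown device that is not a clientless user both slip through to the allow-all rule. Only the allow-list "second way" ends at the built-in drop for both.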

  • Hi,

    you do not need a default drop rule unless you are interested in looking at what fails. All traffic that does not match a rule is handled by the XG inbuilt default rule, for which I have disabled logging.

    The reason I use the clientless groups in the allowed-groups rule is that I can manage where I place the rule and not worry about traffic bypassing my rules. I can also shuffle them around to see what effect the placement has on performance.

    Your default rule would come into play if your IoT devices use ports other than the allowed ones, so most of my rules are controlled by allowed clientless groups, except for NTP and some outgoing country blocking rules which sit at the top of the rule list.

    Ian
