
Strict Client internet restrictions with Sophos Firewall XG v19.0

Dear colleagues,

I would like to discuss methods of restricting a (Windows) client's internet access using only the Sophos firewall (XGS 3100 running 19.0 with full subscription), no client antivirus.

I researched some other topics concerning wildcard fqdn hosts like this one. Say there is one Host Host1 in a separated Network Zone LAN, and a certain Service running on this client, in need of Internet connection towards a certain (maybe even dynamic) set of FQDNs. For example (Windows/OS) Updates, or a Server-Client connection like TeamViewer, or any other installed Software.

The most intuitive guess of configuring would be a Firewall Rule as follows:

LAN Host1

WAN Wildcard-FQDNHosts (possibly dynamic FQDNHosts)

Required Services (HTTPS amongst others)

Probably no need for Web protection or Application Filter (as there is only this one host and only this well-defined number of destinations), IPS set to strict LAN to WAN, SSL/TLS inspection activated but no further configuration, as Web protection is not required in this scenario.

As Wildcard-FQDNHosts seem to not properly work, we were trying to widen the range of allowed Networks as follows:

LAN Host1

WAN InternetIPv4

Required Services (HTTPS amongst others)

Web protection with TLS inspection (LAN Host1 to WAN InternetIPv4 set to decrypt); in Web protection the allowed domains are specified via URL groups (thus including domains and their respective subdomains), with HTTP allowed (if included) and HTTPS allowed, and a default action of block.

With this rule it is possible to use the wanted services; however, a possible attacker with access to this machine would be able to connect with "telnet c&c.server.wan 443", as the firewall allows HTTPS to all of InternetIPv4, and since Telnet does not use HTTP(S), the Web protection and the TLS inspection will not stop it.

I figured Application Filtering should be added as well to solve this issue. Denying all worked out; however, HTTPS services were blocked as well. Creating a new Application filter based on Allow all with the settings "allow Smart filter = windows update" (as an example) and "deny All Applications" turned out not to work properly either (HTTPS worked, as did a Telnet test via 443).

In this scenario the created firewall rule was always in first position, directly followed by a second rule:
Reject

LAN Host1

Any Any

Any Service

Both rules have logging activated, to make sure that nothing goes missing.

Is it possible to restrict Internet access to a minimum, to have the smallest possible cross-section? How do you guys solve this problem?
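The gap the post describes (a plain Telnet session on TCP 443 passing a rule that was meant to allow "HTTPS") comes down to the rule matching on port, not on protocol. The following is an added example, not code from the post or from Sophos, that models what a protocol-aware check on such a flow has to do: look at the first client bytes, accept them only if they form a TLS ClientHello, and match the SNI name against a domain allow list. The `ALLOWED_DOMAINS` tuple, the `build_client_hello` sample generator and the `decide` policy are constructed for this illustration; the ClientHello layout it parses is the standard TLS record/handshake format. Non-TLS bytes on the port, a hello without SNI, and an unlisted name all fall through to a reject.

```python
import struct
from typing import Optional, Tuple

# Constructed allow list standing in for the poster's URL group; not a Sophos object.
ALLOWED_DOMAINS = ("windowsupdate.com", "update.microsoft.com")


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not captured traffic).

    With server_name=None the hello carries no extensions, i.e. no SNI.
    """
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeroed for the sample)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name + name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(first_bytes: bytes) -> Tuple[str, Optional[str]]:
    """Return ("tls", sni_or_None) if the bytes start a TLS ClientHello, else ("not-tls", None).

    Only the fields needed to reach the SNI extension are decoded. Anything malformed or
    truncated is treated as not-TLS, the safe default under a deny-by-default policy.
    """
    data = first_bytes
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return ("not-tls", None)
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return ("not-tls", None)
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return ("not-tls", None)

    pos = 2 + 32                                           # skip client_version and random
    if len(body) < pos + 1:
        return ("not-tls", None)
    pos += 1 + body[pos]                                   # session_id
    if len(body) < pos + 2:
        return ("not-tls", None)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return ("not-tls", None)
    pos += 1 + body[pos]                                   # compression_methods
    if len(body) < pos + 2:
        return ("tls", None)                               # valid hello, no extensions, so no SNI

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0000 and pos + 5 <= end:             # server_name extension
            q = pos + 2                                    # skip server_name_list length
            if body[q] == 0x00:                            # name_type host_name
                nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                return ("tls", body[q + 3:q + 3 + nlen].decode("ascii", "replace"))
        pos += elen
    return ("tls", None)


def decide(first_bytes: bytes) -> str:
    """Policy for a port-443 flow from the restricted host: allow only TLS to listed names."""
    kind, sni = classify(first_bytes)
    if kind != "tls":
        return "reject-not-tls"                            # e.g. a plain telnet/HTTP session on 443
    if sni is None:
        return "reject-no-sni"                             # cannot be matched against the domain list
    if any(sni == d or sni.endswith("." + d) for d in ALLOWED_DOMAINS):
        return "allow"
    return "reject-sni-not-allowed"


if __name__ == "__main__":
    # Constructed flows: the poster's "telnet on 443" case beside a legitimate update host.
    for label, sample in [
        ("windows update", build_client_hello("download.windowsupdate.com")),
        ("telnet on 443", b"hello from telnet\r\n"),
        ("unknown TLS name", build_client_hello("example.invalid")),
    ]:
        print(f"{label:18s} -> {decide(sample)}")
```

The point for the rule design above: a port-based "HTTPS" service object plus a URL group only constrains flows that the web proxy or TLS inspector actually sees as HTTP(S); whatever else the client sends to port 443 still has to be rejected by a layer that validates the protocol itself, and a deny-by-default second rule only helps if the first rule does not already match the non-TLS flow.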
