
DNS in an emergency rule setup

Good day everyone!

I am currently implementing an emergency firewall ruleset, which looks like this:

- Allow all communications towards Sophos Central (for Live Response etc. to work)

- Allow all communications coming from the physical Management Port of the firewall

- Drop everything else

In case of an emergency (ransomware outbreak or whatever), the plan would be to enable this set of rules to prevent any potentially malicious communication from happening, while still allowing the MDR team to get to work.

On top of that, I was considering adding an ACL exception drop rule to further restrict communications towards services of the firewall. Sadly, these rules cannot be added and kept disabled, as is possible with firewall rules. At least to my knowledge?

Another thing I haven't quite found a solution for: How can I prevent all DNS resolution (the firewall is the main source of DNS internally) except towards specific domains (Central...)? I was thinking this could maybe be implemented using a custom IPS rule?

Has anyone ever done anything like this and can share some ideas?

Thanks in advance!

Regards,

Ben
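The DNS allowlist the question asks about, as an added illustration that is not part of the original post and not a Sophos feature: a small Python checker that parses the QNAME out of a raw DNS query and allows it only when it matches a placeholder list of domain suffixes (`central.example` and `updates.example` stand in for whatever names the MDR tooling actually needs; the real endpoint names must come from vendor documentation). Everything else, including malformed queries, is dropped, which is the emergency-mode behaviour described above.

```python
import struct

# Placeholder suffixes (assumed for this example, not real Sophos endpoints).
ALLOWED_SUFFIXES = ("central.example", "updates.example")


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from a DNS query in wire format."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        length = packet[pos]          # IndexError on a truncated name
        if length == 0:
            break
        if length & 0xC0:             # compression pointers do not belong in a query name
            raise ValueError("unexpected label pointer")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def is_allowed(qname: str) -> bool:
    """Exact match or a true sub-domain of an allowed suffix; 'evil-central.example' must not pass."""
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query (constructed sample, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decide(packet: bytes) -> str:
    """Return 'allow' or 'drop' for one DNS query; anything unparsable is dropped."""
    try:
        qname = parse_qname(packet)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "drop"
    return "allow" if is_allowed(qname) else "drop"


if __name__ == "__main__":
    for name in ("api.central.example", "evil-central.example", "c2.attacker.example"):
        print(name, "->", decide(build_query(name)))
```

The suffix check with a leading dot is the part worth copying into any real filter: a plain `endswith("central.example")` would also let `evil-central.example` through.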


