Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?


Thanks.


Mike 



  • Hi Luk and Mike,

    Take a look at my guide here. Now, start a port scan on XG and take a drop packet capture. You can see a denied log id=0103021, check the system log format attached to my guide. This is the denied entry for appliance access.

    By default, XG will drop such traffic unless the ports are explicitly allowed through the device access option.

    Hope that helps :)

  • Can you make sure that Anti-port scan will be added on XG soon?

    Honestly, we do not need to open a feature request for this basic feature.

    Anti-port scan is like having NAT on a router!

    Thanks

  • Hi Luk,

    Anti Port Scan is available in XG. I have initiated a communication with other internal teams to discover further details about it. I will update this thread once I receive any further information.

    Thanks

  • sachingurung said:

    Hi Luk,

    Anti Port Scan is available in XG. I have initiated a communication with other internal teams to discover further details about it. I will update this thread once I receive any further information.

    Thanks


    We are looking forward to hearing from you!

    We need an answer ASAP.

    Thanks

  • Do you have any update on this from the internal team? This is very important for the selling and installation phases.

    Thanks

  • Hi Luk,

    After a bit of research, I have discovered an IP Flood option inside IPS > DoS Attack. I think it is related to the Anti Port Scan feature, but we don't find any way to configure any value or even an option to simply enable or disable it. I have initiated a request to the developers to learn about the use of this feature, how to enable and configure it, and whether it is associated with the Anti Port Scan feature as I think.

    Why? Because, according to the UTM 9 help doc, port scan detection is done, and countered, on the basis of the source address: "portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.

    Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded."

    Awaiting response from the developers.

  • Hi Sachin Gurung!

    Do you have any update?

    Thanks

    Alexander

  • Hi Alexander,

    Thanks for bringing this up. I have reinitiated a conversation internally, will get back to you shortly.

    Thanks

  • Do you have any update on this question?

    This is very important.

    Thanks

  • Anti Port Scan is not available in the XG firewall. After a long discussion with the Dev. Team: SFOS supports packet-based DoS protection. We are enhancing it further to do connection-based DoS protection. Please raise it as a feature request on Sophos Ideas and cast your votes. I have personally initiated a request internally.

    Thank you

  • Unbelievable!

    XG does not have an anti-port scan feature. Guys, it is an NGFW.

    http://ideas.sophos.com/forums/330219-xg-firewall/suggestions/19243372-anti-portscan

    Vote please!

  • This is what is so frustrating about XG. They work on items that look good on paper but basic items that you would expect from NGFW are missing.

    It's really irritating when Astaro has been doing this stuff for years and yet Sophos completely neglects to even try to bring basic UTM 9 functions to XG.

  • Here is a KB about how portscan actually works in UTM 7 and 8: https://community.sophos.com/kb/en-us/115153 Looks like the mechanism is a little smarter than I thought. It weighs different connection attempts and then blocks the connection after a certain threshold.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:
    Scan of a TCP destination port less than 1024: 3 points
    Scan of a TCP destination port greater or equal 1024: 1 point
    Scan of ports 11, 12, 13, 2000: 10 points

    Here are the portscan rules in UTM 9 for example, but multiple rules are combined to achieve what is mentioned in the KB article above.

    gatekeeper:/home/login # iptables -L PSD_ACTION -v
    Chain PSD_ACTION (1 references)
    pkts bytes target prot opt in out source destination
    0 0 NFLOG all -- any any anywhere anywhere limit: avg 5/sec burst 5 LOGMARK match 60017 nflog-prefix "PORTSCAN: "
    0 0 DROP all -- any any anywhere anywhere

    gatekeeper:/home/login # iptables -L PSD_MATCH -v
    Chain PSD_MATCH (2 references)
    pkts bytes target prot opt in out source destination
    0 0 PSD_ACTION all -- eth1 any anywhere anywhere -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1
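As an added worked example (not code from this thread, from Sophos, or from the UTM product), here is the scoring described in the KB excerpt and the PSD_MATCH rule above, modelled in Python and run over constructed traffic. Assumptions beyond what the page states: weight is only added for destination ports not yet seen from that source, the per-source score resets when the gap between two consecutive packets exceeds the delay threshold, only TCP is scored, and "exceeded" is read as strictly greater than 21. The IP addresses and packet sequences are constructed, not captured.

```python
"""Model of the UTM portscan scoring quoted in the thread (added example,
not Sophos or UTM code). The weights and thresholds come from the KB
excerpt; the reset and distinct-port rules are this example's assumptions."""
from dataclasses import dataclass, field

WEIGHT_THRESHOLD = 21      # --psd-weight-threshold 21
DELAY_THRESHOLD_MS = 300   # --psd-delay-threshold 300 (thread quotes it as 300 ms)
LO_PORTS_WEIGHT = 3        # --psd-lo-ports-weight 3: TCP dport < 1024
HI_PORTS_WEIGHT = 1        # --psd-hi-ports-weight 1: TCP dport >= 1024
PRIVILEGED_WEIGHT = 10     # KB: ports 11, 12, 13, 2000 score 10 points
PRIVILEGED_PORTS = {11, 12, 13, 2000}


def port_weight(dport):
    """Points one TCP destination port adds to a source's score."""
    if dport in PRIVILEGED_PORTS:
        return PRIVILEGED_WEIGHT
    return LO_PORTS_WEIGHT if dport < 1024 else HI_PORTS_WEIGHT


@dataclass
class SourceState:
    last_seen_ms: int = 0
    weight: int = 0
    ports: set = field(default_factory=set)


class PortscanDetector:
    def __init__(self, weight_threshold=WEIGHT_THRESHOLD, delay_ms=DELAY_THRESHOLD_MS):
        self.weight_threshold = weight_threshold
        self.delay_ms = delay_ms
        self.state = {}      # src -> SourceState
        self.blocked = set()  # sources that have hit PSD_ACTION (log + DROP)

    def observe(self, ts_ms, src, proto, dport):
        """Return True if this packet is (or already would be) dropped."""
        if src in self.blocked:
            return True
        if proto != "tcp":      # assumption: only TCP is scored
            return False
        st = self.state.setdefault(src, SourceState(last_seen_ms=ts_ms))
        # Assumption: a gap longer than the delay threshold resets the score.
        if ts_ms - st.last_seen_ms > self.delay_ms:
            st.weight, st.ports = 0, set()
        st.last_seen_ms = ts_ms
        # Assumption: a port already seen from this source adds no weight.
        if dport not in st.ports:
            st.ports.add(dport)
            st.weight += port_weight(dport)
        if st.weight > self.weight_threshold:   # "exceeded" read as strictly greater
            self.blocked.add(src)
            return True
        return False


def simulate(packets, **kw):
    """Feed (ts_ms, src, proto, dport) tuples in order.
    Return {src: index of the first packet that tripped the detector, or None}."""
    det = PortscanDetector(**kw)
    first_hit = {}
    for i, (ts, src, proto, dport) in enumerate(packets):
        first_hit.setdefault(src, None)
        if det.observe(ts, src, proto, dport) and first_hit[src] is None:
            first_hit[src] = i
    return first_hit


# Constructed sample traffic (not a real capture); addresses are documentation ranges.
FAST_SCAN = [(10 * i, "203.0.113.5", "tcp", p) for i, p in
             enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
SLOW_SCAN = [(1000 * i, "203.0.113.9", "tcp", p) for i, p in
             enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
NORMAL_CLIENT = [(5 * i, "198.51.100.7", "tcp", p) for i, p in
                 enumerate([443] * 20 + [80] * 5)]
IDENT_PROBE = [(10 * i, "203.0.113.77", "tcp", p) for i, p in
               enumerate([113, 11, 13, 2000])]

if __name__ == "__main__":
    for name, pkts in [("fast scan", FAST_SCAN), ("slow scan", SLOW_SCAN),
                       ("normal client", NORMAL_CLIENT), ("ident probe", IDENT_PROBE)]:
        print(name, simulate(pkts))
```

The fast sweep trips on its eighth packet: seven low ports reach exactly 21, and the probe of 443 takes the score to 24. The same eight ports sent one second apart never accumulate, because each gap resets the score, and a client that opens twenty connections to 443 stays at 3 points. Passing delay_ms=5000 makes the slow sweep trip as well, which is the sensitivity trade-off the delay threshold controls.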

  • Is portscan detection planned for v17?