
Basic Configuration of Policies

I'm brand new to Sophos.  Have a basic understanding of firewall rules but want to confirm the correct setup.

Have an XG 115 for a small business.  Very simple network setup/needs.

Right now I just have one rule which is LAN to WAN, any host > any host, any service.  The only reason I can think of to block any services for LAN to WAN would be if some sort of bot got installed on the machines, but I would expect those are going to use pretty standard ports to communicate out anyway (80, 443, etc.).

So is there really any significant benefit to not using 'all services' for LAN to WAN (again, this is a 9-user small business)?

All the users need access to is the basics:

Web (http/https)

Outlook access to Cloud Email Exchange Server (IMAP / POP). I assume I don't need SMTP open since the Cloud Exchange server is sending/receiving the email.


What I am concerned about is WAN to LAN services.  I don't want anyone being able to try to hack internal machines or attempt to connect to Windows File Shares.  There's no WAN to LAN policy setup.  Am I protected or do I need to add one?

I'm also using LogMeIn but that uses port 443.  Do I need to set up a WAN to LAN policy to allow LogMeIn access?



This thread was automatically locked due to age.
  • Jeff,

    When you configure a firewall you need to use the "implicit deny" concept. Using "any" as the service does not make much sense.

    It makes sense to allow only the services needed (HTTP/HTTPS), apply Web/Application filter, IPS filter and enable ATP under Advanced Threat.

    Hope this helps!

    Thanks

  • Yes, I'm familiar with implicit deny. But I don't see the significant benefit of a rule for internal to external (LAN to WAN) because as I pointed out malware could communicate out to the net using port 80.  But in the same notion, there's no point to have services open you're not using.  I get it.

    So is then the implicit rule when there is no WAN to LAN policy that all traffic initiated from the WAN is blocked because of NAT?  So I don't need a WAN to LAN rule as long as I have no need to connect to machines/servers from the Internet?  (Which I'd use a VPN for, or put it on the DMZ if it was a publicly accessible service.) I already verified LogMeIn works, so LogMeIn must be architected so the agent on the target computer is 'pinging' the LogMeIn server to see if it should initiate a session from the LAN out to the LogMeIn server, which is essentially serving as a middle man for the Remote Desktop session.

  • Jess,

    Inside the firewall, if you do not create any rules, all traffic is blocked by default.

    What you are saying about LAN to WAN is incorrect nowadays. On old Cisco PIX firewalls, we only had layer 4 protection and not more. UTMs are able to filter traffic at layer 7.

    You can use Web/Application/IPS filters that act at layer 7 and block unwanted traffic. You can scan and filter traffic inside any ports because you are acting at an upper layer.

    UTM cannot block all malware and bad connections because security is not achieved using only a firewall or antivirus on workstations/computers, but you have to build multiple layers (not only IT).

    I am a Security Architect (Comptia CASP certified) and I deal with this problem every working day with new customers.

    Regards,
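To make the behaviour discussed in this thread concrete (no WAN to LAN rule means WAN-initiated traffic is implicitly denied, a LAN-initiated session such as LogMeIn on 443 still gets its replies back, and "any service" versus HTTP/HTTPS-only differs only for outbound traffic on unusual ports), here is an added example: a minimal stateful, zone-based policy model written for this page, not code from Sophos or from the posters. The zone names, rule shape and addresses are constructed placeholders, and the model is a simplification of how a stateful firewall decides, not the XG rule engine itself.

```python
"""Minimal stateful, zone-based firewall model (added example, not Sophos XG code)."""
from collections import namedtuple

# One direction of traffic. Zones and addresses used below are constructed placeholders.
Flow = namedtuple("Flow", "src_zone src sport dst_zone dst dport proto")
# services: a set of (proto, port) tuples, or {"any"} to match every service.
Rule = namedtuple("Rule", "src_zone dst_zone services action")


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # 7-tuples of flows an allow rule has already admitted

    def evaluate(self, f):
        # Stateful check first: a reply to an admitted LAN-initiated session passes
        # even though there is no WAN->LAN rule at all.
        if (f.dst_zone, f.dst, f.dport, f.src_zone, f.src, f.sport, f.proto) in self.sessions:
            return "allow (established)"
        # Then first-match rule evaluation, restricted to the flow's zone pair.
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (f.src_zone, f.dst_zone) and (
                "any" in r.services or (f.proto, f.dport) in r.services
            ):
                if r.action == "allow":
                    self.sessions.add(tuple(f))
                return r.action
        # No rule matched: implicit deny.
        return "deny (implicit)"


def run_scenarios():
    """Evaluate the same constructed flows against an any-service rule and a web-only rule."""
    policies = {
        "any_service": [Rule("LAN", "WAN", {"any"}, "allow")],
        "web_only": [Rule("LAN", "WAN", {("tcp", 80), ("tcp", 443)}, "allow")],
    }
    flows = {  # constructed sample traffic; evaluation order matters for the reply flow
        "smb_from_wan": Flow("WAN", "203.0.113.7", 51000, "LAN", "192.168.1.10", 445, "tcp"),
        "https_out": Flow("LAN", "192.168.1.10", 52000, "WAN", "198.51.100.5", 443, "tcp"),
        "https_reply": Flow("WAN", "198.51.100.5", 443, "LAN", "192.168.1.10", 52000, "tcp"),
        "odd_port_out": Flow("LAN", "192.168.1.10", 52001, "WAN", "198.51.100.9", 6667, "tcp"),
    }
    results = {}
    for name, rules in policies.items():
        fw = Firewall(rules)
        results[name] = {fname: fw.evaluate(flow) for fname, flow in flows.items()}
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(policy, outcome)
```

Under both policies the inbound SMB attempt is dropped by implicit deny and the HTTPS reply is admitted by session state; only the outbound connection to an unusual port separates "any service" from the HTTP/HTTPS-only rule.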