IP Reputation Checking?

Does Sophos XG do IP source address reputation scanning for all inbound traffic irrespective of port/proto?

 

I ask because my net is like this: inet NAT router <> Sophos XG in bridge mode <> Cujo in bridge mode <> rest of network

And the Cujo is blocking MANY inbound attempts probing my NAT'd ports based on IP reputation; I would expect the Cujo to see nothing and the XG to block these (given the price differential).

I see in the docs that XG does IP reputation scanning for SMTP/S; not sure if it is for anything else.

This is my inbound rule, in case someone can advise if I forgot to turn something on.

 

Rule

Accept any service going to "LAN" zone, when in "WAN" zone, and coming from any network, scan for malware then check with Sandstorm and log connections, then apply IPS policies

Source & Schedule
WAN

Source Networks and Devices : Any
During Scheduled Time : All the Time

Destination & Services
LAN

Destination Networks : Any
Services : Any



  • XG does not check reputation of IP addresses, just the URL.

    Next issue is you do not have any scanning set up, e.g. no ATP rules as part of your firewall rule.

  • rfcat_vk said:

    Next issue is you do not have any scanning set up, e.g. no ATP rules as part of your firewall rule.

    Hey thanks for the feedback, I appreciate it, I am new here.
    What do you mean no ATP?

    In XG I have Enabled Threat Protection = on
    Policy = Log Only
    Network / Host Exception = none
    Threat Exception = none
    Logging = default options

    I have never once had it log anything to the ATP log. What else do I need to do to get it working?
  • Hi,

    that case welcome.

    At the moment my XG is not online. Will be in an hour or so while I try out some extra features.

    Please review a screenshot from my XG

  • Ta,

    I have WAN > LAN policy on my IPS for the inbound (and on the outbound rule I have LAN > WAN policy)

    I don't have a web policy as this is home and I want to access everything (no kids)

     

    I thought the point of application control is to block legitimate apps; I don't need or want to do this.

    What i am interested in blocking is bad actors trying to get to legitimate apps.

     

    Alex

    Without a web policy you won't get any scanning of URLs to determine if good or bad.

    I am not sure what you mean by incoming traffic, do you have your own server?

    Otherwise the IPS is for the outgoing LAN to WAN and there is no need for an incoming rule.

  • Got it, not too interested in URL scanning outbound but I will take a look.

    It's inbound protection I am most interested in, shame the XG is missing multiple classes of attack :-(

    ---edit---

    Yup looked at the app filters, I have no interest or need to block, for example, the 'Block very high risk (Risk Level 5) apps' set.

    ---edit--

    Actually this IPS rule is in place from WAN > LAN, but it isn't trapping the reconnaissance attacks; they are passing through the XG and being captured by Cujo...

    All

    Category = Reconnaissance

    Severity = All Severity

    Platform = All Platform

    Target = Server

  • You are confusing yourself. There is no need for an inbound rule. All traffic from the internal network even the returning traffic. It cannot return unless there is an internal request.

     

    Source any zone on any network

    destination zone host on any network

    IPS LAN to WAN take your choice

    This is an extract from my general rule. It is more complex than required because I do beta testing as well.

     

  • No I am not; while I am a noob at XG, you are confusing me with someone who knows nothing.

    I have an inbound rule because a) having an inbound and outbound allows for different policies (i.e. more restrictive on traffic coming in) and b) I absolutely have inbound traffic that is EXTERNALLY initiated.

    Maybe this is old skool best practice way of doing policies, it is what we did circa 2000 when I did military network security, it is a valid approach and has unique benefits in terms of reporting too.

    Moreover the web application policies that have been suggested only look at some 2.5k well known app definitions that you may want to block; it DOES NOTHING to block unknown threats.

    Lastly one NEVER wants to masquerade incoming IP addresses as then it is impossible to do secondary and tertiary analysis on threats as you never know where the traffic came from (another reason to have separate incoming and outgoing rules, as masquerading your internal addresses is a reasonable precaution).

    Thanks for your insights, but it sounds like I have a much more complex situation than you realise or maybe are used to. Bottom line is the XG is failing or not designed to protect against certain classes of reconnaissance and inbound initiated attacks on my nearly dozen open NAT ports and CUJO is doing (and it surprises me to say this) a better job. That's bad for a commercial grade firewall.

    I look forward to being corrected and shown how to block the class of inbound attacks I am asking about in this thread........

    Alex

  • Alex,

    Take note that firewalls are now stateful firewalls, so in order to allow traffic from one source to a specific destination, only one rule is needed and not the reverse, because they track the connection and open the reverse connection when needed.

    I remember that configuration on PIX 506E in 1999. Protect apps: IPS can protect against certain types of attacks (if a signature exists), otherwise the attack is not blocked. If you want to protect for example RDP, you can use IPS for LAN to WAN or WAN to LAN (use a VPN instead).

    XG also uses modules like ATP and Sandbox in order to control unknown traffic and block bad traffic.

    Can you explain in a few lines what your goal is?

    Thanks
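    To make the stateful-firewall point above concrete, here is an added Python simulation (not Sophos code); the zone names, rule-matching order, packet events and IP:port values are all constructed for illustration. It shows that a single LAN-to-WAN accept rule lets the reply traffic back in via connection state, that an unsolicited WAN-initiated packet is dropped by default, and that an inbound "accept any service WAN to LAN" rule like the one in the original post admits such packets as new connections.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str   # zone the packet arrives from ("WAN" or "LAN"); constructed names
    dst_zone: str
    src: str        # "ip:port" (constructed sample values)
    dst: str
    syn: bool       # True for a connection-initiating packet

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "ANY" matches every zone
    dst_zone: str
    action: str     # "accept" or "drop"

class StatefulFirewall:
    """Minimal connection-tracking firewall: rules decide only NEW flows."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()   # established flows, keyed by the unordered endpoint pair

    def _rule_action(self, pkt):
        for r in self.rules:     # first match wins
            if r.src_zone in ("ANY", pkt.src_zone) and r.dst_zone in ("ANY", pkt.dst_zone):
                return r.action
        return "drop"            # implicit default deny

    def process(self, pkt):
        key = frozenset((pkt.src, pkt.dst))   # reply packets have src/dst swapped, same key
        if key in self.conntrack:
            return "accept (established)"
        if not pkt.syn:
            return "drop (no state)"          # stray non-SYN with no tracked connection
        if self._rule_action(pkt) == "accept":
            self.conntrack.add(key)
            return "accept (new)"
        return "drop (rule)"

def run_scenarios():
    out = {}
    # One outbound-only rule, as the replies in this thread recommend.
    lan_only = StatefulFirewall([Rule("LAN", "WAN", "accept")])
    out["outbound_new"] = lan_only.process(Packet("LAN", "WAN", "10.0.0.5:51000", "203.0.113.10:443", True))
    out["reply"] = lan_only.process(Packet("WAN", "LAN", "203.0.113.10:443", "10.0.0.5:51000", False))
    out["probe"] = lan_only.process(Packet("WAN", "LAN", "198.51.100.7:4444", "10.0.0.5:22", True))
    out["stray"] = lan_only.process(Packet("WAN", "LAN", "198.51.100.7:4444", "10.0.0.5:22", False))
    # Add the original post's rule: accept any service from WAN zone to LAN zone.
    permissive = StatefulFirewall([Rule("LAN", "WAN", "accept"), Rule("WAN", "LAN", "accept")])
    out["probe_with_inbound_rule"] = permissive.process(Packet("WAN", "LAN", "198.51.100.7:4444", "10.0.0.5:22", True))
    return out
```

    With the inbound accept rule present, the only thing left to stop an unsolicited probe is the IPS policy attached to that rule, which is why the thread turns to IPS and the rule's scope rather than to the stateful engine.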

  • Yes I know all about stateful firewalls, thanks.

     

    Do you know if you have only one rule that has ANY <> ANY then the rule set applies equally to any traffic initiated from outbound or inbound. Personally I prefer to have a much harder set of rules on inbound traffic that is initiated externally. If you want the same level of protection then great for you but please don't presume to tell me to have less security.

     

    In terms of the scenario.

    I am trying to protect services (multiple types on multiple ports) inside my network that are exposed outside my network over a pre-existing NAT firewall (no, it's not going to be replaced by the Sophos).

    I am trying to determine if the Sophos XG can protect these services better / worse / differently than say something like a Cujo (this is a hobby/home scenario).

    It appears multiple classes of attack are NOT stopped by the Sophos XG; I am trying to determine if that is because it isn't designed to stop those classes or because of a config error.

    At the moment the XG is missing ~465 penetration attempts over 7 days (reconnaissance, port scans, logon attempts from known botnet infection points, spam points etc); this is all traffic that was initiated from outside my network so has nothing to do with 'stateful firewalls'.

     

  • Hi Alex,

    you are confusing UTM configuration and XG configuration. To design XG firewall rules you need to think differently, the any in the source zone is not the any in the destination zone.

    More than likely your attacks are getting through your incoming rule, try disabling it.

  • Alex,

    is right. Make sure you understand zones. Even in bridge mode, zones are still considered. You are using a general IPS policy which is not restricted. To protect web services, make sure to configure WAF where there are more than 250 protection features.

    Give us some logs and which attacks are not blocked (logs).

    Thanks

  • Thanks Luk

    I think I understand zones; I am relying on the fact they apply in a transparent bridge. I can see in the logs that the IPS is blocking some forms of traffic on multiple ports, and HTTP is included in the standard scan whether or not a WAF is included.

    Given the Sophos WAF doesn't support websockets I have moved to nginx for the reverse proxy function; I still expect the XG to protect the HTTP and HTTPS stream using IPS, Sandstorm etc irrespective of WAF.

    Things that are not blocked include things like this:

    These pass through the XG.

    Maybe my expectations are too high / wrong? Maybe the issue is I should have downloaded the UTM home edition instead?

    At this point the XG is offline; I discovered it was generating 2Mbps of downloads (and no, it wasn't a host on my network generating this traffic, it was the XG) and I have yet to identify what it was doing. If I put it back online I will come back; if not it means I gave up with XG Home and went with something else. And don't get me started on some of the weird ARP behaviour and IP assignment issues where the UI clearly shows what IP is bound to the bridge or the management interface but all evidence shows that the IPs are swapped (or rather ARP packets seem to be doing bad things). I am sure you think I have a basic config / user error issue; I assure you this box is doing VERY weird and inconsistent stuff, maybe it doesn't like my hardware config.... I do understand in quite some detail the low level mechanism of IP and ethernet and how packets get constructed and put on the wire, so please trust me when I ask you to stop assuming I am making high level mistakes (I accept I may be making mistakes but not simple ones :-) )

    Regards

    Alex

  • Don't see this as a personal attack more clarification of your post. What you are telling us (XG users) is our networks are not secured by the XG, yet many XG sites pass PCI testing.

    I would suggest you let someone like Luk have access to your XG, he is a certified XG architect.

  • I never said it wasn't secure. I was asking why it appeared to allow threats through that another device blocked, that's all. I got the runaround on 'my rules being wrong so my IPS wasn't working' when the answer was my expectations were wrong, as Aditya nicely clarified that the feature I was expecting isn't there and in Sophos' view doesn't need to be there. There was nothing wrong with my rules or settings.

    So until Aditya's post no one was making sense to me.

  • The only difference between a home licence (same software) and commercial licence is how much you can personalise it and IP licence count.

    The only difference between a home licence for XG is the amount of memory and cpu cores you can assign to it and no sandstorm which also applies to the UTM.