
Web proxy bypasses network protection?

Hi,

I've stumbled across a strange issue but don't know if it's by design or not.

Scenario is

1 isolated network with 1 web server. Its sole job is to provide an internal website to NetworkA (another internal network on a different interface) for a bunch of people. NetworkA does not have access to the internet.

NetworkB is another internal network, again different interface, for the rest of the company who like most people have internet access, email, etc. This network is filtered by the UTM's web proxy.

I was testing bits and bobs and accidentally tried to access the isolated web server from NetworkB (using IP and not DNS) and to my surprise it worked.

I checked the firewall; there are no firewall rules that permit traffic from NetworkB to the isolated network. I checked the firewall logs: nothing, but in the web proxy live log I noticed the traffic from NetworkB was being passed on to the isolated network. So I created a deny rule in the firewall section to block the traffic and it didn't stop it. I then created a block rule in the content filter and that did stop it.

So is that normal behaviour?


  • I ran into this same situation myself after creating a new Guest interface. It may not be just web proxy traffic that can 'hop between' networks, but rather all other networks that the UTM knows about. I opened a support case for this and the tech helped me find a creative solution that works:

    I have now put all my internal networks into a group and I have a DNAT that essentially blackholes these attempts when coming from the Guest interface.

    Happy to provide more details if needed.

  • Hi,

    yes, that's correct, see the great Rulz post https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    in short, from his post:

    Rule #2:

    Do you wonder why traffic is allowed through even when you have an explicit firewall rule blocking it?  In general, a packet arriving at an interface is handled only by one of the below, in order (see attachment below):

    1. the connection tracker (conntrack) first
    2. then Country Blocking
    3. then Intrusion Prevention
    4. then DNATs
    5. then VPNs
    6. then Proxies (except the SMTP Proxy in Transparent mode which captures traffic forwarded by a DNAT)
    7. then manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic
    8. and, finally, Application Control.
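The processing order quoted above explains both observations in this thread: a transparent web proxy (stage 6) claims HTTP traffic before the manual firewall rules (stage 7) are ever consulted, so a firewall deny cannot stop it, whereas a web filter block acts inside the proxy stage and a DNAT blackhole (stage 4) wins even earlier. The script below is an added illustration written for this thread, not code from Sophos or from the Rulz post; it models the relevant stages as a first-match chain and runs the scenarios discussed here. The network names, the rule tuples and the blackhole behaviour are constructed assumptions, not a UTM configuration format.

```python
"""First-match model of the UTM packet-handling order quoted in this thread.

Constructed example: stage behaviour is simplified, and network names, rule
shapes and scenario data are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_net: str
    dst_net: str
    dst_port: int


@dataclass(frozen=True)
class Verdict:
    stage: str   # the single stage that claimed the packet
    action: str  # "allow", "drop" or "blackhole"


Stage = Callable[[Flow], Optional[Verdict]]


def make_dnat_blackhole(src_net: str, protected_nets: Set[str]) -> Stage:
    # Stage 4: a DNAT that redirects traffic from src_net towards a group of
    # internal networks to a non-existent host (the first reply's solution).
    def stage(flow: Flow) -> Optional[Verdict]:
        if flow.src_net == src_net and flow.dst_net in protected_nets:
            return Verdict("dnat", "blackhole")
        return None
    return stage


def make_web_proxy(proxied_nets: Set[str], blocked_dst: Set[str]) -> Stage:
    # Stage 6: the transparent web proxy picks up HTTP/HTTPS from networks it
    # is enabled on and applies its own web-filter policy. Whatever it accepts
    # is forwarded by the proxy itself and never reaches stage 7.
    def stage(flow: Flow) -> Optional[Verdict]:
        if flow.src_net in proxied_nets and flow.dst_port in (80, 443):
            if flow.dst_net in blocked_dst:
                return Verdict("proxies", "drop")
            return Verdict("proxies", "allow")
        return None
    return stage


def make_firewall(rules: List[Tuple[str, str, str]]) -> Stage:
    # Stage 7: manual firewall rules as (src, dst, action), first match wins,
    # with the implicit final drop when nothing matches.
    def stage(flow: Flow) -> Optional[Verdict]:
        for src, dst, action in rules:
            if src in (flow.src_net, "any") and dst in (flow.dst_net, "any"):
                return Verdict("routes_and_firewall", action)
        return Verdict("routes_and_firewall", "drop")
    return stage


def first_match(flow: Flow, stages: List[Stage]) -> Verdict:
    # A packet is handled by exactly one stage: the first one that claims it.
    for stage in stages:
        verdict = stage(flow)
        if verdict is not None:
            return verdict
    raise AssertionError("the firewall stage always returns a verdict")


# Constructed network names for the scenarios in this thread.
ISOLATED = "IsolatedNet"
NET_B = "NetworkB"
GUEST = "Guest"
INTERNAL_GROUP = {ISOLATED, "NetworkA", NET_B}


def scenario_firewall_deny_only() -> Verdict:
    # What the original poster saw: explicit deny, proxy still passes HTTP.
    stages = [make_web_proxy({NET_B}, set()),
              make_firewall([(NET_B, ISOLATED, "drop")])]
    return first_match(Flow(NET_B, ISOLATED, 80), stages)


def scenario_web_filter_block() -> Verdict:
    # The block that did work: a web filter rule evaluated inside the proxy.
    stages = [make_web_proxy({NET_B}, {ISOLATED}),
              make_firewall([(NET_B, ISOLATED, "drop")])]
    return first_match(Flow(NET_B, ISOLATED, 80), stages)


def scenario_dnat_blackhole() -> Verdict:
    # The first reply's approach: a DNAT (stage 4) claims the packet before
    # the proxy (stage 6) can.
    stages = [make_dnat_blackhole(GUEST, INTERNAL_GROUP),
              make_web_proxy({GUEST}, set()),
              make_firewall([(GUEST, ISOLATED, "drop")])]
    return first_match(Flow(GUEST, ISOLATED, 80), stages)


def scenario_non_http() -> Verdict:
    # Non-web traffic is not claimed by the proxy, so the firewall rule applies.
    stages = [make_web_proxy({NET_B}, set()),
              make_firewall([(NET_B, ISOLATED, "drop")])]
    return first_match(Flow(NET_B, ISOLATED, 22), stages)


if __name__ == "__main__":
    for fn in (scenario_firewall_deny_only, scenario_web_filter_block,
               scenario_dnat_blackhole, scenario_non_http):
        print(f"{fn.__name__}: {fn()}")
```

Running it shows the firewall-deny-only scenario ending at the proxy stage with "allow", which is why the firewall log stayed empty while the proxy live log showed the traffic. The practical check this suggests for a segmented network is to review which interfaces the web proxy is enabled on (or to add a web filter block or an earlier-stage DNAT) rather than relying on a stage 7 firewall rule alone.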
  • You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Could you send that to me also? Very interested.

    regards,