Web proxy bypasses network protection?

Hi,

I've stumbled across a strange issue but don't know if it's by design or not.

Scenario is

1 isolated network with 1 web server. Its sole job is to provide an internal website to NetworkA (another internal network on a different interface) for a bunch of people. NetworkA does not have access to the internet.

NetworkB is another internal network, again different interface, for the rest of the company who like most people have internet access, email, etc. This network is filtered by the UTM's web proxy.

I was testing bits and bobs and accidentally tried to access the isolated web server from NetworkB (using IP and not DNS) and to my surprise it worked.

I checked the firewall, there are no firewall rules that permit traffic from NetworkB to the isolated network. I checked the firewall logs, nothing, but in the web proxy live log I noticed the traffic from NetworkB was being passed on to the isolated network. So I created a deny rule in the firewall section to block the traffic and it didn't stop it. I then created a block rule on the content filter and that did stop it.

So is that normal behaviour?


  • Hi,

    Yes, that's correct, see the great rulz post https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    In short, from his post:

    Rule #2:

    Do you wonder why traffic is allowed through even when you have an explicit firewall rule blocking it? In general, a packet arriving at an interface is handled only by one of the below, in order (see attachment below):

    1. the connection tracker (conntrack) first
    2. then Country Blocking
    3. then Intrusion Prevention
    4. then DNATs
    5. then VPNs
    6. then Proxies (except the SMTP Proxy in Transparent mode which captures traffic forwarded by a DNAT)
    7. then manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic
    8. and, finally, Application Control.
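As an added illustration of the ordering quoted above (this is example code written for this page, not Sophos code and not anything posted in the thread), the following Python model runs a packet through the stages in the order the rulz post gives. Only conntrack, the transparent web proxy and manual firewall rules are modelled; the other stages are omitted. The network names, the address of the isolated web server, the port set the proxy captures and the rule contents are all constructed assumptions. It reproduces what the original poster saw: web traffic from the proxied network is handled by the proxy stage and the later firewall deny is never consulted, a non-proxied port on the same host does hit the deny, and a block in the web filter is what actually stops the proxied traffic.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_net: str     # network the packet arrived from (constructed names)
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Config:
    proxied_nets: Set[str]                  # networks in transparent web proxy scope
    proxy_ports: Set[int]                   # ports the transparent proxy captures (assumed)
    web_filter_blocked: Set[str]            # destinations blocked in the content filter
    fw_rules: List[Tuple[str, str, object, str]]  # (src_net, dst_ip, port|"any", action), in order
    conntrack: Set[Flow] = field(default_factory=set)  # flows already established


Stage = Callable[[Flow, Config], Optional[str]]


def conntrack_stage(flow: Flow, cfg: Config) -> Optional[str]:
    # Stage 1: an already-tracked flow is accepted without re-evaluating rules.
    return "allow: conntrack" if flow in cfg.conntrack else None


def proxy_stage(flow: Flow, cfg: Config) -> Optional[str]:
    # Stage 6: the transparent proxy captures web traffic from proxied networks
    # and applies its own policy; the packet never reaches the firewall stage.
    if flow.src_net in cfg.proxied_nets and flow.dst_port in cfg.proxy_ports:
        if flow.dst_ip in cfg.web_filter_blocked:
            return "deny: web filter"
        return "allow: web proxy"
    return None


def firewall_stage(flow: Flow, cfg: Config) -> Optional[str]:
    # Stage 7: manual firewall rules, first match wins, implicit final deny.
    for src, dst, port, action in cfg.fw_rules:
        if (src in ("any", flow.src_net) and dst in ("any", flow.dst_ip)
                and port in ("any", flow.dst_port)):
            return f"{action}: firewall rule"
    return "deny: firewall default"


# Stages 2-5 and 8 (country blocking, IPS, DNAT, VPN, application control)
# are omitted here; they would slot into this list in the order the post gives.
PIPELINE: List[Stage] = [conntrack_stage, proxy_stage, firewall_stage]


def decide(flow: Flow, cfg: Config) -> str:
    """Return the verdict of the first stage that handles the packet."""
    for stage in PIPELINE:
        verdict = stage(flow, cfg)
        if verdict is not None:
            return verdict
    return "deny: unhandled"


ISOLATED_WEB = "10.99.0.10"   # constructed address of the isolated web server


def scenario() -> dict:
    """Replay the thread's observations with constructed addresses and rules."""
    cfg = Config(
        proxied_nets={"NetworkB"},
        proxy_ports={80, 443},
        web_filter_blocked=set(),
        fw_rules=[
            ("NetworkA", ISOLATED_WEB, 80, "allow"),     # the intended access path
            ("NetworkB", ISOLATED_WEB, "any", "deny"),   # the deny rule that "didn't work"
        ],
    )
    http_from_b = Flow("NetworkB", ISOLATED_WEB, 80)
    ssh_from_b = Flow("NetworkB", ISOLATED_WEB, 22)
    http_from_a = Flow("NetworkA", ISOLATED_WEB, 80)

    results = {
        # proxy captures this before the firewall deny is ever consulted
        "http_from_B_with_fw_deny": decide(http_from_b, cfg),
        # non-proxied port: the firewall stage is reached and the deny applies
        "ssh_from_B_with_fw_deny": decide(ssh_from_b, cfg),
        "http_from_A": decide(http_from_a, cfg),
    }
    # The fix the original poster found: block the destination in the web filter,
    # i.e. enforce the policy in the stage that actually handles the traffic.
    cfg.web_filter_blocked.add(ISOLATED_WEB)
    results["http_from_B_with_web_filter"] = decide(http_from_b, cfg)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28} -> {verdict}")
```

The practical takeaway the model makes visible: when checking why a rule is not taking effect, look first at which stage in the list above owns that traffic (the web proxy live log, in this case) rather than only at the firewall log, and place the block in that stage.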