{"id":21491,"date":"2023-03-16T03:21:20","date_gmt":"2023-03-16T11:21:20","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/03\/16\/news-15222\/"},"modified":"2023-03-16T03:21:20","modified_gmt":"2023-03-16T11:21:20","slug":"news-15222","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/16\/news-15222\/","title":{"rendered":"Best Practices for Securing Your Firewall"},"content":{"rendered":"<p><strong>Credit to Author: Chris McCormack| Date: Thu, 16 Mar 2023 10:22:52 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Your Firewall is the heart of your network helping secure it from risks and threats.\u00a0 And while it\u2019s a security product, and a critically important one, it also needs to be secured.\u00a0 This article outlines some of the best practices for hardening your Sophos Firewall.<\/p>\n<h2>1. Update The Firmware with Every Release<\/h2>\n<p>If you only take away one thing from this article, it\u2019s this. And this recommendation doesn\u2019t just apply to your firewall, but all of your networking infrastructure. 
Most Sophos Firewall OS firmware updates include important security fixes.\u00a0 The best way to harden your firewall is to ensure it\u2019s running the latest firmware.\u00a0 For Sophos Firewall, we just released <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/27\/upgrade-your-sophos-firewalls-to-v19-5-mr1\/\">v19.5 MR1<\/a> which includes a number of great new features, a significant performance boost, and several fixes.\u00a0 You can always find the latest firmware release for your firewall simply by navigating to <em>Backup and Firmware &gt; Firmware <\/em>(as shown below).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-90553 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-1.png\" alt=\"\" width=\"640\" height=\"439\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-1.png 1430w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-1.png?resize=300,206 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-1.png?resize=768,527 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-1.png?resize=1024,703 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<h2>2. Enable Hotfixes<\/h2>\n<p>Occasionally, patches for vulnerabilities and other security fixes are released between regular firmware updates.\u00a0 This is done by applying hotfixes to your firewall automatically, so it\u2019s vitally important that this feature be enabled on your firewall.\u00a0 While it\u2019s enabled by default, some customers have disabled this. 
If you are one of those, it\u2019s highly recommended you go back and turn this feature on.\u00a0 This feature is found by navigating to <em>Backup and Firmware &gt; Firmware<\/em> \u2013 check that \u201c<em>Allow automatic installation of hotfixes<\/em>\u201d is enabled (as highlighted at the bottom of the screen shot above).<\/p>\n<h2>3. Limit Access to Firewall Services<\/h2>\n<p>Your Firewall offers a number of ways to limit access to services that are not required to reduce your exposure on the WAN. You should periodically check the device access settings and ensure that all unnecessary services are disabled (unchecked) on the WAN (see screen shot below).\u00a0 In particular, it\u2019s strongly recommended that you disable remote admin via HTTPS and SSH, as well as the Captive Portal and User Portal on the WAN. Use Sophos Central, VPN or ZTNA to manage your firewall remotely. See the <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.5\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Administration\/DeviceAccess\/index.html#local-service-acl-how-device-access-works\">product documentation<\/a> for instructions on how to manage device access.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-90552 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-2.png\" alt=\"\" width=\"640\" height=\"335\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-2.png 975w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-2.png?resize=300,157 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-2.png?resize=768,403 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<h2>4. 
Utilize Multi-Factor Authentication and Role-Based Administration<\/h2>\n<p>Enable multi-factor authentication (MFA) or one-time-passwords (OTP) and enforce strong passwords to protect your firewall from unauthorized access from stolen credentials or brute force hacking attempts.\u00a0 Sophos Firewall supports a rich set of <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.5\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Authentication\/OneTimePassword\/index.html\">MFA authentication<\/a> options including new Azure AD single-sign-on authentication for webadmin access which can be super convenient (<a href=\"https:\/\/techvids.sophos.com\/watch\/uaoFR1u7BnppeKgPNeYSrd\">video<\/a> \/ <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/19.5\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Authentication\/Servers\/AzureAD\/AuthenticationConfigureAzureAD\/index.html\">documentation<\/a>).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-90551 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-3.png\" alt=\"\" width=\"640\" height=\"229\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-3.png 936w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-3.png?resize=300,107 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/Firewall-3.png?resize=768,275 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>You should also consider taking advantage of Sophos Firewall\u2019s granular <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/19.5\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Profiles\/DeviceAccess\/index.html\">role-based administration<\/a> profiles to limit access for administrators of the firewall. 
Provide read-only access to administrators that don\u2019t absolutely need control over various firewall functions.<\/p>\n<h2>5. Additional Best Practices for Securing Your Network from Ransomware<\/h2>\n<p>While you\u2019re looking at ways to better secure your network, I suggest you take a look at our recommended best-practices for securing your broader network from the latest ransomware and other advanced threats.\u00a0 If you\u2019re a Sophos Firewall customer, you\u2019re already well on your way to better protecting your network, but there may be other Sophos solutions you\u2019re overlooking that can further help secure your organization.<\/p>\n<p><a href=\"https:\/\/www.sophos.com\/en-us\/whitepaper\/secure-your-network-from-ransomware\">Download the Guide<\/a> to get the full set of best practices.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/16\/best-practices-for-securing-your-firewall\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/Sophos-Firewall.png\"\/><\/p>\n<p><strong>Credit to Author: Chris McCormack| Date: Thu, 16 Mar 2023 10:22:52 +0000<\/strong><\/p>\n<p>While your Sophos Firewall is a security product, it also needs to be secured.\u00a0Follow these best practices to optimize the security of your 
network.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[129,10384,24562,3765,24567],"class_list":["post-21491","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-featured","tag-network","tag-products-services","tag-ransomware","tag-sophos-firewall"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21491"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21491\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21491"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}