{"id":25378,"date":"2024-10-25T05:20:56","date_gmt":"2024-10-25T13:20:56","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/10\/25\/news-19108\/"},"modified":"2024-10-25T05:20:56","modified_gmt":"2024-10-25T13:20:56","slug":"news-19108","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/10\/25\/news-19108\/","title":{"rendered":"Sophos Firewall hardening best practices"},"content":{"rendered":"<p><strong>Credit to Author: Chris McCormack| Date: Fri, 25 Oct 2024 12:41:06 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>At Sophos, your security is our top priority. We have invested in making Sophos Firewall the most secure firewall on the market \u2013 and we continuously work to make it the most difficult target for hackers.<\/p>\n<p>To enhance your security posture, we strongly encourage you to regularly review and implement these best practices across all your network infrastructure, whether from Sophos or any other vendor.<\/p>\n<p>Read on for full instructions or download the <a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/b88j53vc93vg6k73j3fhqj9m\/sophos-firewall-hardening-best-practices-guide.pdf\">Sophos Firewall hardening best practices<\/a>.<\/p>\n<h2>Keep firmware up to date<\/h2>\n<p>Every Sophos Firewall OS update includes important security enhancements \u2013 including our latest release, <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/10\/17\/sophos-firewall-v21-is-now-available\/\">Sophos Firewall v21<\/a>.<\/p>\n<p>Ensure you keep your firmware up to date under Backup &amp; Firmware &gt; Firmware. Check at least once a month for firmware updates in Sophos Central or the on-box console. 
You can easily schedule updates in Sophos Central to be applied during a period of minimal disruption.<\/p>\n
<p>Online guides:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/BackupAndFirmware\/Firmware\/index.html#installing-hotfixes-automatically\">Firmware<\/a><\/li>\n<\/ul>\n
<h2>Limit device service access<\/h2>\n<p>It\u2019s critically important that you disable non-essential services on the WAN interface, in particular the HTTPS and SSH admin services.<\/p>\n
<p>To manage your firewall remotely, Sophos Central offers a much more secure solution than enabling WAN admin access. Alternatively, <a href=\"https:\/\/sophos.com\/ztna\">use ZTNA<\/a> for remote management of your network devices.<\/p>\n
<p>Check your local services access control under Administration &gt; Device Access and ensure no items are checked for the WAN Zone unless absolutely necessary:<\/p>\n
<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-958051 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/10\/Hardening.png\" alt=\"Hardening\" width=\"1430\" height=\"459\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/10\/Hardening.png 1430w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/10\/Hardening.png?resize=300,96 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/10\/Hardening.png?resize=768,247 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/10\/Hardening.png?resize=1024,329 1024w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/p>\n
<p>Online guides:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Administration\/DeviceAccess\/index.html#local-service-acl-how-device-access-works\">Access Control<\/a><\/li>\n
<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/SophosCentral\/index.html\">Sophos Central Management<\/a><\/li>\n<\/ul>\n
<h2>Use strong passwords, multi-factor authentication, and role-based access<\/h2>\n<p>Enable multi-factor authentication or one-time password (OTP) and enforce strong passwords, which will protect your firewall from unauthorized access \u2013 either from stolen credentials or brute-force attempts.<\/p>\n
<p>Ensure your sign-in security settings are set to block repeated unsuccessful attempts and enforce strong passwords and CAPTCHA. Also use role-based access controls to limit exposure.<\/p>\n
<p>Online guides:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Authentication\/OneTimePassword\/index.html\">Multi-factor Authentication (MFA)<\/a><\/li>\n
<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Administration\/AdminSettings\/index.html\">Admin and Sign-in Security Settings<\/a><\/li>\n
<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Profiles\/DeviceAccess\/index.html\">Device Role-Based Access<\/a><\/li>\n<\/ul>\n
<h2>Minimize access to internal systems<\/h2>\n<p>Any device exposed to the WAN via a NAT rule is a potential risk. Ideally, no device should be exposed to the internet via NAT or inbound connections, including IoT devices.<\/p>\n
<p>Audit and review all your NAT and firewall rules regularly to ensure no WAN-to-LAN or remote access rules are enabled. Use ZTNA (or even VPN) for remote administration and access to internal systems \u2013 DO NOT expose these systems, especially Remote Desktop access, to the Internet.<\/p>\n
<p>For IoT devices, shut down any devices that do not offer a cloud proxy service and require direct access via NAT \u2013 these devices are ideal targets for attackers.<\/p>\n
<p>Online guides:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/RulesAndPolicies\/NATRules\/index.html\">NAT Rules<\/a><\/li>\n<\/ul>\n
<h2>Enable appropriate protection<\/h2>\n<p>Protect your network from exploits by applying TLS and IPS inspection to incoming untrusted traffic via relevant firewall rules. Tune your TLS and IPS inspection and take advantage of trusted application FastPath offloading to get the best protection and performance for your particular environment. Ensure you don\u2019t have any broad firewall rules that allow ANY to ANY connections.<\/p>\n
<p>Also protect your network from both DoS and DDoS attacks by setting and enabling protection under Intrusion Prevention &gt; DoS &amp; spoof protection. Enable spoof prevention and apply flags for all DoS attack types.<\/p>\n
<p>Block traffic from regions you don\u2019t do business with by setting up a firewall rule to block traffic originating from unwanted countries or regions.<\/p>\n
<p>Ensure Sophos X-Ops threat feeds are enabled to log and drop under Active Threat Protection.<\/p>\n
<p>Online guides:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/IntrusionPrevention\/index.html\">IPS and DoS<\/a><\/li>\n
<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/AdvancedServices\/Architecture\/index.html\">Offloading Applications<\/a><\/li>\n
<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/RulesAndPolicies\/FirewallRules\/FirewallRulesCountryBasedRuleCreate\/index.html\">Country Blocking<\/a><\/li>\n
<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/ActiveThreatResponse\/ActiveThreatResponseSophosXOpsThreatFeeds\/index.html\">Sophos X-Ops Threat Feeds<\/a><\/li>\n<\/ul>\n
<h2>Enable alerts and notifications<\/h2>\n<p>Sophos Firewall can be configured to alert administrators of system-generated events. Administrators should review the list of events and check that system and security events are monitored to ensure that issues and events can be acted upon promptly.<\/p>\n
<p>Notifications are sent via email and\/or SNMP traps. To configure Notifications, navigate to Configure &gt; System services and select the Notifications list tab.<\/p>\n
<p>Online guides:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/SystemServices\/NotificationList\/index.html\">Notifications<\/a><\/li>\n<\/ul>\n
<h2>More info<\/h2>\n<p>Be sure to check out how Sophos Firewall is <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/07\/15\/sophos-firewall-secure-by-design\/\">Secure By Design<\/a> and consult the extensive <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/21.0\/help\/en-us\/webhelp\/onlinehelp\/StartupHelp\/index.html\">online documentation<\/a> and <a href=\"https:\/\/techvids.sophos.com\/\">how-to videos<\/a> to make the most of your Sophos Firewall.<\/p>\n
<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/10\/25\/sophos-firewall-hardening-best-practices\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n
","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/10\/FWv21.png\"\/><\/p>\n<p><strong>Credit to Author: Chris McCormack| Date: Fri, 25 Oct 2024 12:41:06 +0000<\/strong><\/p>\n<p>Make the most of your Sophos Firewall.<\/p>\n
","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[12235,10384,24562],"class_list":["post-25378","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-firewall","tag-network","tag-products-services"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25378"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25378\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25378"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}