Advanced Sophos Firewall IPS Configuration
15 Questions

Questions and Answers

What is the primary function of the Intrusion Prevention System (IPS) in the Sophos Firewall?

  • To examine traffic for malicious content and block it (correct)
  • To manage user access control for firewall policies
  • To improve internet speed by caching data
  • To analyze incoming traffic for performance metrics

Which of the following is NOT recommended knowledge or experience for configuring IPS?

  • Setting up VPN connections (correct)
  • Denial-of-service protection
  • Configuring IPS policies
  • Spoof protection

How can the IPS in Sophos Firewall be optimized for performance?

  • By using generic rules for all traffic
  • By regularly updating user permissions
  • By fine tuning IPS configuration (correct)
  • By increasing bandwidth capacity

What happens when the IPS detects malicious content in the traffic?

  • It blocks the traffic and logs the events

In what scenario should IPS be fine-tuned?

  • To align with specific firewall policies

What types of traffic can IPS policies be applied to within the Sophos Firewall?

  • Any traffic passing through the firewall, including WAN to LAN, LAN to DMZ, and LAN to LAN

What happens once the IPS identifies that an application is trustworthy?

  • FastPath can offload the traffic, skipping AV scanning

Which of the following statements is true regarding default IPS policies in Sophos Firewall?

  • They are predefined and immediately usable out of the box

What is the function of the FastPath engine in relation to IPS?

  • To reduce resource usage by offloading trustworthy traffic

What is a key function of the DPI engine within the Sophos Firewall?

  • To facilitate IPS in offloading trusted traffic

What is a primary reason default IPS policies may impact performance?

  • They cover a wide range of protocols and traffic types.

What can be done to improve the efficiency of IPS policies?

  • Align IPS policies with existing firewall policies.

Which systems need not be covered by IPS signatures if a network predominantly uses Windows machines?

  • Linux, Unix, BSD, and Solaris

What is one advantage of the Xstream Architecture and FastPath in the Sophos Firewall?

  • They allow some processing load to be bypassed.

Why are default IPS policies not optimized for processing speed?

  • They are designed to cover all possibilities.

    Study Notes

    Advanced Sophos Firewall IPS Configuration

    • Sophos Firewall version 1.0v1, FW2510 configuration
    • Document version 19.0v1, April 2022
    • Copyright 2022 Sophos Limited

    Intrusion Prevention System (IPS)

    • IPS is a module that examines traffic passing through a Sophos Firewall for malicious content.
    • It blocks malicious content and logs events.
    • IPS can examine WAN to LAN, LAN to DMZ, DMZ to LAN, LAN to LAN and VPN traffic.
    • Default policies are included for common network attacks.
    • Custom policies can be created for specific scenarios or to meet compliance requirements.

    FastPath Offloading

    • IPS is a fundamental component of the DPI (Deep Packet Inspection) engine.
    • Offloads trustworthy traffic from further examination.
    • Offloading happens when the application is identified, there are no files for AV to scan, and the flow is deemed trustworthy.
    • The FastPath engine reduces the number of modules in use, saving resources.

    Configuring IPS

    • IPS can inspect any traffic through the Sophos Firewall.
    • For optimal performance, select which traffic is inspected rather than inspecting everything.
    • Default policies include a broad ruleset.
    • Custom policies based on inspected traffic improve performance.
    • Consider whether you need to inspect traffic, and create specific firewall rules for that traffic.
    • Default policies are very general. Create a ruleset appropriate for the inspected traffic.

    Fine Tuning IPS Policies

    • The IPS policy editor allows easy selection of the desired patterns to create efficient policies.
    • Keep policies current to save CPU and memory.
    • Three types of IPS policy rules can be created:
      • Predefined criteria filtering.
      • Text-based smart filters.
      • Selecting specific signatures.
    • The IPS policy editor dynamically updates to reflect new signatures.

    Strict Policy

    • A set of protection policies enabled by default.
    • It checks for common attacks and drops specific traffic and attacks (such as WinNuke, Land, or Zero IP Protocol).
    • If false positives are detected, the strict policy can be disabled.
    • Individual components of the strict policy cannot be enabled or disabled.

    Chapter Review

    • Default IPS policies are designed for a broad range of scenarios but might not be optimized.
    • Each firewall rule should have a custom IPS policy specific to that rule's traffic.
    • When creating a new policy, existing policies can be cloned for efficiency.


    Description

    This quiz delves into the advanced configurations of the Sophos Firewall, focusing particularly on the Intrusion Prevention System (IPS). Understand how IPS examines and blocks malicious content across various network zones. Test your knowledge and mastery of Sophos Firewall version 1.0v1 configurations.
