Sophos Firewall DoS Protection Overview

Questions and Answers

What is the primary purpose of configuring DoS policies?

• To establish firewall rules for IPv6
• To configure rate limits for different attack types (correct)
• To prioritize traffic based on type
• To monitor network bandwidth usage

What must be specified when configuring each attack type in a DoS policy?

• The duration of the attack
• The IP addresses of potential attackers
• The packets per second limit and its scope (correct)
• The protocol type being used

Which of the following statements regarding DoS rules is true?

• DoS rules are only effective against SYN flood attacks
• A single DoS policy can be referenced in multiple DoS rules (correct)
• DoS rules can be applied to both IPv4 and IPv6 traffic
• The order of DoS rules does not affect how they are evaluated

What is the significance of the rule position in DoS rules?

It affects the evaluation order of the rules (B)

Which section of the DoS rule configuration specifies the type of traffic to apply the policy to?

Options section (B)

What does DoS protection primarily aim to achieve when configured on the Sophos Firewall?

Blocking denial-of-service attacks (C)

When DoS protection is enabled on the Sophos Firewall, how is it applied to traffic?

To all traffic regardless of its source or destination (A)

What potential issue may arise when using strict DoS protection rules?

False positives affecting legitimate outgoing traffic (D)

What is recommended when configuring DoS rules on the Sophos Firewall for best outcomes?

Targeting specific traffic to optimize protection (D)

What is a common misconception about the behavior of DoS protection on the Sophos Firewall?

It can only protect against incoming threats (C)

What is the purpose of configuring Advanced DoS protection rules?

To manage different traffic types with tailored rules (B)

Which command syntax is correctly used to create a DoS policy?

system dos-config add dos-policy policy-name [SYN-Flood pps] (A)

What is a key feature of the traffic tracking methods for DoS protection?

Traffic from each source IP and to each destination IP can be tracked separately (B)

In Advanced DoS protection, what aspect can be refined for targeted configuration?

Specific protocols and port numbers of the traffic (D)

What is required to configure Advanced DoS protection for Sophos Firewall?

Console access to execute configuration commands (C)

Flashcards

DoS Protection

A security feature that protects network resources from denial of service attacks by filtering out malicious traffic.

Denial of Service (DoS) Attack

A type of attack that aims to make a service unavailable to legitimate users by overwhelming it with requests.

False Positive

A situation where a network security rule mistakenly blocks legitimate traffic due to its strictness.

Bidirectional Traffic

Traffic that originates from the same network and travels in both directions.

Targeted DoS Rules

The ability to configure DoS rules specifically for certain traffic, providing more granular protection.

Advanced DoS Protection

A feature in Sophos Firewall that allows you to configure more specific rules for DoS protection.

DoS Policy

A set of limits that are applied to specific attack types. For example, you can limit the number of SYN packets per second (pps) for a SYN flood attack.

DoS Policy Types

Types of DoS policies: "per-src": Each source IP is tracked separately. "per-dst" :Each destination IP is tracked separately. "global": All traffic is considered together.

Configuring DoS Policies

A way to configure policies that define the limits for each attack type. For example, you could set a limit for SYN flood attacks, UDP flood attacks, ICMP flood attacks, or IP flood attacks.

DoS Rules

A set of rules that define which traffic the DoS policy is applied to.

DoS Rule

Used to configure the traffic that a DoS policy is applied to. This rule specifies the source, destination, protocols, and ports to which the DoS policy should be applied.

Packets per Second Limit

The rate limit that a DoS policy applies to a specific attack type, controlling the number of packets per second allowed.

Per Source, Per Destination, Global

A setting in a DoS policy that determines whether packets per second limits are applied to individual sources, destinations, or globally.

Rule Position

Specifies the order in which DoS rules are evaluated. Rules higher up in the list are evaluated before those lower down.

Study Notes

Sophos Firewall DoS Protection

• Sophos Firewall DoS protection is configured globally for all traffic when enabled in the WebAdmin
• Advanced DoS protection consists of DoS policies and DoS rules
• DoS policies set limits for each attack type (e.g., SYN flood, UDP flood, ICMP flood, IP flood)
• DoS rules specify which traffic the DoS policy applies to
• Advanced DoS configuration requires using packets per second (PPS) calculations
• PPS calculations need software details like concurrent connections, protocol, transaction size, and frequency

Additional Information

• Copyright: 2022 Sophos Limited. All rights reserved.
• No unauthorized reproduction allowed without prior written consent.
• Sophos and the Sophos logo are registered trademarks of Sophos Limited
• Other names, logos, and marks in the document might belong to other trademark holders

DoS Protection Configuration

• DoS protection is enabled/configured in the WebAdmin
• Applies to all traffic irrespective of source or destination
• While providing maximum protection, it can cause false positives in complex networks due to bidirectional traffic (outgoing traffic may be blocked)
• Advanced configuration allows targeting specific protocols, ports, zones, interfaces, networks ensuring relevant traffic is safe

DoS Policies

• Configure limits for each attack type
• Examples: SYN flood, UDP flood, ICMP flood, IP flood
• Each attack type's limit is configurable: packets per second (pps) with options per-source, per-destination, or global

DoS Rules

• Configure which traffic to apply the DoS policy to
• Available only for IPv4 addressing
• Rules are evaluated from top to bottom
• Configured via command-line interface or GUI
• Allows selecting traffic and parameters like source IP/zone/interface, destination IP/zone/interface, protocol, and ports.
• Only one DoS policy can be assigned to a DoS rule

Example Scenarios

• VoIP service, game servers: require separate rules due to different traffic flow direction and protection needs (inbound and outbound).
• Protection of specific network zones, interfaces, and protocols, using rules for inbound/outbound traffic
• Example policy: "UDP-GameServers" policy to protect 10000 PPS per-source UDP-flood

PPS Calculation

• Needed for advanced DoS policy configuration
• Factors include max transactions/second, packet size, concurrent connections, and transaction frequency
• Detailed calculation example in supplemental material
• Use calculated PPS values in DoS policy creation