Sophos Firewall Device Access Guide PDF

Summary

This document is a transcript of a Sophos training chapter on configuring device access on Sophos Firewall. It covers securing administrative access (WebAdmin, User Portal, CLI over SSH with public key authentication), the zone-based local service ACL and local service ACL exception rules, and when a CAPTCHA is required for login.

Full Transcript


Considerations for Configuring Device Access on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW1555: Considerations for Configuring Device Access on Sophos Firewall
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Considerations for Configuring Device Access on Sophos Firewall - 1

Chapter Introduction
In this chapter you will learn how to secure administrative access to Sophos Firewall and configure when CAPTCHA is required for login.
Recommended knowledge and experience: using the Device Access page to manage the zones which are allowed access to Admin services.
Duration: 10 minutes

WebAdmin
Default IP address: 172.16.16.16 (/24)
Port: 4444
WebAdmin URL: https://DeviceIP:4444

The Sophos Firewall can be accessed in multiple ways; the preferred method for most administrative tasks is to use the WebAdmin.
By default, the device's IP address will be 172.16.16.16, and the WebAdmin on a Sophos Firewall runs on port 4444. So, to connect to the WebAdmin interface on a brand-new device you would connect to https://172.16.16.16:4444. The default administrator username is admin, and the password for this account is set as part of the initial setup.

User Portal
URL: https://

There is also a User Portal, which can be accessed using HTTPS on port 443.

Command Line Interface (CLI) (additional information in the notes)
Access: SSH or console
Default credentials: username admin, password admin (changed as part of the initial setup wizard)

Although the Sophos Firewall is managed through a web interface, it also has a command line interface (CLI) that is accessible through SSH or a console connection. You may want to use the CLI to change the IP address of the management port to be in your LAN IP range so that you can connect to the WebAdmin to complete the initial setup wizard. To log in to the CLI, use the password of the built-in 'admin' user. The default admin password is 'admin'; you change this as part of the initial setup wizard.

[Additional Information]
Console connection parameters:
    Baud rate or speed: 38,400
    Data bits: 8
    Stop bits: 1
    Parity and flow control: None or 0

SSH Public Key Authentication (additional information in the notes)
Authenticate SSH access using keys
Supported algorithms: RSA, DSA, ECDSA
Key lengths: 1024, 2048, 4096
Logged in /log/sshd.log

For deployments where multiple administrators will have access to the CLI, public key authentication can be used for SSH access. This provides access without needing to share the admin password, and the public keys of multiple users can be uploaded.
This also allows for better logging and auditing, as changes and actions will not all show as performed by 'admin'. Keys can be created using a tool such as PuTTY Key Generator on Windows, or ssh-keygen on Linux. Sophos Firewall supports RSA, DSA and ECDSA keys of 1024, 2048 and 4096 bits in length. When the SSH connection is authenticated using keys, the thumbprint of the key is logged in sshd.log together with the IP address that the connection was initiated from. Here you can see a key that has been generated using PuTTY. The Public Key Authentication section of Administration > Device access is used to add the public keys. To access the CLI, the corresponding private key must be entered in the SSH tool.

[Additional Information]
Example log extract from /log/sshd.log:
    Jul 20 09:20:45 Child connection from 172.16.16.10:49634
    Jul 20 09:20:45 Pubkey auth succeeded for 'admin' with key sha1!! cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05 from 172.16.16.10:49634

Zone-Based ACL
Device access allows an administrator to define which services are allowed or available in which zones. The default settings in device access allow minimal services in the WAN zone while allowing most services in the LAN and WiFi zones. Best practice dictates that any service that is not needed should be disabled in every zone in which it will not be used. Services are grouped into four categories:
- Admin services, for administrative access to the Sophos Firewall.
- Authentication services, for clients to authenticate themselves with the Sophos Firewall.
- Network services, for clients to PING the firewall and use it as a DNS server.
- Other services, which covers various further services including wireless and VPN services, access to the User Portal, routing, proxy services, mail, and SNMP.
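The notes on SSH public key authentication above point out that logging the key thumbprint and source address is what makes per-administrator auditing possible when everyone logs in as 'admin'. The following Python script is an added example, not part of the Sophos course material: it parses sshd.log lines in the format of the extract quoted above, maps each logged fingerprint to the administrator who uploaded that key, and reports logins with fingerprints not in the inventory or from outside the expected management segment. The inventory (KNOWN_KEYS), the management network (172.16.16.0/24) and all log lines except the two quoted in the notes are constructed for this example; the exact log format of other firmware versions is not covered by the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. The first two lines are the extract quoted in the course notes;
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
Jul 20 09:20:45 Child connection from 172.16.16.10:49634
Jul 20 09:20:45 Pubkey auth succeeded for 'admin' with key sha1!! cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05 from 172.16.16.10:49634
Jul 20 11:02:17 Child connection from 172.16.16.25:40122
Jul 20 11:02:17 Pubkey auth succeeded for 'admin' with key sha1!! 3f:a2:91:0c:7d:5e:44:b8:e1:29:6a:fd:83:15:c0:97:2b:68:d4:1e from 172.16.16.25:40122
Jul 20 14:37:50 Child connection from 172.16.16.31:60211
Jul 20 14:37:50 Pubkey auth succeeded for 'admin' with key sha1!! 9e:04:b7:61:2a:c8:f3:0d:55:e9:71:1c:86:4f:da:30:b2:6e:19:c7 from 172.16.16.31:60211
Jul 20 23:48:03 Child connection from 192.168.77.9:55010
Jul 20 23:48:03 Pubkey auth succeeded for 'admin' with key sha1!! 3f:a2:91:0c:7d:5e:44:b8:e1:29:6a:fd:83:15:c0:97:2b:68:d4:1e from 192.168.77.9:55010
"""

# Hypothetical key inventory: fingerprint as logged -> administrator who uploaded the key.
KNOWN_KEYS: Dict[str, str] = {
    "cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05": "alice",
    "3f:a2:91:0c:7d:5e:44:b8:e1:29:6a:fd:83:15:c0:97:2b:68:d4:1e": "bob",
}

# Hypothetical management segment from which CLI access is expected (e.g. the one an ACL exception permits).
MGMT_NETWORKS = [ipaddress.ip_network("172.16.16.0/24")]

# Matches the "Pubkey auth succeeded" line as shown in the course notes: 20-byte SHA-1 thumbprint
# in colon-separated hex, followed by the source address and port.
PUBKEY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"Pubkey auth succeeded for '(?P<user>[^']+)' with key "
    r"(?P<algo>\w+)!! (?P<fp>(?:[0-9a-fA-F]{2}:){19}[0-9a-fA-F]{2}) "
    r"from (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)$"
)


@dataclass
class KeyLogin:
    timestamp: str
    fingerprint: str
    source_ip: str
    owner: Optional[str]        # None when the fingerprint is not in the inventory
    from_mgmt_network: bool


def parse_pubkey_logins(log_text: str, known_keys: Dict[str, str], mgmt_networks) -> List[KeyLogin]:
    """Extract every successful public key login and attribute it to a known administrator."""
    logins: List[KeyLogin] = []
    for line in log_text.splitlines():
        m = PUBKEY_RE.match(line)
        if not m:
            continue  # "Child connection" and other events carry no key identity
        fp = m.group("fp").lower()
        ip = ipaddress.ip_address(m.group("ip"))
        logins.append(KeyLogin(
            timestamp=m.group("ts"),
            fingerprint=fp,
            source_ip=str(ip),
            owner=known_keys.get(fp),
            from_mgmt_network=any(ip in net for net in mgmt_networks),
        ))
    return logins


def findings(logins: List[KeyLogin]) -> List[str]:
    """Report logins worth a second look: unknown keys, and known keys used from unexpected networks."""
    out: List[str] = []
    for login in logins:
        if login.owner is None:
            out.append(f"{login.timestamp}: key {login.fingerprint} from {login.source_ip} is not in the inventory")
        if not login.from_mgmt_network:
            who = login.owner or "unknown key"
            out.append(f"{login.timestamp}: {who} logged in from {login.source_ip}, outside the management networks")
    return out


if __name__ == "__main__":
    for login in parse_pubkey_logins(SAMPLE_LOG, KNOWN_KEYS, MGMT_NETWORKS):
        print(f"{login.timestamp}  {login.owner or '?':<8} {login.source_ip}")
    for line in findings(parse_pubkey_logins(SAMPLE_LOG, KNOWN_KEYS, MGMT_NETWORKS)):
        print("FINDING:", line)
```

Keeping the fingerprint inventory as the source of truth (rather than the 'admin' username that every login shares) is what turns the sshd.log entries into an audit trail; the same script can be pointed at a log export to review who connected from where.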
Local Service ACL Exceptions
Select: position (Bottom or Top); Source Network/Host and Destination Host; Services

The Device access page also allows you to create local service ACL exception rules. These rules let an administrator allow or deny access to specific services for specific hosts or networks. You begin by adding a name for the rule and then selecting whether the rule should be placed at the bottom or top of the existing list of rules. A device access ACL applies to either IPv4 or IPv6; if you want to cover both, you need to create separate rules. Select the network zone from which the traffic or requests will be originating, and the source networks or hosts within the zone that are going to be allowed or blocked. Select the services that the ACL will apply to, and finally, select whether this is an accept or drop rule.

Local Service ACL Exception Rules
This shows the ACL exception rules with the newly created one placed at the bottom. These rules are processed in order and override the Local Service ACL rules.

Securing Administrative Access
The default Device Access settings allow anyone in the LAN zone to access the login page for the WebAdmin and to connect to the SSH login. Based on the default configuration of the device access section, if you were to lock down the Sophos Firewall, what would you change?

The default Device Access settings allow anyone in the LAN zone to access the login page for the WebAdmin if they know the address, and then to connect to the SSH login. What could be done on the Sophos Firewall in order to secure these connections, assuming that you would like to allow access to the WebAdmin or SSH through the LAN zone?
Securing Administrative Access
- Disable zone-based access to admin services
- Create specific ACL exception rules to allow access to admin services from specific network segments/hosts
- Optionally create ACLs on managed switches or routes for the admin services
- Disable unnecessary services in zones
- Disable PING where possible to help prevent discovery and probing
- Remove SMTP relay and SNMP from any zone that does not require it

The simplest step to take is to disable the zone-based access to admin services and to only allow access using targeted ACL exception rules. Create specific ACL exception rules to allow access to admin services from specific network segments/hosts. In addition, you could create ACLs on managed switches to control access to the admin services. You should disable unnecessary services in each zone. Disable PING where possible to help prevent discovery and probing. Remove SMTP relay and SNMP from any zone that does not require it.

CAPTCHA Configuration
We do not recommend disabling CAPTCHA in the WAN zone.

Sophos Firewall displays a CAPTCHA on the WebAdmin and User Portal login pages when they are being accessed from the WAN zone and the VPN zone. This has been found to be very effective in preventing automated attacks against the User Portal and WebAdmin. Disabling CAPTCHA in the WAN zone is not recommended.
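The Local Service ACL Exceptions slides and the Securing Administrative Access recommendations above describe one evaluation model: a zone-based ACL that allows a set of services per zone, plus exception rules that apply to one address family, are placed at the top or bottom of the list, are processed in order, and override the zone ACL. The Python model below is an added example, not Sophos code, that makes that logic explicit and then expresses the recommended lock-down in it: admin services removed from the LAN zone ACL and re-allowed only from a management range through an exception rule. It assumes first-match semantics for the ordered exception list (the page says only "processed in order"); the service names, the zone allow lists in default_like_policy (a rough illustration of "most services in LAN, minimal in WAN", not the product's exact defaults) and the 172.16.16.0/28 management range are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ExceptionRule:
    """One local service ACL exception rule as described on the Device access page."""
    name: str
    ip_version: int          # 4 or 6: a rule covers one address family; use two rules for both
    zone: str                # zone the request originates from
    sources: List[str]       # source networks/hosts in CIDR notation
    services: Set[str]
    action: str              # "accept" or "drop"

    def matches(self, zone: str, ip, service: str) -> bool:
        if ip.version != self.ip_version or zone != self.zone or service not in self.services:
            return False
        return any(ip in ipaddress.ip_network(src, strict=False) for src in self.sources)


@dataclass
class DeviceAccessPolicy:
    zone_services: Dict[str, Set[str]]                 # zone-based local service ACL
    exceptions: List[ExceptionRule] = field(default_factory=list)

    def add_exception(self, rule: ExceptionRule, position: str = "bottom") -> None:
        """Place the rule at the top or bottom of the exception list, as the UI offers."""
        if position == "top":
            self.exceptions.insert(0, rule)
        else:
            self.exceptions.append(rule)

    def decide(self, zone: str, source_ip: str, service: str) -> Tuple[str, str]:
        """Return (action, reason). Exceptions are checked in order and the first match
        overrides the zone ACL (first-match is an assumption of this model)."""
        ip = ipaddress.ip_address(source_ip)
        for rule in self.exceptions:
            if rule.matches(zone, ip, service):
                return rule.action, rule.name
        allowed = service in self.zone_services.get(zone, set())
        return ("accept" if allowed else "drop"), "zone ACL"


def default_like_policy() -> DeviceAccessPolicy:
    """Loosely models the described defaults: most services in LAN, minimal in WAN (illustrative lists)."""
    return DeviceAccessPolicy({
        "LAN": {"HTTPS", "SSH", "Ping", "DNS", "User portal"},
        "WAN": {"User portal"},
    })


def hardened_policy(mgmt_sources: List[str]) -> DeviceAccessPolicy:
    """The lock-down recommended in the chapter: no zone-wide admin services or Ping,
    admin services allowed only from specific management hosts via an exception rule."""
    policy = DeviceAccessPolicy({
        "LAN": {"DNS", "User portal"},
        "WAN": {"User portal"},
    })
    policy.add_exception(
        ExceptionRule("Allow admin from mgmt", 4, "LAN", mgmt_sources, {"HTTPS", "SSH"}, "accept"), "top")
    return policy


def rule_order_matters() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Same two rules in both orders: whichever matches first decides, so placement is not cosmetic."""
    allow_mgmt = ExceptionRule("Allow mgmt", 4, "LAN", ["172.16.16.0/28"], {"HTTPS", "SSH"}, "accept")
    drop_all = ExceptionRule("Drop all LAN admin", 4, "LAN", ["0.0.0.0/0"], {"HTTPS", "SSH"}, "drop")
    narrow_first = DeviceAccessPolicy({"LAN": set()})
    narrow_first.add_exception(drop_all)
    narrow_first.add_exception(allow_mgmt, "top")      # specific accept above the broad drop
    broad_first = DeviceAccessPolicy({"LAN": set()})
    broad_first.add_exception(allow_mgmt)
    broad_first.add_exception(drop_all, "top")         # broad drop shadows the accept below it
    return (narrow_first.decide("LAN", "172.16.16.5", "SSH"),
            broad_first.decide("LAN", "172.16.16.5", "SSH"))


if __name__ == "__main__":
    hardened = hardened_policy(["172.16.16.0/28"])
    for src, svc in [("172.16.16.5", "HTTPS"), ("172.16.16.200", "HTTPS"), ("172.16.16.200", "Ping")]:
        print(f"LAN {src:<14} {svc:<6} -> {hardened.decide('LAN', src, svc)}")
    print("order matters:", rule_order_matters())
```

Running the model shows the effect the slide describes: with the defaults, any LAN host reaches the WebAdmin and SSH; after hardening, only the management range does, other LAN hosts fall through to the zone ACL and are dropped, and an IPv6 source is untouched by the IPv4 exception rule, which is why the page asks for separate IPv4 and IPv6 rules.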
CAPTCHA Configuration (additional information in the notes)
CAPTCHA can be enabled or disabled for the VPN and WAN zones together, or for just the VPN zone.

    console> system captcha-authentication-global show
    Captcha authentication status:
    Webadmin console: enabled
    User portal: enabled
    console> system captcha-authentication-vpn disable
    Captcha authentication serves as an extra security defense against scripted automated login attempts.
    Are you sure you want to disable captcha authentication when they are exposed on the VPN zone (Y/N) ? y
    Captcha authentication for the webadmin and user portal is disabled on the VPN zone
    console> system captcha-authentication-vpn enable
    Captcha authentication for the webadmin and user portal is enabled on VPN zone

You can enable and disable the CAPTCHA either globally, for both the WAN and VPN zones, or just for the VPN zone. You cannot disable CAPTCHA for just the WAN zone on its own. The configuration is managed via the console using the commands shown here.

[Additional Information]
    system captcha-authentication-global [show|enable|disable]
    system captcha-authentication-vpn [show|enable|disable]

CAPTCHA Configuration
CAPTCHA can be enabled or disabled for the User Portal and WebAdmin console separately or together. You can also optionally specify to enable or disable it for the User Portal or the WebAdmin by appending "for userportal" or "for webadminconsole" to the commands:

    console> system captcha-authentication-global disable for userportal
    Captcha authentication serves as an extra security defense against scripted automated login attempts.
    Are you sure you want to disable captcha authentication (Y/N) ? y
    Captcha authentication for the user portal is disabled
    console> system captcha-authentication-vpn show
    Captcha authentication status on the VPN zone:
    Webadmin console: enabled
    User portal: disabled
    console> system captcha-authentication-global enable for userportal
    Captcha authentication for the user portal is enabled

Chapter Review
Here are the three main things you learned in this chapter.
- Public key authentication can be configured for secure access to the CLI. This allows access without the need to share the admin password.
- Administrative access can be secured by disabling zone-based access to services and creating local service ACL exception rules to allow access to admin services from specific network segments/hosts.
- You can enable and disable the CAPTCHA either globally, for both the WAN and VPN zones, or just for the VPN zone. The configuration is managed via the console.
