Sophos Firewall IPS Configuration PDF

Summary

This document provides a guide on configuring IPS policies for the Sophos Firewall, version 1.0v1, for optimal performance. It covers topics such as intrusion prevention systems, IPS modules, and different policies.

Full Transcript


Advanced Sophos Firewall IPS Configuration
Sophos Firewall Version: 1.0v1

[Additional Information]
Sophos Firewall FW2510: Advanced Sophos Firewall IPS Configuration
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Sophos Firewall IPS Configuration - 1

In this chapter you will learn how to fine tune IPS configuration for the best performance.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring IPS policies, spoof protection, and denial-of-service protection

DURATION: 13 minutes

Advanced Sophos Firewall IPS Configuration - 2: Intrusion Prevention System (IPS)

- Intrusion Prevention System (IPS) focuses on examining traffic passing through the firewall for malicious content and blocking that traffic
- [Diagram: Computer - IPS Module - Internet]
- IPS should be fine tuned to work with the firewall policies

IPS, or Intrusion Prevention System, is a module that uses predefined rules to examine traffic passing through the Sophos Firewall for any malicious content. It is then able to block this content, log the events, and report back to the administrator.

Most people think of IPS as a system to protect against incoming attacks, but it is important to realize that IPS policies can be applied to any traffic passing through the Sophos Firewall. This could be WAN to LAN traffic, but it could also be LAN to DMZ or DMZ to LAN. Even LAN to LAN or VPN traffic can be examined.

There is a set of default policies that come with the Sophos Firewall and prevent network attacks for several common types of traffic. These are simply labeled and are ready for use right out of the box. You can also create custom policies with rules for scenarios that are not covered by the default rules. This may be due to compliance requirements or custom applications.

Advanced Sophos Firewall IPS Configuration - 3: FastPath Offloading

[Diagram: the DPI engine (App, TLS/SSL, IPS, AV, Web) sits on the SlowPath together with DoS, VPN, FW, Data Acquisition (DAQ), VPN and QoS; the FastPath carries only DoS, VPN, FW, VPN and QoS. Callout: application identified; IPS determines there are no files for AV to scan and that the flow is trustworthy.]

IPS is a fundamental component of the DPI engine and can offload traffic that is considered trustworthy. Offload can happen once the application has been identified and IPS has determined that there are no files for the AV engine to scan. FastPath can then skip AV scanning from that point forward, saving resources. After examining enough of the packet stream, the different security modules can decide that the traffic is trustworthy. At this point, the FastPath engine can further reduce the number of modules in use.

Advanced Sophos Firewall IPS Configuration - 4: FastPath Offloading

[Diagram: same module layout as the previous slide.]

Even though the traffic is considered trustworthy and the categorization and IPS decisions have been cached, traffic for the connection must still pass through the TLS module in order to keep traffic flowing.
Because of how TLS functions, if we were to suddenly offload the TLS, the other side of the connection would notice a change in the packet signing and end up dropping the connection. So, this is the final offload state of the connection. Firewalling and categorization decisions are still offloaded to the FastPath, but the DPI engine must still process the traffic due to its involvement in the cryptographic processing.

Advanced Sophos Firewall IPS Configuration - 5: Configuring IPS

- IPS can be used to inspect any traffic passing through the Sophos Firewall
- For optimal performance, be selective about which traffic is inspected
- Default IPS policies include a broad ruleset
- For optimal performance, create custom IPS policies based on the traffic being inspected

When configuring IPS there are two key things to keep in mind.

Firstly, do I need to inspect this traffic? To control which traffic is inspected, you may need to create additional firewall rules. Create more specific firewall rules, higher up the chain, for the traffic you do want to inspect.

Secondly, do I need all of these rules? The default IPS policies are very general in nature. For optimal performance, you should create a ruleset that is appropriate to the traffic you are inspecting. We will look at this in more detail throughout this chapter.

Advanced Sophos Firewall IPS Configuration - 6: Fine tuning IPS

- Default IPS policies cover a wide range of protocols
- Meant to offer good protection at the cost of performance

The IPS module is one of the most resource-intensive modules in the Sophos Firewall. Thanks to the Xstream Architecture and FastPath, some of the processing load can be bypassed; however, the work that still needs to be done is not optimized by default. The reason for this is that the default policies are designed to cover all possibilities and are not optimized for each customer's environment.

One of the easiest ways to fine tune IPS policies is to make sure that they are in line with the existing firewall policies. For example, if there is a firewall policy that only allows web traffic (HTTP, HTTPS, DNS, etc.), and it has the default LAN to WAN IPS policy applied, then the IPS engine is performing a lot of extra work for each packet that passes through the firewall. This is because the default policies are designed to scan for all common types of traffic including web, mail, FTP, database, ERP, and several other traffic types.

Also, all operating systems are covered in the rules, including Windows, Linux, Unix, Mac, Solaris, BSD, and an Other category. This can also be adjusted to ensure that only necessary signatures are being processed. For example, if the company has mostly Windows machines with a few Mac computers, then there would be no need to load signatures for Linux, Unix, BSD, or Solaris. While this ensures that the default policies cover all types of traffic that may pass through the system, they are not optimized for processing speed and thus can have an impact on performance.

Advanced Sophos Firewall IPS Configuration - 7: Creating a fine tuned IPS Policy

PROTECT > Intrusion prevention > IPS policies

To get started, first create a new IPS policy. This is done from PROTECT > Intrusion prevention > IPS policies. Add a name to identify the policy. The name is limited to fifteen characters including spaces. The description should be used to better identify the purpose of the policy.

Advanced Sophos Firewall IPS Configuration - 8: Fine Tuning IPS Policies

Ensure that you click Save once you have selected the rules to clone.

There is an option to clone an existing policy to bring in all the existing rules. When this information is filled in, click the Save button and it will take you back to the main screen. From there, edit the policy to begin adding or editing the rules.
Advanced Sophos Firewall IPS Configuration - 9: Fine Tuning IPS Policies

Select filter criteria from drop-down fields.

The IPS policy editor enables quick and easy selection of the desired IPS patterns, which helps you create the most efficient IPS policies and keep them current. Only the needed IPS signatures should be active, to save CPU and memory and reduce the IPS performance impact.

There are three types of IPS policy rule that can be created:
1. You can filter the signatures using pre-defined criteria
2. You can filter signatures using text-based smart filters
3. You can search for and select specific signatures to include

We will look at each of these in more detail. This first example of a policy rule filters the signatures using the pre-defined criteria in the drop-down fields, and because all the filtered signatures are selected, this rule will dynamically update to include new signatures when they are updated.

Advanced Sophos Firewall IPS Configuration - 10: Fine Tuning IPS Policies

Text-based smart filter (press Enter to add).

The second type of policy rule uses a text-based smart filter. The signatures are filtered using the text entered in the smart filter and all the matched signatures are selected. The smart filter cannot be used to select individual signatures; however, it can be combined with pre-defined criteria in the drop-down fields. This type of policy rule will also be dynamically updated with new signatures when they are added.

Advanced Sophos Firewall IPS Configuration - 11: Fine Tuning IPS Policies

In this last example, the option to Select individual signature is enabled. This type of policy rule will only include the selected signatures and will not dynamically update when new signatures are added.

Advanced Sophos Firewall IPS Configuration - 12: Fine Tuning IPS Policies

Filters can also be applied to the columns to help you identify the signatures you want to include in the policy rule when selecting individual signatures.
Advanced Sophos Firewall IPS Configuration - 13: Applying an IPS Policy

- Apply the IPS policy to the associated firewall network rule
- PROTECT > Rules and policies > Firewall rules
- Select the policy and scroll down to the ‘Other security features’ section

Once you have created a custom IPS policy, make sure to apply it to the associated firewall network rule by editing the existing rule and then scrolling down to the Other Security Features section. Click on the dropdown list for ‘Detect and Prevent Exploits (IPS)’ and select the IPS policy you would like to apply to the firewall rule. Make sure to save the rule using the Save button in the bottom left of the screen. It is important to note that each firewall policy should have its own custom IPS policy in order to fully optimize the IPS engine.

Advanced Sophos Firewall IPS Configuration - 14: IPS Tuning Example

Let's take a look at a simple example using a default installation of the firewall. Here we can see the default rules created by the startup wizard, with the default IPS policy called lantowan_general applied to the #Default_Network_policy firewall rule. As mentioned earlier, the default policies offer good protection but at the cost of processing speed. In this example, users browsing the web are complaining that accessing certain web pages is taking longer than they expect. You suspect that this is due to the general policy that IPS is currently using.

Advanced Sophos Firewall IPS Configuration - 15: IPS Tuning Example

To solve this, we need to first create a new IPS policy and then a firewall rule that targets the type of traffic. The IPS policy should be built with web-based protection in mind. By doing this, we can significantly reduce the number of signatures that are processed for any traffic that uses this policy. This brings us to the next step: creating a firewall rule to target the correct traffic.

This rule would be placed above the default rule and have the new IPS policy applied to it. By doing this, any web traffic will be caught by the new firewall rule and processed by the IPS policy with fewer signatures, resulting in a faster result. Any non-web traffic will proceed to the default firewall rule and be processed by the slower lantowan_general policy. While slower, it will still be scanned.

Advanced Sophos Firewall IPS Configuration - 16: IPS Tuning Example

The advantage of this method is that additional rules can be added at any time to further reduce the overhead of IPS, by creating rules and policies for any additional traffic that may be slowing down the system. The administrator can choose how granular or general to make the rules and policies based on the current situation.

Advanced Sophos Firewall IPS Configuration - 17: Strict Policy

- Set of protection policies that are enabled by default
- Used to check for common attacks that are easily detected and prevented
- When applied, the device drops specific traffic, specific attacks and other IP based attacks
- If false positives are detected and strict policy is suspected of blocking legitimate information, it can be disabled using the following command:
  console > set advanced-firewall strict-policy on/off
- NOTE: The command disables ALL policies included in the strict policy module

Strict policy is a set of protection policies that are enabled by default on the Sophos Firewall. Strict policy is used to check for common attacks that are easily detected and prevented. When strict policy is applied, the device drops specific traffic and attacks such as the Winnuke attack, Land attack, Zero IP Protocol, and various other IP based attacks against the firewall. If false positives are detected and strict policy is suspected to be blocking legitimate information, then it can be disabled.
To turn the strict policy on or off, in the console use the command:

set advanced-firewall strict-policy (on/off)

Please note that individual components of strict policy cannot be enabled or disabled. The command disables all policies included in the strict policy module.

Advanced Sophos Firewall IPS Configuration - 18: Chapter Review

- Default IPS policies are designed to cover a wide range of scenarios and are therefore not optimized
- Each firewall rule should have its own customized IPS policy that only includes the signatures for the services and hosts that will be using it
- When creating a new IPS policy you can clone rules from an existing policy to streamline the process

Here are the three main things you learned in this chapter. Default IPS policies are designed to cover a wide range of scenarios and are therefore not optimized. Each firewall rule should have its own customized IPS policy that only includes the signatures for the services and hosts that will be using it. When creating a new IPS policy you can clone rules from an existing policy to streamline the process.
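The following is an added worked example, not Sophos code and not the Sophos Firewall API. It models the two ideas the chapter ties together: the three IPS policy rule types (pre-defined criteria and smart filters select everything that matches and therefore pick up new signatures automatically, while individually selected signatures never change), and first-match firewall rule ordering, where a specific web rule placed above #Default_Network_policy sends web flows to a small custom policy and everything else to the broad lantowan_general policy. The signature catalog, IDs, names, category and platform fields, and port-based rule matching are all constructed simplifications for illustration.

```python
"""Toy model of Sophos Firewall IPS policy tuning (constructed example).

Not Sophos code: the signature catalog, IDs and names are invented, and
"category"/"platform" stand in for the drop-down criteria the policy
editor offers. Firewall rules are matched on destination port only.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str   # traffic type: web, mail, ftp, database, ...
    platform: str   # target OS: windows, linux, mac, bsd, ...


# Constructed sample catalog; every value here is invented.
CATALOG: List[Signature] = [
    Signature(1001, "HTTP malformed header", "web", "windows"),
    Signature(1002, "HTTP directory traversal attempt", "web", "linux"),
    Signature(1003, "SMTP command overflow", "mail", "windows"),
    Signature(1004, "MySQL authentication bypass", "database", "linux"),
    Signature(1005, "FTP bounce attempt", "ftp", "bsd"),
    Signature(1006, "HTTP suspicious user-agent", "web", "mac"),
]


@dataclass(frozen=True)
class CriteriaRule:
    """Type 1: pre-defined drop-down criteria. All matches are selected,
    so new signatures that match are picked up automatically (dynamic)."""
    categories: frozenset
    platforms: frozenset

    def select(self, catalog: Iterable[Signature]) -> List[Signature]:
        return [s for s in catalog
                if s.category in self.categories and s.platform in self.platforms]


@dataclass(frozen=True)
class SmartFilterRule:
    """Type 2: text-based smart filter, optionally combined with criteria.
    Also dynamic; it cannot pick individual signatures."""
    text: str
    categories: Optional[frozenset] = None
    platforms: Optional[frozenset] = None

    def select(self, catalog: Iterable[Signature]) -> List[Signature]:
        needle = self.text.lower()
        out = []
        for s in catalog:
            if needle not in s.name.lower():
                continue
            if self.categories is not None and s.category not in self.categories:
                continue
            if self.platforms is not None and s.platform not in self.platforms:
                continue
            out.append(s)
        return out


@dataclass(frozen=True)
class IndividualRule:
    """Type 3: explicitly selected signature IDs. Static: never grows."""
    sids: frozenset

    def select(self, catalog: Iterable[Signature]) -> List[Signature]:
        return [s for s in catalog if s.sid in self.sids]


@dataclass
class IPSPolicy:
    name: str
    rules: list = field(default_factory=list)

    def signatures(self, catalog: Iterable[Signature]) -> List[Signature]:
        """Union of every rule's selection, de-duplicated by signature ID."""
        chosen = {}
        for rule in self.rules:
            for s in rule.select(catalog):
                chosen[s.sid] = s
        return [chosen[k] for k in sorted(chosen)]


def new_custom_policy(name: str, rules: list) -> IPSPolicy:
    """Create a custom policy; the chapter limits the name to 15 characters
    including spaces, so that is enforced here for new policies."""
    if len(name) > 15:
        raise ValueError("IPS policy name is limited to 15 characters")
    return IPSPolicy(name, list(rules))


@dataclass
class FirewallRule:
    name: str
    ports: frozenset            # destination ports; empty means any
    ips_policy: Optional[IPSPolicy]


def match_firewall_rule(chain: List[FirewallRule], dst_port: int) -> Optional[FirewallRule]:
    """First match wins, evaluated from the top of the chain."""
    for rule in chain:
        if not rule.ports or dst_port in rule.ports:
            return rule
    return None


def signatures_for_flow(chain: List[FirewallRule], catalog: List[Signature], dst_port: int) -> int:
    """How many signatures the IPS engine loads for a flow to dst_port."""
    rule = match_firewall_rule(chain, dst_port)
    if rule is None or rule.ips_policy is None:
        return 0
    return len(rule.ips_policy.signatures(catalog))


# Broad default policy, every category and platform (stands in for lantowan_general).
ALL_CATEGORIES = frozenset(s.category for s in CATALOG)
ALL_PLATFORMS = frozenset({"windows", "linux", "unix", "mac", "solaris", "bsd", "other"})
general_policy = IPSPolicy("lantowan_general", [CriteriaRule(ALL_CATEGORIES, ALL_PLATFORMS)])

# Tuned policy for a mostly-Windows estate with a few Macs that only allows web out.
web_policy = new_custom_policy(
    "web_win_mac", [CriteriaRule(frozenset({"web"}), frozenset({"windows", "mac"}))])

# Specific web rule placed above the default rule, each with its own IPS policy.
CHAIN = [
    FirewallRule("LAN to WAN web", frozenset({80, 443, 53}), web_policy),
    FirewallRule("#Default_Network_policy", frozenset(), general_policy),
]

if __name__ == "__main__":
    for port in (443, 25):
        r = match_firewall_rule(CHAIN, port)
        print(port, "->", r.name, "/", r.ips_policy.name,
              len(r.ips_policy.signatures(CATALOG)), "signatures")
```

Running it shows a flow to port 443 hitting the web rule with 2 signatures loaded, while a flow to port 25 falls through to the default rule and is scanned against all 6; appending a new web signature to the catalog grows the criteria and smart-filter selections but leaves an IndividualRule selection unchanged, which is the dynamic-versus-static distinction the policy editor slides describe.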
