Sophos Firewall DoS Protection PDF

Summary

This document provides a detailed guide on configuring DoS (Denial-of-Service) protection on Sophos firewalls. It covers policies, rules, and calculation methods (including PPS) for advanced DoS configurations.

Full Transcript


Advanced Sophos Firewall DoS Protection
Sophos Firewall Version: 19.0v1
Sophos Firewall FW2515: Advanced Sophos Firewall DoS Protection, April 2022, Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Sophos Firewall DoS Protection

In this chapter you will learn how to configure DoS rules on the console that can target specific traffic.

Recommended knowledge and experience: Configuring Denial of Service (DoS) protection
Duration: 8 minutes

DoS Protection

When DoS protection (denial-of-service) is enabled and configured in the WebAdmin, it is applied to all traffic regardless of its source or destination. While this behaviour provides maximum protection, it is not optimized for all networks and can cause false positives in certain environments. For example, if the same type of traffic traverses the edge in multiple directions, valid outgoing traffic may be caught by DoS protection because stricter rules are needed to keep the incoming traffic safe.
Advanced DoS Protection

[Diagram: WAN zone with a VoIP service, the Internet and a gamer; UDP VoIP traffic from the LAN zone (172.16.16.0/24) to the WAN; UDP gaming traffic from the WAN to the game servers in the DMZ zone (10.0.1.0/24), all passing through the Sophos Firewall]

In cases where the incoming and outgoing traffic need different rules to keep the network safe while keeping the traffic flowing, Advanced DoS protection rules need to be configured. In these instances DoS protection can be configured more selectively to act on traffic that comes from specific zones, interfaces or networks and is destined for selected networks. The DoS protection can be further refined to specific protocols and port numbers. This targeted approach to configuring DoS protection allows administrators to enable protection where it is needed without unintentionally impacting other traffic.

DoS Policies

Configure limits for each attack type. Create one or more DoS policies.

Here is the syntax for creating a policy (placeholders are shown in angle brackets):

system dos-config add dos-policy policy-name <name> [SYN-Flood <rate> pps <per-src|per-dst|global>] [UDP-Flood <rate> pps <per-src|per-dst|global>] [ICMP-Flood <rate> pps <per-src|per-dst|global>] [IP-Flood <rate> pps <per-src|per-dst|global>]

per-src: traffic from each source IP is tracked separately for flooding
per-dst: traffic to each destination IP is tracked separately for flooding
global: all traffic is considered together

Advanced DoS protection can only be configured via the console, and there are two parts to configuring it: policies, which set the limits for each attack type, and rules, which set which traffic the policy is applied to. We will start by looking at the policy configuration.

DoS policies are used to configure the rate limits for each of the attack types you want to protect against, and the first step in configuring advanced DoS is to configure one or more DoS policies that will be used in the DoS rules. A DoS policy can be used in multiple DoS rules.
Here you can see the syntax for creating the policy, which may look complicated at first glance but is straightforward when you break it down. The first section is the command to add the policy and sets the policy name that will be used to reference it in the rule. The rest of the command is the same syntax repeated four times, once for each attack type: SYN flood, UDP flood, ICMP flood and IP flood. You must configure one or more attack types in the policy, and for each attack type you configure you specify the packets-per-second limit and whether that limit is per source, per destination or global.

DoS Rules

Configure which traffic the DoS policy is applied to. Only available for IPv4.

Here is the syntax for creating a DoS rule (placeholders are shown in angle brackets):

system dos-config add dos-rule rule-name <name> [options] [rule-position <position>] dos-policy <policy-name>

Options and their parameters:
srcip <ip> [netmask <mask>]
src-zone <zone>
src-interface <interface>
dstip <ip> [netmask <mask>]
protocol tcp [dst-port <port>]
protocol udp [dst-port <port>]
protocol icmp [icmptype <type> [icmpcode <code>]]
protocol ip [protonumber <number>]

The DoS rules define which traffic the Sophos Firewall should apply the DoS policy to. Please note that advanced DoS rules can only be configured for IPv4. The table above shows the options that are available for selecting the traffic and the parameters you can use with each; you can use one or more of these options. The first part is the command for creating the rule and sets the rule name. The second part contains the options that select the traffic. DoS rules are evaluated from top to bottom, so you can optionally configure the position of the rule relative to other rules. The final part of the rule selects which policy will be applied to the selected traffic.
You can only use a single policy in a DoS rule.

Example Scenario

[Diagram: WAN zone with a VoIP service, the Internet and a gamer; UDP VoIP traffic from the LAN zone (172.16.16.0/24) to the WAN; UDP gaming traffic from the WAN to the game servers in the DMZ zone (10.0.1.0/24), all passing through the Sophos Firewall]

Let’s look at an example of how this can be used. Here we have a company that uses a cloud VoIP (Voice over IP) service for its phone calls, which are made from the LAN. The company sells game server hosting, with all the game servers being in the DMZ. Both the VoIP service and the game server traffic are UDP. The game servers need to be protected from denial-of-service attacks, but the outbound VoIP traffic from the LAN does not.

Example DoS Policy

Create a policy to protect against UDP flood attacks:

system dos-config add dos-policy policy-name UDP-GameServers UDP-Flood 10000 pps per-src

Console session:

console> system dos-config add dos-policy policy-name UDP-GameServers UDP-Flood 10000 pps per-src
console>
console> system dos-config show dos-policies
DoS Policy : UDP-GameServers
UDP Flood : 10000 PPS per_src
console>

First we create a DoS policy called ‘UDP-GameServers’ that protects against UDP-Flood attacks by limiting the number of UDP packets per second from each source to ten thousand.
Example DoS Rule

Create a rule for UDP traffic from the WAN zone to the DMZ network:

system dos-config add dos-rule rule-name WAN-to-DMZ-UDP src-zone WAN dstip 10.0.1.0 netmask 255.255.255.0 protocol udp dos-policy UDP-GameServers

Console session:

console> system dos-config add dos-rule rule-name WAN-to-DMZ-UDP src-zone WAN dstip 10.0.1.0 netmask 255.255.255.0 protocol udp dos-policy UDP-GameServers
console>
console> system dos-config show dos-rules
DoS Rule : WAN-to-DMZ-UDP
Position : 1
Destination : 10.0.1.0/255.255.255.0
Source Zone : WAN
Protocol : udp
DoS Policy : UDP-GameServers
console>

The next step is to create a DoS rule that applies the ‘UDP-GameServers’ policy to traffic that is coming from the WAN zone and going to the DMZ network 10.0.1.0/24. When running the command, no confirmation is displayed that it has completed. You can use the system dos-config show dos-rules command to confirm the configuration has been applied. To delete a rule, use the system dos-config delete dos-rules command.

Calculating PPS for Advanced DoS Policies

What do you need to know in order to calculate what PPS to use for an advanced DoS policy? Please review the PPS example in the supplemental document, then view the scenario in the next slide.

PPS Calculation Example

Protect a server with a per-source DoS policy.

[Diagram: client with the default MTU, the Sophos Firewall and an application server; the application operates over TCP, performs a maximum of 9 transactions per second, and transactions require up to 2 KB]

You have an application server that you want to protect against DoS attacks. You are going to configure an advanced DoS policy per-source.
The application server uses TCP, and each transaction with a client will require up to 2 KB of data. The client can perform a maximum of 9 transactions per second. You estimate that there will be 200 concurrent connections. What DoS policy do you create?

PPS Calculation Example

Default MTU: 1,500 (MSS: 1,460)
2 KB transaction size x 1,024 = 2,048 bytes
2,048 / 1,460 = 1.4 packets per transaction; round up to 2 packets per transaction
9 transactions per second x 2 packets per transaction = 18 packets per second

The protocol is TCP, so use IP-Flood:

system dos-config add dos-policy policy-name PPS-Example-Policy IP-Flood 18 pps per-src

Apply the policy to specific servers or networks:

system dos-config add dos-rule rule-name PPS-Example-Rule src-zone WAN dstip 10.0.1.0 netmask 255.255.255.0 protocol tcp dos-policy PPS-Example-Policy

Chapter Review

Here are the three main things you learned in this chapter.

When denial-of-service, or DoS, protection is configured in the WebAdmin it is applied globally for all traffic.

Advanced DoS is made up of DoS policies and DoS rules. DoS policies configure limits for each attack type. DoS rules configure which traffic the DoS policy is applied to.

Advanced DoS configuration requires you to use packets-per-second, or PPS.
To calculate this, you need to know details of the software such as how many concurrent connections there will be, the protocol used, and the size and frequency of transactions.
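As an added example (not part of the Sophos course), the following Python helper carries the PPS calculation from the example above through for the course's own values (2 KB transactions, 9 transactions per second, MSS 1,460) and emits the matching policy and rule commands. It also generalizes to per-dst and global scopes by multiplying the per-client rate by the expected number of concurrent connections; that aggregation and the mapping of UDP and ICMP to their flood types are assumptions, not statements from the course.

```python
import math

# Attack type to use per protocol. TCP -> IP-Flood follows the course
# (SYN-Flood only counts SYNs); UDP and ICMP mappings are assumptions.
ATTACK_TYPES = {"tcp": "IP-Flood", "udp": "UDP-Flood", "icmp": "ICMP-Flood"}
SCOPES = ("per-src", "per-dst", "global")


def packets_per_transaction(transaction_kb: float, mss: int = 1460) -> int:
    """Whole MSS-sized packets needed for one transaction (1 KB = 1,024 bytes)."""
    payload_bytes = transaction_kb * 1024
    return math.ceil(payload_bytes / mss)  # 2,048 / 1,460 = 1.4 -> 2


def policy_pps(transaction_kb: float, tps: int, scope: str = "per-src",
               concurrent: int = 1, mss: int = 1460) -> int:
    """Packets per second the legitimate workload needs under the given scope.

    per-src tracks each source separately, so a single client's rate is the
    limit. per-dst and global count every source together, so (assumption)
    the limit is scaled by the expected number of concurrent connections.
    """
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    per_client = packets_per_transaction(transaction_kb, mss) * tps
    return per_client if scope == "per-src" else per_client * concurrent


def policy_command(name: str, protocol: str, pps: int, scope: str = "per-src") -> str:
    """Build the console command for a single-attack-type DoS policy."""
    attack = ATTACK_TYPES[protocol]  # KeyError for a protocol not in the table
    return f"system dos-config add dos-policy policy-name {name} {attack} {pps} pps {scope}"


def rule_command(name: str, src_zone: str, dst_net: str, netmask: str,
                 protocol: str, policy: str) -> str:
    """Build the console command for a DoS rule matching zone, network and protocol."""
    return (f"system dos-config add dos-rule rule-name {name} src-zone {src_zone} "
            f"dstip {dst_net} netmask {netmask} protocol {protocol} dos-policy {policy}")


if __name__ == "__main__":
    pps = policy_pps(2, 9)  # course example: 18 pps per source
    print(policy_command("PPS-Example-Policy", "tcp", pps))
    print(rule_command("PPS-Example-Rule", "WAN", "10.0.1.0", "255.255.255.0",
                       "tcp", "PPS-Example-Policy"))
    # Same workload under a per-dst policy for 200 concurrent clients
    print(policy_command("PPS-Example-Dst", "tcp", policy_pps(2, 9, "per-dst", 200), "per-dst"))
```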
