Security
You can configure security settings for Sophos Switch, such as DoS protection, 802.1X authentication, port security, and add and remove RADIUS and TACACS+ servers.
DoS
Sophos Switch can monitor and block denial-of-service (DoS) attacks. A DoS attack is network traffic intended to overwhelm a host and disrupt its connection to the network.
Select On or Off to turn DoS protection on or off. Select Not set to use the settings configured locally on the switch.
After turning DoS on or off, click Update to save your changes.
When you turn on DoS, the switch drops packets that match the following types of DoS attacks:
- Destination MAC equal to Source MAC: Drops traffic where the source and destination MAC addresses are the same.
- LAND Attacks Destination IP equal to Source IP (IPv4/IPv6): Drops packets where the source and destination IP addresses are the same.
- TCP Blat (Destination TCP Port equal to Source TCP Port): Drops TCP packets where the source TCP and destination TCP ports are the same.
  Note
  The Network Time Protocol (NTP) client sometimes uses the same source and destination port. When you turn on DoS protection, Sophos Switch detects it as a TCP Blat attack and drops the packets. We recommend turning off DoS protection if you're running older NTP clients that use the same source and destination ports.
- UDP Blat (Destination UDP Port equal to Source UDP Port): Drops UDP packets where the source UDP and destination UDP ports are the same.
- Ping of Death (IPv4/IPv6): Drops packets with a length larger than 64K Bytes through fragments.
- IPv6 Minimum Fragment (Bytes): Limits the minimum size of IPv6 fragments to 1240 Bytes.
- ICMP Fragments (IPv4/IPv6): Drops fragmented ICMP packets.
- IPv4 Ping Max Size: Limits the maximum length of an IPv4 ping packet to 512 bytes.
- IPv6 Ping Max Size: Limits the maximum length of an IPv6 ping packet to 512 bytes.
- Smurf Attack (Netmask Length): Limits the netmask length of broadcast ICMP packets to 24 (x.x.x.255).
- TCP Minimum Header Size (Bytes): Limits the minimum size of the TCP header to 20 Bytes.
- TCP-SYN: Drops TCP packets where the SYN flag is set, the ACK flag isn't set, and the source port is smaller than 1024.
- Null Scan: Drops TCP packets where no flags are set and the sequence number is zero.
- Xmas: Drops TCP packets with the sequence number zero and the FIN, URG, and PSH flags set.
- TCP SYN-FIN: Drops TCP packets with the SYN and FIN flags set.
- TCP SYN-RST: Drops TCP packets with the SYN and RST flags set.
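The list above reads as a set of header conditions, and the easiest way to check what a given packet would trip is to encode them. The following classifier is an added example written for this page, not Sophos Switch code: it takes a packet summary as a plain dict (constructed sample input, standing in for parsed headers) and returns the first signature it matches, in the order the list gives them. Ping of Death, IPv6 Minimum Fragment and Smurf need fragment reassembly or netmask context and are not modelled; the ICMP checks use a `fragment` flag and the 512-byte ping limits only.

```python
"""Reference classifier for the stateless DoS signatures listed on this page.
Added example, not Sophos Switch code. Packet dicts are constructed input."""

IPV4_PING_MAX = 512   # IPv4 Ping Max Size, as stated on the page
IPV6_PING_MAX = 512   # IPv6 Ping Max Size, as stated on the page
TCP_MIN_HEADER = 20   # TCP Minimum Header Size, as stated on the page


def _tcp_signature(pkt):
    flags = set(pkt.get("tcp_flags", ()))
    seq = pkt.get("seq")
    src, dst = pkt.get("src_port"), pkt.get("dst_port")
    if src is not None and src == dst:
        return "TCP Blat"
    if pkt.get("tcp_header_len", TCP_MIN_HEADER) < TCP_MIN_HEADER:
        return "TCP Minimum Header Size"
    # SYN set, ACK clear, source port below 1024
    if "SYN" in flags and "ACK" not in flags and src is not None and src < 1024:
        return "TCP-SYN"
    if not flags and seq == 0:
        return "Null Scan"
    if seq == 0 and {"FIN", "URG", "PSH"} <= flags:
        return "Xmas"
    if {"SYN", "FIN"} <= flags:
        return "TCP SYN-FIN"
    if {"SYN", "RST"} <= flags:
        return "TCP SYN-RST"
    return None


def _icmp_signature(pkt):
    if pkt.get("fragment"):
        return "ICMP Fragments"
    is_v4 = pkt["proto"] == "icmp"
    limit = IPV4_PING_MAX if is_v4 else IPV6_PING_MAX
    if pkt.get("len", 0) > limit:
        return "IPv4 Ping Max Size" if is_v4 else "IPv6 Ping Max Size"
    return None


def dos_signature(pkt):
    """Name of the first signature the packet matches, or None (forwarded)."""
    if pkt.get("src_mac") is not None and pkt["src_mac"] == pkt.get("dst_mac"):
        return "Destination MAC equal to Source MAC"
    if pkt.get("src_ip") is not None and pkt["src_ip"] == pkt.get("dst_ip"):
        return "LAND Attack"
    proto = pkt.get("proto")
    if proto == "tcp":
        return _tcp_signature(pkt)
    if proto == "udp":
        src = pkt.get("src_port")
        if src is not None and src == pkt.get("dst_port"):
            return "UDP Blat"
        return None
    if proto in ("icmp", "icmpv6"):
        return _icmp_signature(pkt)
    return None


def summarize(packets):
    """Count packets per signature; 'forwarded' counts packets that match none."""
    counts = {}
    for pkt in packets:
        key = dos_signature(pkt) or "forwarded"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic (not captured data): one clean SYN, one LAND
# packet, one UDP Blat and one SYN-FIN.
SAMPLE_PACKETS = [
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb", "proto": "tcp",
     "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "src_port": 40000, "dst_port": 443,
     "tcp_flags": ("SYN",)},
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb", "proto": "tcp",
     "src_ip": "10.0.0.2", "dst_ip": "10.0.0.2", "src_port": 40000, "dst_port": 443,
     "tcp_flags": ("SYN",)},
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb", "proto": "udp",
     "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "src_port": 123, "dst_port": 123},
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb", "proto": "tcp",
     "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "src_port": 40000, "dst_port": 22,
     "tcp_flags": ("SYN", "FIN")},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Because the checks are applied in list order and only the first hit is reported, a packet that satisfies several conditions (for example a SYN-FIN from a port below 1024) is reported under the earlier one; this mirrors how a single drop reason is typically logged, and the NTP note above is the kind of false positive such a port-equality check produces.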
802.1X
Sophos Switch supports 802.1X port-based network access control to authenticate users and devices using either a RADIUS or TACACS+ server.
Global settings
The Global settings tab is where you turn on or off 802.1X authentication. You can also manage guest VLAN assignments, set the guest VLAN ID, and select the authentication method.
You can configure the following global settings:
- Status: Select On or Off to turn 802.1X authentication on or off. Select Not set to use the settings configured locally on the switch.
- Guest VLAN: Select On or Off. You must select On to set a Guest VLAN ID. Select Not set to use settings configured locally on the switch.
- Guest VLAN ID: Select a VLAN from the list of defined VLANs.
- Authentication method: Select Local user, RADIUS, or TACACS+ from the drop-down list.
Configuration source shows the origin of the settings.
Click Update to save the settings or Clear to delete any unsaved changes.
Port settings
On the Port settings tab, you can configure the port settings and set authentication using 802.1X, MAC authentication bypass (MAB), or a combination of both. To configure MAB, see Configure MAC authentication bypass (MAB).
Select the ports you want to configure and click Edit.
You can configure the following options:
- Mode: Select the port mode from the following options:
  - Not set: Use the settings configured locally on the switch.
  - Auto: Turn on 802.1X authentication on the interface. When using Host-based for the Authentication mode, you must select Auto.
  - Force authorized: Block all unauthenticated traffic on the interface.
  - Force unauthorized: Allow all unauthenticated traffic on the interface.
- MAB mode: Select the MAB mode from the following options:
  - Not set: Use the settings configured locally on the switch.
  - MAB: Use MAB only.
  - Hybrid: Try to authenticate using 802.1X first. After three failed attempts, the switch uses MAB instead.
  - Disabled: Don't use MAB.
- Authentication mode: Select the authentication mode from the following options:
  - Not set: Use the settings configured locally on the switch.
  - Port based: Authenticate hosts connected to each port.
  - Host based: Authenticate all traffic on a single port.
- Maximum hosts: This setting only applies when Authentication mode is set to Host based. It sets the maximum number of hosts that can be connected to a port. Set a value from 1 to 10.
- Guest VLAN: Turn on or turn off Guest VLAN. You must turn it off when using Host-based for the Authentication mode.
- RADIUS VLAN assignment: Turn on or turn off RADIUS VLAN assignment. You must turn it off when using Host-based for the Authentication mode.
- Reauthentication: Turn on or turn off port reauthentication.
- Reauthentication period: The time, in seconds, before the port must reauthenticate. Set a value from 30 to 65535. The default is 3600.
- Quiet period: The time, in seconds, before the switch attempts to reauthenticate after a failed authentication attempt. Set a value from 0 to 65535. The default is 60.
- Supplicant period: This setting controls the frequency at which the switch sends EAP requests, in seconds. The switch sends three requests at this interval before switching to MAB. Set a value from 0 to 65535. The default is 30.
- Authorized status: Shows the authentication status of the specified port.
Configuration source shows the origin of the port settings.
Click Update to save the settings or Clear to delete any unsaved changes.
Authenticated host
The Authenticated host tab shows information about authenticated hosts.
Port security
On the Port security tab, you can limit the number of MAC addresses that the switch can learn on a specific port.
You can configure the following options:
- Port: The port to which the settings apply.
- Status: Select Enabled or Disabled to turn Port security on or off.
- Max number of MAC addresses: Enter the maximum number of MAC addresses the switch can learn on the specified port. The range is from 1 to 256.
Configuration source shows the origin of the port security settings.
Click Update to save the settings or Clear to delete any unsaved changes.
RADIUS server
You can use a RADIUS server to authenticate users accessing a network. The RADIUS server maintains a user database, which contains authentication information. The switch passes information to the RADIUS server to authenticate a user before authorizing network access.
You can configure the following options:
- Server ID: The ID of the RADIUS server.
- Server IP: The IP address of the RADIUS server.
- Authorized port: The port used for communicating with the RADIUS server. The default port is 1812.
- Shared secret: The string used for encrypting all RADIUS communication between the device and the RADIUS server.
- Timeout: The amount of time the device waits for an answer from the RADIUS server before switching to the next server. The default is 3.
- Retry: The number of transmitted requests sent to the RADIUS server before a failure occurs. The default is 3.
Configuration source shows the origin of the RADIUS server settings.
To create a new RADIUS server entry, click Add.
To delete RADIUS server entries, select the servers you want to remove and click Delete.
TACACS+ server
TACACS+ servers provide centralized authentication for network access. TACACS+ is used primarily for the administration of network devices.
You can configure the following options:
- Server IP: The IP address of the TACACS+ server.
- Priority: The priority of the TACACS+ server. The priority determines which server is contacted first for authentication when you have more than one TACACS+ server.
- Authorized port: The port that the server communicates on for authentication. The default port is 49.
- Shared secret: The encryption key that's configured on your TACACS+ server. This must match your TACACS+ server exactly.
- Timeout: The timeout in seconds. The timeout specifies the time that Sophos Switch waits for an authentication response before trying the next TACACS+ server in the list. The default is 5.
Configuration source shows the origin of the TACACS+ server settings.
To create a new TACACS+ server entry, click Add.
To delete TACACS+ server entries, select the servers you want to remove and click Delete.
MAC ACL & ACE
The MAC ACL & ACE tab shows the currently defined MAC-based ACLs.
MAC ACL
To add a new ACL, click Add, enter a Name, from 4 to 30 letters and numbers, and click Save.
You can see the following details for MAC ACLs:
- Profile name: The name of the ACL.
- Configuration source: Shows the source of the specified ACL's settings.
To delete ACLs, select the ACLs you want to remove and click Delete.
Note
If you try to delete an ACL that contains ACEs, you'll get a warning. You must either edit the ACEs and move them to another ACL or click Fix conflicts, select the entries to remove, and click Delete dependants to delete the ACEs along with the ACL.
MAC ACE
Access control entries (ACEs) are the rules that determine traffic classifications for access control lists (ACLs). You can define MAC address ACEs based on criteria, such as source and destination MAC addresses and masks, VLAN IDs, and quality of service (QoS).
The MAC ACE tab shows details of the MAC ACEs configured on your switch.
To create a new MAC ACE, click Add, configure the ACE, and click Save to save your settings.
To delete an ACE, select the ACEs you want to remove and click Delete.
To update an ACE's settings, click Edit.
You can configure the following settings:
- ACL name: The ACL the ACE belongs to.
- Sequence: The sequence number is the order in which the switch applies the ACE. Choose a value from 1 to 2147483647, with 1 being the first rule processed.
- Action: The action taken by the switch if a packet matches the criteria. Select Permit to forward traffic that matches the ACE criteria or Deny to drop it.
- VLAN ID: The VLAN ID to which the MAC address belongs. The range is from 1 to 4094. For any VLAN, leave the field empty.
- Source MAC address: The MAC address from which the traffic originates.
- Source MAC address mask: The wildcard mask for the source MAC address. You can use any combination of f and 0. f matches the specified bits exactly. 0 matches any bit. See Examples.
- Destination MAC address: The MAC address to which the traffic is sent.
- Destination MAC address mask: The wildcard mask for the destination MAC address. You can use any combination of f and 0. f matches the specified bits exactly. 0 matches any bit. See Examples.
- 802.1p value: 802.1p is a QoS priority standard. Select a value from 0 to 7. 0 is the lowest priority. See QoS.
- EtherType value: EtherType is a hexadecimal value that indicates the protocol used and is the basis of 802.1Q VLAN tagging. You can only use this option to filter Ethernet II-formatted packets. See EtherTypes.
Configuration source shows the source of the MAC ACE's settings.
Examples
Here are some examples of how to use MAC address wildcard masks.
Exact match
A MAC address of a1:b2:c3:d4:e5:66 with a wildcard mask of ff:ff:ff:ff:ff:ff only matches a1:b2:c3:d4:e5:66.
Partial match
A MAC address of a1:b2:c3:d4:e5:66 with a wildcard mask of ff:ff:ff:00:00:00 matches any MAC address starting with a1:b2:c3, regardless of what bits the last three octets contain.
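The two examples above are the extremes of the mask; since each hex digit of the mask is independently f or 0, a mask can also fix part of an octet. The code below is an added example for this page (not Sophos code) that applies the documented f/0 semantics nibble by nibble, rejects masks that use any other digit, and reproduces both cases above plus a mixed-nibble mask; the MAC addresses are the page's own sample values and constructed ones.

```python
"""Apply a MAC ACE wildcard mask with the f/0 semantics described above.
Added example for this page, not Sophos Switch code."""

HEX = "0123456789abcdef"


def _mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff (or dashes) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in HEX for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def _mask_to_int(mask):
    """A mask may only use f (compare these 4 bits) and 0 (ignore them)."""
    digits = mask.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "f0" for c in digits):
        raise ValueError(f"mask must be 12 hex digits using only f and 0: {mask!r}")
    return int(digits, 16)


def fixed_bits(mask):
    """Number of address bits the mask actually compares (4 per 'f')."""
    digits = mask.replace(":", "").replace("-", "").lower()
    _mask_to_int(mask)  # validate
    return 4 * digits.count("f")


def mac_matches(candidate, ace_mac, mask):
    """True if candidate equals ace_mac on every bit the mask marks with f.
    Masking both sides with AND is equivalent to the nibble-by-nibble rule."""
    m = _mask_to_int(mask)
    return (_mac_to_int(candidate) & m) == (_mac_to_int(ace_mac) & m)


if __name__ == "__main__":
    # The page's own two cases plus a mixed mask (constructed candidates).
    print(mac_matches("a1:b2:c3:d4:e5:66", "a1:b2:c3:d4:e5:66", "ff:ff:ff:ff:ff:ff"))
    print(mac_matches("a1:b2:c3:00:11:22", "a1:b2:c3:d4:e5:66", "ff:ff:ff:00:00:00"))
    print(mac_matches("a1:b2:c3:df:00:00", "a1:b2:c3:d4:e5:66", "ff:ff:ff:f0:00:00"))
```

A mask of ff:ff:ff:00:00:00 compares 24 bits, which is exactly the OUI, so that partial-match ACE is in effect a vendor filter; an ACE written with a mask of all 0s matches every frame, which is worth checking for before a Deny entry is saved.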
IPv4 ACL & ACE
The IPv4 ACL & ACE tab shows the IPv4-based ACLs configured on the switch.
IPv4 ACL
To add a new ACL, click Add, enter the name of the new ACL, from 4 to 30 letters and numbers, and click Save.
You can see the following details for IPv4 ACLs:
- Profile name: The name of the ACL.
- Configuration source: Shows the source of the specified ACL's settings.
To delete ACLs, select the ACLs you want to remove and click Delete.
Note
If you try to delete an ACL that contains ACEs, you'll get a warning. You must either edit the ACEs and move them to another ACL or click Fix conflicts, select the entries to remove, and click Delete dependants to delete the ACEs along with the ACL.
IPv4 ACE
Each IPv4 access control list (ACL) contains up to 16 individual rules called access control entries (ACEs). Each ACE is a set of parameters for specific network traffic and the switch's action when it identifies matching traffic.
To create a new IPv4 ACE, click Add.
To delete ACEs, select the ACEs you want to remove and click Delete.
To update an ACE's settings, click Edit.
You can configure the following settings:
- ACL name: The ACL the ACE belongs to.
- Sequence: The sequence number is the order in which the switch applies the ACE. Choose a value from 1 to 2147483647, with 1 being the first rule processed.
- Action: The action taken by the switch if a packet matches the criteria. Select Permit to forward traffic that matches the ACE criteria or Deny to drop it.
- Service type: Allows you to set the Differentiated Services Field Codepoints (DSCP) value. Enter a value from 0 to 63. See Differentiated Services Field Codepoints (DSCP).
- Source IP address: The source IP address for the traffic.
- Source netmask: The subnet mask of the Source IP address.
- Destination IP address: The destination IP address for the traffic.
- Destination netmask: The subnet mask for the Destination IP address.
- Destination port range: Select a destination port range for the traffic. See Port range.
- Source port range: Select a source port range for the traffic. See Port range.
- Protocol: Select one of the following options from the drop-down list:
  - Any: Matches all protocols.
  - Select from a List: Select one of the following protocols from the Protocol list:
    - IPv4:ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
    - IPinIP: IP in IP encapsulates IP packets to create tunnels between two routers. An IP in IP tunnel appears as a single interface rather than several separate interfaces.
    - TCP: Transmission Control Protocol (TCP) allows two hosts to communicate and exchange data streams. It guarantees packet delivery and ensures that packets are transmitted and received in the order sent.
    - EGP: Exterior Gateway Protocol (EGP) allows two neighboring gateway hosts to exchange routing information in an autonomous system network.
    - IGP: Interior Gateway Protocol (IGP) allows the exchange of routing information between gateways within an autonomous system network.
    - UDP: User Datagram Protocol (UDP) is a communication protocol that transmits packets but does not guarantee delivery.
    - HMP: The Host Mapping Protocol (HMP) collects network information from various hosts. It monitors hosts across the internet and within a single network.
    - RDP: Reliable Data Protocol (RDP) is similar to TCP, guaranteeing packet delivery but not requiring sequenced delivery.
    - IPv6:Rout: Routing header for IPv6.
    - IPv6:Frag: Fragment header for IPv6.
    - RSVP: Matches the packet to the reservation protocol (RSVP).
    - IPv6:ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
    - OSPF: The Open Shortest Path First (OSPF) protocol is a link-state hierarchical interior gateway protocol (IGP) for network routing.
    - PIM: Matches the packet to Protocol Independent Multicast (PIM).
    - L2TP: Layer 2 Tunneling Protocol (L2TP) supports the creation of VPNs by ISPs.
  - Select from ID: Enter a Protocol ID from 0 to 255. See Protocol Numbers.
- ICMP: Select one of the following from the drop-down list:
  - Any: Matches all ICMP traffic.
  - Select from List: Select one of the following options from the ICMP list:
    - Echo Reply: The response a device sends after receiving an ICMP echo request.
    - Destination Unreachable: The ICMP packet couldn't reach its destination.
    - Source Quench: ICMP message sent by a router to ease network congestion in busy environments.
    - Echo Request: A message sent from one device to another to check if they can communicate and measure the time it takes.
    - Router advertisement: A message a device sends to announce its availability as a router.
    - Router solicitation: A message sent by a host to request router information.
    - Time Exceeded: This message indicates the ICMP packet's time-to-live (TTL) expired in transit.
    - Timestamp: Timestamps can be added to ICMP messages to record when they're sent.
    - Timestamp Reply: When a device receives an ICMP packet with a timestamp, it can record the timestamp and add its timestamp reply field to the ICMP packet.
    - Traceroute: Shows all routers a packet passes through on its way to its destination.
  - Select from ID: Enter a value from 0 to 255 for ICMP ID.
- ICMP code: Enter a value from 0 to 255. See Internet Control Message Protocol (ICMP) Parameters.
- TCP Flags: You can filter TCP traffic by whether the Urg, Ack, Psh, Rst, Syn, and Fin flags are Set or Unset. Select Don't care to ignore TCP flags.
Configuration source shows the source of the IPv4 ACE's settings.
IPv6 ACL & ACE
The IPv6 ACL & ACE tab shows the IPv6-based ACLs configured on the switch.
IPv6 ACL
To add a new ACL, click Add, enter the name of the new ACL, from 4 to 30 letters and numbers, and click Save.
You can see the following details for IPv6 ACLs:
- Profile name: The name of the ACL.
- Configuration source: Shows the source of the specified ACL's settings.
To delete ACLs, select the ACLs you want to remove and click Delete.
Note
If you try to delete an ACL that contains ACEs, you'll get a warning. You must either edit the ACEs and move them to another ACL or click Fix conflicts, select the entries to remove, and click Delete dependants to delete the ACEs along with the ACL.
IPv6 ACE
Each IPv6 access control list (ACL) contains up to 16 individual rules called access control entries (ACEs). Each ACE is a set of parameters for specific network traffic and the switch's action when it identifies matching traffic.
To create a new IPv6 ACE, click Add.
To delete ACEs, select the ACEs you want to remove and click Delete.
To update an ACE's settings, click Edit.
You can configure the following settings:
- ACL name: The ACL the ACE belongs to.
- Sequence: The sequence number is the order in which the switch applies the ACE. Choose a value from 1 to 2147483647, with 1 being the first rule processed.
- Action: The action taken by the switch if a packet matches the criteria. Select Permit to forward traffic that matches the ACE criteria or Deny to drop it.
- Service type: Allows you to set the Differentiated Services Field Codepoints (DSCP) value. Enter a value from 0 to 63. See Differentiated Services Field Codepoints (DSCP).
- Source IP address: The source IP address for the traffic.
- Source IPv6 prefix length: The IPv6 prefix length for the Source IPv6.
- Destination IP address: The destination IP address for the traffic.
- Destination IPv6 prefix length: The IPv6 prefix length for the Destination IPv6.
- Destination port range: Select a destination port range for the traffic. See Port range.
- Source port range: Select a source port range for the traffic. See Port range.
- Protocol: Select one of the following options from the drop-down list:
  - Any: Matches all protocols.
  - Select from a List: Select one of the following protocols from the Protocol list:
    - TCP: Transmission Control Protocol (TCP) allows two hosts to communicate and exchange data streams. It guarantees packet delivery and ensures that packets are transmitted and received in the order sent.
    - UDP: User Datagram Protocol (UDP) is a communication protocol that transmits packets but does not guarantee delivery.
    - IPv6:ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
  - Select from ID: Enter a value from 0 to 255 for Protocol ID. See Protocol Numbers.
- ICMP: Select one of the following from the drop-down list:
  - Any: Matches all ICMP traffic.
  - Select from List: Select one of the following options from the ICMP list:
    - Destination Unreachable: The ICMP packet couldn't reach its destination.
    - Packet Too Big: This indicates that the ICMP packet exceeds the network's MTU and is too large to travel on that network.
    - Time Exceeded: This message indicates the ICMP packet's time-to-live (TTL) expired in transit.
    - Parameter Problem: The device can't interpret an invalid parameter.
    - Echo Request: A message sent from one device to another to check if they can communicate and measure the time it takes.
    - Echo Reply: The response a device sends after receiving an ICMP echo request.
    - Router Solicitation: A message sent by a host to request router information.
    - Router Advertisement: A message a device sends to announce its availability as a router.
    - Nd Ns: This is an IPv6 Neighbor Discovery Protocol (NDP) neighbor solicitation message.
    - Nd Na: This is an IPv6 NDP neighbor advertisement message.
  - Select from ID: Enter a value from 0 to 255 for ICMP ID.
- ICMP code: Enter a value from 0 to 255. See Internet Control Message Protocol (ICMP) Parameters.
- TCP Flags: You can filter TCP traffic by whether the Urg, Ack, Psh, Rst, Syn, and Fin flags are Set or Unset. Select Don't care to ignore TCP flags.
Configuration source shows the source of the IPv6 ACE's settings.
Port range & binding
The Port range tab lets you specify port ranges to use in your IPv4 and IPv6 access control entries (ACEs). This feature increases security by letting you use ACEs to block a large range of ports or allow only a small range for hosts with specific functions.
Port range
To create a new port range, click Add.
You can configure the following settings:
- Name: Enter a name for your port range.
  Tip
  We recommend a port range name that clearly identifies the ports it contains. You can only see this name when selecting a port range for your ACEs. You can't see the ports it contains.
- Minimum port: The starting port for your range.
- Maximum port: The end port for your range.
Configuration source shows the source of the port range's settings.
Port binding
Binding an access control list (ACL) to ports applies all the rules you define for that ACL to those ports. For ports that have an ACL bound to them, the switch drops all traffic that doesn't match the ACL.
You can see the following information for the ports on the switch:
- Port: The port to which the ACLs are bound.
- MAC ACL: The MAC ACL bound to the port.
- IPv4 ACL: The IPv4 ACL bound to the port.
- IPv6 ACL: The IPv6 ACL bound to the port.
Configuration source shows the source of the port binding settings.
To bind ACLs, select the MAC ACL and IPv4 ACL or IPv6 ACL you want to bind to the port from the drop-down lists. Select None to assign no ACLs to the port or Not set to use the port binding settings in the local switch UI.
Click Update to save your changes.
Note
You can't bind both an IPv4 and an IPv6 ACL simultaneously. You must select one or the other.
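The IPv4 ACE fields above (sequence, action, address plus subnet mask, protocol by name or ID, port ranges, TCP flags) together with the Port binding rule that a bound port drops whatever matches no ACE define a first-match packet filter. The evaluator below is an added example written for this page, not Sophos Switch code, that models exactly those fields so an ACL can be checked against sample packets before it is bound. The sample ACL, port ranges and packets are constructed; the protocol numbers are the IANA values for TCP, UDP and ICMP.

```python
"""First-match evaluator for IPv4 ACEs as described on this page, including
the implicit drop on a bound port. Added example, not Sophos Switch code."""
import ipaddress

# IANA protocol numbers, used when an ACE is defined with "Select from ID".
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}


def _addr_matches(addr, ace_addr, ace_mask):
    """ACE address fields are an address plus a subnet mask; empty means any host."""
    if not ace_addr:
        return True
    net = ipaddress.IPv4Network(f"{ace_addr}/{ace_mask or '255.255.255.255'}", strict=False)
    return ipaddress.IPv4Address(addr) in net


def _port_matches(port, port_range):
    """port_range is a (Minimum port, Maximum port) tuple, or None for no range."""
    if port_range is None:
        return True
    lo, hi = port_range
    return port is not None and lo <= port <= hi


def _proto_matches(pkt_proto, ace_proto):
    if ace_proto in (None, "Any"):
        return True
    if isinstance(ace_proto, int):                      # "Select from ID"
        return PROTO_NUMBERS.get(pkt_proto, pkt_proto) == ace_proto
    return pkt_proto == ace_proto                       # "Select from a List"


def _flags_match(pkt_flags, ace_flags):
    """ace_flags maps flag name to 'Set' or 'Unset'; an absent flag is Don't care."""
    for flag, want in (ace_flags or {}).items():
        present = flag.upper() in pkt_flags
        if (want == "Set" and not present) or (want == "Unset" and present):
            return False
    return True


def ace_matches(ace, pkt):
    return (
        _addr_matches(pkt["src_ip"], ace.get("src_ip"), ace.get("src_mask"))
        and _addr_matches(pkt["dst_ip"], ace.get("dst_ip"), ace.get("dst_mask"))
        and _proto_matches(pkt.get("proto"), ace.get("protocol"))
        and _port_matches(pkt.get("src_port"), ace.get("src_port_range"))
        and _port_matches(pkt.get("dst_port"), ace.get("dst_port_range"))
        and (pkt.get("proto") != "TCP"
             or _flags_match(pkt.get("tcp_flags", ()), ace.get("tcp_flags")))
    )


def evaluate(acl, pkt):
    """Return (action, sequence) of the first ACE matched in sequence order,
    or ('Deny', None) for the implicit drop on a port with this ACL bound."""
    for ace in sorted(acl, key=lambda a: a["sequence"]):
        if ace_matches(ace, pkt):
            return ace["action"], ace["sequence"]
    return "Deny", None


# Constructed port ranges, as the Port range tab would define them.
SSH = (22, 22)
WEB = (80, 443)
HIGH = (1024, 65535)

# Constructed sample ACL for a server subnet 10.2.0.0/16: SSH only from the
# jump host 10.1.1.5, ICMP from the management subnet, no new inbound
# connections to high ports (SYN without ACK), return traffic and web allowed.
SAMPLE_ACL = [
    {"sequence": 10, "action": "Permit", "protocol": "TCP",
     "src_ip": "10.1.1.5", "src_mask": "255.255.255.255",
     "dst_ip": "10.2.0.0", "dst_mask": "255.255.0.0", "dst_port_range": SSH},
    {"sequence": 20, "action": "Deny", "protocol": "TCP",
     "dst_ip": "10.2.0.0", "dst_mask": "255.255.0.0", "dst_port_range": SSH},
    {"sequence": 30, "action": "Permit", "protocol": "ICMP",
     "src_ip": "10.1.1.0", "src_mask": "255.255.255.0"},
    {"sequence": 40, "action": "Deny", "protocol": "TCP",
     "dst_ip": "10.2.0.0", "dst_mask": "255.255.0.0", "dst_port_range": HIGH,
     "tcp_flags": {"Syn": "Set", "Ack": "Unset"}},
    {"sequence": 50, "action": "Permit", "protocol": 6,     # TCP by ID
     "dst_ip": "10.2.0.0", "dst_mask": "255.255.0.0", "dst_port_range": HIGH},
    {"sequence": 60, "action": "Permit", "protocol": "TCP",
     "dst_ip": "10.2.0.0", "dst_mask": "255.255.0.0", "dst_port_range": WEB},
]

if __name__ == "__main__":
    pkt = {"src_ip": "10.1.1.6", "dst_ip": "10.2.3.4", "proto": "UDP",
           "src_port": 5000, "dst_port": 53}
    print(evaluate(SAMPLE_ACL, pkt))   # no ACE matches: implicit Deny
```

Two points the sample is built to show: the Deny at sequence 20 only does its job because the narrower Permit at 10 sorts ahead of it, and the DNS packet in the usage call is dropped by nobody's rule but by the binding itself, which is why a bound ACL needs an explicit Permit for every flow the port must carry.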