Planning firewall policies

Plan your firewall policies and what you want them to do before creating or editing firewall rules (global, application, or other).

When planning your firewall policies, you should take into account:

  • Which computers should have Sophos Client Firewall.
  • Whether a computer is a desktop or a laptop. You may want to set up dual location for laptops, so that a different (normally more restrictive) set of rules applies when the laptop is away from the office network.
  • Which location detection method you want to use, that is, DNS lookup or gateway MAC address detection. Neither method authenticates the network; both only decide which set of rules applies.
  • Network-wide systems and protocols.
  • Remote connections.
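The two location detection methods listed above, modelled as plain checks so that you can see exactly what each one compares. This is an added example, not Sophos code or Sophos configuration: the probe hostname, the expected address, the trusted gateway MACs and the neighbour-table text are all constructed for the example, and a real implementation would obtain the DNS answer and the ARP/neighbour table from the operating system instead.

```python
"""Location detection by DNS lookup and by gateway MAC address (added example).

Both functions return "primary" (office network) or "secondary" (anywhere else).
All inputs below are constructed so the script runs offline."""
import re

# Assumed probe name that only the office DNS knows, and the address it returns.
PROBE_NAME = "fwprobe.corp.example"
EXPECTED_IPS = {"10.10.0.25"}

# Assumed link-layer addresses of the office default gateways.
TRUSTED_GATEWAY_MACS = {"00:11:22:33:44:55"}


def location_from_dns(resolved_ips, expected_ips=EXPECTED_IPS):
    """DNS lookup method: 'primary' only if the probe name resolved to an
    expected address. An empty answer (NXDOMAIN, offline) or an unexpected
    answer both mean 'secondary'. Whoever controls the DNS you are using can
    hand back the expected address, so this selects a policy; it is not an
    authentication of the network."""
    if resolved_ips and set(resolved_ips) & set(expected_ips):
        return "primary"
    return "secondary"


def normalise_mac(mac):
    """Lower-case, colon-separated form so that Windows style '00-11-22-33-44-55'
    compares equal to '00:11:22:33:44:55'."""
    hexpart = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexpart) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexpart[i:i + 2] for i in range(0, 12, 2)).lower()


def gateway_mac(neigh_table, gateway_ip):
    """Pick the link-layer address of the default gateway out of `ip neigh`
    style output. Returns None if the gateway is not in the cache yet."""
    for line in neigh_table.splitlines():
        fields = line.split()
        if fields and fields[0] == gateway_ip and "lladdr" in fields:
            return normalise_mac(fields[fields.index("lladdr") + 1])
    return None


def location_from_gateway_mac(neigh_table, gateway_ip, trusted=TRUSTED_GATEWAY_MACS):
    """Gateway MAC method: 'primary' only if the default gateway's MAC is one of
    the trusted office routers. An unknown gateway fails closed to 'secondary'.
    MAC addresses are trivially spoofed, so the same caveat as for DNS applies."""
    mac = gateway_mac(neigh_table, gateway_ip)
    trusted_norm = {normalise_mac(m) for m in trusted}
    return "primary" if mac in trusted_norm else "secondary"


# Constructed neighbour tables: one captured on the office LAN, one at home.
OFFICE_NEIGH = """\
10.10.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.10.0.40 dev eth0 lladdr 52:54:00:ab:cd:ef STALE
"""
HOME_NEIGH = "192.168.1.1 dev wlan0 lladdr 60-38-E0-12-34-56 REACHABLE\n"

if __name__ == "__main__":
    print("DNS, office answer:", location_from_dns(["10.10.0.25"]))
    print("DNS, no answer:   ", location_from_dns([]))
    print("MAC, office:      ", location_from_gateway_mac(OFFICE_NEIGH, "10.10.0.1"))
    print("MAC, home:        ", location_from_gateway_mac(HOME_NEIGH, "192.168.1.1"))
```

The point to take from the code is the fail-closed default: when the probe does not resolve, or the gateway is missing from the neighbour cache, the laptop ends up on the secondary (more restrictive) rule set rather than the office one.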

Based on the applications and network access rights that different groups of users require, decide how many firewall policies you need to create. The policies will cover different applications and vary in restrictiveness. Remember that each policy is applied to a computer group, so multiple policies require multiple groups in Sophos Enterprise Console.

  • Do not use a single Sophos Client Firewall policy for the whole network. Rules that only one or two computers need (for example, remote access to the administrator's workstation) would then have to be added to that one policy, and so would be in force on every computer. This is a security risk.
  • Conversely, a large number of configurations means extra time spent on monitoring and maintenance.

Network-wide systems and protocols

Take into account the services that your network relies upon. For example:

  • DHCP
  • DNS
  • RIP
  • NTP
  • GRE

The default firewall configuration already contains rules governing most of these services. Still, check which of them your computers actually use: allow those, and do not allow the ones you don't need (for example, a workstation that does not route traffic has no need to receive RIP).

Remote access to computers

If you use remote access software to monitor and fix computers, you must build the rules that permit that access into your configuration, otherwise the firewall will block it.

Identify the technologies that you use to access the computers on your network. For example:

  • RDP
  • VPN client/server
  • SSH/SCP
  • Terminal services
  • Citrix

Check what sort of access is needed (direction, protocol and ports, and which computers need it), and create your rules accordingly.
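The following is an added example, not Sophos Client Firewall's rule format or a Sophos configuration: a small first-match, default-deny rule evaluator used to check a draft policy offline against the network-wide services listed earlier and the remote access technologies above. The policy names, the group split (ordinary workstations, administrators' workstations, VPN users) and the probe flows are assumptions made for the example; the port numbers are the standard assignments for DHCP, DNS, NTP, RIP, SSH and RDP, and GRE is matched as an IP protocol because it has no ports.

```python
"""Draft firewall policies checked with a first-match / default-deny evaluator
(added example; illustrative rule model, not the product's syntax)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    direction: str              # "in" (unsolicited inbound) or "out"
    proto: str                  # "tcp", "udp", or a port-less protocol such as "gre"
    dport: Optional[int] = None  # destination port; None for port-less protocols


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches ANY port: use deliberately

    def matches(self, flow):
        return ((self.direction is None or self.direction == flow.direction)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules, flow):
    """The first matching rule decides; a flow matching nothing is blocked."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "block", "default-deny"


# Network-wide services every computer needs (standard port assignments).
NETWORK_SERVICES = [
    Rule("dhcp-request", "allow", "out", "udp", 67),   # client -> server
    Rule("dhcp-reply",   "allow", "in",  "udp", 68),   # server -> client
    Rule("dns",          "allow", "out", "udp", 53),
    Rule("dns-tcp",      "allow", "out", "tcp", 53),   # large answers
    Rule("ntp",          "allow", "out", "udp", 123),
    # RIP (udp/520) and GRE (IP protocol 47) are deliberately absent: a
    # workstation does not exchange routes, and GRE goes only into the policy
    # of the group whose VPN actually needs it.
]

# Remote access that only the administrators' workstations should accept.
ADMIN_REMOTE_ACCESS = [
    Rule("rdp-in", "allow", "in", "tcp", 3389),   # RDP / Terminal Services
    Rule("ssh-in", "allow", "in", "tcp", 22),     # SSH / SCP
]

# Port-less protocol: match on protocol only, in either direction.
VPN_GROUP = [Rule("gre", "allow", None, "gre", None)]

# Assumed groups: one policy per group, as Enterprise Console requires.
POLICIES = {
    "workstations": NETWORK_SERVICES,
    "admin-workstations": NETWORK_SERVICES + ADMIN_REMOTE_ACCESS,
    "vpn-users": NETWORK_SERVICES + VPN_GROUP,
}


def admitted(policy_name, flow):
    return evaluate(POLICIES[policy_name], flow)[0] == "allow"


def audit(policy_name, probes):
    """Names of the probe flows a policy lets through, for review before rollout."""
    return sorted(name for name, flow in probes.items() if admitted(policy_name, flow))


# Constructed probe flows covering wanted, unwanted and admin-only traffic.
PROBES = {
    "dns": Flow("out", "udp", 53),
    "rip": Flow("out", "udp", 520),
    "gre": Flow("out", "gre"),
    "rdp-in": Flow("in", "tcp", 3389),
}

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:20s} admits: {audit(policy, PROBES)}")
```

Running the audit over each draft policy makes the earlier point concrete: inbound RDP is admitted only by the administrators' policy, RIP is admitted by none of them, and GRE appears only where the VPN group needs it. If the same check against a single network-wide policy shows RDP admitted, that is the "one or two computers" rule leaking onto every computer.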