Security management and best practices
Sophos Firewall makes it incredibly easy to configure and manage everything needed for modern protection and do it all from a single screen.
You can easily view and set security and control policies for the DPI engine, AV scanning, sandboxing and threat intelligence file analysis, IPS, traffic shaping, web and application control, and Security Heartbeat, all in one place. All of this can be done on a rule-by-rule, user-by-user, or group-by-group basis.
Web protection and control is a staple of any firewall. We’ve implemented a top-down inheritance policy model, which makes building sophisticated policies easy and intuitive.
Pre-defined policy templates, available right out of the box, are included for the most common deployments, such as typical workplace environments, CIPA compliance for education, and much more. This means you can be up and compliant immediately, with easy fine-tuning and customization options at your fingertips. You can create new policies and edit existing ones directly from the firewall rule.
When it comes to firewall rules, there are countless ways they could be configured, and most of the choices will depend on your own network layout. However, there are still certain best practices that can be followed when deciding how you will configure Sophos Firewall to protect your network.
Segregate your networks and apply IPS policies
You should separate your networks so that, at a minimum, any internet-facing services, such as web servers or remote access servers, are on a different network segment and zone from your main LAN network. Internet-facing services such as these should be placed in a DMZ zone, with firewall rules configured to block connections from the DMZ to the LAN.
You should also segment your other LAN zones as required: use smaller subnets, assign them to separate LAN zones, and configure firewall rules to manage the traffic flowing between these networks.
In the diagram below, the network has not been segmented, which allows an infection to spread easily between endpoints.
By separating the network into segments, for example the DMZ and LAN networks, Sophos Firewall prevents an infection in one area from spreading to other areas.
Doing this, and applying an IPS policy to the rules that govern traffic between these networks, reduces the risk of malware or attackers being able to move laterally through your networks if they do manage a successful initial compromise. It also provides more time for the threat to be detected and mitigated.
Lock down remote access
Where possible, only allow access to internal resources over a VPN connection and do not use port forwarding. If you must use port forwarding, make sure you apply an IPS policy to the rule that handles that traffic.
Configure SSL/TLS inspection rules
You should have an SSL/TLS inspection rule configured to scan most network traffic, with exceptions configured only for those services that SSL/TLS inspection would break.
For further details about SSL/TLS inspection rules and how to configure them, see SSL/TLS inspection rules.
Only allow authenticated users to connect to the internet from your LAN
When configuring firewall rules to handle user traffic, make sure that you select the option "Match known users". This ensures that only authenticated users can reach external resources from within your LAN network.
Only use NAT for those services that are explicitly needed
Network Address Translation (NAT) allows you to pass traffic easily between different networks. However, you should only configure NAT rules for the specific services that require them, never with the service set to Any. Doing this cuts down the attack surface that malware or attackers can target if one part of your network is breached.
For further information about NAT rules and how to configure them, see NAT rules.
Isolate infected systems automatically
Use Security Heartbeat to monitor systems and automatically isolate those that show signs of infection or compromise. You can configure this to stop compromised systems from connecting to others on your network, and to stop clean systems from connecting to those that may have been compromised.
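The rule-level recommendations above (block DMZ to LAN, attach an IPS policy to every rule carrying traffic between zones, keep port forwards to a minimum, require known users for LAN to WAN traffic, and never forward the Any service) can be checked mechanically against a rule set. The script below is an added example, not Sophos code and not the Sophos Firewall API: it uses a constructed, simplified rule model with assumed field names (src_zone, dst_zone, action, service, ips_policy, match_known_users, dnat) and a constructed set of sample rules, and reports which rules violate which practice.

```python
"""Best-practice linter for a simplified firewall rule model (added example).

Assumptions: the Rule fields below are a constructed model, not the fields of
a real Sophos Firewall rule export; zone names "LAN", "DMZ" and "WAN" are used
as in the text; Security Heartbeat settings are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """Simplified model of one firewall rule (assumed field names)."""
    name: str
    src_zone: str                      # e.g. "LAN", "DMZ", "WAN", "VPN"
    dst_zone: str
    action: str                        # "accept" or "drop"
    service: str = "ANY"               # "ANY" = every port and protocol
    ips_policy: Optional[str] = None   # name of the attached IPS policy, if any
    match_known_users: bool = False    # rule applies only to authenticated users
    dnat: bool = False                 # True when the rule is a port forward (DNAT)


def lint_rule(r: Rule) -> List[str]:
    """Check one rule against the best practices and return the findings."""
    findings: List[str] = []
    if r.action != "accept":
        return findings  # drop/reject rules do not expand exposure

    # Segregation: nothing in the DMZ should be allowed to initiate into the LAN.
    if r.src_zone == "DMZ" and r.dst_zone == "LAN":
        findings.append("DMZ to LAN connections should be blocked")

    # IPS: every rule carrying traffic between zones (port forwards included)
    # should have an IPS policy attached.
    if r.src_zone != r.dst_zone and r.ips_policy is None:
        kind = "port-forwarding (DNAT)" if r.dnat else "inter-zone"
        findings.append(f"{kind} rule has no IPS policy")

    # Remote access: internal (LAN) resources should be reached over VPN,
    # not published to the internet by a port forward.
    if r.dnat and r.src_zone == "WAN" and r.dst_zone == "LAN":
        findings.append("internal resource exposed by port forwarding; prefer VPN access")

    # Authentication: LAN users reaching the internet should be known users.
    if r.src_zone == "LAN" and r.dst_zone == "WAN" and not r.match_known_users:
        findings.append("LAN to WAN rule does not require authenticated users")

    # NAT scope: a NAT rule must name the specific service, never Any.
    if r.dnat and r.service.upper() == "ANY":
        findings.append("NAT rule forwards ANY service; restrict it to the required service")

    return findings


def findings_by_rule(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, including only rules that have at least one."""
    result: Dict[str, List[str]] = {}
    for r in rules:
        f = lint_rule(r)
        if f:
            result[r.name] = f
    return result


# Constructed sample rule set (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("web-dmz-in", "WAN", "DMZ", "accept", service="HTTPS",
         ips_policy="dmz_servers", dnat=True),                 # compliant
    Rule("dmz-to-lan", "DMZ", "LAN", "accept"),                # should be blocked, no IPS
    Rule("lan-out", "LAN", "WAN", "accept",
         ips_policy="lan_to_wan"),                             # no "Match known users"
    Rule("rdp-forward", "WAN", "LAN", "accept", dnat=True),    # port forward, ANY, no IPS
    Rule("lan-internal", "LAN", "LAN", "accept"),              # same zone, fine
    Rule("dmz-deny", "DMZ", "LAN", "drop"),                    # deny rules are skipped
]

if __name__ == "__main__":
    for name, msgs in findings_by_rule(SAMPLE_RULES).items():
        for msg in msgs:
            print(f"{name}: {msg}")
```

Run it as a script to print one line per finding; the compliant rules (web-dmz-in, lan-internal, dmz-deny) produce no output. Rules are checked one at a time, so the same function can be applied to an exported rule set once the export is mapped onto the Rule fields.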