Hardening your Sophos Firewall
See the best practices for hardening your Sophos Firewall. You must also apply these best practices to your network infrastructure, including any third-party firewalls in your network.
Keep your firmware up to date
Every SFOS update includes important security enhancements.
-
Update the firmware:
- Go to Backup & firmware > Firmware and make sure you keep your firmware up to date. See Firmware.
- Maintenance releases: Deploy every update, including all maintenance releases (MRs), because each update may include important security fixes.
-
Keep track of updates:
- Check at least once a month for firmware updates in Sophos Central or the firewall's web admin console.
- You can track the latest updates and news in the Sophos Firewall community. See Sophos Firewall community.
- Check the release notes. See Sophos Firewall release notes.
-
Schedule updates: You can easily schedule updates in Sophos Central to be applied during a period of minimal disruption to your network.
- High availability (HA): You can deploy an HA cluster. It enables you to upgrade the firmware without disruption to your network. See About HA.
Limit access to firewall services
-
Go to Administration > Device access and make sure no services are selected for the WAN zone unless absolutely necessary.
-
Admin access:
- It's critically important that you turn off non-essential services on the WAN interface, which exposes them to the internet, particularly HTTPS (web admin console) and SSH (CLI) admin services. See Local service ACL: How device access works.
- Make sure admin interfaces are turned off or only accessible from specific trusted LAN IP addresses.
-
Don't turn on WAN access to the user portal. Instead, use VPN to access it remotely.
-
-
Use multi-factor authentication for all portals.
- To manage your firewall remotely, Sophos Central offers a much more secure solution, including single-sign on, than turning on WAN access to the web admin console. See Enable Sophos Central management of Sophos Firewall.
Use strong passwords, MFA, and role-based access
- Turn on Multi-factor authentication (MFA) for all administrators and users, so that they can access the portals and VPN more securely. See Multi-factor authentication (MFA).
- Enforce strong passwords for all administrators and users to protect your firewall from unauthorized access gained through stolen credentials and brute force attacks.
-
Make sure your sign-in security settings are configured to block repeated unsuccessful attempts.
-
Don't turn off the CAPTCHA. It's turned on by default.
- Use role-based administrator access to limit exposure. See Device access.
Minimize access to internal systems
Any device exposed to the WAN through a NAT rule is a potential risk. If possible, don't expose any internal device, including Internet of Things (IoT) devices, to the internet through NAT or inbound connections.
- Audit and review all your NAT rules and Firewall rules regularly to make sure you don't allow unrequired WAN to LAN or remote access. See NAT rules.
- Conduct regular tests and audits of the firewall rules to spot risky configuration drifts, paying particular attention to services exposed to the WAN side of the firewall.
- Use VPN for remote administration and access to internal systems.
- Don't expose internal systems to the internet, especially through Remote Desktop access.
- Shut down IoT devices that don't offer a cloud proxy service and require direct access through NAT. These devices are ideal targets for attackers.
Configure appropriate protection
-
Do as follows to protect your network from exploits:
- Apply Intrusion prevention policies to firewall rules for incoming untrusted traffic.
- Go to Intrusion prevention > DoS & spoof protection and set up protection settings and policies to protect your network from DoS and DDoS attacks.
- Turn on spoof prevention and apply flags for all the DoS attack types.
See Intrusion prevention.
-
Firewall rules
- Make sure you don't have any firewall rules that allow ANY-to-ANY connections.
- Set up firewall rules to block traffic from unwanted countries and regions and regions you don't do business with. See Create a country-based firewall rule.
-
Go to Advanced protection, turn on Advanced threat proection, and set it to Log and drop. See Advanced protection.
Turn on alerts and notifications
- Go to System services > Notification list and select the alerts and notifications of system-generated events to alert administrators. You can select email notifications and SNMP traps.
- Review the list of events, monitor the system and security events, and promptly act upon issues.
- Make sure your firewalls send logs to Sophos Central and a Security Information and Event Management (SIEM) solution of your choice. See Logs.