Restrict Webadmin and SSH access (limit access to specific IP addresses)
Critical
Explanation
Limit the exposure of firewall administration services to the WAN or any other untrusted zone. Where remote administration is required, reach the firewall over a remote-access VPN, allow access only from a small set of known source IP addresses, or manage the firewall through Sophos Central instead of exposing the Webadmin interface directly.
As an additional control, enable role-based access control (RBAC) so that each administrator is limited to the profile they need, and require two-factor authentication for administrative accounts (for example with the firewall's built-in one-time password service, or with an external RADIUS server).
Disabling HTTPS, SSH and the network services (Ping/Ping6, DNS, SMTP Relay, SNMP) on the WAN zone removes the ports that network scanners and potential adversaries rely on for reconnaissance, so the firewall no longer answers probes from the untrusted side.
Rationale
When the device's service ports are reachable from the internet, those services can be subjected to denial-of-service and brute-force attempts, and any underlying vulnerability in them can be discovered and exploited by an attacker.
Impact
If these services are left enabled on the WAN zone, the firewall is open to brute-force attempts against the Webadmin interface, Denial-of-Service (DoS) attacks from a wide range of source IP addresses, and a larger attack surface for potential adversaries.
Resolution
Limit exposure of firewall administration services from WAN/untrusted zone
- Go to Administration > Device access > Local service ACL.
- Clear the HTTPS, SSH, Ping/Ping6, DNS, SMTP Relay, and SNMP check boxes for the WAN zone.
- Click Apply.
Limit access to admin services only from selected IP addresses
If the firewall is administered from a remote location, add the exception rule for your management addresses and confirm that you can sign in from one of them before removing WAN access, so that you do not lock yourself out.
See Add local service ACL exception rule.
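After applying the ACL change, verify it from the untrusted side rather than trusting the configuration page. The script below is an added example (not Sophos code) that probes a firewall's WAN address for the TCP services covered by the Local service ACL and reports which still answer. The port numbers are assumptions based on Sophos Firewall defaults: Webadmin on TCP 4444 (configurable under Administration > Admin and user settings), SSH on 22, DNS on 53 and SMTP relay on 25. SNMP (UDP 161) and Ping are left out because a UDP or ICMP probe needs raw sockets or a valid community string to give a meaningful answer; check those with snmpwalk and ping from the same vantage point. Run it from a host outside the firewall, not from the LAN, where the ACL legitimately permits access.

```python
"""Probe a Sophos Firewall WAN address for admin/network services that should be off.

Added example, not part of the Sophos documentation. Run from a host on the
untrusted side of the firewall.
"""
import socket
import sys

# Assumed Sophos Firewall defaults. Webadmin listens on TCP 4444 unless the
# admin port was changed under Administration > Admin and user settings.
WAN_SERVICE_PORTS = {
    "HTTPS (webadmin)": 4444,
    "SSH": 22,
    "DNS": 53,
    "SMTP Relay": 25,
}


def tcp_port_state(host, port, timeout=2.0):
    """Classify a TCP port as seen from this host.

    'open'        -> the three-way handshake completed, the service answers
    'closed'      -> RST received (connection refused), nothing listening
    'filtered'    -> no reply before the timeout, i.e. dropped by the ACL
    'unreachable' -> no route / other network error, the probe is inconclusive
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"


def audit_wan_exposure(host, ports=WAN_SERVICE_PORTS, timeout=2.0):
    """Probe every service in `ports` and return {service name: state}."""
    return {name: tcp_port_state(host, port, timeout) for name, port in ports.items()}


def exposed_services(results):
    """Names of services that completed a handshake, i.e. are still exposed on the WAN."""
    return sorted(name for name, state in results.items() if state == "open")


if __name__ == "__main__":
    # 203.0.113.1 is a placeholder (TEST-NET-3); pass the real WAN address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    results = audit_wan_exposure(target)
    for name, state in results.items():
        print(f"{name:20} {state}")
    exposed = exposed_services(results)
    if exposed:
        print("FAIL: still reachable from WAN:", ", ".join(exposed))
    else:
        print("PASS: no audited service answered from the WAN")
```

A 'filtered' result is the expected outcome once the WAN check boxes are cleared, because the firewall silently drops the probe instead of sending a reset; 'closed' means the packet reached a host with nothing listening, which is still fine. Only 'open' indicates that the ACL change did not take effect or that an exception rule is broader than intended.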
Related information