At Sophos, your safety is our high precedence. We’ve got invested in making Sophos Firewall essentially the most safe firewall available on the market – and we constantly work to make it essentially the most troublesome goal for hackers.
To reinforce your safety posture, we strongly encourage you to usually assessment and implement these greatest practices throughout all of your community infrastructure, whether or not from Sophos or every other vendor.
Learn on for full directions or obtain the Sophos Firewall hardening greatest practices.
Maintain firmware updated
Each Sophos Firewall OS replace consists of essential safety enhancements – together with our newest launch, Sophos Firewall v21.
Make sure you hold your firmware updated beneath Backup & Firmware > Firmware. Examine a minimum of as soon as a month for firmware updates in Sophos Central or the on-box console. Deploy each replace, together with all upkeep releases (MRs) as each replace might embrace essential safety fixes.
You’ll be able to simply schedule updates in Sophos Central to be utilized throughout a interval of minimal disruption.
In the event you don’t have one already, contemplate a high-availability (HA) deployment, which has the good thing about with the ability to improve machine firmware with out disruption.
Maintain updated on the most recent firmware updates and information on the Sophos Firewall Group
On-line guides:
Restrict machine service entry
It’s critically essential that you simply disable non-essential providers on the WAN interface which exposes them to the Web. Specifically, HTTPS and SSH admin providers.
To handle your firewall remotely, Sophos Central provides a way more safe answer than enabling WAN admin entry. Alternatively, use ZTNA for distant administration of your community units.
Examine your native providers entry management beneath Administration > Machine Entry and guarantee no objects are checked for the WAN Zone until completely needed.
Additionally remember to lock down admin entry out of your inner LAN as nicely by guaranteeing admin interfaces are both disabled or solely accessible from particular trusted LAN IPs.
For distant customers, contemplate ZTNA , which is rather more safe than VPN. Nevertheless, if utilizing VPN, make the most of the brand new hardened containerized VPN Portal and solely allow it when configurations change and customers have to replace – in any other case hold it disabled. Disable Consumer Portal entry on the WAN and supply entry through VPN solely. Use multi-factor authentication on all portals (see beneath).
On-line guides:
Use sturdy passwords, multi-factor authentication, and role-based entry
Allow multi-factor authentication or one-time password (OTP) and implement sturdy passwords throughout all admin and person accounts, which can shield your firewall from unauthorized entry – both from stolen credentials or brute power hacking makes an attempt.
Guarantee your sign-in safety settings are set to dam repeated unsuccessful makes an attempt and implement sturdy passwords and CAPTCHA. Additionally use role-based entry controls to restrict publicity.
On-line guides:
Reduce entry to inner techniques
Any machine uncovered to the WAN through a NAT rule is a possible threat. Ideally, no machine ought to be uncovered to the web through NAT or inbound connections, together with IoT units.
Audit and assessment all of your NAT and firewall guidelines usually to make sure there aren’t any WAN to LAN or distant entry enabled. Conduct common assessments and audits of firewall guidelines to identify dangerous configuration drift, paying explicit consideration to providers uncovered to the WAN facet of the machine.
Use ZTNA (and even VPN) for distant administration and entry to inner techniques – DO NOT expose these techniques, particularly Distant Desktop entry to the Web.
For IoT units, shut down any units that don’t provide a cloud proxy service and require direct entry through NAT – these units are ultimate targets for attackers.
On-line guides:
Allow applicable safety
Defend your community from exploits by making use of IPS inspection to incoming untrusted visitors through related firewall guidelines. Make sure you don’t have any broad firewall guidelines that enable ANY to ANY connections.
Additionally, shield your community from each DoS and DDoS assaults by setting and enabling safety beneath Intrusion Prevention > DoS & spoof safety. Allow spoof prevention and apply flags for all DoS assault sorts.
Block visitors from areas you don’t do enterprise with by establishing a firewall rule to dam visitors originating from undesirable nations or areas.
Guarantee Sophos X-Ops risk feeds are enabled to log and drop beneath Lively Menace Safety.
Use Community Detection and Response (NDR) to observe visitors to/from the firewall in addition to visitors flowing by the firewall for attainable assaults.
On-line guides:
Allow alerts and notifications
Sophos Firewall might be configured to alert directors of system-generated occasions. Directors ought to assessment the listing of occasions and test that system and safety occasions are monitored to make sure that points and occasions might be acted upon promptly.
Notifications are despatched through both an e mail and/or to SNMPv3 traps. To configure Notifications, navigate to Configure > System providers and choose the Notifications listing tab.
Additionally, guarantee your firewalls are sending logs to Sophos Central and/or your SIEM of selection.
On-line guides:
Extra information
Be sure you take a look at how Sophos Firewall is Safe By Design and seek the advice of the in depth on-line documentation and how-to movies to profit from your Sophos Firewall.
