
Fw2010 19.0V1 Advanced Firewall Rule Management On Sophos Firewall.pdf


DOCUMENT INFORMATION

Contents


Advanced Firewall Rule Management on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information] Sophos Firewall FW2010: Advanced Firewall Rule Management on Sophos Firewall. April 2022, Version: 19.0v1. © 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Firewall Rule Management on Sophos Firewall
In this chapter you will learn how packets flow through the firewall, how they are offloaded to the FastPath, and how to order firewall rules for performance and protection.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Creating and managing firewall rules
DURATION: 28 minutes

Firewall Framework (additional information in the notes)
(Diagram: incoming packets pass through PREROUTING (RAW packet processing, Conntrack, Mangle, DNAT), ROUTING, FORWARD (Mangle, Filter) and POSTROUTING (Conntrack, NAT) to become outgoing packets. Legend: Tables, Packet Filter, NAT.)
When configuring firewalls, it is useful to consider how packets flow through the device and are processed. Over the coming slides, we will look at the general firewall framework, and then more specifically at the architecture and FastPath.
In this first example we will consider the packet flow for traffic being forwarded through the device, either inbound or outbound.
Firewall subsystems offer a way to intercept and manipulate the packets at the different positions in a network stack in order to implement the firewall functionality. These subsystems are:
• Prerouting
• Forwarding
• Postrouting
[Additional Information]
PREROUTING
• Protocol anomaly checks are performed on incoming packets. If necessary, fragmented packets are reassembled prior to these checks.
• After anomaly checks, packets are processed through DoS & Spoof prevention modules. If the traffic is for the local loopback interface or HA dedicated interface the packets will bypass the DoS & Spoof check.
• In the next stage packets are submitted to the connection tracking module (Conntrack). If the packet doesn't match an existing connection a new entry is created. If the packet matches an existing connection the packet is associated with it. If the connection is Related (e.g., FTP connection) then a child connection entry is added, which is then associated with its parent connection entry.
• The packet is associated with a user ID based on the source IP address.
• The packet state is inspected, and packets with an invalid state are dropped.
• For the first packet in a connection the link ID is set as per configured routes for multilink management, then the packet is associated with its destination zone.
• DNAT rules are applied.
FORWARD
• Packets undergo application classification, and are associated with an application where possible.
• The packets pass through the packet filter based on the firewall rules.
• If the packet is accepted it will be submitted to the IPS if it is applied to the matching firewall rule, or it will go straight to POSTROUTING.
POSTROUTING
• If the packet is the first in the connection, the masquerading and SNAT policies are checked and applied to the packet. For existing connections, the already matched NATing policy is used.
• The connection tracking module entries are updated.
• If HA load balancing is enabled, the packet is sent to the load balancer.
• Finally, Quality of Service is applied.

Firewall Framework (additional information in the notes)
(Diagram: traffic terminating on or generated by the device. Incoming packets pass through PREROUTING (RAW packet processing, Conntrack, Mangle, DNAT) and ROUTING, then INPUT (Mangle, Filter, Conntrack) to the Local Processes (SSLVPN, IPsec, AV, Access Server, WAF/Apache, HTTP Proxy, Mail Proxy); locally generated packets pass through OUTPUT (Conntrack, NAT, Mangle, Filter), ROUTING and POSTROUTING (Conntrack, NAT). Legend: Tables, Packet Filter, NAT.)
This scenario shows how the Sophos Firewall interacts with traffic that terminates on the device and new traffic generated by the device, either inbound or outbound. For example, traffic for Web Server Protection terminates on the Sophos Firewall on a virtual server, and a new onward connection is made to the backend server that is being protected.
The subsystems in this example are:
• Prerouting
• INPUT [system-destined]
• OUTPUT [system-generated]
• Postrouting
[Additional Information]
PREROUTING
• The prerouting module performs all the same functions as if the packet was being forwarded through the firewall as in the previous example.
INPUT
• The INPUT module applies to all packets that are destined for the device.
• The packets pass through the packet filter based on the firewall rules defined.
• If the packet is accepted by the firewall it is directed to IPS & Application filter.
• The connection tracking module entries are updated.
• If the HA load balancer is configured it will process the packet, otherwise, it will be submitted to Local Processes.
OUTPUT
• The OUTPUT module applies to the traffic that is generated by the device.
• Packets are submitted to the connection tracking module (Conntrack). If the packet doesn't match an existing connection a new entry is created. If the packet matches an existing connection the packet is associated with it. If the connection is Related (e.g., FTP connection) then a child connection entry is added, which is then associated with its parent connection entry.
• DNAT rules are applied to the packet.
• The packets pass through the packet filter based on the firewall rules defined.
• The packet is submitted to the IPS if it is applied to the matching firewall rule, or it will go straight to POSTROUTING.
POSTROUTING
• The postrouting module performs all the same functions as if the packet was being forwarded through the firewall as in the previous example.

Xstream Architecture
(Slide shows three pillars: SSL Inspection, DPI Engine, Network Flow FastPath.)
• High-performance, high-connection capacity across all ports, protocols and applications
• Comprehensive threat protection in a single high-performance streaming DPI engine
• Intelligent offloading of traffic processing to transfer trusted traffic at wire speeds
• Enterprise-grade controls to optimize security, privacy and performance
• Proxy-less scanning of traffic for AV, IPS, web threats, application control and SSL inspection
• Support for TLS 1.3 and all modern cipher suites
• Decrypting traffic provides more effective protection from pattern changing applications
• Offloading can be controlled through policy or intelligently by the DPI engine based on traffic characteristics to accelerate important cloud application traffic
The Sophos Firewall Xstream architecture is a streaming packet processing architecture that provides extreme levels of protection and performance. The architecture includes:
Xstream SSL Inspection: high-performance, high connection-capacity support for TLS 1.3 and all modern cipher suites providing extreme SSL inspection performance across all ports, protocols, and applications. It also comes equipped with enterprise-grade controls to optimize security, privacy, and performance.
Xstream DPI Engine: deep packet threat protection in a single high-performance streaming engine with proxy-less scanning of all traffic for antivirus, IPS, and web threats as well as providing application control and SSL inspection.
Xstream Network Flow FastPath: provides automatic and policy-based intelligent offloading of trusted traffic processing at wire speed.

Initial Connection
(Diagram: Firewall Stack: connection management; allow, block, secure decisions; DoS and QoS. DPI Engine: streaming DPI processing; intelligent offloading; proxy-less web filtering; SSL policy and inspection. FastPath: virtual or hardware accelerated FastPath; forwarding packets, offloading L2 & L3; direct delivery to DPI engine.)
Let's look at how traffic flows through the Xstream architecture. When a connection is initialized, it is processed by the firewall stack that will make decisions on whether it should be allowed, provide protection against denial-of-service attacks, and apply quality of service rules to it.

Full FastPath Offload
(Same diagram as above.)
Once the connection is allowed it can be offloaded to the FastPath, speeding up the flow to wire speeds. How does it know to do this?
If we look at the packets that pass through the firewall as part of a connection, we will notice that the data looked at by packet filtering always remains the same for a connection: things like the source and destination IPs as well as the ports in use. When this is matched to a firewall rule, we know that any additional packets in that connection will have the same information and will match the same rule every time. Because of this, we can mark this information for the connection and skip this processing.

Initial Packet Delivery to DPI Engine
(Same diagram as above.)
Where traffic needs to be scanned using the DPI engine, the initial packets will flow through the firewall stack and then on to the DPI engine before returning to the firewall stack for delivery.

Firewall Rules (additional information in the notes)
By creating more specific firewall rules that are tied to specific zones and even subnets and users, firewall rules can be a first line of defense. Additionally, the processing of firewall rules uses minimal resources, so being able to remove any packets at this stage will help boost the Sophos Firewall performance by not passing packets to other more resource intensive modules for scanning.
When building firewall rules, create rules that are specific to zones and networks and only allow the protocols necessary for the users or applications to do their work. Some zones may need more open rules, while others can be locked down more strictly. While doing the initial configuration, you can leave the catch-all allow rule at the bottom and use the firewall log to see what is still hitting that rule. This way, you can build up the rules slowly and be confident that you will not prevent users from being able to work.
When configuring firewall rules the broad approach is:
• The more specific the rule, the closer to the top the rule should be
• Rules that are processed more often should be above other rules so that the system gets to them sooner
• Unless it is a catch-all, deny rules should be at the top for security

Scenario - Introduction
(Diagram: Guest Wi-Fi, LAN, WAN)
Let's look at some examples. In our first example, we will consider a small business. They have a single subnet and started with the default firewall rules put in place by the initial setup wizard. They need to add to and update the rules in order to increase the security and functionality of the firewall.
To support their requirements, the following rules will need to be created:
• A rule to apply web protection for the employees
• A rule to allow guests to browse the Internet via the guest wireless network (Sophos wireless separate zone)
• A rule for servers and other hardware that cannot authenticate as a standard user
The default rule will remain as a catch-all for any traffic that is not covered by the above rules.

Scenario - Rules
The setup wizard will create a default rule which allows all traffic out. The issue with this is that we cannot treat various types of traffic differently for the purpose of scanning and access control. Additionally, any guest users would be allowed out unchecked. To increase our security and control, we will create some additional rules. We will look at these in the order they should be listed in the firewall (they can be created in any order).
First, we will create a rule that will allow employees to access the Internet. We want this one higher in the list as it will most likely be used a lot by the users. By having it higher up, it will save the firewall from having to evaluate other rules before reaching it. We want to make sure to enable user identity to ensure that non-employees and devices do not use the rule. This will give us a rule that we can add a custom IPS and web policy to as well as other policies in the future.

Scenario - Rules
Next, we will create a rule to target the servers and other devices that cannot authenticate against the firewall. As our example is a small business, they do not have a lot of these types of devices, so we can create the rule using IP lists or Hosts to target these devices. This rule will be placed below the web rule as it will most likely not be as popular as the user web rule. Again, we will be able to apply custom security policies to this rule to protect the servers and devices.

Scenario - Rules
Now we will create a rule to allow guests that connect to our guest wireless access to the Internet. Because we are using a separate zone deployment from the firewall, the connections are placed into their own subnet in the firewall. We want to ensure that these guests cannot access the internal network and only the Internet. Additionally, by separating these non-employees, we can assign more stringent security policies as they will not affect our users' ability to perform their day-to-day tasks.

Scenario - Rules
Finally, we will update the default rule with the option to match user identity. By doing this, we will limit who will end up using this rule and it will ensure that random people that connect to the network will not be able to access the Internet easily. This rule will still give open access to the Internet for employees, so we will need to ensure that we have good security policies in place, and we monitor the access.

Scenario - Introduction
(Diagram: Users VLAN, DMZ, Guest VLAN, WAN, Employee Wi-Fi, Server VLAN, VoIP VLAN)
In our second example, we will consider a larger business. This business has multiple VLANs and must meet certain compliance regulations. Because of this, they are more concerned with security. Additionally, they want to better manage their bandwidth and the rules should allow for traffic shaping policies to be applied.
To support their requirements, the following rules will need to be created:
• A rule to allow guests to access the Internet over the guest VLAN
• A rule to allow FTP so that a QoS policy can be applied to it
• A block rule for P2P traffic
• A rule for employee web browsing
• A rule for their VOIP phones
• A rule to allow servers in the server VLAN to access the Internet for updates
• A rule to allow WAN to DMZ access for shared resources
• A rule to allow LAN to DMZ access so employees can use the shared resources
For our purposes, we will limit the number of rules to the above for this example, although a large enterprise may have many more firewall rules in order to meet their security needs.

Scenario - Rules
Rule list so far:
• Catch All rule
To get started, we have a block rule that needs to be created. As a general practice, block rules should be placed as high up in the list as possible. This way they are processed first before any other rule has a chance to allow the traffic. Additionally, we will create a catch all rule with some strict rules for any traffic that does not match a firewall rule. By doing this, we can enforce strong policies and control what traffic is allowed in or out. As we proceed through the examples, pay attention to the icons to the right of the rules as well as the other information.

Scenario - Rules
Rule list so far:
• A block rule for P2P traffic
• Catch All rule
In larger networks, it is common to see the network divided into various subnets for management and efficiency. Often, these subnets take the form of VLANs and make it very easy for administrators to manage the members. For businesses running voice over IP, the VoIP phones and equipment often have their own VLAN that they reside in. We will want to create a rule for this VLAN as high up as possible. We want to ensure speedy processing of this traffic to avoid any delays on calls, and this will allow us to apply proper security and QoS to these devices.

Scenario - Rules
Rule list so far:
• A block rule for P2P traffic
• A rule for their VOIP phones
• A rule for employee web browsing
• Catch All rule
Just like in our previous example, we will create a rule for web traffic since it is very popular in businesses. It is something that often needs to be controlled and secured. Again, because of the rule's high use, we want it near the top for processing.

Scenario - Rules
Rule list so far:
• A block rule for P2P traffic
• A rule for their VOIP phones
• A rule for employee web browsing
• A rule to allow servers in the server VLAN to access the Internet for updates
• A rule to allow guests to access the Internet over the guest VLAN
• Catch All rule
We have already mentioned that VLANs exist in this network, and we will want to create some additional rules for any other VLANs that will need access through the firewall. In our example, we have a servers VLAN and a guest VLAN that need access. These rules will not be targeted as often as web or VoIP rules, so they will be placed further down. And of course, we will add security policies to the guest access rule to secure not only their access out but also to ensure they do not access the internal networks.

Scenario - Rules
Rule list so far:
• A block rule for P2P traffic
• A rule for their VOIP phones
• A rule for employee web browsing
• A rule to allow LAN to DMZ access so employees can use the shared resources
• A rule to allow servers in the server VLAN to access the Internet for updates
• A rule to allow guests to access the Internet over the guest VLAN
• A rule to allow WAN to DMZ access for shared resources
We also have a DMZ in the environment that is hosting some servers. We will need to create a rule that allows employees to access these servers. This rule will be higher up as these servers hold a necessary business application and are used quite often by the employees. Another rule will need to be made to allow users from the WAN to access the DMZ. This is not as common in our example, so the rule for this is placed further down. If the servers were hosting a popular public service, we could move the rule up in the list or even create a web server protection rule if the server were hosting a web site.

Scenario - Rules
Finally, we will finish this with a rule to allow FTP traffic. The purpose of this rule is so that we can apply policies to control this traffic. As it is not commonly used and no other rule will catch the traffic, it ends up at the bottom of our list. As mentioned earlier, there may be many more rules that are needed to ensure that employees can access everything, and as the list grows, we would also consider adding the rules to groups to better organize them.

Chapter Review
• FastPath can offload traffic to increase the speed of connections, but not all traffic will be offloaded. Firewall rules can be created to maximize the amount of traffic offloaded to the FastPath.
• Firewall rules can be ordered for performance and protection. Firewall rule groups can help to organize devices that have many rules.
• The general rules are: the more specific the rule, the closer to the top the rule should be; rules that are processed more often should be above other rules; and unless it is a catch-all, deny rules should be at the top for security.
Here are the three main things you learned in this chapter.
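The two ideas the chapter keeps returning to, marking a connection after its first packet so later packets skip the packet filter, and ordering rules so that deny rules come first and busy rules sit high, can be tried out in a toy model. This is an added example, not Sophos code or part of the course: a first-match packet filter with connection tracking, run over the second scenario's rule set; the rule names come from the chapter, while the zone names, service labels, addresses and sample flows are constructed assumptions.

```python
"""Toy first-match packet filter with connection tracking and FastPath-style offload.
Added example, not Sophos code: models the chapter's rule-ordering heuristics using
scenario 2's rule names; zones, services, addresses and flows are constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "block"
    src_zone: str = "*"  # "*" matches any zone or service
    dst_zone: str = "*"
    service: str = "*"

    def matches(self, src_zone: str, dst_zone: str, service: str) -> bool:
        wanted = (self.src_zone, self.dst_zone, self.service)
        return all(w in ("*", got) for w, got in zip(wanted, (src_zone, dst_zone, service)))

@dataclass
class Firewall:
    rules: list
    conntrack: dict = field(default_factory=dict)  # flow key -> rule that decided the flow
    evaluations: int = 0                            # rule comparisons made by the packet filter

    def packet(self, flow: tuple, src_zone: str, dst_zone: str, service: str) -> Rule:
        """Decide one packet. Only a flow's first packet walks the rule table top-down;
        later packets reuse the connection entry, which is the offload idea."""
        if flow in self.conntrack:
            return self.conntrack[flow]
        for rule in self.rules:
            self.evaluations += 1
            if rule.matches(src_zone, dst_zone, service):
                self.conntrack[flow] = rule
                return rule
        raise RuntimeError("no catch-all rule at the bottom of the table")

# Scenario 2 rules. "Employee web" is deliberately broad (any service to WAN)
# so that placing the P2P block rule below it shows the block being shadowed.
P2P_BLOCK = Rule("P2P block", "block", service="p2p")
VOIP = Rule("VoIP phones", "allow", "VoIP_VLAN", "WAN", "sip")
EMPLOYEE_WEB = Rule("Employee web", "allow", "Users_VLAN", "WAN")
LAN_DMZ = Rule("LAN to DMZ", "allow", "Users_VLAN", "DMZ")
SERVER_UPDATES = Rule("Server updates", "allow", "Server_VLAN", "WAN", "http")
GUEST_WEB = Rule("Guest web", "allow", "Guest_VLAN", "WAN", "http")
WAN_DMZ = Rule("WAN to DMZ", "allow", "WAN", "DMZ", "http")
FTP = Rule("FTP", "allow", "Users_VLAN", "WAN", "ftp")
CATCH_ALL = Rule("Catch all", "block")

# Chapter ordering: block first, busiest rules next, rare rules low, catch-all last.
RECOMMENDED = [P2P_BLOCK, VOIP, EMPLOYEE_WEB, LAN_DMZ, SERVER_UPDATES,
               GUEST_WEB, WAN_DMZ, FTP, CATCH_ALL]
# Same rules with rare rules on top and the block rule below the broad allow.
POOR = [FTP, WAN_DMZ, GUEST_WEB, SERVER_UPDATES, LAN_DMZ,
        EMPLOYEE_WEB, P2P_BLOCK, VOIP, CATCH_ALL]

# Constructed traffic: (5-tuple flow key, src zone, dst zone, service, packets in flow)
FLOWS = [
    (("10.1.0.5", 40000, "203.0.113.9", 80, "tcp"), "Users_VLAN", "WAN", "http", 50),
    (("10.2.0.7", 5060, "198.51.100.3", 5060, "udp"), "VoIP_VLAN", "WAN", "sip", 500),
    (("10.1.0.8", 40002, "203.0.113.77", 6881, "tcp"), "Users_VLAN", "WAN", "p2p", 20),
    (("10.4.0.9", 40003, "203.0.113.20", 80, "tcp"), "Guest_VLAN", "WAN", "http", 10),
]

def run(rules: list) -> tuple:
    """Push every packet of FLOWS through one ordering; return (rule name per flow key, evaluations, packets)."""
    fw, decisions, packets = Firewall(rules), {}, 0
    for flow, src, dst, svc, count in FLOWS:
        for _ in range(count):
            decisions[flow] = fw.packet(flow, src, dst, svc).name
            packets += 1
    return decisions, fw.evaluations, packets
```

With the recommended order, 580 packets cost only 12 rule comparisons because each connection is looked up once and then served from its entry; the poor order needs 23 comparisons and, worse, the broad employee rule above the block rule lets the P2P flow through.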

Posted: 16/02/2023, 17:34
