At Sophos, your safety is our prime precedence. We’ve got invested in making Sophos Firewall probably the most safe firewall in the marketplace – and we repeatedly work to make it probably the most troublesome goal for hackers.
To boost your safety posture, we strongly encourage you to often assessment and implement these finest practices throughout all of your community infrastructure, whether or not from Sophos or some other vendor.
Learn on for full directions or obtain the Sophos Firewall hardening finest practices.
Preserve firmware updated
Each Sophos Firewall OS replace consists of essential safety enhancements – together with our newest launch, Sophos Firewall v21.
Make sure you preserve your firmware updated beneath Backup & Firmware > Firmware. Test a minimum of as soon as a month for firmware updates in Sophos Central or the on-box console. You may simply schedule updates in Sophos Central to be utilized throughout a interval of minimal disruption.
On-line guides:
Restrict machine service entry
It’s critically essential that you just disable non-essential providers on the WAN interface. Particularly, HTTPS and SSH admin providers.
To handle your firewall remotely, Sophos Central gives a way more safe resolution than enabling WAN admin entry. Alternatively, use ZTNA for distant administration of your community gadgets.
Test your native providers entry management beneath Administration > Gadget Entry and guarantee no gadgets are checked for the WAN Zone until completely mandatory:
On-line guides:
Use robust passwords, multi-factor authentication, and role-based entry
Allow multi-factor authentication or one-time password (OTP) and implement robust passwords, which can shield your firewall from unauthorized entry – both from stolen credentials or brute drive hacking makes an attempt.
Guarantee your sign-in safety settings are set to dam repeated unsuccessful makes an attempt and implement robust passwords and CAPTCHA. Additionally use role-based entry controls to restrict publicity.
On-line guides:
Decrease entry to inside techniques
Any machine uncovered to the WAN by way of a NAT rule is a possible danger. Ideally, no machine ought to be uncovered to the web by way of NAT or inbound connections, together with IoT gadgets.
Audit and assessment all of your NAT and firewall guidelines often to make sure there aren’t any WAN to LAN or distant entry enabled. Use ZTNA (and even VPN) for distant administration and entry to inside techniques – DO NOT expose these techniques, particularly Distant Desktop entry to the Web.
For IoT gadgets, shut down any gadgets that don’t supply a cloud proxy service and require direct entry by way of NAT – these gadgets are superb targets for attackers.
On-line guides:
Allow acceptable safety
Shield your community from exploits by making use of TLS and IPS inspection to incoming untrusted site visitors by way of related firewall guidelines. Tune your TLS and IPS inspection and make the most of trusted utility FastPath offloading to get the very best safety and efficiency in your explicit atmosphere. Make sure you don’t have any broad firewall guidelines that enable ANY to ANY connections.
Additionally shield your community from each DoS and DDoS assaults by setting and enabling safety beneath Intrusion Prevention > DoS & spoof safety. Allow spoof prevention and apply flags for all DoS assault varieties.
Block site visitors from areas you don’t do enterprise with by organising a firewall rule to dam site visitors originating from undesirable nations or areas.
Guarantee Sophos X-Ops menace feeds are enabled to log and drop beneath Lively Menace Safety.
On-line guides:
Allow alerts and notifications
Sophos Firewall might be configured to alert directors of system-generated occasions. Directors ought to assessment the listing of occasions and verify that system and safety occasions are monitored to make sure that points and occasions might be acted upon promptly.
Notifications are despatched by way of both an e-mail and/or to SNMP traps. To configure Notifications, navigate to Configure > System providers and choose the Notifications listing tab.
On-line guides:
Extra data
Be sure you try how Sophos Firewall is Safe By Design and seek the advice of the in depth on-line documentation and how-to movies to benefit from your Sophos Firewall.