{"id":2933,"date":"2018-08-16T11:05:55","date_gmt":"2018-08-16T10:05:55","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2018\/08\/16\/sophos-utm-firewall-hardening\/"},"modified":"2024-01-30T16:42:44","modified_gmt":"2024-01-30T16:42:44","slug":"sophos-utm-firewall-hardening","status":"publish","type":"post","link":"https:\/\/dionach.com\/nl\/sophos-utm-firewall-hardening\/","title":{"rendered":"Sophos UTM Firewall Hardening"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

INTRODUCTION<\/h2>

Firewalls are used as the main defence for an organisation\u2019s network infrastructure, and are used to prevent unauthorised access to or from the private network. The aim of this article is to provide guidance for network administrators on how to harden Sophos UTM firewalls. Sophos is just one of the vendors that provides such solutions to many organisations, alongside Check Point, FortiNet, Juniper, and Cisco.<\/p>

There is a command line interface for Sophos UTM, however Sophos are understood to prefer supporting the GUI and provide documentation for this approach, as such it will be used for this guide. Please note that the following recommendations were verified against a Sophos UTM 9 appliance. As such, the menus might differ for other versions.<\/p>

ACCESS CONTROL<\/a><\/h2>

Configure CENTRAL Authentication<\/a><\/h3>

The use of a central authentication service allows organisations to easily and centrally manage user accounts. This simplifies account management processes, such as by ensuring that users’ accounts can easily be disabled across all network devices once they leave the organisation.<\/p>

We will discuss three common methods for configuring central authentication in Sophos: TACACS+, RADIUS, and LDAP.<\/p>

TACACS+<\/a><\/h5>

1) Create a new authentication server<\/p>

To configure Sophos UTM to use TACACS+, you can use the following steps in WebAdmin:<\/p>

Go to\u00a0Definition & Users -> Authentication Services -> Servers. <\/em>Click\u00a0“New Authentication Server<\/strong>“, and choose the TACACS+ protocol in the dropdown menu in Backend.<\/p>

<\/p>

2) Configure the TACACS+ server:<\/p>

Click the green plus <\/strong>button to enter the IPv4 address of the TACACS+ server and specify a name in the \u201cName<\/strong>\u201d field.<\/p>

To enter the host name instead of the IPv4 address, choose \u201cDNS Host\u201d from the drop down list \u201cType<\/strong>\u201d.<\/p>

Choose the interface you wish users to be authenticated from in the \u201cAdvanced<\/strong>\u201d tab, then add the TACACS+ server name and IP Address and the TACACS+ parameters, for instance the port number and symmetric server secret key, which would be supplied by the TACACS+ server administrator.<\/p>

<\/p>

Please refer to section 5.7.2.5 TACAS+ in the following documentation for more information on how to configure TACACS+:<\/p>

https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/documentation\/utm9501_manual_eng.pdf<\/a><\/p>

RADIUS<\/a><\/h5>

The way to configure RADIUS authentication in Sophos UTM is similar to TACACS+. In the drop down list for \u201cBackend\u201d, select RADIUS and configure the rest of the parameters using the same steps that were used for TACACS+. Please refer to the following URL for more information:<\/p>

https:\/\/community.sophos.com\/kb\/en-us\/116144#Configure%20Radius%20Server%20(UTM)<\/a><\/p>

LDAP<\/a><\/h5>

To configure LDAP for Sophos UTM, please refer to Section 5.7.2.3 LDAP in the following article:<\/p>

https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/documentation\/utm9501_manual_eng.pdf<\/a><\/p>

Please note that by default, plain text communication is used to communicate with the LDAP Server which would cause administrative credentials and sensitive configuration to be sent across the network unencrypted and so be vulnerable to interception. To address this, enabling SSL for LDAP requests can be done by checking the box marked \u201cSSL\u201d as highlighted.<\/p>

<\/p>

ASSIGNING INDIVIDUAL LOCAL ADMINISTRATOR ACCOUNTS<\/a><\/h4>

Assigning individual administrator accounts ensures that every action can be traced back to the user who is responsible for making that action. Additionally, different privilege levels can be assigned to individual users to only grant the access needed for their role. In combination with user authorisation, this allows fine-grained control over the operations that are accessible to each user, ensuring that the principle of minimal privilege can be enforced.<\/p>

To create an administrative account using WebAdmin, perform the following steps. Note that privilege levels can range from Read-only, Help Desk, Admin and Super Admin, with Super Admin being the highest level of access possible:<\/p>

1) Go to Definition & Users -> Users & Groups<\/em><\/p>

2) Click “New User<\/strong>” to create a new user.<\/p>

3) Within the identity window you can fill in the username and password.<\/p>

<\/p>

4) Save the newly created user, and click on the \u201cGroups\u201d tab at the top. The group \u201cSuperAdmins<\/strong>\u201d will appear in the list.<\/p>

<\/p>

5) Click on \u201cEdit<\/strong>\u201d to edit the user group and click on the browse button. The list of users available will appear on the left, drag the new user in the \u201cEdit Group<\/strong>\u201d window<\/p>

6) The new user will be added to the list, click \u201cSave<\/strong>“.<\/p>

For more information on how to configure administrator accounts within Sophos UTM, please refer to the following URL:<\/p>

https:\/\/community.sophos.com\/kb\/en-us\/131888<\/a><\/p>

ENFORCE PASSWORD COMPLEXITY<\/a><\/h4>

Enforcing password complexity rules that comply with the organisation\u2019s password policy ensures that the accounts are protected using complex passwords, that are difficult to guess or brute force. Password complexity is often in place on Windows Active Directory, but overlooked on networking devices.<\/p>

Password complexity can be configured using the following steps in WebAdmin:<\/p>

Go to\u00a0Definitions & Users -> Authentication Services -> Advanced.<\/em>\u00a0Within the GUI you can set a number of options, which are listed below:<\/p>