Best Practice: Firewall settings guide

  • Article ID: 57757
  • Updated: 04 Jul 2013

When you configure a firewall policy, you may want more information about some of the settings and why you should (or shouldn't) enable them.

This article contains the 'factory default' rules and configuration settings for the Sophos firewall when configured using the Advanced Settings button in the Firewall Policy. Whenever possible, we have described the security implications of the setting or explained why the default was chosen.

We recommend that you use the firewall rollout guide before deploying to your endpoint computers.

Disabling the firewall: To disable the firewall, refer to the section 'Temporarily disable the firewall', in the relevant Endpoint or Console Help. Note: disabling the firewall by disabling the firewall services is not supported.

For other Best Practice articles, please see our Best Practice Index

In this article

Advanced configuration:
General settings | Location detection settings | Checksum settings | Log settings

Primary or secondary location configuration:
General settings | ICMP settings | LAN settings | Global rules | Application rules | Process-control settings

Advanced configuration

General Settings tab

Primary location: Allow all traffic
  Default: Disabled
  Comments: This setting is in place for special circumstances only. It disables the firewall whilst at the primary location and generally shouldn't be used. If you need to allow an application or connection, set up an Application rule, an ICMP rule or a Global rule instead.

Add configuration for a secondary location
  Default: Disabled
  Comments: This setting should only be used for laptops and other computers that are regularly connected to an additional network, such as a home or public wireless network.

Applied location
  Default: Apply the configuration for the detected location
  Comments: Disabled until you select 'Add configuration for a secondary location'. Allows you to set which configuration is applied when a new location is detected. The default, 'Apply the configuration for the detected location', ensures that the firewall automatically detects the current network and selects the associated configuration. If your end users belong to the SophosPowerUsers or SophosAdministrators group, they can also manually choose the primary or secondary configuration when they are at a third location. Tell these laptop users that they can do this when connecting to a new network and explain which configuration they should choose.

Location detection tab

Detection method
  Default: DNS, none configured
  Comments: We recommend that you use Gateway MAC Address detection, if possible. The firewall reads the MAC address of the default gateway on the network it is connected to, compares it with the addresses you have configured, and applies the primary or secondary location accordingly. Bear in mind that this is a convenience mechanism, not authentication: a gateway's MAC address is visible to anyone on the same network and can be copied, so a hostile network could present your office gateway's MAC address and be given the primary configuration. Keep the primary configuration itself tight rather than relying on location detection to protect laptops.
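How gateway MAC address detection works, shown as an added example (not Sophos code and not the product's implementation): it parses constructed Windows 'route print' and 'arp -a' output, which is where the information the firewall uses lives, picks the default gateway with the lowest metric, looks up its MAC address and maps it to a location. The gateway MAC address, IP addresses and location names are made up.

```python
"""Gateway MAC address location detection over constructed 'route print' and
'arp -a' output. Added example; addresses and location names are constructed."""
import re

# Constructed: MAC address of the office default gateway, as an administrator
# would enter it in the policy, mapped to the location whose configuration applies.
KNOWN_GATEWAYS = {
    "00-11-22-33-44-55": "primary",
}

# Constructed 'route print' excerpt with two default routes; the lower metric wins.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.1       10.0.0.23     25
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     50
         10.0.0.0    255.255.255.0         On-link       10.0.0.23    281
"""

# Constructed 'arp -a' excerpt for the interface that carries the default route.
ARP_A = """\
Interface: 10.0.0.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

ROUTE_RE = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+\S+\s+(\d+)\s*$", re.M)
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+",
                    re.M | re.I)


def default_gateway(route_output):
    """IP of the default gateway with the lowest metric, or None if there is none."""
    routes = [(int(metric), gw) for gw, metric in ROUTE_RE.findall(route_output)]
    return min(routes)[1] if routes else None


def gateway_mac(arp_output, gateway_ip):
    """MAC of the gateway from the ARP cache, normalised to lower-case 'aa-bb-...'."""
    for ip, mac in ARP_RE.findall(arp_output):
        if ip == gateway_ip:
            return mac.lower()
    return None


def detect_location(route_output, arp_output, known=KNOWN_GATEWAYS):
    """'primary' if the gateway MAC is one we configured, otherwise 'secondary'.

    Any failure (no default route, no ARP entry, unknown MAC) falls back to the
    secondary location, which should be the more restrictive configuration."""
    gw = default_gateway(route_output)
    mac = gateway_mac(arp_output, gw) if gw else None
    return known.get(mac, "secondary")


if __name__ == "__main__":
    print(default_gateway(ROUTE_PRINT), gateway_mac(ARP_A, "10.0.0.1"))
    print(detect_location(ROUTE_PRINT, ARP_A))
    print(detect_location(ROUTE_PRINT, ARP_A.replace("00-11", "de-ad")))
```

The design choice worth copying is the fall-through: anything that is not a positive match on a configured gateway gets the secondary (restrictive) configuration. The reverse, treating an unknown network as the office, is exactly what an attacker on a hostile network would want, and since the ARP entry is just whatever the network answered with, a copied MAC address would pass this check.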

Checksum tab

Application / Version / Checksum
  Default: None configured
  Comments: Before you roll out the firewall, enter the MD5 checksums of the commonly used applications on your network on this screen. This saves time and duplication of effort when responding to firewall requests during roll out. A checksum ties an application rule to a specific binary rather than to a file name, so a renamed or replaced executable does not inherit the rule (see 'Use checksums to authenticate applications' on the General tab). Every update of an application changes its checksum, so maintain this list alongside your patching process. MD5 is the digest the product expects here; MD5 collisions are practical, so treat the list as a defence against renamed or casually replaced binaries rather than as a strong integrity guarantee.
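An added example (not Sophos code) for preparing the Checksum tab: it computes the MD5 the tab expects (with SHA-256 alongside for your own records) over a constructed directory tree, and shows that a binary with the right name but different contents does not authenticate against the inventory. The file names, contents and version strings are constructed; on a real estate you would walk Program Files and read versions from each executable's version resource.

```python
"""Build the Application / Version / Checksum list for the firewall Checksum tab.
Added example; the sample files, their contents and the version strings are
constructed, and versions are supplied by the caller rather than read from
the executables."""
import hashlib
import os
import tempfile


def file_digests(path, chunk=1 << 20):
    """Return (md5_hex, sha256_hex) of a file, streamed so large binaries are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def build_inventory(paths, versions):
    """Rows (application, version, md5, sha256) ready to copy into the Checksum tab.
    `versions` maps file name -> version string (assumed supplied by the admin)."""
    rows = []
    for path in paths:
        name = os.path.basename(path)
        md5, sha256 = file_digests(path)
        rows.append((name, versions.get(name, "unknown"), md5, sha256))
    return rows


def authenticate(path, inventory):
    """Mimic 'Use checksums to authenticate applications': the file is recognised
    as the inventoried application only if its MD5 matches, not because its name
    does. Returns the matching inventory row, or None."""
    name = os.path.basename(path)
    md5, _ = file_digests(path)
    for row in inventory:
        if row[0].lower() == name.lower() and row[2] == md5:
            return row
    return None


def make_sample_tree():
    """Constructed stand-in for a real install: two files called app.exe, the
    second with different contents (as after a replacement by malware)."""
    root = tempfile.mkdtemp(prefix="fw-checksums-")
    genuine = os.path.join(root, "Program Files", "app.exe")
    tampered = os.path.join(root, "Temp", "app.exe")
    for path, data in ((genuine, b"abc"), (tampered, b"not the same binary")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return genuine, tampered


if __name__ == "__main__":
    genuine, tampered = make_sample_tree()
    inventory = build_inventory([genuine], {"app.exe": "1.0.0"})
    for row in inventory:
        print("\t".join(row))
    print("genuine authenticated:", authenticate(genuine, inventory) is not None)
    print("tampered authenticated:", authenticate(tampered, inventory) is not None)
```

Keep the generated list under version control next to the policy: when a checksum stops matching after a software update, the diff tells you which entry to refresh, and an unexplained change on a machine that was not updated is worth investigating.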

Log tab

Keep all records / Delete old records
  Default: Delete old records

Delete records after x days
  Default: 1 day (disabled)

Keep no more than y records
  Default: 200 records (disabled)

Keep size under z MB
  Default: 50 MB (enabled)

Note: the firewall log is the local record of what a computer was allowed and refused to connect to. If you expect to use it when investigating an incident, size the limit for the history you need rather than leaving the 50 MB default.

Primary or secondary location configuration

Note: no secondary location is preconfigured. If one is added its default settings are identical to the primary location.

General tab

Working mode
  Default: Block by default
  Comments: This article defines best practice. If you are setting up Sophos Client Firewall for the first time, refer to the Administrator Rollout Guide for setup details. In general, once all approved applications have been allowed through the firewall, computers should be set to 'Block by default' mode, as this stops all traffic that is not explicitly allowed by a rule. Note: if both primary and secondary locations are enabled and the primary mode is Interactive, the secondary mode is automatically set to 'Block by default'. Interactive mode is not available on Windows 8.

Block processes if memory is modified
  Default: Enabled
  Comments: If a running process's memory is modified, for instance by injected code, this option blocks the process's network access, so malware cannot borrow the permissions of a trusted application. It should usually remain selected. Unavailable on Windows 8; the functionality is provided by HIPS.

Block hidden processes
  Default: Enabled
  Comments: A hidden process is one launched by another program to carry out network activity on its behalf, a technique malware uses to get around application rules. This option should always be enabled to stop malicious programs reaching the network this way on your endpoints. Unavailable on Windows 8; the functionality is provided by HIPS.

Drop packets sent to blocked ports
  Default: Enabled
  Comments: Packets to a blocked port are discarded silently instead of being answered with a reset or an ICMP error, so a port scanner cannot tell a blocked port from no host at all. This helps defend against reconnaissance and should usually remain selected. Unavailable on Windows 8; currently always enabled.

Use checksums to authenticate applications
  Default: Enabled
  Comments: Helps the firewall distinguish a legitimate application from a malicious program with the same name: an application rule only applies if the executable's checksum matches the one recorded on the Checksum tab. This option should usually remain selected. In Windows 8, this option is found on the Applications tab.

Block IPv6 packets
  Default: Enabled
  Comments: At the time of writing (2013), IPv6 is used by only a handful of applications and ISPs, so blocking it costs little and closes a path used by some P2P applications. If your network does run IPv6 internally, enabling this will break that connectivity. To block all use of P2P applications on your network, configure an Application Control policy instead. In Windows 8, this option is found on the Global rules tab and has been renamed "Block all IPv6 traffic".

Display an alert in the management console if local changes are made to the global rules, applications, processes, or checksums
  Default: Enabled
  Comments: Lets you see from the console when the firewall settings on a workstation have been changed, either by the user or by malware. In most circumstances this option should remain selected. Unavailable on Windows 8.

Report unknown applications and traffic to the management console
  Default: Enabled
  Comments: We recommend always keeping this option selected so that you can monitor what your end users run and what unknown traffic is attempted.

Report errors to the management console
  Default: Enabled
  Comments: Lets the administrator view firewall error messages from workstations in the console. This option should usually remain selected.

Desktop messaging: Show warnings and errors
  Default: Enabled
  Comments: Keep this option enabled so that users are told when there is a problem.

Desktop messaging: Show unknown applications and traffic
  Default: Disabled
  Comments: Unknown applications and traffic are only shown to the user if Interactive mode has been selected.


ICMP tab

Echo Reply (0)
  Default: Allowed IN
  Comments: The reply to an echo request (ping). Allowing replies in lets the computer receive answers to its own pings. A Smurf attack sends echo requests with a forged source address to many hosts so that their replies flood the victim; a host only takes part if it answers inbound echo requests, which the default does not allow (see Echo Request below).

Destination Unreachable (3)
  Default: Allowed IN and OUT
  Comments: Reports that a destination or port could not be reached. Inbound messages are needed for path MTU discovery and for connection attempts to fail promptly rather than time out; outbound ones tell peers that a port is closed. Spoofed Destination Unreachable messages can be used to tear down or slow existing connections (for example, forged 'fragmentation needed' messages that shrink the path MTU), which is the trade-off accepted for normal network behaviour.

Source Quench (4)
  Default: Blocked
  Comments: Source quench messages ask the sender to reduce its rate to manage overload. They are deprecated (RFC 6633) and ignored by modern stacks; accepting them lets an attacker throttle a connection (Denial of Service) or interfere with it as part of a man-in-the-middle attack. Leave blocked.

Redirect Message (5)
  Default: Blocked
  Comments: If you do not need redirection on your network, keep this blocked: a spoofed redirect changes the receiving host's routing table, sending traffic via an attacker (man in the middle) or nowhere (DoS).

Echo Request (8)
  Default: Allowed OUT
  Comments: Used to find out whether a networked computer is up (ping). Outbound requests let the computer ping others; inbound requests are not allowed, so the computer does not answer pings, is less visible to scans, and cannot be used as an amplifier in a Smurf attack.

Router Advertisement (9)
  Default: Allowed IN (Windows 8: Blocked)
  Comments: Router advertisements are sent in response to router solicitations, or periodically to announce a router's presence. Spoofed advertisements can plant a bogus default route on the receiving host to facilitate man-in-the-middle and DoS attacks. Unless your network uses ICMP router discovery, block inbound advertisements; the Windows 8 default already does.

Router Solicitation (10)
  Default: Allowed OUT (Windows 8: Blocked)
  Comments: Router solicitations are sent to locate routers on a network. An attacker can use them as a form of network scanning to find computers to attack, which is why inbound solicitations are not allowed. If your network does not use ICMP router discovery, block the outbound direction as well, as the Windows 8 default does.

Time Exceeded (11)
  Default: Allowed IN
  Comments: Needed to learn that a packet's TTL expired in transit, and for traceroute to work.

Parameter Problem (12)
  Default: Blocked

Timestamp Request (13)
  Default: Blocked

Timestamp Reply (14)
  Default: Blocked

Information Request (15)
  Default: Blocked

Information Reply (16)
  Default: Blocked

Address Mask Request (17)
  Default: Blocked

Address Mask Reply (18)
  Default: Blocked

The remaining types are blocked because they are obsolete or disclose information: timestamp and address mask replies are used for host fingerprinting and network reconnaissance and have no legitimate use on a modern network.

LAN tab

LAN (IP address and subnet)
  Default: Nothing set
  Comments: Each LAN entry is a subnet the computer trusts to some degree. 'NetBIOS' allows file and printer sharing with other computers on the LAN or trusted subnet, and is sufficient for most normal office work. 'Trusted' allows all traffic between computers on the LAN, which effectively switches the firewall off for that subnet; only use it where completely necessary, and never for a private range (such as 192.168.0.0/24) that a laptop is likely to meet again on a home or public network.


Global rules tab

Global rules apply to all traffic regardless of the application. Each rule is given in the wording the policy editor uses.

Allow loopback TCP connection
  Rule: Where the protocol is TCP and the remote address is 127.0.0.0 (255.0.0.0) Allow it
  Comments: A loopback connection lets applications talk to services on the same computer and is often used to check that a network stack is present; web browsers often check for a connection this way.

Allow GRE protocol
  Rule: Where the protocol is IP and the type is GRE Allow it
  Comments: Allows GRE-in-IP tunnels to or from the client computer, e.g. the data channel of PPTP virtual private network (VPN) connections.

Allow PPTP Control Connection
  Rule: Where the protocol is TCP and the direction is Outbound and the remote port is 1723 and the local port is 1024-65535 Allow it
  Comments: Allows the PPTP control connection (TCP port 1723) that sets up a PPTP VPN tunnel; the tunnelled data travels over GRE (previous rule). If you do not use PPTP VPNs, remove both rules. If you do, note that PPTP's MS-CHAPv2 authentication is considered broken and a more modern VPN protocol should be preferred.

Allow loopback UDP connection
  Rule: Where the protocol is UDP and the remote address is 127.0.0.0 (255.0.0.0) and the local port is equal to remote port Allow it
  Comments: Note: on Windows 8 the "and the local port is equal to remote port" qualifier is unavailable, so the rule is: Where the protocol is UDP and the remote address is 127.0.0.0 (255.0.0.0) Allow it

Block RPC Call (TCP)
  Rule: Where the protocol is TCP and the direction is Inbound and the local port is 135 Block it
  Comments: Prevents inbound Remote Procedure Call (RPC) connections over TCP to the client computer, so an intruder cannot use the RPC endpoint mapper to run legitimate code on the local computer in an unwanted manner. Note: the RPC endpoint mapper port (135) is associated with several high-profile vulnerabilities used by network worms for replication and propagation. Outbound connections to port 135 on other hosts are still permitted for specific system processes by the application rules below.

Block RPC Call (UDP)
  Rule: Where the protocol is UDP and the local port is 135 Block it
  Comments: The same protection for RPC over UDP.

Applications tab

The most common and important Windows services are listed here. You will likely need to add more applications while rolling out the firewall in Interactive mode.

Note: the "and stateful inspection" qualifier at the end of some rules isn't available on Windows 8, as all rules are stateful by default there.

alg.exe (Windows Firewall component)
  Allow ALG Redirect: Where the protocol is TCP and the direction is Inbound Allow it and stateful inspection
  Microsoft Application Layer Gateway Service connection: Where the protocol is TCP and the direction is Outbound and the remote port is 21 Allow it and stateful inspection
  Comments: 'Allow ALG Redirect' is the only inbound allow among the defaults, and it is open to any port. It is acceptable only because it is bound to the checksum-authenticated alg.exe; if you do not rely on the Application Layer Gateway service (FTP and similar NAT helpers), consider removing it.

lsass.exe (Local Security Authority Subsystem Service)
  Local Security Authority Service Kerberos UDP connection: Where the protocol is UDP and the remote port is 88 Allow it and stateful inspection
  Local Security Authority Service Kerberos TCP connection: Where the protocol is TCP and the direction is Outbound and the remote port is 88 Allow it
  LSASS LDAP connection to Global Catalog Server: Where the protocol is TCP and the direction is Outbound and the remote port is 3268-3269 Allow it and stateful inspection
  Local Security Authority Service LDAP UDP connection: Where the protocol is UDP and the remote port is 389 Allow it and stateful inspection
  Local Security Authority Service LDAP TCP connection: Where the protocol is TCP and the direction is Outbound and the remote port is 389 Allow it and stateful inspection
  Local Security Authority Service DCOM dynamic port allocation: Where the protocol is TCP and the direction is Outbound and the remote port is 1025-1040 Allow it
  Local Security Authority Service DCOM connection: Where the protocol is TCP and the direction is Outbound and the remote port is 135 Allow it
  Allow DNS Resolving (TCP): Where the protocol is TCP and the direction is Outbound and the remote port is 53 Allow it
  Allow DNS Resolving (UDP): Where the protocol is UDP and the direction is Outbound and the remote port is 53 Allow it and stateful inspection

services.exe (Windows Service Controller)
  Services DCOM connection: Where the protocol is TCP and the direction is Outbound and the remote port is 135 Allow it
  Services DCOM dynamic port allocation: Where the protocol is TCP and the direction is Outbound and the remote port is 1090-1110 Allow it
  Services LDAP connection: Where the protocol is TCP and the direction is Outbound and the remote port is 389, 3268 Allow it
  Allow DNS Resolving (TCP): Where the protocol is TCP and the direction is Outbound and the remote port is 53 Allow it
  Allow DNS Resolving (UDP): Where the protocol is UDP and the direction is Outbound and the remote port is 53 Allow it and stateful inspection
  Allow DHCP: Where the protocol is UDP and the remote port is 67 and the local port is 68 Allow it
  Allow DHCP (v6): Where the protocol is UDP and the remote port is 547 and the local port is 546 Allow it

svchost.exe (Service Host)
  Allow DNS Resolving (TCP): Where the protocol is TCP and the direction is Outbound and the remote port is 53 Allow it
  Allow DNS Resolving (UDP): Where the protocol is UDP and the direction is Outbound and the remote port is 53 Allow it and stateful inspection
  Allow DHCP: Where the protocol is UDP and the remote port is 67 and the local port is 68 Allow it
  Allow DHCP (v6): Where the protocol is UDP and the remote port is 547 and the local port is 546 Allow it
  Comments: svchost.exe hosts many unrelated Windows services in separate instances, and a rule for svchost.exe applies to all of them. Keep its rules as narrow as the defaults above; a broad allow for svchost.exe is effectively a broad allow for much of the operating system.

userinit.exe (User Initialization)
  Microsoft Userinit LDAP connection: Where the protocol is TCP and the direction is Outbound and the remote port is 389, 3268 Allow it
  Microsoft Userinit DCOM Connection: Where the protocol is TCP and the direction is Outbound and the remote port is 135 Allow it

winlogon.exe (Windows Logon)
  Microsoft Winlogon LDAP connection: Where the protocol is TCP and the direction is Outbound and the remote port is 389, 3268 Allow it
  Microsoft Winlogon DCOM Connection: Where the protocol is TCP and the direction is Outbound and the remote port is 135 Allow it
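To make the interaction between 'Block by default', checksum authentication, the global rules and the application rules concrete, here is an added example (not Sophos code) that parses rules written in the exact wording used on this page and applies them to sample connections. The rule sentences are the defaults quoted above; the evaluation order (application rules of the checksum-authenticated process first, then global rules, then the working-mode default), the stand-in lsass.exe image bytes and its MD5, and the sample connections are assumptions of the example, since the page does not state the product's precedence.

```python
"""Rules in this page's 'Where ... Allow it' wording, parsed and applied to
sample connections under 'Block by default' with checksum authentication of
the owning process. Added example, not Sophos code; evaluation order, the
lsass.exe stand-in image and the sample connections are assumptions."""
import hashlib
import re

RULE_RE = re.compile(r"^Where (.+?) (Allow|Block) it( and stateful inspection)?$")
COND_RE = re.compile(r"^the (.+?) is (.+)$")


def parse_ports(spec):
    """'1723', '1024-65535' or '389, 3268' -> list of (low, high) ranges."""
    out = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        out.append((int(low), int(high or low)))
    return out


def ip_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def parse_rule(text):
    """One rule as written on this page -> (conditions, allow, stateful)."""
    m = RULE_RE.match(" ".join(text.split()))      # collapse the article's line breaks
    if not m:
        raise ValueError(text)
    conds = {}
    for part in m.group(1).split(" and "):
        if part == "the local port is equal to remote port":
            conds["same port"] = True
            continue
        key, value = COND_RE.match(part).groups()
        if key in ("remote port", "local port"):
            conds[key] = parse_ports(value)
        elif key == "remote address":              # '127.0.0.0 (255.0.0.0)'
            addr, mask = value.replace("(", "").replace(")", "").split()
            conds[key] = (ip_int(addr) & ip_int(mask), ip_int(mask))
        else:                                       # protocol, direction, type
            conds[key] = value.lower()
    return conds, m.group(2) == "Allow", m.group(3) is not None


def matches(conds, conn):
    """conn keys: protocol, direction, local port, remote port, remote address, type."""
    for key, want in conds.items():
        if key == "same port":
            ok = conn["local port"] == conn["remote port"]
        elif key in ("remote port", "local port"):
            ok = any(lo <= conn[key] <= hi for lo, hi in want)
        elif key == "remote address":
            ok = ip_int(conn["remote address"]) & want[1] == want[0]
        else:
            ok = conn.get(key) == want
        if not ok:
            return False
    return True


GLOBAL_RULES = [parse_rule(r) for r in (
    "Where the protocol is TCP and the remote address is 127.0.0.0 (255.0.0.0) Allow it",
    "Where the protocol is IP and the type is GRE Allow it",
    "Where the protocol is TCP and the direction is Outbound and the remote port is 1723 "
    "and the local port is 1024-65535 Allow it",
    "Where the protocol is UDP and the remote address is 127.0.0.0 (255.0.0.0) "
    "and the local port is equal to remote port Allow it",
    "Where the protocol is TCP and the direction is Inbound and the local port is 135 Block it",
    "Where the protocol is UDP and the local port is 135 Block it",
)]

# Constructed stand-in for the genuine lsass.exe image; its MD5 plays the part of
# the entry on the Checksum tab. The rules are two of the lsass.exe defaults.
GENUINE_LSASS = b"constructed lsass.exe image bytes"
APP_RULES = {
    "lsass.exe": (hashlib.md5(GENUINE_LSASS).hexdigest(), [parse_rule(r) for r in (
        "Where the protocol is TCP and the direction is Outbound and the remote port is 88 Allow it",
        "Where the protocol is TCP and the direction is Outbound and the remote port is 389 "
        "Allow it and stateful inspection",
    )]),
}


def decide(conn, process=None, image=None):
    """(verdict, reason) for a connection attempted by `process`, whose executable
    bytes are `image`, with the working mode set to 'Block by default'."""
    if process in APP_RULES:
        expected_md5, rules = APP_RULES[process]
        if image is not None and hashlib.md5(image).hexdigest() == expected_md5:
            for conds, allow, _ in rules:
                if matches(conds, conn):
                    return ("allow" if allow else "block"), f"application rule ({process})"
        # Checksum mismatch: a binary that merely shares the name is treated as an
        # unknown application and gets nothing from the application rules.
    for conds, allow, _ in GLOBAL_RULES:
        if matches(conds, conn):
            return ("allow" if allow else "block"), "global rule"
    return "block", "Block by default"
```

Two outcomes are worth noticing. An outbound Kerberos connection is allowed when it comes from a process named lsass.exe whose bytes hash to the recorded checksum, and falls through to 'Block by default' when a binary with the same name but different contents makes it: that is the whole value of 'Use checksums to authenticate applications'. And a PPTP control connection from a local port below 1024 is blocked even though port 1723 is allowed, because every qualifier in a rule must match; when you write your own rules, check each qualifier against the traffic you actually see rather than assuming the rule is as broad as its name.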


Processes tab

This tab is unavailable on Windows 8: hidden process support has been removed and raw sockets are treated the same as normal sockets.

Warn about new launchers
  Default: Enabled
  Comments: Only available in Interactive mode. A launcher is a program that starts another process which then accesses the network on its behalf; the warning lets you decide whether that combination is legitimate.

Warn about the use of rawsockets
  Default: Enabled
  Comments: Only available in Interactive mode. Raw sockets bypass the TCP/UDP layer and let a program craft arbitrary packets, including packets with forged addresses, so their use by an application is worth a warning.

If you need more information or guidance, then please contact technical support.
