Sophos Client Firewall: Administrator roll-out guidelines
The Sophos Client Firewall enables only named applications, or classes of applications, to access the company network or internet. It is available as part of Sophos Endpoint Security (subject to the terms of your license).
NOTE: This article applies to Sophos Client Firewall version 1.5
Sophos Client Firewall locks down computers, protecting networks against internet worms, hackers and the risk of virus infection from unprotected computers, especially those that connect directly to the internet.
- The default firewall settings permit only basic network communications. You must configure the firewall before deployment.
- These guidelines cover the phased deployment of Sophos Client Firewall across your network. This will avoid flooding your network with traffic in the initial stages.
- You are strongly encouraged to follow these guidelines.
These guidelines complement the following documentation. They are not a replacement for it.
- Sophos Enterprise Console manual
- Sophos network and Client Firewall startup guide
- Network upgrade guide.
Note: Sophos Client Firewall is not supported on server operating systems.
Contents
- System requirements
- The default Sophos Client Firewall policy
- Planning deployment
- Policy customization
- Rollout
- Maintenance
- Troubleshooting
- Glossary
1. System requirements
- Sophos Client Firewall is available only for Windows 2000 and later workstation operating systems, i.e. Windows 2000 Professional and Windows XP, including 32-bit Windows XP on 64-bit computers.
- Sophos Client Firewall version 1.0 is designed to run on workstations connected to an Ethernet-based LAN (local area network) or the internet.
- Sophos Client Firewall requires Sophos Anti-Virus version 6 or higher.
Sophos Client Firewall is not supported on
- server operating systems (e.g. Windows 2000 server, Windows 2003)
- 64-bit variants of Windows XP.
Note:
- Sophos Client Firewall 1.5 supports IPv6.
- Sophos Client Firewall 1.0 does not support IPv6; it lets IPv6 packets through.
The person performing the installation must be able to
- perform system backup and recovery operations
- install and configure software on the operating system(s) used on the networked computers
- configure the network on which Sophos Client Firewall is to be installed.
2. The default Sophos Client Firewall policy
You must tailor a Sophos Client Firewall policy for your network. The default policy will not be adequate.
- The default Sophos Client Firewall policy only allows access to basic networking functions and the Sophos Client Protection software.
- Anything more than basic networking, e.g. your email software, web browser and any network database access, will probably not function correctly with the default policy.
- Deploying an unmodified default policy to a group via Enterprise Console will cause problems with network communications.
A knowledgebase article lists the Sophos Client Firewall default settings.
3. Planning deployment
Note: Sophos Client Firewall cannot be removed from workstations by using Enterprise Console. However, it can be disabled from there.
When planning your firewall policies, you should take into account:
- which computers should have Sophos Client Firewall
- network wide systems and protocols
- remote shares
- remote connections.
Choosing and grouping computers
Decide how many firewall policies you will need to create. To do this, split your network up into logical groups. For example:
- Sales laptops
- Sales workstations
- Facilities workstations
- Accountancy workstations
- IT administrator workstations
Each of the above logical groups would require a different policy. The policies would cover different applications, and vary in restrictiveness.
- You should not use just one Sophos Client Firewall policy. Rules needed by only one or two computers (e.g. the administrator's workstation) would then be applied across the whole network. This is a security risk.
- Conversely, using large numbers of configurations will mean extra time spent on monitoring and maintenance.
Network-wide systems and protocols
Take into account the services that your network relies upon. For example:
- DHCP
- DNS
- RIP
- NTP
- GRE
Rules exist in the default firewall configuration to govern most of these services. However, be aware of those that you should allow, and those that you don't need.
Remote shares
It is usual to have multiple shares open across a network, but you may want to restrict access to some, or all, of these shares. The firewall can be configured to allow a connection only to specified network addresses (i.e. computers or network drives). This will allow you to restrict access to all shares on that computer. You can then set the policy for individual groups to specify which addresses they can access.
Remote access to computers
If you use remote access software to monitor and fix computers, you must build rules into your configuration to enable you to work this way.
Identify the technologies that you use to access the computers on your network. For example:
- RDC
- VPN client/server
- SSH/SCP
- Terminal services
- Citrix
Check what sort of access is needed, and create your rule(s) accordingly.
4. Policy customization
To edit your firewall policy
- open Enterprise Console
- in the Policies panel, click your firewall policy to highlight it (create one, if necessary)
- select 'View/Edit policy'.
The 'Firewall policy' dialog is displayed. All configuration is carried out from this panel.
To create a policy, right-click.
Structuring your configuration
Plan your policy, and what you want it to do, before editing and writing firewall rules (global, application, or other).
Custom global rules
To create a custom global rule, select the Global Rules tab, and click 'Add'.
See the 'Set global rules' section of the Sophos Client Firewall help file for details.
Application rules
You can either create your application rules manually, or configure a template computer in interactive mode and then import and edit the rules established by that process. See the 'Importing and exporting existing configurations' section of the Sophos Client Firewall help file for details. Once you have imported a rule for an application, you can select it when you click 'Add' in the Applications tab in the Firewall Policy dialog.
- Preset configurations
When creating rules for applications, you can use ready-made rules 'presets' for several different types of application, e.g. browsers and email clients. This is a quick way to create a rule.
To add rules from a preset:
- click the dropdown list by the 'Custom' button
- select 'Add rules from preset'
- select your preset.
For more information, see the 'Importing and exporting existing configurations' section of the Sophos Client Firewall help file.
- Creating rules manually
To create rules manually:
- click the 'Custom' button
- in 'Application rules', click 'Add'
- name and edit your new rule.
- Checksums
You can change the checksums for an application in the Checksums tab. Adding a checksum means that a process will need both a valid process name, and the correct checksum, to be allowed to run by a rule.
Settings
The following settings are available for both global and application rules:
- Outgoing or incoming
It is important to define whether a rule is to apply to incoming or outgoing traffic. Locking down what comes into computers will help prevent the flow of viruses and other malicious software.
When creating a rule in Sophos Client Firewall, you can choose whether this rule applies to inbound traffic, outbound traffic or both. In the Applications tab:
- select the application that you want to edit
- click 'Custom'
- click 'Add'
- give the rule a name
- select 'Where the direction is'
- in the 'Rule description' window, click the 'Undefined' hyperlink
- select the direction you want the rule to affect (you can select both)
- click 'OK'.
- Stateful inspection
Stateful inspection allows you to check the contents of a data packet, so you can find out if it is part of an existing communication. This helps to avoid IP spoofing threats.
All rules must take some action when triggered. That action may be to allow or to block. Stateful inspection of packets provides the facility to distinguish threats from legitimate processes.
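The following is an added example, not Sophos code, of how a direction rule and stateful inspection work together. It is a toy connection-tracking filter written for this article: an outbound packet allowed by a rule records the connection, a later inbound packet that matches a recorded connection is passed without re-checking the rules, and an inbound packet that merely claims a trusted source address but matches no recorded connection falls through to the default block. Rule names, addresses and ports are constructed for the demonstration.

```python
"""Added example (not Sophos code): a toy stateful packet filter showing how
direction rules and connection tracking combine. All packet data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected workstation
    proto: str          # "tcp" or "udp"
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "in", "out" or "both" (the 'Where the direction is' setting)
    proto: str
    port: Optional[int]  # service port: remote port for "out", local port for "in"; None = any
    action: str         # "allow" or "block"


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # 5-tuples of connections this host itself opened

    @staticmethod
    def _key(p):
        return (p.proto, p.local_addr, p.local_port, p.remote_addr, p.remote_port)

    def filter(self, p):
        # 1. Inbound packets belonging to a connection we opened are passed
        #    without re-running the rules: the streamlining the glossary describes.
        if p.direction == "in" and self._key(p) in self.table:
            return "allow (established)"
        # 2. Otherwise the first matching rule decides, and an allowed outbound
        #    packet records its connection so replies can be recognised.
        svc_port = p.remote_port if p.direction == "out" else p.local_port
        for r in self.rules:
            if r.direction not in (p.direction, "both") or r.proto != p.proto:
                continue
            if r.port is not None and r.port != svc_port:
                continue
            if r.action == "allow" and p.direction == "out":
                self.table.add(self._key(p))
            return f"{r.action} ({r.name})"
        # 3. Nothing matched: default deny, like the locked-down default policy.
        return "block (default)"


# Constructed rules: a browser may go out on 443, DNS out on 53, SMB in is blocked.
RULES = [
    Rule("browser https out", "out", "tcp", 443, "allow"),
    Rule("dns out", "out", "udp", 53, "allow"),
    Rule("smb in", "in", "tcp", 445, "block"),
]

# Constructed packets (RFC 5737 documentation addresses).
OUT_HTTPS = Packet("out", "tcp", "192.0.2.15", 51000, "203.0.113.10", 443)
IN_HTTPS_REPLY = Packet("in", "tcp", "192.0.2.15", 51000, "203.0.113.10", 443)
# Same trusted remote address and port, but no connection we opened uses local port 51001.
IN_SPOOFED = Packet("in", "tcp", "192.0.2.15", 51001, "203.0.113.10", 443)
IN_SMB = Packet("in", "tcp", "192.0.2.15", 445, "198.51.100.7", 40000)
OUT_TELNET = Packet("out", "tcp", "192.0.2.15", 51002, "198.51.100.7", 23)


def run_demo():
    """Run the constructed packets through one filter in order; returns decisions."""
    f = StatefulFilter(RULES)
    decisions = {}
    for label, pkt in [("out https", OUT_HTTPS), ("in https reply", IN_HTTPS_REPLY),
                       ("in spoofed", IN_SPOOFED), ("in smb", IN_SMB),
                       ("out telnet", OUT_TELNET)]:
        decisions[label] = f.filter(pkt)
    return decisions


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:15} -> {decision}")
```

The key point for policy design is the "in spoofed" case: a forged source address is not enough, because the inbound packet must also match a connection the workstation opened. A real filter would also expire entries when a connection closes or times out; the toy keeps them for the life of the object.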
5. Rollout
You should run a phased rollout of the Sophos Client Firewall across your network. This will avoid flooding your network with traffic in the initial stages.
Testing
You should first roll out Sophos Client Firewall to a small group of computers which can be easily monitored. This group should be representative of the various roles in your network.
Use either interactive, or non-interactive mode when running the test installations. See the Sophos Client Firewall installation guide for details.
- Install on the test computers.
- Run all of your usual programs and procedures on those computers.
- Check for any weaknesses in the test configuration (e.g., giving too much access to some users).
- Note any applications and processes that will need access to the network.
- Add those programs to your configuration.
- Where needs differ, subdivide the group and create extra configurations as needed.
Do not deploy across your whole network until the configuration has been thoroughly checked and tested.
Deployment
Once you have completed the first stage of your rollout, you can plan the deployment of Sophos Client Firewall across your network.
It is important to avoid flooding the network with too much traffic at any one time. Do not deploy to the whole network at once.
- Split the rest of the network into manageable groups.
- Roll out to those groups in stages.
6. Maintenance
Updating an application
An application checksum may change when you update that application, or apply a hotfix or service patch to your computer's operating system. You will then need to update the checksums in Sophos Client Firewall.
When upgrading an application, do as follows:
- Install the upgrade on a test computer.
- Add the new checksum to its firewall configuration, but keep the old checksum as well.
- Test the configuration.
- Export the configuration from the test computer.
This is done so that you can roll out the new firewall configuration before you start your system upgrade. With both the old and new checksums in place, your computers and the firewall will continue to work during the upgrade.
- Merge the new configuration with your existing configuration(s) in Enterprise Console. For more on this process, see 'Importing and exporting existing configurations' in the Sophos Client Firewall help file.
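As an added illustration of the checksum rule described under 'Checksums' and of the upgrade workflow above, the following Python is not Sophos code: it models an allow-list keyed on both the process name and the executable's checksum, then walks through an upgrade in which the new build's checksum is added while the old one is kept, and the old one is retired only once the upgrade is finished. The hash algorithm (SHA-256) and the executable contents are assumptions made for the example; the article does not state which checksum the product uses.

```python
"""Added example (not Sophos code): an application allow-list that requires a
matching process name AND checksum, with the keep-old-and-new upgrade workflow.
Executable contents below are constructed byte strings, not real binaries."""
import hashlib


def checksum(exe_bytes: bytes) -> str:
    # SHA-256 of the executable image (assumed algorithm for this example).
    return hashlib.sha256(exe_bytes).hexdigest()


class AppAllowList:
    def __init__(self):
        self.apps = {}   # process name -> set of permitted checksums

    def add(self, name: str, exe_bytes: bytes) -> None:
        # Adding a second checksum for the same name keeps the first one.
        self.apps.setdefault(name, set()).add(checksum(exe_bytes))

    def retire(self, name: str, exe_bytes: bytes) -> None:
        # Remove one build's checksum once it is no longer in use.
        self.apps.get(name, set()).discard(checksum(exe_bytes))

    def is_allowed(self, name: str, exe_bytes: bytes) -> bool:
        # Both conditions must hold: known name, and a checksum on that name's list.
        return checksum(exe_bytes) in self.apps.get(name, set())


def upgrade_walkthrough():
    """Returns the allow/deny outcome at each stage of a mail client upgrade."""
    old_build = b"MZ...mailclient build 1 (constructed)"
    new_build = b"MZ...mailclient build 2 (constructed)"
    impostor = b"MZ...something else renamed to mailclient.exe (constructed)"

    acl = AppAllowList()
    acl.add("mailclient.exe", old_build)          # rule as deployed today
    results = {}
    results["old build, before upgrade"] = acl.is_allowed("mailclient.exe", old_build)
    results["new build, before checksum added"] = acl.is_allowed("mailclient.exe", new_build)

    acl.add("mailclient.exe", new_build)          # step 2: add new, keep old
    results["old build, during upgrade"] = acl.is_allowed("mailclient.exe", old_build)
    results["new build, during upgrade"] = acl.is_allowed("mailclient.exe", new_build)
    results["impostor with the right name"] = acl.is_allowed("mailclient.exe", impostor)
    results["right file under another name"] = acl.is_allowed("other.exe", new_build)

    acl.retire("mailclient.exe", old_build)       # after every computer is upgraded
    results["old build, after retirement"] = acl.is_allowed("mailclient.exe", old_build)
    results["new build, after retirement"] = acl.is_allowed("mailclient.exe", new_build)
    return results


if __name__ == "__main__":
    for stage, allowed in upgrade_walkthrough().items():
        print(f"{stage:38} -> {'allow' if allowed else 'block'}")
```

The "new build, before checksum added" outcome is the failure the Maintenance section warns about: if the upgrade is rolled out before the policy that carries the new checksum, the updated application is blocked. The "impostor" and "another name" outcomes show why a rule with a checksum is stricter than one with a process name alone.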
7. Troubleshooting
Regardless of how much testing you did before deployment, problems during rollout may force you to disable the firewall, or switch back to a previous policy.
Disabling the firewall
You can allow all traffic across the network, or on a selected group of computers, by changing the configuration. To do this
- open the 'Sophos Client Firewall Configuration Editor' in Enterprise Console, or at the local computer
- select the General tab
- select 'Allow all traffic'.
Switching back to a previous policy
As with other applications, you should keep backups of important firewall configurations. To do this, export the configuration as a '.conf' file from a computer running Sophos Client Firewall, or from Enterprise Console. See 'Importing and exporting existing configurations' in the Sophos Client Firewall help file.
Make a backup of your current firewall configuration before you make any changes to it, e.g. when
- adding an application to your network
- upgrading an application on your network
- editing the configuration manually.
If you take backups, you can easily switch your computers back to their old working firewall configuration if the changes were unsuccessful.
8. Glossary
Checksum
Each version of an application has a unique checksum. The firewall can use this checksum to decide whether an application is allowed or not.
Group
A group of managed computers defined in the Sophos Enterprise Console.
Interactive mode
The Sophos Client Firewall works in two modes. In interactive mode, the firewall uses a pop-up dialog to ask you what it should do when a program attempts to access the network or internet. Non-interactive mode suppresses these dialogs.
IP Spoofing
A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.
Non-interactive mode
The Sophos Client Firewall works in two modes. In non-interactive mode the firewall deals with traffic automatically using your rules. You must set these rules manually, or in interactive mode, before using non-interactive mode.
Phased deployment
A process that minimizes the risk of deploying a change to a production network by releasing it as a series of small changes to sections of the network in a controlled manner.
Policy
A group of settings applied to a group or groups of computers defined in Sophos Enterprise Console.
Rollout
The deployment of a new or upgraded product or policy.
Sophos Client Protection
Sophos Client Protection (SCP) consists of Sophos
Sophos Enterprise Console
The Sophos Enterprise Console lets you deploy and manage Sophos Client Protection on workstations from a central location.
Stateful inspection
Packet checking technology that allows the rule to query not just the source and destination of a packet, but whether the packet was part of an earlier communication. Stateful inspection can help to avoid threats from IP spoofing. It can also streamline the filtering process, as packets do not have to be re-checked by your rules.
If you need more information or guidance, then please contact technical support.
- Article ID: 14197
- Created: 16 Dec 2005
- Last updated: 8 Oct 2009