Sophos Client Firewall: security implications of editing Global Rules
Global rules apply to all network connections. They take lower priority than the rules you set on the LAN tabbed page. They also take lower priority than rules set on the Applications tabbed page, unless you select 'High priority' when you set up the global rule.
A knowledgebase article describes the default settings for the Global Rules and other tabbed pages.
Global Rules tabbed page
The uppermost rule in the list has the highest priority. You can move rules up and down the list with the 'Move Up' and 'Move Down' buttons.
Default rule set
- Allow Loopback TCP Connection
A loopback connection allows applications to check that a network connection exists. Web browsers often check for a connection this way.
- Allow GRE Protocol
This will allow GRE in IP tunnels to run to or from the client computer, i.e. virtual private network (VPN) connections.
- Allow PPTP Control Connection
This will allow PPTP in IP tunnels to run to or from the client computer, i.e. virtual private network (VPN) connections.
- Block RPC Call (TCP)
This setting prevents Remote Procedure Call (RPC) calls using TCP from being made on the client computer. This stops an intruder from running legitimate code on the local computer in an unwanted manner.
Note: The port used by the RPC port mapper (135) is associated with several high profile vulnerabilities used by network worms for replication and propagation.
- Block RPC Call (UDP)
This setting prevents Remote Procedure Call (RPC) calls using UDP from being made on the client computer. This stops an intruder from running legitimate code on the local computer in an unwanted manner.
- ?????? ??? Allow outgoing TCP
Where '?????? ???' is a number. This is a default rule that exists before any policy is downloaded to the client computer from Enterprise Console. This rule enables the client computer to continue working on the network until a policy configured at the console has been downloaded.
- ?????? ??? Allow outgoing UDP
Where '?????? ???' is a number. This is a default rule that exists before any policy is downloaded to the client computer from Enterprise Console. This rule enables the client computer to continue working on the network until a policy configured at the console has been downloaded.
Default rules for Enterprise Console
- Allow ICMP From The Management Console
This allows the computer running Enterprise Console to be used for troubleshooting the network.
- Allow DCOM Communication From The Management Console
This allows the computer running Enterprise Console to be used for deployment and redeployment from the console to the client computers.
Adding rules
When adding new rules, remember that the more information you include in your rule, the more secure it will be.
If you are adding a new application, rather than trusting everything that it might do, you can limit its use. For example you can:
- Add detail about the direction in which the traffic can flow.
- Add detail about which protocols can be used.
- Specify the ports that can be used.
This will limit how the user can use the application, and will be more secure.
Alone, the components of a rule mean little in security terms, but when used in conjunction with each other, they can allow an application to be used freely, but securely.
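The priority scheme described above (LAN rules above Application rules above Global rules, with a 'High priority' global rule lifted above Application rules, and the uppermost rule winning within a list) is modelled in the following added example, which is not Sophos code. It assumes that a high-priority global rule still sits below LAN rules, and uses two of the default global rules beside a hypothetical, over-broad application rule for a program called legacy_app.exe, to show why the rule tier and the detail in a rule decide whether RPC traffic on port 135 is actually blocked.

```python
from dataclasses import dataclass
from typing import Optional

# Evaluation order assumed from the article: LAN rules beat everything, a
# global rule marked 'High priority' beats Application rules, and ordinary
# global rules are consulted last. Within a tier the uppermost match wins.
TIER_RANK = {"lan": 0, "global-high": 1, "application": 2, "global": 3}

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    tier: str                        # "lan", "application" or "global"
    proto: Optional[str] = None      # None matches any protocol
    direction: Optional[str] = None  # "in", "out" or None for both
    ports: frozenset = frozenset()   # empty set matches any remote port
    app: Optional[str] = None        # application rules are keyed by program
    high_priority: bool = False      # the 'High priority' option on a global rule

    def rank(self) -> int:
        if self.tier == "global" and self.high_priority:
            return TIER_RANK["global-high"]
        return TIER_RANK[self.tier]

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.direction is None or self.direction == pkt["direction"])
                and (not self.ports or pkt["port"] in self.ports)
                and (self.app is None or self.app == pkt["app"]))

def evaluate(rules: list, pkt: dict, default: str = "block") -> tuple:
    """Return (action, rule name) for the first match in priority order."""
    # sorted() is stable, so the on-screen order survives inside each tier.
    for rule in sorted(rules, key=Rule.rank):
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default policy"

def sample_rules(rpc_block_high_priority: bool) -> list:
    """Constructed rule set: two article defaults plus a hypothetical app rule."""
    return [
        Rule("Block RPC Call (TCP)", "block", "global", proto="tcp",
             ports=frozenset({135}), high_priority=rpc_block_high_priority),
        Rule("Allow outgoing TCP", "allow", "global", proto="tcp", direction="out"),
        # Hypothetical application rule trusting everything legacy_app.exe does.
        Rule("legacy_app.exe any TCP", "allow", "application", proto="tcp",
             app="legacy_app.exe"),
    ]

# Constructed packet: the trusted program opening outgoing TCP to the RPC port mapper.
RPC_PKT = {"proto": "tcp", "direction": "out", "port": 135, "app": "legacy_app.exe"}
```

With the RPC block left as an ordinary global rule the application rule wins and the connection is allowed; only marking it 'High priority' (or narrowing the application rule to the ports it needs) makes the block effective.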
Other Sophos Client Firewall pages
Further knowledgebase articles describe the security implications of changing other options:
If you need more information or guidance, then please contact technical support.
- Article ID: 14198
- Created: 16 Dec 2005
- Last updated: 17 Oct 2008