Sophos Client Firewall: security implications of the configuration settings
Security implications of using the Sophos Client Firewall.
This article is designed for use with the following information:
- Sophos Client Firewall administrator roll-out guidelines
- Sophos Client Firewall default configuration
- Sophos Client Firewall documentation.
Sophos Client Firewall and servers
The Sophos Client Firewall is designed for workstation use, and can only be used on Windows 2000 Professional and Windows XP workstations. It cannot be used on Windows 2000 Server or Windows Server 2003.
If you are using a workstation as a server, e.g. if you are running EM Library on a Windows XP workstation, you should not install the Sophos Client Firewall. You should use a hardware firewall (e.g. a router) with that computer.
Changing the settings on the Sophos Client Firewall
You can change the settings on the Sophos Client Firewall via the Firewall Policy editor in Enterprise Console, or in the Sophos Client Firewall Configuration Editor on the local computer.
The default settings on the Sophos Client Firewall are designed with optimum security in mind. Do not change them if you are unaware of the implications of doing so. If the settings have been substantially changed by accident, or by malicious software, change them back to the default.
Editing your settings is a balance between usability and security.
- On small and unspecialized networks, you should usually only need to access the General, Applications, Checksums and Log tabbed pages in the Sophos Client Firewall configuration editor.
- More advanced facilities are available via the ICMP, LAN, Processes, and Global Rules tabbed pages in the Sophos Client Firewall configuration editor.
If you have a number of computers with a particular need to run an out-of-date version of a program (e.g. Internet Explorer), consider creating a group for those computers, and formulating a firewall policy especially for that group. See the Sophos Client Firewall administrator roll-out guidelines for more information.
Make backup copies of your configuration policies. If the policies on one computer become corrupt, they can be restored from the console. If you need to restore the policies for the whole of your network, use the backed up configuration file. See 'Importing and exporting existing configurations' in the Sophos Client Firewall help file.
The tabbed pages are (in order):
General tabbed page
Working mode
Interactive
When first setting up the Sophos Client Firewall on a sample or standalone computer, it is easiest to use interactive mode to establish policies for your commonly used applications and processes. You can then refine your policies in non-interactive mode.
In general, once all approved applications have been allowed access through the firewall, computers should be set to non-interactive mode, as this allows more control.
Non-interactive
Use non-interactive mode to fine-tune your firewall policy, and as the normal operating mode once all approved applications have been allowed access through the firewall.
Selecting 'Display an alert in the management console...' permits you to see if the firewall settings on your workstations have been changed either by the user, or by malware. In most circumstances, this option should remain selected.
Blocking
The available options are:
- Block processes if memory is modified by another application
  This option can prevent threats from injecting code into, or otherwise tampering with, running processes and so infecting your computer. This option should usually remain selected.
- Drop packets sent to blocked ports
  With this option the firewall silently discards packets sent to blocked ports instead of replying with a reset or 'port unreachable'. An outsider scanning your computer therefore cannot tell whether a port, or even the computer itself, exists, which makes reconnaissance slower and less informative and so helps defend against attack. This option should usually remain selected.
- Use checksums to authenticate applications
  This option helps the firewall to distinguish legitimate applications from malicious programs with the same name. This option should usually remain selected.
Reporting
The available options are:
- Report new and modified applications to the management console
  This option lets the administrator see, in Enterprise Console, any changes to which programs are allowed through the firewall on workstations, including a program whose checksum has changed. This option should usually remain selected.
- Report errors to the management console
  This option enables the administrator to view firewall error messages from workstations via Enterprise Console. This option should usually remain selected.
- Hide the notification area icon
  This option suppresses the display of the notification area icon (the brick wall icon) on the user's computer. It is there for the convenience of the network administrator, and has no security implications.
Restoring the defaults
If the settings have been changed by accident or malicious software, and you have no backup, change them back to the default.
This can be done in one of two ways:
- restore your defaults manually with reference to the default settings knowledgebase article
- click 'Default' in the General tab.
Note: Clicking 'Default' will remove all information on your trusted applications, as well as any other customizations you may have made.
To back up your existing configuration, click 'Export'. To import a backed-up configuration, click 'Import' and browse to the saved file.
LAN tabbed page
The Sophos Client Firewall LAN option should only be used for the local area network (LAN) and trusted subnets.
- The 'Detect' button enables you to detect your LAN.
- The 'Add' button enables you to enter your IP address or domain details manually.
No changes are made to your configuration until you select 'NetBIOS' or 'Trusted'.
NetBIOS
NetBIOS allows file and printer sharing with other computers on the LAN or trusted subnet. This option should be sufficient for most normal office work.
Trusted
Trusted allows all traffic between computers on the LAN or trusted subnet, not just file and printer sharing. Only use this option where it is strictly necessary, and keep the trusted range as narrow as possible.
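The following is an added example, not code from Sophos or from this article, that models the difference between the 'NetBIOS' and 'Trusted' LAN modes as a small packet-decision function. It assumes that the NetBIOS option permits the Windows file and printer sharing ports (UDP 137 and 138, TCP 139 and 445); the article does not list them, so that port set, the sample addresses and the sample packets are all constructed for illustration. The Detect button is modelled as deriving the subnet from the adapter's address and mask.

```python
import ipaddress
from dataclasses import dataclass

# Ports used by Windows file and printer sharing: NetBIOS name service
# (UDP 137), datagram service (UDP 138), session service (TCP 139) and SMB
# directly over TCP (445). Assumption of this example: the article does not
# say exactly which ports the 'NetBIOS' option opens.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class LanEntry:
    """One row on the LAN tab: a network plus its mode ('netbios' or 'trusted')."""
    network: ipaddress.IPv4Network
    mode: str

    def __post_init__(self):
        if self.mode not in ("netbios", "trusted"):
            raise ValueError(f"unknown LAN mode: {self.mode!r}")


def detect_lan(local_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Model of the 'Detect' button: derive the local subnet from the
    adapter's address and mask (the host bits are discarded)."""
    return ipaddress.ip_interface(f"{local_ip}/{netmask}").network


def decide(entries, src_ip: str, proto: str, dst_port: int) -> str:
    """Decide an inbound packet against the LAN entries.

    'trusted' passes everything from that network; 'netbios' passes only the
    file-and-printer-sharing ports; anything else, including traffic from an
    address that matches no entry, falls through to 'block'."""
    addr = ipaddress.ip_address(src_ip)
    for entry in entries:
        if addr not in entry.network:
            continue
        if entry.mode == "trusted":
            return "allow"
        if (proto.lower(), dst_port) in NETBIOS_PORTS:
            return "allow"
    return "block"


def audit(entries, packets):
    """Evaluate a list of (src_ip, proto, dst_port) tuples and return the decisions."""
    return [decide(entries, *packet) for packet in packets]


# Constructed sample: the office LAN as 'Detect' would find it, and an
# over-broad 'trusted' entry of the kind the article warns against.
OFFICE_LAN = detect_lan("10.1.2.37", "255.255.255.0")            # 10.1.2.0/24
NETBIOS_ONLY = [LanEntry(OFFICE_LAN, "netbios")]
OVERLY_TRUSTED = [LanEntry(ipaddress.ip_network("10.0.0.0/8"), "trusted")]

SAMPLE_PACKETS = [
    ("10.1.2.50", "tcp", 445),      # colleague opening a file share
    ("10.1.2.50", "tcp", 3389),     # colleague trying Remote Desktop
    ("198.51.100.9", "tcp", 445),   # host outside the LAN probing SMB
    ("10.9.9.4", "tcp", 3389),      # other site inside the /8 trying Remote Desktop
]

if __name__ == "__main__":
    for label, entries in (("NetBIOS only", NETBIOS_ONLY), ("Trusted /8", OVERLY_TRUSTED)):
        print(label, audit(entries, SAMPLE_PACKETS))
```

With the NetBIOS entry only the file share request from the local subnet is allowed; with the wide trusted entry the Remote Desktop attempts from both the local subnet and another site inside 10.0.0.0/8 get through as well, which is the exposure the Trusted option creates.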
Checksums tabbed page
The firewall can use checksums to recognize applications. It can block applications if their checksum changes (provided this option is enabled in the General tabbed page). The use of this option is strongly recommended.
The use of a checksum enables the firewall to distinguish between two programs with the same name, so a malicious program cannot masquerade as a legitimate program. If you use more than one version of a program, you can checksum those versions individually. Keep this option enabled in normal use.
The only circumstances in which you might need to disable this option would be if you were using an executable whose contents (and therefore whose checksum) change constantly, e.g. a self-modifying script. Such a program would be blocked on every run after the first.
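The following is an added example, not Sophos code, showing how checksum-based authentication tells apart two files that share a name, why several versions of one program can be approved separately, and what happens to a self-modifying executable. It assumes SHA-256 as the checksum (the article does not say which algorithm the product uses) and uses constructed byte strings in place of real executables; the file name iexplore.exe is illustrative only.

```python
import hashlib


def checksum(data: bytes) -> str:
    """Checksum of an executable's contents. SHA-256 is this example's choice;
    the article does not say which algorithm Sophos Client Firewall uses."""
    return hashlib.sha256(data).hexdigest()


class ApplicationAllowList:
    """Allow-list keyed by executable name, holding the set of checksums that
    have been approved under that name. Several checksums per name let more
    than one version of a program be trusted at the same time."""

    def __init__(self, use_checksums: bool = True):
        self.use_checksums = use_checksums   # the General tab option
        self._approved = {}                  # name -> set of checksums

    def approve(self, name: str, data: bytes) -> None:
        """Approving an application, as when it is allowed in interactive mode."""
        self._approved.setdefault(name.lower(), set()).add(checksum(data))

    def authenticate(self, name: str, data: bytes) -> str:
        """Return 'allowed', 'blocked-unknown' or 'blocked-modified'."""
        approved = self._approved.get(name.lower())
        if approved is None:
            return "blocked-unknown"          # never approved under this name
        if not self.use_checksums:
            return "allowed"                  # a name match alone is enough
        if checksum(data) in approved:
            return "allowed"
        return "blocked-modified"             # same name, different contents


# Constructed sample binaries (not real executables): two approved versions of
# a browser, and a piece of malware that has taken the browser's file name.
BROWSER_V6 = b"MZ\x90\x00browser-build-6.0-constructed"
BROWSER_V7 = b"MZ\x90\x00browser-build-7.0-constructed"
IMPOSTOR = b"MZ\x90\x00drops-a-shell-and-phones-home-constructed"


def scenario(use_checksums: bool) -> dict:
    """Approve both browser versions, then see which files get through."""
    fw = ApplicationAllowList(use_checksums=use_checksums)
    fw.approve("iexplore.exe", BROWSER_V6)
    fw.approve("iexplore.exe", BROWSER_V7)
    return {
        "v6": fw.authenticate("iexplore.exe", BROWSER_V6),
        "v7": fw.authenticate("IEXPLORE.EXE", BROWSER_V7),   # name match is case-insensitive
        "impostor": fw.authenticate("iexplore.exe", IMPOSTOR),
        "stranger": fw.authenticate("unknown.exe", BROWSER_V6),
    }


def self_modifying_runs(fw: ApplicationAllowList, name: str, data: bytes, runs: int):
    """Simulate a program that rewrites its own file on every run. With
    checksums on, only the first run (the approved contents) is allowed."""
    results = []
    for _ in range(runs):
        results.append(fw.authenticate(name, data))
        data = data + b"\x00"     # contents change, so the checksum changes
    return results


if __name__ == "__main__":
    print("checksums on: ", scenario(True))
    print("checksums off:", scenario(False))
    fw = ApplicationAllowList()
    fw.approve("script.exe", b"constructed self-modifying script")
    print("self-modifying:", self_modifying_runs(fw, "script.exe", b"constructed self-modifying script", 3))
```

With checksums on, the impostor is reported as a modified application and blocked even though its name matches; with checksums off it is allowed, which is the masquerade the option exists to prevent. The self-modifying case shows the one situation the article describes where the option gets in the way.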
Log tabbed page
This page enables you to set the size of your log file, and delete old records. The log file settings do not affect the protection the firewall provides, but they do determine how much history is available when you need to investigate an incident.
- If a Trojan has been found on and removed from a computer, check that the log retained enough records to show what the Trojan did while it was present.
- If you keep all records, you may eventually find that the size of the file slows your system.
Other Sophos Client Firewall pages
Further knowledgebase articles describe the security implications of changing other options:
If you need more information or guidance, then please contact technical support.
- Article ID: 14201
- Created: 16 Dec 2005
- Last updated: 6 Oct 2008
