The Sophos firewall enables only named applications, or classes of applications, to access the company network or internet. It is available as part of Sophos Endpoint Security and Control.
These guidelines cover the phased deployment of Sophos Client Firewall across your network. This will avoid flooding your network with traffic in the initial stages. You are strongly encouraged to follow these guidelines.
These guidelines complement the user documentation, which can be downloaded from the Sophos website. They are not a replacement for it.
Note: Sophos firewall is not supported on server operating systems.
The default Sophos Client Firewall policy
You must tailor a Sophos Client Firewall policy for your network before deployment.
- The default firewall settings permit only basic network communications and are not adequate for normal use.
- Anything more than basic networking, e.g. your email software, web browser and any network database access, will probably not function correctly with the default policy, because it blocks all non-essential connections.
- Deploying an unmodified default policy to a group via Enterprise Console will cause problems with network communications.
The purpose of this article is to help you plan and roll out the Sophos firewall, version 2, across your network in the most effective and economical way.
Two roll-out scenarios are described below; they are designed to help you assess, with minimal disruption, which traffic you should allow and which you should block on your network. Read through both scenarios and decide which best suits your organisation.
Summary of roll-out methods
Method 1: you work on a single client computer, where you run as many different kinds of software as you can that are likely to be used on your network. This allows you to create a basic set of rules covering the main software used on your network, from which you can build a fairly robust policy.
When you roll this policy out, either to a test group or across the whole network, it will already cover the bulk of the network traffic. The amount of traffic falling outside these rules should therefore be small, and you can refine the policy as you go along.
Method 2: you roll out a policy that lets you monitor all traffic passing through your network, with every item reported in the event viewer. Because you have not yet created rules for frequently occurring events, you will receive a very large volume of reports, much of it relating to the same type of traffic. For this reason, Method 1 is preferred in most cases, because it produces far less traffic.
Roll-out method 1
This is the preferred method, as it produces the lowest volume of alerts and traffic during the roll-out. You set up a basic policy, let the system run, and identify the main applications used on your network. From this you create a 'foundation policy'; you then add rules to build on that foundation and refine it as necessary into the policies that best serve your organization. Of the scenarios described, this one produces the least traffic, and for many organizations it will be the preferred method.
- Configuring the firewall
- Install the Sophos firewall onto a client computer, either by deploying it to that computer from Enterprise Console or by performing a standalone installation of the firewall on that computer.
- Log on to the computer as an administrator.
- Double-click the blue Sophos shield to open the 'Sophos Endpoint Security and Control' window, and select 'Configure firewall'.
- On the General tab, opposite 'Primary location', click 'Configure...'.
- In the Primary location dialog box, in the Working mode panel, select 'Allow by default'. Click OK.
- Creating rules
- Run as many applications as possible that you know are used on computers on your network, including web browsers. Details of these applications are recorded in the firewall logs.
- Create a set of rules to allow these applications and then create a policy based on these rules.
- Export this policy to Enterprise Console. This will provide the foundation upon which you can build other policies.
- Rolling out the policy
- Set the policy to 'Monitor mode' and roll it out to one or more groups on the network. This will now send reports back to the firewall log. Based on what is reported in the firewall logs, you can then update your policy to block or allow specified traffic.
- Once you have run this for a while and are satisfied that you have designed policies to suit your network, reset the firewall to Block by default. Once you have done this it will block all traffic that is not specified in your policies.
Roll-out method 2
Note that this method will produce a very high volume of traffic reports, which will be listed in the 'Firewall event viewer'. Use the information gained to set up a basic policy.
- On the Enterprise Console, in the Policies panel on the left hand side, right-click 'Firewall' and select 'Create Policy'.
- Give this new policy a name, then double-click it.
- The Firewall policy wizard opens. From here, choose either to use the wizard by clicking 'Next', or to configure the policy manually by clicking the 'Advanced firewall policy...' button.
- Using the Wizard:
- Click 'Next'.
- Select Single location and click 'Next'.
- Select 'Monitor', click 'Next'|'Next'|'Finish'.
- Using the 'Advanced firewall policy...' button:
- Opposite 'Primary location', click 'Configure...'.
- On the General tab, set 'Working Mode' to 'Allow by default'. Click 'OK'|'OK'.
- From Enterprise Console, roll out this new policy to everyone.
- Reports on traffic will be sent to 'Firewall - Event viewer'. To view this, in Enterprise Console, click 'View'|'Firewall Events'.
- From here, you can right-click on an event and create a rule for it.
- Once you are satisfied that you have covered everything, create policies from your rules and assign them as required.
- Reset the firewall to 'Block by default'. It will then block all traffic that is not specified in your policies.
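The following Python model is an added illustration, not Sophos code, of the two ideas both roll-out methods rely on: how 'Allow by default' (with reporting) and 'Block by default' treat traffic that matches no rule, and how the repetitive monitor-mode reports collapse into a short list of candidate rules for the foundation policy. The event records and the `Rule` fields (application, protocol, remote port) are constructed for this example and are not the Sophos Client Firewall log format or rule schema.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: application name, protocol and remote port.
    Constructed for this example; not the Sophos rule schema."""
    app: str     # e.g. "outlook.exe"
    proto: str   # "tcp" or "udp"
    port: int    # remote port


def decide(mode, rules, app, proto, port):
    """Return (verdict, reported) for one connection attempt.

    Traffic matching a rule is always allowed and not reported.
    Unmatched traffic depends on the working mode:
      'allow-by-default' (roll-out phase): allowed, but reported so a
          rule can be written for it;
      'block-by-default' (final phase):    blocked and reported.
    """
    if Rule(app, proto, port) in rules:
        return "allow", False
    if mode == "allow-by-default":
        return "allow", True
    return "block", True


# Constructed monitor-mode reports: the same few flows repeat many times,
# which is exactly why the raw event volume is much larger than the
# number of rules actually needed.
EVENTS = (
    [("outlook.exe", "tcp", 443)] * 40
    + [("firefox.exe", "tcp", 443)] * 30
    + [("firefox.exe", "tcp", 80)] * 25
    + [("sqlclient.exe", "tcp", 1433)] * 12
    + [("unknown.exe", "udp", 6881)] * 2
)


def candidate_rules(events, min_count=5):
    """Collapse repeated reports into (Rule, count), most frequent first.

    Flows seen fewer than min_count times are left out so that rare or
    unexpected traffic is reviewed by hand rather than allowed by volume.
    """
    counts = Counter(events)
    return [(Rule(*flow), n) for flow, n in counts.most_common() if n >= min_count]
```

Running `candidate_rules(EVENTS)` on the constructed data yields four candidate rules and leaves the two-off `unknown.exe` flow for manual review; switching `decide` from `allow-by-default` to `block-by-default` with those rules in place is the model of the final step above.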