Sophos Firewall
SF2505: Getting Started with Intrusion Prevention on Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION
10 minutes
In this chapter you will learn how to enable and configure basic intrusion prevention settings on
Sophos Firewall.
[Slide graphic, labelled "Spoof protection": an attacker and a compromised computer on the network sending traffic towards servers. Caption: Detect and block malicious and malformed traffic coming from computers on the network.]
IPS policies are a collection of rules to detect malicious and malformed data that can exploit
computers and servers. IPS policies are selected in firewall rules, so they can be used to protect
against attacks on traffic coming into the network, and traffic coming from compromised
computers on the network.
Before you can configure and use intrusion prevention you need to enable IPS protection. This will
download the IPS signatures to the Sophos Firewall. Once the signatures have been downloaded,
they will be kept up-to-date.
If IPS is disabled using the switch, the IPS signatures are removed after 30 days unless it is enabled
again.
Sophos Firewall comes with several predefined IPS policies, which can be found in PROTECT >
Intrusion prevention > IPS policies.
These policies cover most of the everyday scenarios that you would encounter on an average
network. You can edit the included policies or create new ones to meet your security needs.
When you create a new IPS policy you give it a name, limited to fifteen characters, and a
description. You can then optionally select to clone the rules from an existing policy. This can save
a lot of time when building new policies. You have to save the policy at this point so that if you
have selected to clone rules they can be added. You can then edit the policy.
The policy is made up of an ordered list of rules. Each rule contains one or more signatures and has
an action. You can change the order of the rules within the policy by dragging and dropping them.
[Screenshot callout: Free-text filter]
When you add or edit a rule you can quickly and easily select the desired IPS patterns by category,
severity, platform, and target type, with support for persistent smart filter lists that will
automatically update as new patterns are added that match the selected criteria.
For example, you can use the smart filter to select all signatures that relate to a specific
application.
You can choose to include all the signatures returned by the filters or only selected signatures.
Please note that if you choose only selected signatures the rule cannot update the included
signatures automatically.
Sophos Firewall includes the Talos commercial IPS signature library from Cisco. We augment the
Talos library with additional signatures as required to ensure optimal intrusion protection.
Talos is a highly respected network security analysis group working around the clock to respond to
the latest trends in hacking, intrusions, and malware… just like our own SophosLabs. So, this is a
great partnership that bolsters our IPS protection and provides more granular IPS policy controls.
At the bottom of the rule, you can select the action you want to take. One of these actions is
‘Recommended’. You will notice that each signature has a recommended action associated with it
that can be used, or you can override this with the action applied to the rule.
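The following is an added illustrative model of the policy behaviour described above, not Sophos code or the firewall's implementation: rules are evaluated in order, the "Recommended" action defers to each signature's own recommended action, and a smart filter keeps picking up newly added signatures while a fixed selection of signatures does not. The signature fields, severity scale, IDs and the "not in any rule means allow" default are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Illustrative model of an IPS policy, not Sophos code. Signature fields follow
# the filter criteria the page names (category, severity, platform, target)
# plus the per-signature recommended action. The severity scale is assumed.
@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str
    severity: int        # assumed scale: 1 (low) to 5 (critical)
    platform: str
    target: str          # "server" or "client"
    recommended: str     # the signature's own recommended action: "allow" or "drop"


@dataclass
class Rule:
    """A rule is a signature selection plus an action.

    Use either smart_filter (criteria re-applied against the current library on
    every evaluation, so newly added matching signatures are picked up) or
    selected (a fixed set of signature IDs that never changes by itself)."""
    action: str                                   # "allow", "drop" or "recommended"
    smart_filter: Optional[Callable[[Signature], bool]] = None
    selected: frozenset = field(default_factory=frozenset)

    def signatures(self, library: List[Signature]) -> Set[Signature]:
        if self.smart_filter is not None:
            return {s for s in library if self.smart_filter(s)}
        return {s for s in library if s.sid in self.selected}


@dataclass
class IpsPolicy:
    name: str
    rules: List[Rule]                             # ordered: the first matching rule wins

    def __post_init__(self) -> None:
        if len(self.name) > 15:
            raise ValueError("IPS policy name is limited to 15 characters")

    def decide(self, library: List[Signature], sig: Signature) -> str:
        for rule in self.rules:
            if sig in rule.signatures(library):
                # "Recommended" defers to the signature; any other action overrides it
                return sig.recommended if rule.action == "recommended" else rule.action
        return "allow"  # assumption: a signature in no rule is not enforced by this policy


def demo() -> dict:
    # Constructed signature library; IDs and names are made up for the example.
    library = [
        Signature(1, "web-app sqli", "web-app", 4, "linux", "server", "drop"),
        Signature(2, "browser heap", "browser", 3, "windows", "client", "drop"),
        Signature(3, "noisy scan", "scan", 1, "any", "server", "allow"),
    ]

    def is_web_app(s: Signature) -> bool:
        return s.category == "web-app"

    # Same criteria, two ways of selecting: a persistent smart filter versus a
    # one-off snapshot of the signatures that matched when the rule was built.
    smart = IpsPolicy("SmartWebApp", [Rule("recommended", smart_filter=is_web_app)])
    fixed = IpsPolicy("FixedWebApp", [Rule("recommended",
                      selected=frozenset(s.sid for s in library if is_web_app(s)))])

    # "Recommended" lets each signature decide: sid 1 drops, sid 3 allows.
    servers = IpsPolicy("ServerRecomm",
                        [Rule("recommended", smart_filter=lambda s: s.target == "server")])

    # Rule order matters: an explicit allow placed first shadows a later drop.
    ordered = IpsPolicy("OrderDemo", [Rule("allow", selected=frozenset({1})),
                                      Rule("drop", smart_filter=is_web_app)])
    reordered = IpsPolicy("OrderDemo", list(reversed(ordered.rules)))

    # A new web-app signature is published after the policies were created.
    new_sig = Signature(4, "web-app rce", "web-app", 5, "linux", "server", "drop")
    library.append(new_sig)

    return {
        "smart_new": smart.decide(library, new_sig),              # drop: filter picked it up
        "fixed_new": fixed.decide(library, new_sig),              # allow: snapshot missed it
        "recommended_sid1": servers.decide(library, library[0]),  # drop
        "recommended_sid3": servers.decide(library, library[2]),  # allow
        "ordered_sid1": ordered.decide(library, library[0]),      # allow (first rule wins)
        "reordered_sid1": reordered.decide(library, library[0]),  # drop
    }
```

The practical caveat this makes visible is the one in the text: a rule built from "only selected signatures" is a snapshot, so coverage for signatures published later depends on someone revisiting the rule, whereas a smart filter tracks the library on its own.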
Once you have created an IPS policy it needs to be selected in a firewall rule to be active. The
firewall rule you select will determine what traffic is checked, and the IPS policy will determine the
checks that are carried out.
https://training.sophos.com/fw/simulation/IpsPolicy/1/start.html
In this simulation you will create an IPS policy and apply it to a firewall rule.
In addition to the protection that can be configured in IPS policies, there are denial of service (DoS)
and spoof protection services that can be enabled.
We will start with the spoof protection, which has three modes of protection that can be enabled
per-zone.
• IP spoofing – packets are dropped if the source IP address does not match an entry in the
firewall's routing table
• MAC filter – packets are dropped if the source MAC address is not configured as a trusted
MAC
• IP-MAC pair filter – packets are dropped if the IP and MAC pair does not match any entry in
the IP-MAC trusted list
The MAC filter cannot be enabled until at least one entry is added to the trusted MAC list.
In addition to these three modes, there is the option to restrict unknown IP on Trusted MAC. With
this option enabled, any traffic from an unknown IP address on a trusted MAC address is dropped.
Please note, if spoof protection is misconfigured you can lock yourself out of the Sophos Firewall!
In the spoof protection trusted MAC section, you can add MAC addresses that can be used with
the MAC filter. MAC addresses can be associated to IP addresses; this can either be set to none,
DHCP, or static. For static IP addresses you can enter multiple values.
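As an added example (not Sophos code), the model below applies the three per-zone spoof protection modes, the restrict-unknown-IP-on-trusted-MAC option and the trusted MAC bindings (none, DHCP or static with several addresses) to a handful of constructed packets. Two points are assumptions rather than page facts and are marked as such in the code: "matches an entry on the routing table" is modelled as a reverse-path check against the arrival interface, and "unknown IP" is taken to mean any address not bound to that trusted MAC. Interface names, addresses and MACs are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Illustrative model of the spoof protection checks, not Sophos code.

@dataclass
class TrustedMac:
    mac: str
    binding: str = "none"                                 # "none", "dhcp" or "static"
    static_ips: Set[str] = field(default_factory=set)     # several values allowed for static
    dhcp_lease: Optional[str] = None                      # assumption: address the DHCP server leased

    def bound_ips(self) -> Set[str]:
        if self.binding == "static":
            return set(self.static_ips)
        if self.binding == "dhcp" and self.dhcp_lease:
            return {self.dhcp_lease}
        return set()


@dataclass
class ZoneSettings:
    ip_spoofing: bool = False
    mac_filter: bool = False
    ip_mac_pair: bool = False
    restrict_unknown_ip_on_trusted_mac: bool = False


class SpoofProtection:
    def __init__(self, routes: Dict[str, List[str]], trusted: List[TrustedMac],
                 zones: Dict[str, ZoneSettings]) -> None:
        # routes: interface -> networks the routing table reaches via that interface
        self.routes = {ifc: [ipaddress.ip_network(n) for n in nets] for ifc, nets in routes.items()}
        self.trusted = {t.mac.lower(): t for t in trusted}
        self.zones = zones
        # The MAC filter cannot be enabled until the trusted MAC list has an entry.
        if not self.trusted and any(z.mac_filter for z in zones.values()):
            raise ValueError("MAC filter needs at least one trusted MAC entry")

    def check(self, zone: str, iface: str, src_ip: str, src_mac: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a packet arriving on iface in zone."""
        cfg = self.zones.get(zone, ZoneSettings())
        ip = ipaddress.ip_address(src_ip)
        if cfg.ip_spoofing:
            # Assumption: "matches an entry on the routing table" is modelled as a
            # reverse-path check: the source must be routed via the arrival interface.
            if not any(ip in net for net in self.routes.get(iface, [])):
                return False, "ip-spoofing"
        entry = self.trusted.get(src_mac.lower())
        if cfg.mac_filter and entry is None:
            return False, "mac-filter"
        if cfg.ip_mac_pair and (entry is None or src_ip not in entry.bound_ips()):
            return False, "ip-mac-pair"
        if cfg.restrict_unknown_ip_on_trusted_mac and entry is not None:
            # Assumption: "unknown IP" means any address not bound to that trusted MAC.
            if entry.bound_ips() and src_ip not in entry.bound_ips():
                return False, "unknown-ip-on-trusted-mac"
        return True, "ok"


def demo() -> Dict[str, str]:
    sp = SpoofProtection(
        routes={"Port2": ["10.0.1.0/24"], "Port3": ["172.16.0.0/24"]},
        trusted=[
            TrustedMac("AA:BB:CC:DD:EE:01", "static", {"10.0.1.10", "10.0.1.11"}),
            TrustedMac("AA:BB:CC:DD:EE:02", "dhcp", dhcp_lease="10.0.1.50"),
            TrustedMac("AA:BB:CC:DD:EE:03", "static", {"172.16.0.5"}),
        ],
        zones={
            "LAN": ZoneSettings(True, True, True, False),   # all three modes enabled
            "DMZ": ZoneSettings(ip_spoofing=True, restrict_unknown_ip_on_trusted_mac=True),
        },
    )
    # Constructed packets: (zone, arrival interface, source IP, source MAC)
    packets = {
        "lan_static_ok":      ("LAN", "Port2", "10.0.1.10",   "aa:bb:cc:dd:ee:01"),
        "lan_foreign_source": ("LAN", "Port2", "192.168.5.5", "aa:bb:cc:dd:ee:01"),
        "lan_unknown_mac":    ("LAN", "Port2", "10.0.1.20",   "aa:bb:cc:dd:ee:ff"),
        "lan_wrong_pair":     ("LAN", "Port2", "10.0.1.20",   "aa:bb:cc:dd:ee:01"),
        "lan_dhcp_ok":        ("LAN", "Port2", "10.0.1.50",   "aa:bb:cc:dd:ee:02"),
        "dmz_unknown_mac_ok": ("DMZ", "Port3", "172.16.0.9",  "aa:bb:cc:dd:ee:ff"),
        "dmz_unknown_ip":     ("DMZ", "Port3", "172.16.0.9",  "aa:bb:cc:dd:ee:03"),
    }
    return {name: sp.check(*pkt)[1] for name, pkt in packets.items()}
```

Running through the LAN cases in this order (routing check, MAC, IP-MAC pair) shows why a misconfiguration locks you out: an administrator's own workstation fails the MAC filter the moment its MAC is missing from the trusted list, and fails the pair filter if its address changes.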
A denial of service (DoS) attack is a method attackers use to prevent or deny legitimate users'
access to a service. DoS attacks are typically carried out by sending a large number of request
packets to a targeted server, flooding the server's resources and making the system unusable. The
goal is not to steal information, but to disable or deprive a device or network so that users no
longer have access to network services and resources.
Every server can handle traffic only up to a maximum volume, beyond which it stops serving requests.
Attackers send a very high volume of redundant traffic to a system so that it cannot keep up with the
bad traffic while still serving permitted network traffic. The best way to protect against a DoS
attack is to identify and block such redundant traffic.
Here we can see the configuration for a SYN flood attack. You can set the allowed packet rate per
minute for each source and destination, as well as a burst rate for each source and destination in
packets per second.
When the burst rate is crossed, Sophos Firewall treats it as an attack and provides DoS attack
protection by dropping all the excess packets from that source or to that destination. The firewall
continues to drop the packets until the attack subsides. Because the device applies the threshold
values per IP address, only traffic from the offending source or to the offending destination is
dropped. The rest of the network traffic continues to be processed as normal.
You can view the counters for dropped packets on the DoS attacks tab.
Please note that DoS protection is applied globally to all traffic passing through the Sophos
Firewall.
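To make the two SYN flood thresholds concrete, here is an added per-IP model (not Sophos's implementation) with a packets-per-minute rate and a packets-per-second burst kept separately for sources and destinations. It shows both ways a host trips the protection, that only the offending address is affected, and a dropped-packet counter of the kind the DoS attacks tab reports. The threshold values, addresses and timings are constructed for the example; how the firewall actually windows and counts packets is not described on the page.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class SynFloodGuard:
    """Per-IP SYN flood thresholds modelled on the two settings the page
    describes: an allowed packet rate (packets per minute) and a burst rate
    (packets per second), kept separately for sources and destinations.
    Illustrative model, not Sophos's implementation."""

    def __init__(self, src_rate_per_min: int, src_burst_per_sec: int,
                 dst_rate_per_min: int, dst_burst_per_sec: int) -> None:
        self.limits = {"src": (src_rate_per_min, src_burst_per_sec),
                       "dst": (dst_rate_per_min, dst_burst_per_sec)}
        # (direction, ip) -> timestamps of SYNs accepted within the last minute
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        # ip -> dropped-packet counter, the figure a DoS attacks tab would show
        self.dropped: Dict[str, int] = defaultdict(int)

    def _over_limit(self, key: Tuple[str, str], now: float) -> bool:
        rate_per_min, burst_per_sec = self.limits[key[0]]
        window = self.windows[key]
        while window and now - window[0] >= 60.0:     # forget SYNs older than a minute
            window.popleft()
        last_second = sum(1 for t in window if now - t < 1.0)
        return last_second >= burst_per_sec or len(window) >= rate_per_min

    def allow(self, src: str, dst: str, now: float) -> bool:
        """Accept or drop one SYN seen at time `now` (seconds). Only the
        offending address's traffic is dropped; other hosts are unaffected."""
        keys = (("src", src), ("dst", dst))
        for key in keys:
            if self._over_limit(key, now):
                self.dropped[key[1]] += 1
                return False
        for key in keys:
            self.windows[key].append(now)
        return True


def burst_demo() -> Dict[str, int]:
    """50 SYNs from one host inside 50 ms while a second host sends 5."""
    guard = SynFloodGuard(300, 10, 3000, 100)
    server, flooder, client = "10.0.0.80", "203.0.113.7", "198.51.100.5"   # constructed
    accepted: Dict[str, int] = defaultdict(int)
    for i in range(50):
        accepted[flooder] += guard.allow(flooder, server, now=i * 0.001)
    for i in range(5):
        accepted[client] += guard.allow(client, server, now=i * 0.001)
    return {"flooder_accepted": accepted[flooder], "flooder_dropped": guard.dropped[flooder],
            "client_accepted": accepted[client], "client_dropped": guard.dropped[client]}


def sustained_demo() -> Tuple[int, int]:
    """A slower flood that stays under the burst rate but exceeds the per-minute rate:
    400 SYNs at 150 ms intervals, so roughly 6.7 per second against a 300/minute limit."""
    guard = SynFloodGuard(300, 10, 3000, 100)
    accepted = sum(guard.allow("203.0.113.7", "10.0.0.80", now=i * 0.15) for i in range(400))
    return accepted, guard.dropped["203.0.113.7"]
```

The destination thresholds are deliberately set higher than the source thresholds in the demo: because the per-destination counter aggregates every client of the server, a tight destination limit is what would make a flood take legitimate clients down with it, which is the trade-off to keep in mind when tuning the global settings.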
Here are the three main things you learned in this chapter.
• Intrusion prevention on Sophos Firewall comprises IPS policies, spoof protection, and denial-of-service protection.
• IPS policies are an ordered list of rules. Each rule contains one or more signatures, and signatures can be automatically selected for the rule using filters. Each rule also has an action.
• To use IPS policies, IPS must be enabled using the switch, and a policy must be applied to a firewall rule.