At Sophos, your security is our top priority. We have invested in making Sophos Firewall the most secure firewall on the market – and we continuously work to make it the most difficult target for hackers.
To enhance your security posture, we strongly encourage you to regularly review and implement these best practices across all your network infrastructure, whether from Sophos or any other vendor.
Read on for full instructions or download the Sophos Firewall hardening best practices.
Keep firmware up to date
Every Sophos Firewall OS update includes important security enhancements – including our latest release, Sophos Firewall v21.
Ensure you keep your firmware up to date under Backup & Firmware > Firmware. Check at least once a month for firmware updates in Sophos Central or the on-box console. You can easily schedule updates in Sophos Central to be applied during a period of minimal disruption.
Online guides:
Limit device service access
It’s critically important that you disable non-essential services on the WAN interface. In particular, HTTPS and SSH admin services.
To manage your firewall remotely, Sophos Central offers a much more secure solution than enabling WAN admin access. Alternatively, use ZTNA for remote management of your network devices.
Check your local services access control under Administration > Device Access and ensure no items are checked for the WAN Zone unless absolutely necessary:
Online guides:
Use strong passwords, multi-factor authentication, and role-based access
Enable multi-factor authentication or one-time password (OTP) and enforce strong passwords, which will protect your firewall from unauthorized access – either from stolen credentials or brute force hacking attempts.
Ensure your sign-in security settings are set to block repeated unsuccessful attempts and enforce strong passwords and CAPTCHA. Also use role-based access controls to limit exposure.
Online guides:
Minimize access to internal systems
Any device exposed to the WAN via a NAT rule is a potential risk. Ideally, no device should be exposed to the internet via NAT or inbound connections, including IoT devices.
Audit and review all your NAT and firewall rules regularly to ensure there are no WAN to LAN or remote access enabled. Use ZTNA (or even VPN) for remote administration and access to internal systems – DO NOT expose these systems, especially Remote Desktop access to the Internet.
For IoT devices, shut down any devices that do not offer a cloud proxy service and require direct access via NAT – these devices are ideal targets for attackers.
Online guides:
Enable appropriate protection
Protect your network from exploits by applying TLS and IPS inspection to incoming untrusted traffic via relevant firewall rules. Tune your TLS and IPS inspection and take advantage of trusted application FastPath offloading to get the best protection and performance for your particular environment. Ensure you don’t have any broad firewall rules that allow ANY to ANY connections.
Also protect your network from both DoS and DDoS attacks by setting and enabling protection under Intrusion Prevention > DoS & spoof protection. Enable spoof prevention and apply flags for all DoS attack types.
Block traffic from regions you don’t do business with by setting up a firewall rule to block traffic originating from unwanted countries or regions.
Ensure Sophos X-Ops threat feeds are enabled to log and drop under Active Threat Protection.
Online guides:
Enable alerts and notifications
Sophos Firewall can be configured to alert administrators of system-generated events. Administrators should review the list of events and check that system and security events are monitored to ensure that issues and events can be acted upon promptly.
Notifications are sent via either an email and/or to SNMP traps. To configure Notifications, navigate to Configure > System services and select the Notifications list tab.
Online guides:
More info
Be sure to check out how Sophos Firewall is Secure By Design and consult the extensive online documentation and how-to videos to make the most of your Sophos Firewall.
Source: Sophos