This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall configuration and precedence

Hi,

Could someone explain me how to achieve this:

Allow all outbound connection to Microsoft servers but deny inbound connection to SMB, RPC, and all other vulnerable services.

ATM I tried to:

- Uncheck NetBIOS and trusted for all local LAN (LAN tab), Allow all TCP and UDP outbound connection ("Global Rules" tab)

Result: Cannot map server drive

- Check NetBios (Uncheck Trusted) for all local LAN (LAN tab), Block all inbound connection (with high priority checked) on concerned ports (TCP/445, UDP/445, TCP/139, TCP/135, etc..) ("Global Rules" tab)

Result: Can map server drive but other computers can also map the computer drive

Nmap result:
Scanning computer (x.x.x.x) [1000 ports]
Discovered open port 445/tcp on x.x.x.x
Discovered open port 3389/tcp on x.x.x.x
Discovered open port 139/tcp on x.x.x.x
Discovered open port 8193/tcp on x.x.x.x
Discovered open port 8194/tcp on x.x.x.x
Discovered open port 8192/tcp on x.x.x.x

NB. Applications tab have only outbound rules or generic one
Process tab is empty

I don't get it... what's the problem?

Thanks,

Hugues



This thread was automatically locked due to age.
Parents
  • Hello Hugues,

    off the top of my head, NetBIOS and other protocols of Windows networking are either open in both directions or not (that's also why there is only one box and not a separate In and Out). You have to open the ports at least to the server. Add an entry for the server with NetBIOS checked, leave it unchecked for all LAN.

    I'd recommend Wireshark, trace the traffic when you map a share or access the share via a UNC path.

    Christian

Reply
  • Hello Hugues,

    off the top of my head, NetBIOS and other protocols of Windows networking are either open in both directions or not (that's also why there is only one box and not a separate In and Out). You have to open the ports at least to the server. Add an entry for the server with NetBIOS checked, leave it unchecked for all LAN.

    I'd recommend Wireshark, trace the traffic when you map a share or access the share via a UNC path.

    Christian

Children
  • Hi Christian,

    Thanks for reply.

    Your suggestion to disable for LAN and enable per servers IP/32 might be an option but it's not convenient (we have several sites, managed by different teams).

    An other option would be to disable those services (remote registry, server, etc..) and disable file and printer sharing on interfaces, etc...

    But that's not our goal, the point is just to secure them using the client firewall (-> when we need it, we just lower the firewall).
    This is what we're doing actually with our current endpoint protection and it works fine.

    I will try this today:

    - removing all LAN definitions, and try to rely only on firewall definition (crossing fingers that local network detected automatically will not interfere)

    NB. No need for wireshark atm, all is clearly logged by the endpoint (even specifying rule names)

    What would be better is that "high priority" works as expected and has precedence on all other rules.

    If anyone thinks to another solution, it's welcome :-)

    Hugues

  • Hello Hugues,

    the SEC Help contains a section on the order in which rules are applied - LAN takes precedence over Global Rules.

    Christian

  • Hi again,

    Ok only way to go is then to remove all defined LAN and uncheck "Block file and printer sharing for other networks".
    This way we rely only global rules.

    According to how Sophos work, the cleanest solution would then have been to have a NetBIOS IN and OUT selection.

    Thanks,

    Hugues