
Guest Wifi has access to all other internal networks after upgrade to 9.500-9

After upgrading my SG125 with AP-15s to 9.500-9, the WiFi guest network has full transparent access to the internal networks that should absolutely be separated.

That was working fine. This is a major security issue for our company, since we need a guest WiFi for our clients and we must protect ourselves.

Any idea? In my opinion it's somewhat urgent!

Best

Helmut



  • What do you mean by full transparent access? Can guests access web servers in the corporate network, or can they access much more?

    If only web services, then you may have transparent web filtering switched on, and because of that, if you don't configure more than just that, each network is able to access web services in every other network that talks to the same proxy. If this is the case, however, then it's more than likely that this access was already there before the upgrade.

    Can you confirm whether or not you have transparent web filtering enabled for these networks?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • I have the transparent mode proxy on, but excluded the 10.0.0.0/16 net (internal nets) as destination hosts.
    And you're right, I was a bit imprecise: it is only the ports affected by the transparent proxy.
    Probably I should set an exception for each of my subnets ....
    Probably I'm just missing the point ...

    I'm pretty sure it was working before the update, since I do port scans on a regular basis.

    Yours

    Helmut


  • In that case it's indeed strange that you now have access where you didn't in the past. I'm not on 9.5 yet (and will probably wait a little before I dare to upgrade myself), so I can't check for myself yet. Especially since you're pretty sure it was right in the past (which sounds obvious given your exclusion), you might call this in with your reseller or directly to Sophos if your support contract allows direct contact with Sophos.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • Helmut, please show a picture of your Web Filtering configuration as well as the Transparent mode skiplist. Also, include a line from the Web Filtering log file where someone in the Guest network accessed something in your Internal network.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a German version, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
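One way to find the log evidence Bob asks for, as an added example that is not part of this thread or of Sophos UTM: the script below parses the key="value" style lines the UTM HTTP proxy writes (field names srcip, dstip and url are assumed), and flags every request that a guest-network client made through the proxy to an address inside the internal 10.0.0.0/16 range. The guest range 10.1.0.0/24 and the three log lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the key="value" style of the UTM http proxy log.
# Field names (srcip, dstip, url) are an assumption, not copied from a real system.
SAMPLE_LOG = """\
httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.23" dstip="93.184.216.34" url="http://example.com/"
httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.0.23" dstip="10.0.5.10" url="http://10.0.5.10/intranet/"
httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.0.2.7" dstip="10.0.5.10" url="10.0.5.10:443"
"""

GUEST_NET = ip_network("10.1.0.0/24")        # assumed guest WiFi range
INTERNAL_NETS = [ip_network("10.0.0.0/16")]  # internal range named in the thread

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_internal(ip):
    """True if the address lies inside any configured internal network."""
    return any(ip in net for net in INTERNAL_NETS)


def guest_to_internal(log_text):
    """Return (srcip, dstip, url) for each proxied request from the guest net to an internal net.

    A non-empty result means the transparent proxy forwarded guest traffic
    into the internal range, i.e. the skiplist/exception is not taking effect.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "srcip" not in fields or "dstip" not in fields:
            continue  # not a proxy access line
        src, dst = ip_address(fields["srcip"]), ip_address(fields["dstip"])
        if src in GUEST_NET and is_internal(dst):
            hits.append((fields["srcip"], fields["dstip"], fields.get("url", "")))
    return hits


if __name__ == "__main__":
    for hit in guest_to_internal(SAMPLE_LOG):
        print("guest -> internal via proxy:", *hit)
```

Run it against the real http.log after adjusting the two network constants; the internal-to-internal CONNECT line is deliberately not reported, and the only hit is the guest client reaching the intranet host.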