I enabled the option to block bad reputation clients when I configured my WAF sites.
Then I was startled to discover that I had blocked my ability to connect from home because my IP address had a bad reputation on SORBS and Barracuda RBLs. Of course, I panicked that my home network was infected. After deciding that my network was really still clean, I contacted SORBS by email. Their reply said it was not just me, that I was part of a blocked network range, so I could not be de-listed. Next, I called my ISP. They forwarded the issue to a mysterious group that never responded despite multiple attempts. The silence did not endear me to my ISP.
Eventually, I determined that the bad reputation was because my home is on a dynamic IP address, just like most other home users. Since that type of address should not be used for email servers, the address range is blocked by some RBLs as a spam-prevention measure, not because of a known problem.
Sophos Support confirms that the email protection and the WAF bad client protection use the same RBLs. So if I choose different RBLs to permit WAF client filtering, I weaken my defenses for email filtering, and vice versa. However, change is not really an option because I would not know how to identify RBLs that never perform dynamic IP blocking.
So unless your WAF sites are only used by businesses with static IPs, you probably should not use this feature.
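A pre-flight check along the lines of the thread's advice, added here as an example (not code from the thread or from Sophos): before enabling the option, query the RBLs named above for the addresses that must keep reaching your sites, and tell a dynamic-range listing apart from a listing for abuse. The zone names and the SORBS answer-code table are assumptions taken from the operators' public documentation, and every IP address used is constructed.

```python
"""Pre-flight RBL check for the UTM WAF 'Block clients with bad reputation' option."""
import ipaddress
import socket

# Assumptions, not taken from the thread: the public zone names of the two
# RBLs it mentions, and the meaning SORBS assigns to each 127.0.0.x answer.
ZONES = {"sorbs": "dnsbl.sorbs.net", "barracuda": "b.barracudacentral.org"}
DUL = "dynamic address space (DUL)"
SORBS_MEANING = {
    "127.0.0.2": "open HTTP proxy", "127.0.0.3": "open SOCKS proxy",
    "127.0.0.4": "misc proxy", "127.0.0.5": "open SMTP relay",
    "127.0.0.6": "spam source", "127.0.0.7": "web form abuse",
    "127.0.0.8": "blocked on request", "127.0.0.9": "hijacked/zombie",
    "127.0.0.10": DUL,
}

def dnsbl_name(ip, zone):
    """DNSBL query convention: reverse the IPv4 octets and append the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def live_resolve(name):
    """A records for name; an empty list means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_client(ip, resolve=live_resolve):
    """Query every zone for ip and classify what the WAF would act on."""
    listings = {}
    for label, zone in ZONES.items():
        codes = resolve(dnsbl_name(ip, zone))
        if codes:
            listings[label] = sorted(codes)
    reasons = {SORBS_MEANING.get(c, "unknown code " + c)
               for c in listings.get("sorbs", [])}
    if reasons - {DUL}:
        verdict = "listed for a non-dynamic reason: " + ", ".join(sorted(reasons - {DUL}))
    elif "sorbs" in listings:
        verdict = "dynamic-range listing only; not evidence of infection"
    elif "barracuda" in listings:
        verdict = "listed by barracuda only (zone exposes no category)"
    else:
        verdict = "not listed"
    return {"ip": ip, "listings": listings, "verdict": verdict}
```

Run `check_client("<your admin IP>")` against the live zones; a "dynamic-range listing only" result is exactly the case the thread describes, where the feature would lock out a clean client.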
Doug, why not just make an Exception for bad reputation for your home IP or a DNAT?
Cheers - Bob
In reply to BAlfson:
I am not the only home user
In reply to DouglasFoster:
Should this thread be in the Web Server Security forum, Doug?
Yes, please move it.
DouglasFoster wrote:
Sophos Support confirms that the email protection and the WAF bad client protection use the same RBLs. So if I choose different RBLs to permit WAF client filtering, I weaken my defenses for email filtering, and vice versa.
I think this is a misunderstanding. WAF and Email Protection might use the same RBLs (I take Support's word for it). But both components are configured independently from each other. If you disable "Block clients with bad reputation" for WAF it won't affect Email Protection. And if you disable RBLs in Email Protection it won't affect WAF.
Just out of curiosity: How would you configure a different RBL for WAF? It's just a checkbox in the Firewall Profile. The RBLs used by WAF are not configurable through the UI.
In reply to ewadie:
We are in agreement.
I was suggesting that one could theoretically fine-tune the email RBL list to only include RBLs that only block proven-malicious devices. If such RBLs can be identified, they would work for both Email and WAF. My point was that this may be difficult to do at all, and is probably undesirable, because it weakens defenses against home computers that get infected in the future.
Just to make sure my understanding is correct, because I’m in the same situation at the moment, with some smartphones.
You could activate the option ‘Skip remote lookups for clients with bad reputation’, so the RBL sources aren’t used. Only GeoIP is then used.
I know it’s not the same level of protection, but more than disabling ‘Block clients with bad reputation’.