Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?

 

Thanks.

 

Mike 

  • In reply to LuCar Toni:

    I believe that on the UTM 9.5 side it knows that if X amount of SYNC or ICMP packets are arriving in sequential order over X amount of time, then that IP is blocked from further scanning. For example, on UTM 9.5 when I ran the GRC Port scan it was only able to scan the first 30 ports before the rest were just stealthed for that specific IP doing the port scan. So yeah, if you have, let's say, SSL port 443 open, then an Anti-Port scan will never see it, since it would be blocked before it gets there, thus the adversary won't even know that you are running such a protocol.

  • In reply to Grammaton:

    Hi,

     

    I know a couple of pieces of software with portscan - as mentioned before: they try the most used ports before starting from 1 to X.

    So you would not see anything in an Anti-Portscan feature until they have already scanned all common ports and start the sequential scanning.

    And it is not common to use sequential scanning - instead you try known ports (like http/s etc.).

    Cheers

  • In reply to LuCar Toni:

    That's true, but it is just another software component which could help to improve the protective impact of this product.

     

    And as you can see here https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/19243372-anti-portscant there is a big demand for this feature by customers.

     

     

    Regards

  • In reply to Dwayne Parker:

    Hi,

    I understand you. But I also don't see any real security benefit in having this feature. It won't protect you against any attack at all. And I think most of the voters just vote for this because UTM has it.

    After all these years: What was the "use case" in knowing about a port scan in UTM?  

     

    Cheers

  • In reply to LuCar Toni:

    Hi,

     

    From my point of view it's a little feature which helps you in several ways:

    1. You are simply informed when somebody tries to get information about your network config, so you can try to strengthen your policies, or blacklist the IPs which execute the scan

    2. It gives you a sign that you are maybe under attack, so you can immediately check logs to find out if someone got into your network

    3. It's a first (little) wall against attacks because it complicates the reconnaissance of the network

    4. If you know there was a portscan, you take countermeasures, e.g. change your public IP

     

    Those are the benefits of Anti-Portscan in my opinion. Sure, Anti-Portscan can't move mountains, but as I pointed out before, it's just another little feature which helps improve the information about the security status of the network and the security.

     

    Regards
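
The disagreement in this thread about threshold-based detection, as an added example that is not from any poster and is not Sophos's actual algorithm: a detector keyed on sequential ports misses the "common ports first" pattern described above, while one that counts distinct ports per source in a time window flags both. The event tuple format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds, source IP, destination port).
# 198.51.100.7 walks ports 1..12 in order; 203.0.113.9 probes well-known
# ports out of order; 192.0.2.4 is a normal client hitting 443 repeatedly.
COMMON = [443, 80, 22, 3389, 25, 8080, 21, 445, 110, 53, 143, 23]
EVENTS = sorted(
    [(i * 0.2, "198.51.100.7", p) for i, p in enumerate(range(1, 13))]
    + [(i * 0.2, "203.0.113.9", p) for i, p in enumerate(COMMON)]
    + [(i * 1.0, "192.0.2.4", 443) for i in range(12)]
)

def sequential_detector(events, run_len=10, window=5.0):
    """Flag a source after run_len hits on consecutive ascending ports
    within `window` seconds (assumed thresholds)."""
    flagged, runs = set(), {}  # runs: src -> (last_port, run_start_ts, count)
    for ts, src, port in events:
        last, start, n = runs.get(src, (None, ts, 0))
        if last is not None and port == last + 1 and ts - start <= window:
            n += 1
        else:
            start, n = ts, 1  # run broken: restart at this packet
        runs[src] = (port, start, n)
        if n >= run_len:
            flagged.add(src)
    return flagged

def distinct_port_detector(events, min_ports=10, window=5.0):
    """Flag a source that touches min_ports different ports within
    `window` seconds, regardless of order (assumed thresholds)."""
    flagged, recent = set(), defaultdict(deque)
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire old hits
            q.popleft()
        if len({p for _, p in q}) >= min_ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    print("sequential:", sorted(sequential_detector(EVENTS)))
    print("distinct  :", sorted(distinct_port_detector(EVENTS)))
```

The repeated connections from 192.0.2.4 to a single port stay below both thresholds, which is why the distinct-port count does not penalise ordinary clients of an exposed service.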