Hi All,
I understand that turning Support Access on allows Sophos to connect in for support-related work, etc., but is this functionality secured so that only Sophos can make use of this access by way of only accepting connections from known Sophos Support IP addresses, etc.?
Many Thanks
Thanks Yash. I'm aware that this function is a service available exclusively to Sophos, but I'm interested in understanding how the instance is secured, as there does not seem to be any information out there that explains the process.
For instance, if a nefarious party knew the IP of the appliance, and was able to convince the XG's owner that they were Sophos and obtain the AccessID from the XG's owner, what stops them from connecting to the appliance - or how does the XG know that a genuine request is being made from Sophos?
And what about publishing the exact knowledge about how Support Access is secured? I would consider publishing this as a huge security risk.
Thanks Peter. Fully appreciate this. Not looking for any specifics, just an explanation of what secures it. Do the engineers use MFA, etc.? How do we know, as users of the XG, that only Sophos personnel have access to this functionality?
For context, I've been asked to provide an explanation to a security partner of what services are externally accessible on the Firewall, and should we ever turn this on, it would qualify as being 'available' externally, i.e. via the ports referred to in the documentation linked to by Yash. Therefore, I need to justify its use, and we have to ensure it is secure.
When you enable support access, the firewall will create an SSH tunnel over:
utm@54.228.158.66
On Port 22.
Apparently it also creates some temporary files for known hosts and keys, which are deleted after you disable the support access.
-o UserKnownHostsFile=/tmp/uma_known_hosts -i /tmp/uma_host.priv
Meanwhile, when it's creating the SSH tunnel, it will do a port forward of:
-L localhost:22022:localhost:4223
If someone else can dig into this, I would be grateful. (If you're allowed.)
Ryzen 7900 + Mellanox ConnectX-3 (KVM) v21.5 GA @ Home
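An added example, not part of the original posts and not Sophos code: a short Python check that parses an ssh command line and reports where it connects and whether any port forward listens on a non-loopback address, which is the question an external-exposure review asks. The sample command is assembled from the option fragments quoted above; the full command line, the `audit` helper and its field names are assumptions.

```python
import ipaddress
import shlex

# Constructed input: the option fragments quoted in the post, assembled into
# one ssh invocation. The real command line may carry further options.
SAMPLE = ("ssh -o UserKnownHostsFile=/tmp/uma_known_hosts -i /tmp/uma_host.priv "
          "-L localhost:22022:localhost:4223 -p 22 utm@54.228.158.66")

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty, "*" or any other name: treat as reachable

def parse_forward(flag, spec):
    # [bind:]port:host:hostport (IPv6 literals not handled). With no bind
    # address ssh listens on loopback, assuming the default GatewayPorts=no.
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "localhost")
    bind, port, host, hostport = parts  # ValueError on any other shape
    # -L listens on the side running ssh; -R listens on the far end.
    return {"listener_side": "client" if flag == "-L" else "server",
            "bind": bind, "port": int(port), "target": f"{host}:{hostport}",
            "loopback_only": is_loopback(bind)}

def audit(cmdline):
    args = shlex.split(cmdline)[1:]
    rep = {"destination": None, "port": 22, "identity": None,
           "options": {}, "forwards": []}
    i = 0
    while i < len(args):
        arg, val = args[i], args[i + 1] if i + 1 < len(args) else None
        i += 2
        if arg in ("-L", "-R"):
            rep["forwards"].append(parse_forward(arg, val))
        elif arg == "-p":
            rep["port"] = int(val)
        elif arg == "-i":
            rep["identity"] = val
        elif arg == "-o":
            key, _, value = val.partition("=")
            rep["options"][key] = value
        else:  # destination, or a flag assumed to take no argument
            i -= 1
            if not arg.startswith("-"):
                rep["destination"] = arg
    rep["exposed"] = [f for f in rep["forwards"] if not f["loopback_only"]]
    return rep
```

For the sample, `audit(SAMPLE)["exposed"]` is empty: the only listener the command opens is bound to localhost, and the connection itself is outbound to port 22.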
If you need security insight into this, please feel free to contact your local Sales rep to get legal in touch. But assuming this is already stated in the Sophos docs: www.sophos.com/.../sophos-end-user-license-agreement.aspx