Firewall Subnets on LAN

Hi,

the issue comes down to what are you trying to protect from what?

Device A needs to be protected from the internet 

Device A needs to be protected from LAN users

What applications will be accessing the devices?

Where is your DNS?

Ian

I am talking in general terms. I know what needs to be protected and where the devices are. I am trying to locked down security as much as possible and was just wanting to know if this would be best practice to add the additional firewall between the subnets.

I block everything until I find sites don't work regardless of internal external. I then performa detailed an anywise to determine which items causing the failure.  At the moment I have salesforce blocked and so far nothing has failed and the hit count is in the hundreds.

Ian

Thanks for the reply, but I want to make sure we are talking about the same thing. You mentioned sites, like salesforce. I am not talking in regard to internet traffic at all, or any traffic that is external either leaving for the outside or coming in. I am only speaking in regard to internal traffic from one LAN to another LAN, just different internal networks.

For example, desktops on subnet B will access servers on subnet A. Traffic routes to and from subnets A and B, both internal LAN networks. Both servers and desktops are firewalled at the computer level. Would it be best practice to also firewall the subnets at the Sophos?

An example would be, only the accounting computers in subnet B need access to the SQL server in subnet A, so only those computers are allowed to traverse the firewall at the Sophos to subnet A and only to the SQL server. Would this still best practice or overkill? Of course, there need to be a rule for everything a computer needs from subnet B to subnet A in the Sophos.

Hi,

I would suggest you investigate user groups and firewall rules. I use clientless groups to manage which devices have access to what function on the various networks because I don't have a user server. If you have an AD then you can use the AD groups to limit access/

Ian

We already leverage AD at the Sophos and the server is restricted via their AD Accounts as well. I am very versed in AD and Sophos user groups and firewall rules. I am just asking is it best practice to add the firewall in the Sophos as well, even when it is firewalled at the server. I am just trying to get an idea on what others may be doing.

In our environment we primarily use the hardware firewall to configure access between subnets. We do this so the firewall is the only place where we need to look when any traffic is blocked.

If you are really keen on using as many layers as possible, you could also use the client firewall to create the same rules but rules would always have to be made twice (both in hardware and client firewall)

You could also allow anything in hardware firewall and just use client firewall but it's harder to track what/where was blocked and why, especially if there are multiple servers in your server subnet. Besides that we like to block the traffic before it gets to the server subnet so another reason we are configuring rules in the hardware firewall.

For us we have a policy that all machines, server or desktop must be firewalled, have endpoints, and be fully patched. As for desktops no one can log in as admin and we use LUA for permissions. Our network is segmented between, desktops servers, printers, Wi-Fi, etc. all on different subnets. I know it is redundant and twice the rules as to why I asked. Right now, the subnets are not firewalled at the Sophos. My thinking is that firewalling at the Sophos makes traversing the LANS harder and adds another layer of protection. Also, with say a phishing attack, if a desktop is compromised then the LAN network is not wide open, and I would be narrowing down where the traffic is allowed to go. Right now, all is working well, so if I start having connectivity issues, I can probably say it is coming from my firewall rules in the Sophos I would be implementing. My gut is telling to do both.

Another reason for us to use Sophos firewall is that we can and do also use Sophos heartbeat from Sophos endpoint to (dis)allow traffic between subnets based on status (or lack thereof) of the endpoint software.

Bottomline, it doesn't really matter where you control access. If you use both you have an additional layer (or 2 if you also count heartbeat) of security (but it may require double the work in managing access). I think there is no good or wrong as long as it fits the security requirements of your environment.