
Firewall Subnets on LAN

I would like to get an opinion on firewalled subnets for security. This would be LAN subnets only. Subnet A is servers and subnet B is desktops. Subnets A and B have outbound internet access only. Subnet B (desktops) needs to access Subnet A (servers). All computers on both subnets are firewalled and only the ports needed are open on the computer. What would the advantage be to firewall the subnets at the Sophos as well? For example, a rule that says Any on B could access SQL Server on 1433 on subnet A. Another that says Any on B could access the DNS server on 53 on subnet A.

The only advantage I see is you are restricting or steering just the specific access needed to the respective server for that role. Without adding the firewall rule, the server is still firewalled. What would be considered best practice? Would it be to add the additional layer at the firewall?



  • Hi,

    The issue comes down to what you are trying to protect, and from what.

    Device A needs to be protected from the internet

    Device A needs to be protected from LAN users

    What applications will be accessing the devices?

    Where is your DNS?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I am talking in general terms. I know what needs to be protected and where the devices are. I am trying to lock down security as much as possible and was just wanting to know if it would be best practice to add the additional firewall between the subnets.

  • I block everything until I find sites that don't work, regardless of internal or external. I then perform a detailed analysis to determine which items are causing the failure. At the moment I have salesforce blocked and so far nothing has failed and the hit count is in the hundreds.

    Ian

  • Thanks for the reply, but I want to make sure we are talking about the same thing. You mentioned sites, like salesforce. I am not talking in regard to internet traffic at all, or any traffic that is external either leaving for the outside or coming in. I am only speaking in regard to internal traffic from one LAN to another LAN, just different internal networks.

    For example, desktops on subnet B will access servers on subnet A. Traffic routes to and from subnets A and B, both internal LAN networks. Both servers and desktops are firewalled at the computer level. Would it be best practice to also firewall the subnets at the Sophos?

    An example would be, only the accounting computers in subnet B need access to the SQL server in subnet A, so only those computers are allowed to traverse the firewall at the Sophos to subnet A and only to the SQL server. Would this still be best practice or overkill? Of course, there needs to be a rule for everything a computer needs from subnet B to subnet A in the Sophos.

  • Hi,

    I would suggest you investigate user groups and firewall rules. I use clientless groups to manage which devices have access to what function on the various networks because I don't have a user server. If you have an AD then you can use the AD groups to limit access.

    Ian

  • We already leverage AD at the Sophos and the server is restricted via their AD accounts as well. I am very versed in AD and Sophos user groups and firewall rules. I am just asking whether it is best practice to add the firewall in the Sophos as well, even when it is firewalled at the server. I am just trying to get an idea of what others may be doing.

  • In our environment we primarily use the hardware firewall to configure access between subnets. We do this so the firewall is the only place where we need to look when any traffic is blocked.

    If you are really keen on using as many layers as possible, you could also use the client firewall to create the same rules, but rules would always have to be made twice (both in the hardware and the client firewall).

    You could also allow anything in the hardware firewall and just use the client firewall, but it's harder to track what/where was blocked and why, especially if there are multiple servers in your server subnet. Besides that, we like to block the traffic before it gets to the server subnet, which is another reason we configure rules in the hardware firewall.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • For us we have a policy that all machines, server or desktop, must be firewalled, have endpoints, and be fully patched. As for desktops, no one can log in as admin and we use LUA for permissions. Our network is segmented between desktops, servers, printers, Wi-Fi, etc., all on different subnets. I know it is redundant and twice the rules, which is why I asked. Right now, the subnets are not firewalled at the Sophos. My thinking is that firewalling at the Sophos makes traversing the LANs harder and adds another layer of protection. Also, with say a phishing attack, if a desktop is compromised then the LAN network is not wide open, and I would be narrowing down where the traffic is allowed to go. Right now, all is working well, so if I start having connectivity issues, I can probably say it is coming from the firewall rules in the Sophos I would be implementing. My gut is telling me to do both.
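As an added example (not from this thread or from Sophos), a small Python model of the two layers under discussion: the subnet rules on the Sophos and each server's own host firewall, evaluated for the accounting-to-SQL case above and for the compromised-desktop scenario. The addresses, the accounting hosts, the file server and port 445 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the thread's two LANs (not from the original post).
SUBNET_A = ipaddress.ip_network("10.0.1.0/24")   # servers
SUBNET_B = ipaddress.ip_network("10.0.2.0/24")   # desktops
SQL_SERVER, DNS_SERVER, FILE_SERVER = "10.0.1.10", "10.0.1.53", "10.0.1.20"
ACCOUNTING_DESKTOPS = {"10.0.2.21", "10.0.2.22"}

@dataclass(frozen=True)
class Rule:
    src: object   # predicate on the source address
    dst: object   # predicate on the destination address
    port: int     # single TCP/UDP destination port

def in_net(net):   return lambda ip: ip in net
def is_host(addr): return lambda ip: ip == ipaddress.ip_address(addr)
def in_set(addrs): return lambda ip: str(ip) in addrs

# Layer 1: rules on the Sophos between the subnets. Default deny; only the flows
# the thread names are opened, and SQL is narrowed to the accounting desktops.
GATEWAY_RULES = [
    Rule(in_set(ACCOUNTING_DESKTOPS), is_host(SQL_SERVER), 1433),
    Rule(in_net(SUBNET_B), is_host(DNS_SERVER), 53),
]
# Layer 2: each server's own host firewall, open only on its role's port but,
# as is typical, to the whole desktop subnet rather than to specific hosts.
HOST_RULES = {
    SQL_SERVER:  [Rule(in_net(SUBNET_B), is_host(SQL_SERVER), 1433)],
    DNS_SERVER:  [Rule(in_net(SUBNET_B), is_host(DNS_SERVER), 53)],
    FILE_SERVER: [Rule(in_net(SUBNET_B), is_host(FILE_SERVER), 445)],
}

def permits(rules, src, dst, port):
    return any(r.src(src) and r.dst(dst) and r.port == port for r in rules)

def allowed(src, dst, port, gateway_enforced=True, host_fw_intact=True):
    """A B->A flow succeeds only if every layer still in force permits it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SUBNET_B and d in SUBNET_A and gateway_enforced:
        if not permits(GATEWAY_RULES, s, d, port):
            return False            # stopped at the Sophos, before reaching subnet A
    if host_fw_intact and not permits(HOST_RULES.get(dst, []), s, d, port):
        return False                # stopped by the server's own firewall
    return True

def reachable_servers(desktop, **layers):
    """Servers a compromised desktop could still reach, given which layers hold."""
    probes = {"sql": (SQL_SERVER, 1433), "dns": (DNS_SERVER, 53), "smb": (FILE_SERVER, 445)}
    return {n: allowed(desktop, d, p, **layers) for n, (d, p) in probes.items()}
```

With only the host firewalls, a phished non-accounting desktop reaches every server on its open port; with the Sophos rules in place it reaches only DNS, and that holds even if its target's host firewall has been turned off.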

  • Another reason for us to use the Sophos firewall is that we can and do also use Sophos heartbeat from Sophos endpoint to (dis)allow traffic between subnets based on the status (or lack thereof) of the endpoint software.

    Bottom line, it doesn't really matter where you control access. If you use both you have an additional layer (or 2 if you also count heartbeat) of security (but it may require double the work in managing access). I think there is no right or wrong as long as it fits the security requirements of your environment.
