
Firewall Subnets on LAN

I would like to get an opinion on firewalled subnets for security. This would be LAN subnets only. Subnet A is servers and subnet B is desktops. Subnets A and B have outbound internet access only. Subnet B (desktops) needs to access Subnet A (servers). All computers on both subnets are firewalled and only the ports needed are open on the computer. What would the advantage be to firewall the subnets at the Sophos as well? For example, a rule that says Any on B could access SQL Server on 1433 on subnet A. Another that says Any on B could access the DNS server on 53 on subnet A.

The only advantage I see is you are restricting or steering just the specific access needed to the respective server for that role. Without adding the firewall rule, the server is still firewalled. What would be considered best practice? Would it be to add the additional layer at the firewall?



Added TAGs
[edited by: Raphael Alganes at 5:33 AM (GMT -8) on 12 Feb 2024]
  • Hi,

    the issue comes down to what are you trying to protect from what?

    Device A needs to be protected from the internet 

    Device A needs to be protected from LAN users

    What applications will be accessing the devices?

    Where is your DNS?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I am talking in general terms. I know what needs to be protected and where the devices are. I am trying to lock down security as much as possible and was just wanting to know if this would be best practice to add the additional firewall between the subnets.

  • I block everything until I find sites don't work, regardless of internal or external. I then perform a detailed analysis to determine which items are causing the failure. At the moment I have salesforce blocked and so far nothing has failed and the hit count is in the hundreds.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the reply, but I want to make sure we are talking about the same thing. You mentioned sites, like salesforce. I am not talking in regard to internet traffic at all, or any traffic that is external either leaving for the outside or coming in. I am only speaking in regard to internal traffic from one LAN to another LAN, just different internal networks.

    For example, desktops on subnet B will access servers on subnet A. Traffic routes to and from subnets A and B, both internal LAN networks. Both servers and desktops are firewalled at the computer level. Would it be best practice to also firewall the subnets at the Sophos?

    An example would be, only the accounting computers in subnet B need access to the SQL server in subnet A, so only those computers are allowed to traverse the firewall at the Sophos to subnet A and only to the SQL server. Would this still be best practice or overkill? Of course, there needs to be a rule for everything a computer needs from subnet B to subnet A in the Sophos.

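To make the two-layer model discussed in this thread concrete, here is an added example (not Sophos code and not the poster's configuration) that simulates the per-host firewalls plus a default-deny Sophos rule set between subnet B and subnet A, using constructed addresses. It shows which desktop-to-server flows the network layer blocks that the host firewall alone would accept, which is the extra restriction the question is asking about.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the thread):
# subnet A = servers, subnet B = desktops, accounting = first /28 of B.
SUBNET_A = ip_network("10.0.10.0/24")
SUBNET_B = ip_network("10.0.20.0/24")
SQL_SERVER = ip_address("10.0.10.5")
DNS_SERVER = ip_address("10.0.10.53")
ACCOUNTING = ip_network("10.0.20.0/28")

# Host firewalls: each server opens only its role's port, from any source.
HOST_FW = {SQL_SERVER: {1433}, DNS_SERVER: {53}}

# Sophos rules for B -> A traffic, first match wins, implicit deny at the end:
# (source network, destination host, destination port, verdict)
SOPHOS_RULES = [
    (ACCOUNTING, SQL_SERVER, 1433, "allow"),  # only accounting reaches SQL
    (SUBNET_B, DNS_SERVER, 53, "allow"),      # every desktop may use DNS
]


def sophos_verdict(src, dst, port):
    """Evaluate the inter-subnet rule table; no match means deny."""
    for src_net, dst_ip, dport, verdict in SOPHOS_RULES:
        if src in src_net and dst == dst_ip and port == dport:
            return verdict
    return "deny"


def host_verdict(dst, port):
    """The server's own firewall: open ports only, any source."""
    return "allow" if port in HOST_FW.get(dst, set()) else "deny"


def flow_allowed(src, dst, port, use_sophos=True):
    """A flow must pass every enforcement layer on its path.

    With use_sophos=False only the host firewall is consulted, which is the
    'server is still firewalled' situation the question describes.
    """
    src, dst = ip_address(src), ip_address(dst)
    if use_sophos and src in SUBNET_B and dst in SUBNET_A:
        if sophos_verdict(src, dst, port) != "allow":
            return False
    return host_verdict(dst, port) == "allow"
```

With the Sophos layer enabled, a non-accounting desktop reaching the SQL server on 1433 is denied even though the SQL server's host firewall accepts 1433 from anywhere; without it, that flow is accepted.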