Firewall Subnets on LAN

I would like to get an opinion on firewalled subnets for security. This would be LAN subnets only. Subnet A is servers and subnet B is desktops. Subnets A and B have outbound internet access only. Subnet B (desktops) needs to access Subnet A (servers). All computers on both subnets are firewalled and only the ports needed are open on the computer. What would the advantage be to firewall the subnets at the Sophos as well? For example, a rule that says Any on B could access SQL Server on 1433 on subnet A. Another that says Any on B could access the DNS server on 53 on subnet A.

The only advantage I see is you are restricting or steering just the specific access needed to the respective server for that role. Without adding the firewall rule, the server is still firewalled. What would be considered best practice? Would it be to add the additional layer at the firewall?

  • Hi,

    the issue comes down to what you are trying to protect from what?

    Device A needs to be protected from the internet 

    Device A needs to be protected from LAN users

    What applications will be accessing the devices?

    Where is your DNS?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I am talking in general terms. I know what needs to be protected and where the devices are. I am trying to lock down security as much as possible and was just wanting to know if this would be best practice to add the additional firewall between the subnets.

  • I block everything until I find sites don't work, regardless of internal or external. I then perform a detailed analysis to determine which items are causing the failure. At the moment I have salesforce blocked and so far nothing has failed and the hit count is in the hundreds.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the reply, but I want to make sure we are talking about the same thing. You mentioned sites, like salesforce. I am not talking in regard to internet traffic at all, or any traffic that is external either leaving for the outside or coming in. I am only speaking in regard to internal traffic from one LAN to another LAN, just different internal networks.

    For example, desktops on subnet B will access servers on subnet A. Traffic routes to and from subnets A and B, both internal LAN networks. Both servers and desktops are firewalled at the computer level. Would it be best practice to also firewall the subnets at the Sophos?

    An example would be, only the accounting computers in subnet B need access to the SQL server in subnet A, so only those computers are allowed to traverse the firewall at the Sophos to subnet A and only to the SQL server. Would this still be best practice or overkill? Of course, there needs to be a rule for everything a computer needs from subnet B to subnet A in the Sophos.
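The design question above can be made concrete by modelling the two filtering layers side by side. This is an added example, not Sophos configuration or anything posted in the thread; the subnets, the accounting workstation range and the server addresses are constructed for illustration.

```python
"""Compare 'host firewall only' with 'host firewall plus Sophos inter-subnet
rules' for desktop (B) -> server (A) flows. Added example; all addresses,
hosts and rules below are constructed, not taken from a real deployment."""
from ipaddress import ip_address, ip_network

SUBNET_A = ip_network("10.0.1.0/24")   # servers (constructed)
SUBNET_B = ip_network("10.0.2.0/24")   # desktops (constructed)

# Host firewalls: each server accepts its service port from ANY source.
HOST_RULES = {
    "10.0.1.10": {1433},   # SQL server
    "10.0.1.53": {53},     # DNS server
}

# Sophos inter-subnet rules as (allowed source network, destination, port):
# only the accounting range may reach SQL; every desktop may reach DNS.
ACCOUNTING = ip_network("10.0.2.32/27")
SOPHOS_RULES = [
    (ACCOUNTING, "10.0.1.10", 1433),
    (SUBNET_B, "10.0.1.53", 53),
]

def host_allows(dst, port):
    return port in HOST_RULES.get(dst, set())

def sophos_allows(src, dst, port):
    s = ip_address(src)
    return any(s in net and dst == d and port == p for net, d, p in SOPHOS_RULES)

def evaluate(src, dst, port, segment_at_sophos):
    """True if the flow reaches the service. Without inter-subnet rules the host
    firewall is the only control; with them, both layers must allow the flow."""
    if not (ip_address(src) in SUBNET_B and ip_address(dst) in SUBNET_A):
        return False  # only B -> A flows are modelled here
    if segment_at_sophos and not sophos_allows(src, dst, port):
        return False
    return host_allows(dst, port)

def compare(flows):
    """Map each flow to (allowed with host firewall only, allowed with both layers)."""
    return {f: (evaluate(*f, False), evaluate(*f, True)) for f in flows}

FLOWS = [
    ("10.0.2.40", "10.0.1.10", 1433),   # accounting PC -> SQL: allowed by both
    ("10.0.2.100", "10.0.1.10", 1433),  # other PC -> SQL: host allows, Sophos denies
    ("10.0.2.100", "10.0.1.53", 53),    # any PC -> DNS: allowed by both
    ("10.0.2.100", "10.0.1.10", 3389),  # unpublished port: denied by both
]

if __name__ == "__main__":
    for flow, (host_only, both) in compare(FLOWS).items():
        print(flow, "host-only:", host_only, "host+Sophos:", both)
```

The second flow is the one the extra layer buys: the server's own firewall cannot tell an accounting workstation from any other desktop on subnet B, whereas the Sophos rule can.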

  • Hi,

    I would suggest you investigate user groups and firewall rules. I use clientless groups to manage which devices have access to what function on the various networks because I don't have a user server. If you have an AD then you can use the AD groups to limit access.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • We already leverage AD at the Sophos and the server is restricted via their AD accounts as well. I am very versed in AD and Sophos user groups and firewall rules. I am just asking if it is best practice to add the firewall in the Sophos as well, even when it is firewalled at the server. I am just trying to get an idea on what others may be doing.