External Pentest

Hello everyone,

I'm facing a problem that is somewhat new (to me).

One of my customers wants to have an external pentest carried out, and the service provider is asking whether we can whitelist their IPs for the IPS scan.

My Google-fu has led me as far as creating a custom IPS policy:

So far so good, but now I'm asking myself how I can actually make sensible use of it:

- A FW rule "WAN->LAN" with a host group and this IPS policy seems of little help to me.

- Another option I could find online was to create ACLs for appliance access for the host group.

Both options open doors that, in my opinion, I would want to have tested during an external scan.

If I'm wrong, please correct me; otherwise I look forward to enlightening comments from the community :)

Best regards



  • Hello  ,

    Thanks for reaching out to Sophos Community. 

    You may have to create a DNAT policy without any IPS, but turn on "Log Firewall Traffic".

    FW policy may look like this:

    - Source networks and devices: your allowed IP list where the traffic will be coming from.

    - Specify Services and enable Log Firewall traffic.

    Then preferably, put this FW rule on top of your list.

    Hope this helps on your setup. Have a nice day and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hello Raphael,

    Thank you for the hint, I'll try it out.

    As I've been informed, the test will be executed next Monday. I'll keep this thread updated when I get a response.

    I wish you a relaxing weekend!

  • Thank you for your well wishes, yes please let us know of the outcome of your testing.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello,

    maybe you want to expand the list of "Services" to include more services than just HTTP and HTTPS.

    Otherwise this would be a rather poor pentest.

    OTOH, this is kind of a "passthrough" you would never allow during normal firewall operation.

    So why not schedule two rounds for the test: one time you have your IPS in place and you can see how it works.

    The next round is with the "relaxed" setup as suggested by Raphael.

    I would like to know both results, if I were you.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Thank you for the ideas, as suggested by @PhillipRusch I advised my customer to activate the rule only if the pentest wouldn't deliver any results. The IPs worked as intended, the external scan didn't seem to have any unexpected difficulties except the port-scan taking longer (I can live with that).

    Thank you for your support, let's see what the report suggests.