I am very green when it comes to networking. I am running Sophos UTM 9 Home Edition on a VM as my firewall. I thought that I would go through my firewall rules and "harden" things up a bit by getting more granular with the rules.
The first hurdle that I ran into was my Xbox & Xbox Live. I gave the Xbox a static IP and created the following rule: Xbox -> Any -> Any. I also then created two DNAT rules so that the Xbox would report back with an open NAT to prevent any online gaming issues.
Next up....Ring Doorbell. I had to give this a static IP and created the following rule: Ring Doorbell -> Port Group for Ring (contains all the ports needed for the Ring doorbell) -> Any. The doorbell worked and I could access it from my phone outside the network.
The rub occurred when I tried to use my iPad on the network to access the Ring Doorbell. It wouldn't connect. Apparently, the App uses many of the same ports as the ring doorbell. This included a port range from 16500 to 65000.
So my thinking was that I had a few options. First, I could create static IPs and network definitions for many of the devices on my home network that would be accessing the Ring doorbell....including phones, iPads, tablets, Amazon Echo Shows, etc. and then create a firewall rule allowing these devices to run over these ports. However, this seems very cumbersome.
Two, I could create a firewall rule for Internal (Network) -> Port Group for Ring -> Any. This would then allow all devices on my internal network to utilize the necessary ports to access the Ring doorbell.
Third, I could simply create a rule that states: Internal (Network) -> Any -> Any. This would prevent me from having to create static IPs for many of the devices in my home and configuring firewall rules to allow those devices / applications to communicate over specific ports.
The third option seems the easiest by far, but what kind of security risks does it pose? My thoughts were that if I was going to use option #2 above, it is already allowing my internal network to communicate over a vast range of ports. So then why not allow all internal devices to use all ports and be done with it?
Obviously the fewer ports you open to "any" the better it is for security. However, especially in a home environment you will need to open up ports, as you found for your XBOX and numerous other hardware devices and/or software/games, IoT devices, etc.
At my home for a long time I just opened up as few ports as were really necessary and, if possible, also just to the server(s) they needed to be open to. That however is a constant and never-ending work-in-progress, especially with kids around that find new games on a daily basis. And not just that, but every new port opened decreases overall security a bit. So I changed all this some time ago.
What I did was just to separate the "fun-stuff" part of my home network from the more serious part. I created a new network where the XBOX and the kids' computers are. This part of the network has all ports 1024:65535 opened to the outside. The "well-known ports" 0-1023 are more specific and I still only open these when they are really necessary.
In my more secure part of the network, where my NAS resides and from where I make VPN connections to work, I still have as few ports opened as possible and this doesn't take too much time. Once in a while I need to open up an additional port or two, but not too often.
The kids' network cannot access my secured network, and my printers are again in a separate subnet which both of the networks have access to.
That way I keep the important part of my network more secure, and it takes me a lot less time to manage it. As I see it the best of two worlds combined...
Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.
Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
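An added example, not part of either post and not Sophos UTM configuration: a small Python model of the two policies discussed above, the asker's flat Internal -> Any -> Any rule and the answer's segmented layout, evaluated against the same flows with first-match semantics and a default deny. The subnets, port numbers and the single well-known port opened for the kids' network are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets for the three segments the answer describes
# (hypothetical addresses, not taken from the post).
KIDS = ip_network("192.168.20.0/24")      # XBOX and the kids' computers
SECURE = ip_network("192.168.10.0/24")    # NAS, VPN connections to work
PRINTERS = ip_network("192.168.30.0/24")  # reachable from both networks
INTERNAL = [KIDS, SECURE, PRINTERS]
INTERNET = "internet"                     # any destination outside INTERNAL
ANY = "any"                               # any destination at all

# Segmented ruleset: (source, destination, (low port, high port), action).
# First match wins; anything that matches nothing is denied.
SEGMENTED = [
    (KIDS, SECURE, (0, 65535), "deny"),        # kids' network cannot reach the secure network
    (KIDS, PRINTERS, (0, 65535), "allow"),
    (SECURE, PRINTERS, (0, 65535), "allow"),
    (KIDS, INTERNET, (443, 443), "allow"),     # one well-known port opened on purpose (constructed)
    (KIDS, INTERNET, (1024, 65535), "allow"),  # all high ports open for games
    (SECURE, INTERNET, (443, 443), "allow"),   # secure side: only what is really needed (constructed)
]

# The asker's option #3: Internal (Network) -> Any -> Any.
FLAT = [(net, ANY, (0, 65535), "allow") for net in INTERNAL]


def _dst_matches(rule_dst, dst):
    if rule_dst == ANY:
        return True
    if rule_dst == INTERNET:
        return not any(dst in net for net in INTERNAL)
    return dst in rule_dst


def decide(rules, src, dst, port):
    """Evaluate one flow (src ip, dst ip, dst port) against a rule table."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, (lo, hi), action in rules:
        if src in rule_src and _dst_matches(rule_dst, dst) and lo <= port <= hi:
            return action
    return "deny"  # implicit deny at the end of the table


def compare(src, dst, port):
    """Return (flat decision, segmented decision) for the same flow."""
    return decide(FLAT, src, dst, port), decide(SEGMENTED, src, dst, port)


if __name__ == "__main__":
    for src, dst, port in [("192.168.20.10", "203.0.113.5", 3074),   # XBOX to a game server
                           ("192.168.20.10", "192.168.10.5", 445),   # kids' PC to the NAS
                           ("192.168.10.5", "203.0.113.5", 8080)]:   # secure side, unlisted port
        flat, seg = compare(src, dst, port)
        print(f"{src} -> {dst}:{port}  flat={flat}  segmented={seg}")
```

The flat policy allows every flow, including the kids' PC reaching the NAS; the segmented table keeps the game traffic working while blocking that lateral path.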