This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Security fault? - Servers can be surfed although RED subnet is not in "allowed networks" in "web filtering"

Hi,

i came across an interesting fault (i think).

I created a new RED connection and locked it down to several servers and services. I then monitored the firewall log for possible drops or allows.

But the servers i browsed where not shown i could even access some that were not on my packetfilter allowlist?!

I thought the web proxy may perform it's work. But the subnet was not in the allowed networks.
ALL servers that i could surf were on the skip transparent destination mode in a range definition list. As soon as i removed the servers from there my firewall allowed or rejected the packets. This cannot be normal behaviour, can it?

Can you please confirm?

Best regards

Stephan

This thread was automatically locked due to age.

Parents

0 Jaydeep over 5 years ago

Hi StephanG

Would you please specify if the Source Network was added in Allowed Network in any of the Web Filter Profile? If not added there, it should not allow you to access the Webserver in your Internal network unless specified by the Firewall rules.

Regards

Jaydeep
Cancel
Vote Up 0 Vote Down

Cancel
0 StephanG over 5 years ago in reply to Jaydeep

Hi Jaydeep,

exactly that was not the case. It was a new branch office i wanted to implement with "least privilege".

Best regards

Stephan
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 StephanG over 5 years ago in reply to Jaydeep

Hi Jaydeep,

exactly that was not the case. It was a new branch office i wanted to implement with "least privilege".

Best regards

Stephan
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 5 years ago in reply to StephanG

Hallo Stephan,

I'm a bit confused. If you have searched the Web Filtering log and don't see any of this traffic there, then it must be passing via a firewall rule. Do you have "Any" as a Source or Destination in any of your Firewall rules.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 StephanG over 5 years ago in reply to BAlfson

Hi Bob,

i searched the packet log for these entries as i do not have the network in the allowed "Web protection" network.

I do not have "any" rules in my firewall. All rules have turned on logging.

As soon as i add a web server to the "skip transparent mode destination hosts" i can surf the websites from this server although there is no rule allowing this and the remote RED network is not added to the allowed networks.

As soon as my RED50 is exchanged for a working one i will set up a lab and make a PoC.

Best regards

Stephan
Cancel
Vote Up 0 Vote Down

Cancel