This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Security fault? - Servers can be surfed although RED subnet is not in "allowed networks" in "web filtering"

Hi,

i came across an interesting fault (i think).

I created a new RED connection and locked it down to several servers and services. I then monitored the firewall log for possible drops or allows.

But the servers i browsed where not shown i could even access some that were not on my packetfilter allowlist?!

I thought the web proxy may perform it's work. But the subnet was not in the allowed networks.
ALL servers that i could surf were on the skip transparent destination mode in a range definition list. As soon as i removed the servers from there my firewall allowed or rejected the packets. This cannot be normal behaviour, can it?

Can you please confirm?

Best regards

Stephan



This thread was automatically locked due to age.
Parents
  • Hi  

    Would you please specify if the Source Network was added in Allowed Network in any of the Web Filter Profile? If not added there, it should not allow you to access the Webserver in your Internal network unless specified by the Firewall rules.

    Regards

    Jaydeep

  • Hi Jaydeep,

    exactly that was not the case. It was a new branch office i wanted to implement with "least privilege".

    Best regards

    Stephan

  • Hallo Stephan,

    I'm a bit confused.  If you have searched the Web Filtering log and don't see any of this traffic there, then it must be passing via a firewall rule.  Do you have "Any" as a Source or Destination in any of your Firewall rules.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    i searched the packet log for these entries as i do not have the network in the allowed "Web protection" network.

    I do not have "any" rules in my firewall. All rules have turned on logging. 

    As soon as i add a web server to the "skip transparent mode destination hosts" i can surf the websites from this server although there is no rule allowing this and the remote RED network is not added to the allowed networks.

    As soon as my RED50 is exchanged for a working one i will set up a lab and make a PoC.

    Best regards

    Stephan

Reply
  • Hi Bob,

    i searched the packet log for these entries as i do not have the network in the allowed "Web protection" network.

    I do not have "any" rules in my firewall. All rules have turned on logging. 

    As soon as i add a web server to the "skip transparent mode destination hosts" i can surf the websites from this server although there is no rule allowing this and the remote RED network is not added to the allowed networks.

    As soon as my RED50 is exchanged for a working one i will set up a lab and make a PoC.

    Best regards

    Stephan

Children
No Data