Application Control and Port dependencies

Hello,

I do not understand how XG's Application Control work in detail (under the hood). Are any documentation somewhere?


I have to control and restrict some Traffic between LAN and Production due to written regulation of security.

e.g. for understanding

  • LAN->Production:
    • Allow Port 80 if it is HTTP 
    • Allow Port 25 if it is STMP
    • Block all Traffic in all other cases

In this example we have to Block HTTP on Port 25.


How can I solve this with Sophos XG?

sincerly

Guenter

Top Replies

  • 1 month ago in reply to Guenter +3 suggested

    Hi ,

    So what you want to do is L7 aware Policy, with protocol enforcement.

    You want to open port 80, but only if It's HTTP traffic, or port 25 if It's only SMTP? Or port 53 if It's only DNS?…

Parents
  • XG applies Rules based on the common criteria: Source IP, destination IP, service (Port). 

    Everything is a session, so every connection is a session and XG applies a filter rule on this "session". 

    So if you create a rule for service HTTP and HTTPs you can allow or deny certain Apps, which uses HTTP/s. 

    You could use a ANY Services rule, and deny certain applications. 

    You would have to figure out the application, which you do not want to have, and block this app on your Rule for Port 25. Or the simple way is, only to allow the application SMTP and deny all other apps. 

    To be honest, this is the old scenario, where you are allowing based on TCP/IP and are scared, bad people using the Port 25 for other traffic, like HTTP. There are multiple problems with this view. First of all, SMTP should not be open for everybody. Only for your designed Mail server (Nobody should be able to send spam with your IP). Second of all, HTTP is "dead". Bad people uses TLS over XX (They basically find a open port and use TLS to encrypt the traffic). So DPI engine comes handy to find this kind of traffic on every port. 

    Just some thoughts about this. 

    __________________________________________________________________________________________________________________

  • Hi,

    I had the same thoughts like you. 

    In my opinion, however, this is extremely unsatisfactory. 
    Why, let me explain.

    1st) We open outgoing all Ports.
    2nd) Then we look into a session and try to filter out some traffic.

    Why is this suboptimal? The session is established, and it is possible that the appfilter rule does not detect this traffic.
    In this case the traffic runs through the firewall.


    What we need is a strict combination with Appfilter and traditional L3 Session and a bypass rule in Sophos' Appfilter system.

    This give us back the control of the full traffic.

    This means:
    IP Source and IP Destination and destination Port and L7-Application -> Allow / Deny


    This would be great.

    Guenter

  • Why do you open all outgoing ports?

    a firewall rule for http and smtp will block your traffic and can be fine tuned with web and application policies as well as ips .

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • I do not want to open any port. Only the neccessary one.

    And we have to restrict the Port with the Application.

    Examples

    • Rule 1: Only Allow Port 80 AND HTTP Protocol (GET/POST)
    • Rule 2: Only Allow Port 25 AND SMTP Protocol.
    • Role 3: Block all other cases.

    How can this configured in Sophos XG?

    Guenter

  • Hi,

    very simply, you create a rule that only has that port in it and you refine which networks can access that rule. You might need to consider using AD to control source devices. Further refinement would be to  use web and application policies eg you create your own.

    there are kbas at the top right of the forum home page that might help you understand what you are trying to achieve.

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hmm, i cannot confirm this.

    In above case I have to create one rule:

    IP Source mySubnet1
    IP Dest mySubnet2
    Port Dest 80, 25
    Action Allow
    Appfilter myFilter (below)

    Let us say, this Rule matches, now the Appfilter runs.

    Appfilter:

    Row1: Allow HTTP, SMTP

    Row 2 Deny.

    Now, what happens in this example if one system sends HTTP Traffic on Port 25 from mySubnet1 to mySubnet2?

    I think this traffic passes the Firewall. Right?

    Guenter

  • No, it will allow port 25 via the smtp and port 80 via the http. You could further enable the proxy and have seperate rules for http with proxy and another for smtp so that different policies are applied. Mixing ports 25 and 80 in the one rule is not a good idea while does work makes policy enforcement difficult. Then you can further enhance enforcement by enabling block non http traffic on http ports etc.

    silly question why are you trying to limit internal traffic between lans?

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • OK.

    it will allow port 25 via the smtp and port 80 via the http

    Where is this in Sophos XG defined? I did not find anything. The Application Object is a "blackbox".

    @Silly question: 

    This is a written policy we have to establish.

    BTW: Port 25,80 was only for this example and only for understanding what I mean.

    Other example, maybe better unterstanding:

    • Only allow Port 1433 for Citrix
    • Only allow Port 80,443 for Office365
    • Only allow Port 3389 for RDP

    Guenter

  • Further you can set you destinations as the server that accepts each of the ports so regardless of what the user sends will only go to the correct firewall rule and then server. If you enable smtp scanning then anything else will be blocked if not mail,

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • See my previous posting:

    This is a written policy we have to establish.

    Workarrounds are not allowed and will not accepted by our security officer.

Reply Children
  • Hi ,

    So what you want to do is L7 aware Policy, with protocol enforcement.

    You want to open port 80, but only if It's HTTP traffic, or port 25 if It's only SMTP? Or port 53 if It's only DNS?

    If It is, Sophos XG doesn't support this since there's no way to "Block All, allow only X."; This is a feature that has asked multiple times, and pretty much most of the NGFW in the market supports it, but XG still falls behind.

    Thanks!

  • Hi,

    Yes this is exactly what we need:

    L7 aware Policy, with protocol enforcement


    We had the hope that XG would become a real L7 firewall, and not an L3 with L7 filters like the UTM.

    On the other hand I find it also precarious, in the today's Ransomware time, still to sell such systems with good conscience. "Zero Trust, Inspect all" is the only solution to protect yourself from such threats.

    I'm shocked.
    Guenter

  • These are not work around they arecsecurity you can enforce.

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Adding to this, even SonicWall supports L7 Policy and protocol enforcement now. So pretty much any Sophos competitors does this now.

    I've already asked to a Sophos Dev about L7 Policies, but this has the answer:

    "Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

    The application filter is better suited to denying applications rather allowing them (and denying everything else)."

    (If you want I can send you the link of the post about this, but It has been archived.)

    Thanks!

  • Crazy.

    Please send me this Link.

    Guenter

  • I've sent you a message with more information. (I'm trying to find all posts about this.)

  • Thank you, I've read that Postings. 

    BTW: I worked the last years with PaloAlto...

    Unbelivable what Sophos ignores in 2020 ....

  • There are many things to talk about. I guess, we cannot cover everything in this post. But there is a difference between Application Control and Application protection. The problem nowadays with "Attacks" is, those guys like to use normal applications and use TLS encryption to communicate. Therefore you can start to block the application Chrome, but they will simply use your browser to build a channel back. (Its more complicated than that - always recommend https://nakedsecurity.sophos.com/ )

    You can build many real L7 scenarios with XG, as the firewall backend allows such processes. But there are certain limitation like groups etc. 

    For example, you could simple build LAN to WAN, allow and Deny apps, you want / do not want. That will work perfectly fine on all Ports and all apps. 

    Another example is group support. You could build a firewall rule User A LAN to WAN, allow all apps. User B Lan to WAN, only Browser allowed. 

    It gets complicated, if you want to allow per user different Apps and deny other. 

    From my understanding, a control product is to "allow" unwanted things. A "protect" product is to deny attacks etc. You can allow or deny pornographic content. Is it harmful? Likely not, but not wanted in most businesses. Do you want to stop the ransomware to lateral movement? Yes i want to. But thats likely a IPS and DPI topic rather than a application control. 

    Attacks are complex and uses different mechanism to spread. Look at tools to white hack for example. They can literally inject into notepad and "be notepad". Do you want to block notepad to communicate by your firewall? Where does it stop? 

    Protection should be used on certain level. You need for example a good endpoint protection to stop the injection in the first place. 

    __________________________________________________________________________________________________________________

  • Hi , Thanks for giving your insight.

    I understand your point of view, Nowadays there's even malware using DNS over HTTPS to communicate with C&C over Port 443, making it looks exactly as HTTPS Traffic for the firewall; At the same time making protocol enforcement useless, but in this case most discussions in the community about this is not entirely about security, but management.

    You can build many real L7 scenarios with XG, as the firewall backend allows such processes. But there are certain limitation like groups etc. 

    Let's talk about L7 Policies;

    The problem here is not being able to create rules directly based on the application, It makes management a hell, you will always ended up with dozens or hundreds of "Application Filters", and every time you need to make a simple change, such as deny Google Drive, you will always see yourself editing a bunch of those filters because there's multiple of those different filters being applied on different users and groups - that needs to be blocked.

    In the scenario above, if you could create a L7 aware Rule, all you would have to do is create a new rule on top that block this application, and select the users/groups.

    And, well... Protocol Enforcement doesn't work that well anymore since pretty much >80% of the traffic is TLS encrypted; Also, since on v18 the new DPI Engine is capable to identify the known apps on any port, then I don't see It as a issue anymore.

    Thanks again!

  • It highly depends on the size of your setup / network and your goal. If you start to create multiple filters for multiple reasons, you will end up by editing through all of those rules (which you could shortcut by using API or XML). But i understand the issue at hand. I am simply here to tell you, what is possible "as of today". I know, there are other vendors, using different approaches. 

    There are certain few point of this story. You can split up this topic into multiple domain, like Security, management, control and enforcement. Also scaling is a huge point of it. With simple setups, it is quite easy to build up a secure application filter. If you go into the more complex scenarios, as you want to deny multiple apps because of different reasons, it can get more complicated. 

    There will come up other issue in the future. Lets call them "in-Apps". Something like Outlook in Chrome, Teams in Chrome etc. As such applications use the browser, you will see on application control products only "Chrome" as a user agent or application filter. There is more stuff on the to do list, to interact with the future. 

    __________________________________________________________________________________________________________________