Hi there, this is the XG Firewall Overview module for XG Firewall v18.0.

Sophos Certified Engineer XG Firewall 18.0
ET801 – XG Firewall Overview
July 2020
Version: 18.0v2

© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Module 1: XG Firewall Overview - 1

About This Course
This course is designed for technical professionals who will be demonstrating XG Firewall. It provides an overview of the protection XG Firewall provides, including major capabilities and core configuration concepts.
Course Duration
• This course will take around 3 days to complete

Prerequisites
There are no prerequisites for this course, however it is recommended that students have the following knowledge and experience:
✓ Practical knowledge of networking, including subnets, routing, VLANs, and VPNs
✓ Experience configuring network security devices
✓ Knowledge of fundamental encryption and hashing algorithms and certificates

Certification
To complete the Sophos Certified Engineer XG Firewall course, you must complete and pass the online assessment that is available in the training portal. You have two and a half hours to complete the assessment and four attempts to pass it. The assessment may include questions on both theory and simulations. You must complete and pass the online assessment if you wish to register for the XG Firewall Architect course.

Additional Information
When you see this icon you can find additional information in the notes of the student handout.

Glossary of Technical Terms
A glossary of technical terms used throughout the course can be found in knowledge base article 118500.
https://sophos.com/kb/118500

Course Agenda
This course is split into 12 modules, with simulations interspersed throughout the course to allow for practice of the content discussed in the previous modules.
1. XG Firewall Overview
2. Getting Started with XG Firewall
3. Network Protection
4. Site-to-Site Connections
5. Authentication
6. Web Protection
7. Application Control
8. Email Protection
9. Remote Access
10. Wireless Protection
11. Logging and Reporting
12. Central Management

Reference Environment
This network diagram shows the environment that is used during the course and the simulations; you may find it useful for reference to provide additional context. The diagram can also be found in the simulation workbook. The drawing itself is not reproduced in this text version; the labels it carries are:

Head Office: London
• LON-GW1.SOPHOS.WWW, WAN IP: 10.1.1.100 (/24)
• LON-DC.SOPHOS.LOCAL, IP: 172.16.16.10 (/24)
• LON-SRV2.SOPHOS.LOCAL, IP: 172.17.17.20 (/24)
• LON-CLIENT2.SOPHOS.LOCAL, IP: 172.17.17.22 (/24)
• LON-INTRANET.SOPHOS.LOCAL, IP: 172.25.25.40 (/24) and 172.25.25.41 (/24) (the diagram carries this name twice, once for each address; INTRANET zone)
• STORE.SOPHOS.DMZ, IP: 172.30.30.50 (/24) (DMZ zone)
Branch Office: New York
• NY-GW.SOPHOS.WWW, WAN IP: 10.2.2.200 (/24)
• NY-SRV.SOPHOS.LOCAL, IP: 192.168.16.30 (/24)
Other addresses on the diagram: 10.1.1.250 (/24) and 10.2.2.250 (/24) on the WAN side, and the MPLS link 10.100.100.65 (/29) and 10.100.100.70 (/29).
XG Firewalls have the x.x.x.16 address on internal networks.
Course Objectives
Once you have completed this course, you will be able to:
• Explain how XG Firewall protects against security threats
• Configure firewall rules, policies and user authentication
• Demonstrate threat protection and commonly used features
• Perform the initial setup of an XG Firewall and configure the required network settings

Training Feedback
Feedback on our courses is always welcome. Please email us at globaltraining@sophos.com with your comments.

XG Firewall Overview
• What is XG Firewall?
• Deployment Options
• Anatomy of Attack
• Zero Trust
This first module introduces the Sophos XG Firewall, including coverage of the deployment options available to you. We'll then guide you through the anatomy of an attack to introduce key security technologies in XG Firewall and how they protect against common threats. Lastly, we'll cover Zero Trust, explaining how this mindset helps prevent successful data breaches.

What is XG Firewall?
XG Firewall use cases (slide)
• Next-Gen Firewall: Visibility, Protection, and Response
• All-in-One Protection: Consolidate, Simplify, & Save
• School Protection: Affordable, Simple Compliance & Control
• SD-WAN & Branch: Retail, Branch Office, ICS & SD-WAN
• Endpoint Integration: Synchronized Security & Automated Response
• Public Cloud: Protection for Azure and Hybrid Networks

Sophos XG Firewall is a comprehensive network security device, with a zone-based firewall and identity-based policies at its core. XG Firewall does not only protect wired networks: as a wireless controller for Sophos access points, it can also provide secure wireless networking. Protection is managed through a single cloud-based platform, making day-to-day management of all your Sophos products (including XG Firewall) easy and scalable. There are features purpose-built to help universities, higher education, K-12, and primary or secondary educational institutions overcome key challenges, for example powerful web filtering policies and built-in policies for child safety and compliance. With XG Firewall and SD-RED you are able to connect sites across your geographically distributed network. XG Firewall works together with Sophos Central and Intercept X in real time, so when either XG Firewall or Intercept X identifies a threat they work together to provide health and threat monitoring, lateral movement protection, synchronized application control and synchronized user ID. XG Firewall can be deployed using preconfigured virtual machines in the cloud, where cloud servers can be secured against hacking attempts.

See it, Stop it, Secure it
• Expose Hidden Risks: superior visibility into risky activity, suspicious traffic, and advanced threats helps you regain control of your network.
• Stop Unknown Threats: powerful next-gen protection technologies like deep learning and intrusion prevention keep your organization secure.
• Isolate Infected Systems: automatic threat response instantly identifies and isolates compromised systems on your network and stops threats from spreading.

XG Firewall includes a comprehensive built-in reporting engine, which allows you to easily drill down into reports to find the information you need. It also provides comprehensive next-generation firewall protection that exposes hidden risks, blocks unknown threats, and automatically responds to incidents.

See it
The control center appears as soon as you sign in. It provides a single-screen snapshot of the state and health of the security system, with traffic-light style indicators which immediately draw attention to what matters most. At a glance, you can see your top risks related to heartbeat, apps, payloads, users, threats, websites and attacks.

Stop it
Protection technologies shown on the slide: Next-Gen Firewall, Intrusion Prevention System, Web Protection & SSL Inspection, Sandboxing, Deep Learning, Advanced Threat Protection, Synchronized Security, Application Visibility and Control, Email, DLP and Encryption, Web Application Firewall, Wireless Protection, RED and VPN.
XG Firewall analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for sophisticated attacks by using a full suite of protection technologies.
These include:
• Powerful Sandstorm sandboxing
• Deep learning with artificial intelligence
• Top performing IPS
• Advanced threat and botnet protection
• Web protection with dual AV, JavaScript emulation and SSL inspection
All benefiting from over 30 years of threat intelligence data from SophosLabs.

Secure it
(Slide: Security Heartbeat™ links the XG Firewall and Sophos Central; a phishing email from the Internet reaches an infected host, which contacts a malware server and launches a ransomware attack against the servers and devices behind the firewall.)
Recent threats like Emotet and targeted ransomware, such as Matrix and SamSam, demonstrate the ways cybercriminals are constantly changing their tactics to stay effective and profitable. The next-gen advancements of XG Firewall and Intercept X, combined with the intelligence of Synchronized Security (which we'll come onto later in the course) and easy management of all products within Sophos Central, are essential for maintaining protection and responding quickly to any attack.

Deployment Options
The Sophos XG Firewall can be deployed in four ways:
• As a hardware device. Sophos XG devices come pre-loaded and ready to go
• As software installed onto Intel-compatible hardware
• As a virtual device running on the most common hypervisors, including VMware, Citrix, Microsoft Hyper-V and KVM
• In the cloud on Azure, and soon Amazon Web Services
However you choose to deploy XG Firewall, it uses the same software and provides the same functionality regardless of form factor.
Supported Virtualization Platforms
https://sophos.com/kb/132088
• VMware: ESXi 6.5.0
• Hyper-V: Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2
• Xen: XenServer 7.3
• KVM: CentOS 7.4.1708
Before installing, turn off guest additions and services, and stop automated backups and snapshots.
It is important to install XG Firewall on one of the supported virtualization platforms and their tested versions shown in knowledge base article 132088. These platforms have been tested and are known to work with the Sophos Firewall Operating System (SFOS).

Azure
XG Firewall is available as a preconfigured virtual machine within the Azure Marketplace. You can use Azure Resource Manager templates to speed up deployment, or customize the configuration to meet the specific needs of your environment. Sophos offers two pricing options for XG Firewall on Azure: pay-as-you-go (PAYG) or bring-your-own-license (BYOL). PAYG allows you to pay only for what you use, so you do not have to guess about capacity; there is no minimum commitment and you can stop at any time. BYOL allows you to use your existing investment in XG Firewall: when you purchase a 1-, 2- or 3-year XG Firewall license, you can use that license in conjunction with Azure. The Azure cloud lets you scale as you need. There is no guessing about capacity, and you can use Azure Resource Manager templates to scale up and down based on user demand for applications. Under Azure's shared responsibility model, Azure secures the cloud and you are responsible for securing your applications and data. XG Firewall can help you with this, and in Azure you still get the full XG Firewall, the same product you can run on-premises.
• Deploy in minutes from Azure Marketplace
• Flexible Pricing – PAYG or BYOL
• Scalable
• Shared responsibility model
• Full XG Firewall

Anatomy of Attack
We will now look at the protection features offered by Sophos XG Firewall. To do this, we will show adversary tactics and techniques and how Sophos XG Firewall is able to stop complex attacks at each phase of an attack. By reviewing these techniques, you will get a better and more reliable understanding of Sophos' ability to stop the attacker's techniques at each of the phases.

Attack Kill Chain
PRE-BREACH
• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, ...
• Exploitation: leveraging a vulnerability or functionality to execute code on the victim's machine
POST-BREACH
• Installation: installing malware on the asset
• Command and Control: command channel for remote manipulation of the victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal

The first part of the anatomy of a cyber attack is reconnaissance and weaponization. Hackers usually start by passively researching and gathering information about the target organization, for example the email addresses of key people in the organization such as the CEO and company directors. During passive reconnaissance the attacker is not touching your network or systems, so there is nothing to detect. They may also actively look for network ranges, IP addresses and domain names using port scanners, or find information about the company being sold on the dark web. Weaponization is done on the attacker's device, so again there is nothing to detect.
This stage of an attack is defined by the attacker being able to access your estate through an attack vector, for example an email, and deliver malware to a specific target. This is sometimes referred to as delivering a weaponized bundle to a target.

Protecting Against the Delivery of Malware (kill chain stage: Delivery)
Attackers will send emails to users asking them to click on a link, or to go to a website that is compromised. This is referred to as phishing. Typically in a phishing scam, you and many of your colleagues will receive an email that appears to come from a reputable organization and will sometimes include attachments which, if opened, can infect a device. Attackers will use social engineering tactics over social networks, emails, applications, phone calls, text messages and in person to get people to reveal sensitive information. Typically the attack is designed for some of the following purposes:
• Phishing credit-card account numbers and passwords
• Hacking private e-mails and chat histories
• Hacking websites of companies or organizations and destroying their reputation
• Computer virus hoaxes
• Convincing users to run malicious code
Many malware infections begin with a user visiting a specifically designed website that exploits one or more software vulnerabilities. This can be triggered by a user clicking on a link within an email or simply browsing the Internet. This type of infection happens silently.
Genuine websites can be compromised by attackers who place malicious advertisements on the site. In other cases traffic to the website may be redirected to the attacker's server. The redirected site is designed to look authentic and usually requests a username and password to log in. You can find out more about social engineering and how it can be prevented by watching the video on Sophos's Naked Security page: https://nakedsecurity.sophos.com/tag/social-engineering/

Email Attacks (Delivery)
(Slide: the cyber criminal sends an email to the victim; the victim clicks on the email and goes to the phishing website; the attacker collects the victim's credentials and uses them to access the legitimate website (data theft). Alternatively an exploit kit on the site scans for vulnerabilities on the victim's computer and exploits them to download malicious code onto the system.)

XG Firewall protects you by scanning HTTP and HTTPS traffic for unwanted content or malware.
• Web Filtering provides pre-defined filters that automatically block access to categorized websites, such as gambling or pornography
• Live Protection provides real-time lookups to SophosLabs to check for any threats and prevent them from infecting the device or network
• Pharming Protection prevents users from being redirected to fake or compromised websites
• Certificate validation validates website certificates to ensure legitimacy
• File type filtering is based on MIME type, extension and active content types. This can be used, for example, to block macro-enabled documents
• SafeSearch enforcement.
SafeSearch is a feature of Google Search that acts as an automated filter of pornography and potentially offensive content.
The Web Protection feature is customizable; for example, restricting users' surfing quota and access time gives control over what users can access and when. If you want to stop your users accessing websites that are not business essential, you can place a restriction in the web policy that blocks access to non-business sites, for example social networking sites.

Web Protection (Delivery)
Policies allow you to configure filters to automatically block categorized websites. If a user visits a blocked website they will not be able to get to the site.

To protect your network against email attacks, Email Encryption and Control can be used. The email scanning engine scans all inbound emails for malicious content. You control what emails can be received into your network:
• IP Reputation is enabled, allowing you to determine whether you accept, reject or drop emails that are sent from known spam senders
• File-type detection is configured to scan and block specific file types. For example, you can block or quarantine any macro-enabled files from any sender
The email scanning engine also detects phishing URLs within emails and blocks those emails accordingly. As well as scanning inbound and outbound emails for malicious content, email protection allows you to encrypt emails so that you can send sensitive data securely out of your network. It uses SPX encryption for one-way message encryption and recipient self-registration for SPX password management. This encryption is simple and secure and does not require certificates or keys. It also allows users to add attachments to SPX secure replies, so that your users can securely send files.
Email protection also uses our Data Loss Protection (DLP) engine, which automatically scans emails and attachments for sensitive data. This is also a key benefit at the last stage of the attack, which we'll talk about later in the module.

Email Encryption and Control (Delivery)
(Slide: mail from the cyber criminal passes through the XG Firewall, which quarantines it before it reaches the email servers.)

Sophos Sandstorm uses next-gen sandbox technology with integrated deep learning, giving your organization an extra layer of security against ransomware and targeted attacks. It integrates with your XG Firewall and is cloud-delivered, so there is no additional hardware required. It is the best defense against the latest payload-based malware lurking in phishing attacks, spam, and file downloads. Let's take a look at how Sophos Sandstorm tests for and identifies possible malware.

The XG Firewall pre-filters traffic using all of the conventional security checks, including anti-malware signatures, known bad URLs and so forth, so that only previously unseen suspicious files are submitted to Sandstorm, ensuring minimal latency and end-user impact. If the file is executable or has executable content, it is treated as suspicious. The XG Firewall sends the file hash to Sophos Sandstorm to determine whether the file has been previously analyzed. If it has, Sophos Sandstorm passes the threat intelligence to the XG Firewall, and the file is delivered to the user's device or blocked depending on that information. The XG Firewall keeps a local cache of file hashes and their results in a local database to prevent unnecessary lookups. Finally, the XG Firewall uses the detailed intelligence supplied by Sophos Sandstorm to create deep, forensic reports on each threat incident.
Sandstorm (Delivery)
(Slide: the XG Firewall sends the hash of a suspect file to Sophos Sandstorm, which determines its behavior and returns the control decision and a report.)
If the hash has not been seen before, a copy of the suspicious file is sent to Sophos Sandstorm. Here, the file is executed and its behavior is monitored. Once fully analyzed, Sophos Sandstorm passes the threat intelligence to the XG Firewall, which determines whether the file is allowed or blocked. As with previous threats, a report is created for the threat incident.

Deep Learning (Delivery)
(Slide: millions of samples such as Windows EXEs, documents with macros and PDFs with scripts; file features such as vendor, size, printable strings, settings, metadata, imports and contextual bytes are defined and labelled; a model is trained on them, and the deep learning engine classifies a PE file as malicious or legitimate.)
Amongst the layers of protection within our sandbox is something called deep learning, which protects against the latest unseen advanced threats like ransomware, cryptomining, bots, worms, hacks, breaches, and APTs without using signatures. Deep learning uses a set of algorithms that try to replicate the way a human brain would solve a problem: by looking at the features of an object, it makes a decision as to what that object is. Let's relate this to securing your network. The deep learning model is trained on millions of samples of known good and bad files, some examples of which are shown on the slide. It is taught the features (the size, compression settings, printable strings, vendor and so forth) of these files, which are then labelled. The model is then trained on those features to produce a learned model.
When a file is then tested with this model, deep learning evaluates portable executable (PE) files at the time of execution within the sandbox. The engine predicts whether the file is malicious or legitimate based on the file characteristics learnt from the samples the model was trained on. The prediction is returned and the file is categorized as malicious or legitimate.

Application Control works on several levels to help protect your network; the most obvious of these is reducing the attack surface by controlling which applications are allowed. For example, users cannot download infected files through peer-to-peer applications if you are blocking them. Application Control can be used to block:
• Unwanted applications. Some applications are non-malicious and possibly useful in the right context, but are not suitable for company networks. Examples are adware, tools for administering PCs remotely, and scanners that identify vulnerabilities in computer systems
• Peer-to-peer networking applications. P2P applications can contain vulnerabilities, and because they act as servers as well as clients they can be more exposed to remote exploits
• High risk applications. Sophos categorizes all applications, so you can apply the high risk application control policy and it will block all (and any new) applications categorized as high risk. For example, proxy and web storage applications are often high risk
• Very high risk applications. In the same way as for the high risk category, the very high risk category allows you to block all applications classified as very high risk. Examples are TOR proxy, SuperVPN and AppVPN

Application Control (Delivery)
Configure Application Rules to restrict access to specific applications.

On average, 60% of application traffic is going unidentified.
Static application signatures don't work for custom, obscure or evasive apps, or for any apps using generic HTTP or HTTPS. Synchronized App Control on XG Firewall automatically identifies unknown applications, enabling you to easily block the apps you don't want and prioritize the ones you do. This means you can now identify, and deal with, the unknown threats and unwanted apps running on your network, putting the organization at risk and impacting user productivity.

Synchronized App Control (Delivery)
• XG Firewall sees app traffic that does not match a signature
• Sophos Endpoint shares the app name, path and even category with XG Firewall for classification
• XG Firewall automatically categorizes and controls the app where possible, or the admin can manually set the category or policy to apply

Users continue to be the easiest target for attackers, but an army of trained, phishing-aware employees can provide you with a human firewall against these threats.

Let's look at the next stage, Exploitation, which is defined by leveraging a vulnerability to execute code on a victim's machine. An exploit is basically a method or a tool used for abusing software bugs for nefarious purposes.

Protecting Against Exploits (kill chain stage: Exploitation)
By their very nature, web servers need to be accessible from the Internet, but this makes them targets for attackers who may be trying to extract data or install malware to compromise other users visiting the website. Attacks can take many forms, including cross-site scripting (XSS), protocol violations and anomalies, tampering with cookies (which cookie signing defends against), SQL injection, or other generic attacks.

Web Server Protection (Exploitation)
(Slide: an attacker on the Internet sends XSS, protocol violations, SQL injection and generic attacks, which the firewall stops before they reach the web servers.)
Sophos XG Firewall includes comprehensive Web Server Protection, bundled with preconfigured templates to make protecting commonly used web-facing servers like Microsoft Exchange as easy as possible. Web Server Protection acts as a reverse proxy, protecting web servers on the internal network or DMZ from inbound traffic. It uses a web application firewall to filter traffic, harden forms, sign cookies, and scan for malware. Web Server Protection can also authenticate incoming connections with a username and password before they even reach the web server.
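Cookie signing, one of the Web Server Protection functions listed above, is easy to show in code. The block below is an added example written for this handout; it is not Sophos code and not how SFOS implements the feature. A reverse proxy holds an HMAC key the backend never sees, attaches a companion signature cookie to every cookie the backend sets, and on the way back in drops any protected cookie whose signature is missing or no longer matches its value. The key, the cookie names and the `--sig` suffix are assumptions made for the example.

```python
# Added example (not Sophos code): HMAC cookie signing at a reverse proxy.
# The key, cookie names and the "--sig" suffix are assumptions for this demo.
import hashlib
import hmac
import secrets

SIG_SUFFIX = "--sig"
WAF_KEY = secrets.token_bytes(32)     # proxy-side secret; the backend never sees it


def _mac(key, name, value):
    # Bind the signature to the cookie name as well as its value, so a valid
    # signature for one cookie cannot be replayed under a different name.
    msg = f"{name}={value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_outbound(set_cookies, key=WAF_KEY):
    """For each (name, value) the backend sets, add a companion signature cookie.
    Cookie attributes (Path, Domain, Expires) are left out of this sketch."""
    out = []
    for name, value in set_cookies:
        out.append((name, value))
        out.append((name + SIG_SUFFIX, _mac(key, name, value)))
    return out


def verify_inbound(cookie_header, key=WAF_KEY, protected=()):
    """Parse a Cookie request header and keep only cookies whose signature
    verifies. Cookies named in `protected` must carry a valid signature;
    other cookies (e.g. ones set by client-side JavaScript) pass through.
    Returns (accepted dict, list of rejected cookie names)."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            n, v = part.strip().split("=", 1)
            jar[n] = v
    accepted, rejected = {}, []
    for name, value in jar.items():
        if name.endswith(SIG_SUFFIX):
            continue                          # handled with its base cookie
        sig = jar.get(name + SIG_SUFFIX)
        if sig is None:
            if name in protected:
                rejected.append(name)         # signature missing
            else:
                accepted[name] = value        # unsigned, not protected
            continue
        # Constant-time comparison; a mismatch means the value was altered
        # after the proxy signed it (or it was signed with another key).
        if hmac.compare_digest(sig, _mac(key, name, value)):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


def rebuild_cookie_header(accepted):
    """Cookie header forwarded to the backend, signature cookies stripped."""
    return "; ".join(f"{n}={v}" for n, v in accepted.items())


if __name__ == "__main__":
    issued = sign_outbound([("session", "abc123"), ("role", "user")])
    header = "; ".join(f"{n}={v}" for n, v in issued)
    print(verify_inbound(header, protected=("session", "role")))
    print(verify_inbound(header.replace("role=user", "role=admin"),
                         protected=("session", "role")))
```

Because the backend sees only the cookies the proxy accepted, a client that rewrites `role=user` to `role=admin` never reaches the application with that value. A production proxy would additionally have to rewrite the Set-Cookie header attributes and decide what to do with rejected requests (drop the cookie, or reject the request outright).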
[Slide diagram: the same attack traffic now passing through XG Firewall in front of the web servers]

Vulnerabilities and exploit kits can be protected against using an Intrusion Prevention System (IPS). IPS monitors network traffic as it passes through the XG Firewall for malicious activity. It logs the activity, attempts to block it to prevent the infection, and then reports the activity. Note that intrusion prevention is not designed to replace applying software patches to fix bugs and security vulnerabilities.

Intrusion Prevention System (IPS)

[Slide diagram: endpoint, XG Firewall, Internet]
• Monitors network traffic for malicious activity
• Blocks and reports activities to prevent network infections

Command and Control

This attack phase is where the installed malware makes a connection to a Command and Control (C2) server. In a typical APT lifecycle, the communication with the Command and Control host is a repeated process. This allows the malware to adapt as the attacker gains more knowledge. Some of the more complex malware, such as Emotet, communicates with remote servers for further instructions or updates, or to upload and download further files.

Anatomy of Attack
• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, etc.
• Exploitation: leveraging a vulnerability or functionality to execute code on the victim's machine
(the phases above are pre-breach)
• Installation: installing malware on the asset
• Command and Control: command channel for remote manipulation of the victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal
(the phases above are post-breach)

Exploitation and Command and Control Connections

Advanced Threat Protection (ATP) monitors all outgoing traffic globally. It blocks outgoing network traffic that attempts to contact command and control servers, which prevents remote access Trojans from reporting back to their malicious servers. If ATP detects a threat, an alert is recorded and the number of detections is shown in the Control Center. The administrator can then check the alert for additional information about the threat, such as:
• The affected device's IP address
• The affected device's hostname
• The threat and the number of times the rule was triggered
• The user and the offending process

This allows the administrator to clean up the threat while the device is isolated, protecting the rest of the network from becoming infected.

Advanced Threat Protection (ATP)

[Slide diagram: computers, XG Firewall, Internet]
• Globally monitors all outgoing traffic
• Detects and blocks malicious outgoing traffic
• Records an alert in the Control Center of the XG Firewall
• Allows isolation of the device and threat clean-up

The final stage of the attack anatomy, Behaviour, varies depending upon the type of malware. For example, a ransomware attack will look to encrypt data and demand a ransom, whereas spyware tends to log the keystrokes of victims to gain access to passwords or intellectual property.

Next, we will review some of the protection components which form part of XG Firewall to detect malicious threats.
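Returning to the ATP passage above: here is an added example (not Sophos code) of the detection loop it describes, run over constructed connection records. Only outgoing traffic is considered, each destination is checked against a small indicator list by IP, network and (via the TLS SNI) domain, and hits are aggregated into alerts carrying the fields the text lists: device IP, hostname, user, process, threat and the number of times the rule fired. The log format, the indicator list and the sample records are invented for the example; real ATP uses Sophos-maintained threat intelligence rather than a hand-written list.

```python
"""Added example: ATP-style detection of outbound command-and-control traffic.
Not Sophos code; log format, indicator list and sample records are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed indicators, using RFC 5737 documentation ranges so nothing real is named.
C2_IPS = {ipaddress.ip_address("203.0.113.45")}
C2_NETS = [ipaddress.ip_network("198.51.100.0/24")]
C2_DOMAINS = {"update-check.example"}  # matches this host and any sub-domain of it


@dataclass
class Alert:
    src_ip: str
    hostname: str
    threat: str
    user: str
    process: str
    count: int = 0


# Constructed record format: one connection per line, key=value pairs.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+)(?: sni=(?P<sni>\S+))? dport=(?P<dport>\d+) dir=(?P<dir>\w+)"
)


def classify(dst: str, sni: Optional[str]) -> Optional[str]:
    """Return the indicator the destination matches, or None if it is not known-bad."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if ip in C2_IPS:
        return f"ip:{ip}"
    for net in C2_NETS:
        if ip in net:
            return f"net:{net}"
    if sni:
        labels = sni.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):           # never match on the bare TLD
            candidate = ".".join(labels[i:])
            if candidate in C2_DOMAINS:
                return f"domain:{candidate}"
    return None


def detect(lines: Iterable[str]) -> Dict[Tuple[str, str], Alert]:
    """Block-and-alert loop: one alert per (source, indicator), counting repeat hits."""
    alerts: Dict[Tuple[str, str], Alert] = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dir"] != "out":             # ATP only looks at outgoing traffic
            continue
        threat = classify(m["dst"], m["sni"])
        if threat is None:
            continue
        key = (m["src"], threat)
        alert = alerts.setdefault(key, Alert(m["src"], m["host"], threat, m["user"], m["proc"]))
        alert.count += 1
    return alerts


# Constructed sample: a beaconing workstation, a clean browser session, a server
# contacting a bad network, and an inbound connection that ATP ignores.
SAMPLE_LOG = [
    "src=10.1.2.30 host=WS-FIN-07 user=alice proc=svch0st.exe dst=203.0.113.45 dport=443 dir=out",
    "src=10.1.2.30 host=WS-FIN-07 user=alice proc=svch0st.exe dst=203.0.113.45 dport=443 dir=out",
    "src=10.1.2.31 host=WS-HR-02 user=bob proc=chrome.exe dst=192.0.2.10 sni=www.example.com dport=443 dir=out",
    "src=10.1.2.40 host=SRV-APP-01 user=svc-app proc=python.exe dst=198.51.100.77 sni=cdn.update-check.example dport=8443 dir=out",
    "src=203.0.113.45 host=- user=- proc=- dst=10.1.2.30 dport=443 dir=in",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG).values():
        print(alert)
```

Aggregating on (source, indicator) rather than on every packet is what keeps a beaconing host from flooding the alert list while still recording how often the rule triggered, which is the count the administrator sees next to the alert.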
[Anatomy of Attack diagram repeated, with the Behaviour phase highlighted]

Protecting Against Malicious Behaviour

Server Protection and Intercept X can be used to assign every device a health status. In the event that a device is compromised, it can be automatically isolated from other parts of the network at the firewall, and the healthy devices around it also block network connections from it. This limits the fallout of a breach, the spread of malware and the lateral movement of an attacker, even on the same broadcast domain or network segment, where the firewall has no opportunity to block the traffic. We are effectively pushing isolation enforcement out to the endpoints so that they help the firewall isolate any threat and keep the network secure. This stops a threat or attacker attempting to move laterally.

Automatic Device Isolation

[Slide diagram: servers, endpoints and an infected host on the same network behind XG Firewall, linked by Security Heartbeat™]
• XG Firewall instantly informs all healthy endpoints to ignore any traffic from a compromised device.

Email Protection

Email protection stops data from being leaked outside of the organization by email. You can create data control lists from content control lists (CCLs). CCLs are based on common financial and personally identifiable data types, for example credit card or social security numbers, and postal or email addresses.
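As an added illustration of the content control list matching described above (not Sophos code; the CCL definitions, the validation rules, the policy and the sample message are all constructed here), the following shows why a useful CCL is more than a regular expression: a credit card candidate is only reported if it passes the Luhn check, and a social security number candidate only if its area and group numbers are ones that can be issued, which removes most of the false positives that a bare digit pattern would produce. Policy evaluation is simplified to ordered rules whose first match wins.

```python
"""Added example: CCL-style matching for email data loss prevention.
Not Sophos code; the CCL patterns, validators, policy and message are constructed."""
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class Hit(NamedTuple):
    ccl: str
    sample: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every valid payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def is_card(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_ssn(candidate: str) -> bool:
    """Reject area/group/serial values that are never issued (000, 666, 9xx, 00, 0000)."""
    area, group, serial = candidate.split("-")
    return (area not in {"000", "666"} and not area.startswith("9")
            and group != "00" and serial != "0000")


# Each CCL is a candidate pattern plus a validator that confirms the candidate.
CCLS: Dict[str, Tuple[re.Pattern, Callable[[str], bool]]] = {
    "credit-card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), is_card),
    "us-ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), is_ssn),
    "email-address": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda s: True),
}


def scan(text: str) -> List[Hit]:
    """Return every validated CCL match in the message body."""
    hits: List[Hit] = []
    for name, (pattern, validate) in CCLS.items():
        for m in pattern.finditer(text):
            if validate(m.group()):
                hits.append(Hit(name, m.group()))
    return hits


# Constructed policy: ordered (CCL, action) rules, first matching rule wins.
POLICY = [
    ("credit-card", "block"),
    ("us-ssn", "block"),
    ("email-address", "allow"),
]


def apply_policy(hits: List[Hit]) -> str:
    found = {h.ccl for h in hits}
    for ccl, action in POLICY:
        if ccl in found:
            return action
    return "allow"


# Constructed sample message: one real-looking card, one 16-digit number that is
# not a card, one valid and one invalid SSN, and an e-mail address.
SAMPLE_MESSAGE = ("Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456, "
                  "SSN 123-45-6789 (not 000-12-3456), contact alice@example.com")

if __name__ == "__main__":
    found = scan(SAMPLE_MESSAGE)
    print(found)
    print(apply_policy(found))
```

The order number in the sample message has the same shape as a card number but fails the Luhn check, so it is not reported; that distinction is what makes a CCL usable on real mail without a flood of false positives.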
When XG Firewall finds a match for the specified information, it applies the action specified in the policy.

Digital security and physical security have many parallels. Think of a building and how it could be protected. If you were to build nothing but a giant wall, it may prove difficult to climb over, but eventually someone will find a way to get over it (or under it). Now consider a fortress: armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors. It may be possible to hop the wall, but you still have many additional hurdles ahead of you. Single layers are simple to build but are also simple to bypass. Our goal has always been to build fortresses, so that multiple security elements are present to detect movement across assets and for attacks to be detected and stopped.

Summary

[Slide: the protection components mapped against the Anatomy of Attack phases Reconnaissance, Weaponization, Delivery and Exploitation (pre-breach) and Installation, Command and Control and Behaviour (post-breach)]
• NETWORK PROTECTION: stop unknown and sophisticated threats; advanced networking protection; automatically responds to incidents
• ADVANCED THREAT PROTECTION: detect and block C&C traffic
• APPLICATION CONTROL: block undesired applications (proxies, hacking tools, sniffers; out-of-date browsers and office apps)
• MALWARE SCANNING: on-board antivirus engines; Sophos Sandstorm
• DATA LOSS PREVENTION: email
• WEB PROTECTION: prohibited website blocking
• INTRUSION PREVENTION: Local Security Authority (LSASS); Security Account Manager (SAM)
• EMAIL PROTECTION: inbound antivirus and anti-spam scanning (with SPF and DKIM); SPX Email Encryption
• SANDSTORM WITH DEEP LEARNING: time-of-click URL protection
• WEB SERVER PROTECTION: blocks known attack techniques; Active Adversary Mitigations; reverse proxy authentication
• SYNCHRONIZED SECURITY: Heartbeat™ links your Sophos endpoints with XG Firewall; automatic device isolation; Synchronized App Control; identify infected systems; monitor network health

Zero Trust

Traditionally, cybersecurity has involved creating a security perimeter and trusting that everything inside that perimeter is secure. This is a vulnerable design: once an attacker or unauthorized user gains access to the network, that individual has easy access to everything inside it and can progressively search for the key data and assets that are ultimately the target of the attack. The corporate network perimeter defensive line no longer exists. With increased attack sophistication and insider threats, organizations cannot guarantee that everything on the inside of their network can be trusted. Zero Trust is a relatively new and evolving approach to network design, but it is also part of a wider mindset based on the principle of trusting nothing and checking everything. With Zero Trust, no user is trusted, whether inside or outside of the network.

Zero Trust Overview

[Slide diagram: the traditional "trusted" perimeter]
• Zero Trust is a cybersecurity mindset based on the principle of trust nothing, check everything.

The number of remote users who work away from the office, using their own personal devices to access corporate data and resources over untrusted networks such as coffee shop Wi-Fi, is increasing. The use of SaaS apps, cloud platforms and services leaves some data outside of the corporate perimeter, and the use of public cloud platforms means that many of the devices or services that once ran within the corporate perimeter now run outside of it. In short, secure every device you have as if it were connected directly to the Internet.
[Slide diagram: the "trusted" perimeter with SaaS and remote users now outside it]

Network Segmentation

[Slide diagram: XG Firewall between the Internet and switched segments for devices, applications and users; surrounding Sophos products: Cloud Optix, Managed Threat Response, Server, Phish Threat, Email, Wireless, Intercept X, Encryption, Mobile]

On the firewall side, network segmentation, or even micro-segmentation around your users, devices, apps, networks and so on, provides one of the key benefits of the Zero Trust strategy. Dynamic policies are at the center of XG Firewall, with multiple sources of data available to leverage as part of a policy: identity, time of day, network location, device health, network packet analysis, and more. All of these different sources of data can be used in different combinations depending on the scenario. Segmenting your network into smaller and more granular subnets, and securing them together through your firewall, helps to limit exposure in the event that one segment becomes compromised. In practice it works well, but in some cases it can add unwanted expense, infrastructure and management overhead, and it can impact performance.

It takes a lot of technologies to secure all the resources and assets you will have on a network. There is no single vendor, product or technology that will solve all your problems, but Sophos has a wide range of technologies to help you secure multiple resources and assets at the same time. Server Protection and Intercept X can be used to assign every device a health status. In the event that one is compromised, the device can be automatically isolated, and network connections between devices can be blocked to limit the fallout of a breach, the spread of malware or the lateral movement of an attacker. Our Managed Threat Response (MTR) service can monitor user activity across the estate and identify potentially compromised user credentials.
Sophos Mobile, our UEM solution, can be used to support BYOD or to manage all kinds of mobiles, laptops and desktops. Compliance policies can be put in place to ensure a strong baseline configuration, and any drift will cause that device to have its access to resources revoked automatically.

Sophos Central has you covered for all of these. Our cloud-native cybersecurity platform orchestrates all of our technologies in a single console, providing you with oversight of all technologies in a single place, and APIs to wire together any other third-party technologies you are using.

Lateral Movement Protection

[Slide diagram: XG Firewall between the Internet and a switched local area network containing an endpoint, an infected host and an application server]

As shown in our Anatomy of Attack topic, Lateral Movement Protection effectively provides an adaptive micro-segmentation solution. With Lateral Movement Protection, each individual endpoint is effectively on its own segment, able to be isolated in response to an attack or threat regardless of the network topology. XG Firewall uniquely integrates the health of connected hosts into your firewall rules, enabling you to automatically limit access to sensitive network resources from any compromised system until it is cleaned up. This is made possible by Synchronized Security, our cross-portfolio approach to analyzing system and network activity, adapting to scenarios through dynamic policy, and automating complex tasks such as isolating machines.

Summary
• There is no 'inside' the network: pretend you are running your business from a coffee shop and all your devices are connected directly to the Internet.
• Trust nothing, verify everything: assume attackers are on both the inside and the outside and persist at all times. No user or device should be automatically trusted. Identify. Control. Analyze. Secure.
• Security should adapt in real time: security policies should be dynamic and automatically change based on insight from as many sources of data as possible.

At its essence, there are a few major concepts for Zero Trust that you should keep in mind along your journey.

There is no "inside" the network. Pretend that you are running your entire business from an untrusted location such as a coffee shop and that all your devices are connected directly to the most dangerous of all networks, the public Internet. By imagining this as the reality, we are forced to apply security in ways that do not rely on being behind a traditional corporate perimeter. There will always be corporate "trusted" networks for administration and in-house systems, but the goal is to keep ordinary users off these networks, using app proxies and other technologies, drastically reducing the attack surface.

Next, trust nothing, verify everything. Assume that there are attackers both on the inside of your networks and on the outside, that they are there all the time, and that they are constantly trying to attack. No user or device should be automatically trusted. By imagining we are under constant attack from every direction, we are pushed to build rock-solid authentication and authorization to resources, to layer the defenses, and to constantly monitor and analyze everything happening across the estate.

Lastly, security should adapt in real time. The security policies we put in place to achieve Zero Trust should be dynamic and change automatically based on insight from as many sources of data, and from as many different technologies, as possible. A static policy such as THIS USER on THIS DEVICE can access THIS THING will not protect you if that device has been compromised while that user is on it. If your policy also took device health into account, such as the identification of malicious behaviours, it could dynamically adapt to the situation with zero effort from an admin.
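The Lateral Movement Protection passage and the dynamic policy discussion above describe one mechanism from two sides, so here is a single added example covering both (not Sophos code, and a simplification of how Security Heartbeat and XG firewall rules actually interact). Endpoints report a health colour to the firewall; rules can demand a minimum source health and can treat hosts without a heartbeat as untrusted; and when a host turns red, the firewall pushes an isolation entry to every healthy endpoint, which then drops that host's traffic locally, even on a segment the firewall never sees. The zones, rule fields, hosts and the shape of the firewall-to-endpoint message are assumptions made for the example.

```python
"""Added example: heartbeat-aware firewall rules plus endpoint-enforced isolation.
Not Sophos code; zones, rule fields and the firewall-to-endpoint message are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, Optional, Set, Tuple


class Health(IntEnum):
    """Ordered so that a rule can require 'at least this good'."""
    RED = 0
    YELLOW = 1
    GREEN = 2


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    min_src_health: Optional[Health] = None  # None: the rule ignores heartbeat
    block_missing_heartbeat: bool = False    # treat sources with no agent as untrusted


@dataclass
class Endpoint:
    ip: str
    health: Health = Health.GREEN
    blocked_peers: Set[str] = field(default_factory=set)  # pushed down by the firewall

    def accepts(self, src_ip: str) -> bool:
        """Local enforcement: applies even when traffic never crosses the firewall."""
        return src_ip not in self.blocked_peers


# Constructed topology: which zone an address belongs to.
ZONES = [(ipaddress.ip_network("10.1.0.0/16"), "LAN"),
         (ipaddress.ip_network("10.2.0.0/16"), "DMZ")]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((zone for net, zone in ZONES if addr in net), "WAN")


class Firewall:
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.endpoints: Dict[str, Endpoint] = {}

    def register(self, ep: Endpoint) -> None:
        self.endpoints[ep.ip] = ep

    def heartbeat(self, ip: str, health: Health) -> None:
        """An endpoint reports its health. RED isolates it; anything better lifts isolation."""
        self.endpoints[ip].health = health
        for peer in self.endpoints.values():
            if peer.ip == ip:
                continue
            if health == Health.RED:
                peer.blocked_peers.add(ip)
            else:
                peer.blocked_peers.discard(ip)

    def evaluate(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """First matching rule decides; an unmet heartbeat requirement turns it into a deny."""
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        src = self.endpoints.get(src_ip)
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
                continue
            if rule.min_src_health is not None:
                if src is None:
                    if rule.block_missing_heartbeat:
                        return "deny", f"{rule.name}: no heartbeat from {src_ip}"
                elif src.health < rule.min_src_health:
                    return "deny", f"{rule.name}: {src_ip} health is {src.health.name}"
            return "allow", rule.name
        return "deny", "implicit deny"


def build_demo() -> Firewall:
    """Constructed estate: two workstations in the LAN and an application server in the DMZ."""
    fw = Firewall([
        Rule("LAN to servers", "LAN", "DMZ", min_src_health=Health.GREEN, block_missing_heartbeat=True),
        Rule("LAN to Internet", "LAN", "WAN", min_src_health=Health.YELLOW),
    ])
    for ip in ("10.1.0.10", "10.1.0.11", "10.2.0.5"):
        fw.register(Endpoint(ip))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print(fw.evaluate("10.1.0.10", "10.2.0.5"))             # ('allow', 'LAN to servers')
    fw.heartbeat("10.1.0.10", Health.RED)
    print(fw.evaluate("10.1.0.10", "10.2.0.5"))             # denied at the firewall
    print(fw.endpoints["10.1.0.11"].accepts("10.1.0.10"))   # False: the peer drops it locally
```

The point of the two-layer enforcement is visible in the last line: 10.1.0.10 and 10.1.0.11 are on the same subnet, so the firewall never sees traffic between them, yet the healthy workstation still refuses the infected one because the isolation decision was pushed to it. A host with no agent at all is handled by the rule, not by the endpoints: the server rule denies it, while the Internet rule, which does not set block_missing_heartbeat, still lets it out.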
Our Synchronized Security products can share the unique insights they each have with one another, which enables adaptive, dynamic policies that take advantage of all these insights, so that a policy is never static and easily circumvented. Much of this is just good security policy and best practice which you may already be doing. Additionally, if you have prepared for GDPR, you have done a lot of this work already.

Module Review

Now that you have completed this module, you should be able to:
• List the deployment options available for the XG Firewall
• Identify the features of the XG Firewall and how they protect against common threats

If you are not confident that you have met these objectives, please review the material covered in this module.

Hi there, this is the Getting Started with XG Firewall module for XG Firewall v18.0.

Sophos Certified Engineer XG Firewall v18.0, ET801 – Getting Started with XG Firewall, July 2020, Version: 18.0v3
Module 2: Getting Started with XG Firewall

In this module you will learn how to connect and configure an XG Firewall with the basic settings necessary to get up and running. You will begin to manage the XG Firewall with the WebAdmin and learn about the core concepts and objects, ready to configure rules and policies in later modules.

Module contents:
• Common Deployment Scenarios: gateway, bridge and mixed mode; web server protection
• Deployment and Setup: deployment options; console and WebAdmin; initial setup wizard
• Navigation and Management: navigating the WebAdmin; managing objects; profiles
• Interfaces and Routing: zones; interfaces; routing
• DNS and DHCP: configuring DNS; DHCP servers; DHCP relay
• Device Access and Administration: device access; certificates

Common Deployment Scenarios

Gateway Mode

[Slide diagram: XG Firewall with Port A in the LAN zone, Port B in the WAN zone facing the Internet, and Port C in the DMZ zone]

Let's take a minute to look at some of the most common ways XG Firewall is deployed. The most common scenario is where you are looking to replace an aging firewall and need to protect your internal network. The XG Firewall is deployed to handle the core routing and to act as the first line of defense against network threats. This is shown here with the XG Firewall in gateway mode: Port A is configured for the LAN zone, Port B for the WAN, and Port C for the DMZ. Any network threats trying to reach either the LAN or the DMZ zone will be stopped by the XG Firewall. This is the type of deployment we will be focusing on in this course.
Bridge Mode

[Slide diagram: an existing firewall handles the WAN zone and the Internet; XG Firewall bridges Port A (LAN zone) and Port C (DMZ zone), adding Synchronized Security, Intrusion Prevention and Advanced Threat Protection]

Another common type of deployment is where there is an existing firewall that handles the WAN connectivity and is not going to be replaced. This is often done to add protection capabilities not offered by the existing firewall. So that you do not need to change the IP address scheme of the network, the XG Firewall can be deployed in bridge mode, which is also known as transparent mode or inline mode. In this mode the clients on the network are unaware of the XG Firewall and traffic passes through without the IP addresses being changed, while still allowing XG Firewall to scan for and protect against threats.

Web Application Firewall

[Slide diagram: an existing firewall in front of XG Firewall, which protects a DMZ containing a web server, an app server, a file server and a database against buffer overflows, privilege escalation and SQL injection]

XG Firewall may also be added to a network to protect web applications. There are often many components that make up a web application, including web servers, databases, file servers and so forth, which means there is also a wide range of attacks that can be launched at them. In the example here, the XG Firewall protects the web application from common attacks including buffer overflows and SQL injection.
Discover Mode

[Slide diagram: an existing firewall handles the WAN; XG Firewall is attached to a switch through a port-mirroring port (discover mode enabled on Port A), with a separate management port, and produces a Security Audit Report]

The last type of deployment we will look at is generally used for evaluating the capabilities of XG Firewall without the need to make any changes to the network. In this example, the XG Firewall is connected to a port on the switch that has port mirroring enabled, so that a copy of all the traffic is sent to the XG Firewall. While the XG Firewall cannot influence the live traffic on the network, it can log and report on what it sees, and from this you can see the additional protection it could add to the network. This is called discover mode.

Deployment and Setup

Connecting the XG Firewall to the Network

• 1/LAN: the default LAN port to connect to for initial configuration
• 2/WAN: the default WAN port; a different port can be selected in the initial setup wizard

To set up the XG Firewall you need to start by connecting it to power and then connecting the LAN and WAN ports. On hardware XG Firewalls the default LAN and WAN ports will be marked. On software and virtual XG Firewalls these will be the first and second network cards. You will have the option to modify these ports either during the initial setup or once the setup is complete.
Command Line Interface (CLI)

• Accessible via SSH or a console connection
• Default credentials: username admin, password admin
• These credentials are changed as part of the initial setup wizard

Although the XG Firewall is managed through a web interface, it also has a command line interface (CLI) that is accessible through SSH, a console connection, or a monitor and keyboard physically connected to the device. You may want to use the CLI to change the IP address of the management port to be in your LAN IP range so that you can connect to the WebAdmin to complete the initial setup wizard. To log in to the CLI, use the password of the built-in 'admin' user. The default admin password is 'admin'; you change this as part of the initial setup wizard. Until you do, anyone who can reach the management port can log in with it, so complete the setup before the device is exposed to a wider network.

Console connection parameters:
• Baud rate (speed): 38,400
• Data bits: 8
• Stop bits: 1
• Parity and flow control: none

WebAdmin

• Default IP address: 172.16.16.16 (/24)
• Port: 4444
• WebAdmin URL: https://DeviceIP:4444

Sophos XG Firewall is configured and managed through a web interface. By default, the device's IP address is 172.16.16.16 and the WebAdmin on a Sophos XG Firewall runs on port 4444, so to connect to the WebAdmin on a brand new device you would browse to https://172.16.16.16:4444. Note that you will receive a certificate warning when connecting to the XG Firewall, because it is using a self-signed certificate that your browser does not trust. This is expected on a new device, but it also means the connection cannot yet be verified, so perform the initial setup from a directly connected or otherwise isolated network.

Initial Setup Wizard

• Set a new admin password
• Agree to the licence
• Update the firmware
• Optionally: restore a backup configuration, or connect as a high-availability spare

We will now walk through the initial setup of an XG Firewall.
On the first page you set a new admin password and accept the terms and conditions. Note that if you are configuring this on behalf of someone else, they must accept the terms and conditions. By default the XG Firewall will download and install the latest firmware as part of the initial setup; you can deselect this to postpone it until later. You also have the option to restore a configuration backup, or to connect the XG Firewall as an auxiliary device to a high-availability pair. Both of these options lead to a different initial setup from the full one we are going to show here.

Initial Setup Wizard: Configure the Internet connection

• This step is skipped if the WAN port is configured by DHCP

The XG Firewall requires an Internet connection for registration and, if selected, for downloading the latest firmware. You can choose which port to configure the WAN connection on, then you need to specify the IP address, subnet, DNS server and gateway. When you save these settings the XG Firewall will test the connectivity and then allow you to continue with the initial setup. Note that if the WAN port is connected to a network that provides DHCP, this step will be skipped.

Initial Setup Wizard: Hostname and time zone

You can enter a hostname for your XG Firewall and optionally modify the automatically selected time zone.

Initial Setup Wizard: Register the XG Firewall

• Enter the serial number; this is prefilled on hardware devices
• Optionally: start a trial, migrate a UTM license, or defer registration

The next step is to register the XG Firewall. If you have a serial number you can enter it to register your firewall. On hardware XG Firewalls this will be prefilled.
You also have the option to migrate an existing UTM license, start a trial, or defer the registration for 30 days. Deferring the registration can be useful if you are preparing an XG Firewall prior to taking it on site. Note that while registration is deferred there are a number of features that you are unable to use. To complete the registration you need to log in with your Sophos ID, and the XG Firewall will then synchronize the license.

Initial Setup Wizard: Configure the LAN network (hardware devices)

• Select which ports to bridge together to create the LAN
• Select the gateway
• Configure the IP address
• Optionally enable DHCP

You have the option to configure the local network, and this differs depending on whether you are deploying a hardware, virtual or software XG Firewall. We will start by looking at hardware devices. Here you can select which ports to use for the LAN; all selected ports are used to create a single bridged LAN interface. You can select the gateway for the LAN network to be either the XG Firewall or an existing gateway, in which case the LAN will be bridged to the WAN. You can configure the IP address for the XG Firewall and optionally enable DHCP. Note that DHCP cannot be enabled if the XG Firewall is bridging the LAN and WAN.

Initial Setup Wizard: Configure the LAN network (virtual and software devices)

• Select the LAN port
• Select the gateway mode
• Configure the IP address
• Optionally enable DHCP

For virtual and software devices the configuration is very similar, except that instead of selecting ports to create a LAN bridge interface you select a single LAN port.

Initial Setup Wizard: Enable protection in the default outbound firewall rule

As part of the initial setup wizard the XG Firewall creates a default firewall rule for outbound traffic.
Here you have the option of enabling various security options for that firewall rule:
• Protect users from network threats enables an IPS policy
• Protect users from suspicious and malicious websites enables a web policy
• Scan files that were downloaded from the web for malware enables malware scanning
• Send suspicious files to Sophos Sandstorm enables Sandstorm scanning; this requires 'Protect users from suspicious and malicious websites' to be enabled

Initial Setup Wizard: Notifications and backups

• Enter an email address and sender for notifications
• Optionally specify an internal mail server for notifications
• Optionally enable automatic backups and enter an encryption password

The last piece of configuration is for notifications and backups. Here you configure the recipient and sender email addresses for notifications. You can optionally choose to configure an internal email server to use for sending these. You can also enable automatic backups; to use this you need to set an encryption password for the backup files. Keep that password somewhere safe outside the firewall, because an encrypted backup cannot be restored without it.

Navigation and Management

WebAdmin: Control Center

When you first log in to the WebAdmin you are presented with the Control Center, which provides a live view of what is happening on the XG Firewall, allowing you to quickly identify anything that requires your attention. The Control Center is broken down into six main areas:
• System
• Traffic insight
• User and device insight
• Active firewall rules
• Reports
• Messages

System: status icons for the XG Firewall's health and services. Each item can be clicked to get more detailed information.

Traffic insight: provides an at-a-glance overview of what is happening on the network and the traffic being processed.
User and device insight: shows the status of users and devices being protected by XG Firewall. This section includes the User Threat Quotient, a risk assessment of users based on their behaviour.

Active firewall rules: displays the usage of firewall rules by type. Below the graph you can see the state of firewall rules over the last 24 hours. Clicking these takes you to the firewall rules, filtered for the selected type of rule.

Reports: access to commonly used reports. These can be opened by clicking on the name of the report or downloaded using the icon to the right of each. It shows when the report was last updated and the size of the file.

Messages: alerts or information for the administrator, including security warnings and new firmware updates. Messages are clickable to access the relevant configuration.

WebAdmin: Main Menu

Down the left-hand side is the main menu for navigating the XG Firewall. This is divided into four sections:

MONITOR & ANALYZE provides access to information, including the current activity on the XG Firewall, reports and diagnostic tools.

PROTECT is for configuring the rules, policies and settings related to protection features.

CONFIGURE is where you set up connectivity, routing, authentication and global settings.
SYSTEM houses the device access settings, as well as the objects and profiles that are used within rules and policies.

WebAdmin: Tabbed Navigation

Each section that is accessible from the main menu is further broken down into tabs for accessing each area of configuration. On some screens, additional, less frequently used tabs can be accessed using the ellipsis on the right-hand side of the tabs.

WebAdmin: Advanced Settings

In the Reports and VPN sections there are additional Show Report Settings and Show VPN Settings options that give access to some of the less often used options related to reports and VPNs. When these settings are accessed, the screen flips to the additional options. You can tell when you are on this screen by the yellow title bar at the top of the page.

WebAdmin: Admin Drop-Down Menu

In the top right is the admin menu. Here you can reboot, shut down, lock and log out of the XG Firewall. This menu also provides links to the support website, the XG licensing page and web-based access to the console.

WebAdmin: Help

On every screen of the XG Firewall there is a context-sensitive link to the online help. When clicked, it opens a separate window. This online version of the XG help is fully interactive and can be browsed by selecting the various items in the left-hand menu.
It can also be searched by keyword, and when a search result is selected it loads the appropriate section of the help file.

http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/index.html

WebAdmin: Log Viewer

Next to the help link is the Log viewer, which opens in a new window to provide access to all of the log files. In the Log viewer you can filter the logs and perform context-sensitive actions. We will explore this in more detail throughout the course.

How-to Guides

The last item in the top right is the how-to guides. This links to a library of videos on our website that demonstrate how to perform common tasks on the XG Firewall.

Objects

• Objects are the building blocks for rules and policies
• Define hosts, networks, services, groups and profiles
• Can be created inline when configuring rules and policies

The XG Firewall uses objects as the building blocks for the configuration of rules and policies. Defining reusable objects once for things such as hosts, services and networks speeds up configuration and simplifies future changes, because there is a single place to make a change. Objects can be created and edited ahead of time, but they can also be created inline when configuring protection features. This means that you do not have to navigate away from what you are configuring to create an object; you have the option to create it where you need it. There are two types of object: hosts and services, and profiles. These can be found in the SYSTEM section of the XG Firewall.
Module 2: Getting Started with XG Firewall - 93

Hosts: IP

• IP version and host type cannot be changed after the object has been created
• IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but not IP lists

IP host objects can represent a single IP address, a subnet, a range of IP addresses or a list of IP addresses, for either IPv4 or IPv6. The object has a name and must then be configured with an IP version (IPv4 or IPv6) and a type. Note that the IP version and type cannot be modified after the object has been created. You then provide the data for the type of object you selected. Note that IP address lists are comma separated.

IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but not IP lists.

Module 2: Getting Started with XG Firewall - 95

Hosts: MAC

• Type cannot be changed after the object has been created
• Lists are comma separated

MAC host objects can be created for individual MAC addresses or for MAC address lists. The MAC host object has a name and must then be configured with a specific type, MAC address or MAC list; this cannot be changed once the object has been saved. MAC address lists are comma separated.

Module 2: Getting Started with XG Firewall - 96

Hosts: FQDN

• Supports a wildcard prefix to resolve sub-domains
• Can be grouped with FQDN host groups

FQDN hosts are used to define fully qualified domain names. FQDN host objects can include a wildcard prefix to resolve sub-domains, for example *.sophos.com. FQDN host groups allow you to create a collection of FQDN host objects to further simplify using objects in rules and policies.
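The constraints on the three Hosts slides above are easier to check against something that runs. The following is an added example written for this handout; it is not Sophos code and not the XG Firewall's own implementation. The class names, the `contains` and `matches` helpers and the sample addresses are the example's own assumptions, MAC hosts are not modelled, and because the slide does not say whether `*.sophos.com` also matches the bare `sophos.com`, the wildcard is treated as covering sub-domains only.

```python
"""Model of XG Firewall IP host, IP host group and FQDN host objects.

Added example for this handout, not Sophos code. It enforces the rules the
Hosts slides state: one IP version and one type per IP host, fixed at
creation; comma separated lists; no IP list objects inside IP host groups;
an FQDN host may carry a "*." prefix for sub-domains. Class and method
names are this example's own; the wildcard covers sub-domains only, since
the slide does not say whether the bare domain matches (assumption).
"""
import ipaddress


class IPHost:
    """An IP host object. Version and type cannot be changed after creation."""

    TYPES = ("ip", "network", "range", "list")

    def __init__(self, name, version, kind, value):
        if version not in (4, 6):
            raise ValueError("IP version must be 4 or 6")
        if kind not in self.TYPES:
            raise ValueError(f"unknown IP host type {kind!r}")
        self.name = name
        self.version = version
        self.kind = kind
        self.members = self._parse(kind, value, version)

    def __setattr__(self, attr, val):
        # Mirror WebAdmin: version and type are read-only once they are set.
        if attr in ("version", "kind") and attr in self.__dict__:
            raise AttributeError(f"{attr} cannot be changed after creation")
        super().__setattr__(attr, val)

    @staticmethod
    def _parse(kind, value, version):
        def addr(text):  # one address, checked against the object's IP version
            a = ipaddress.ip_address(text.strip())
            if a.version != version:
                raise ValueError(f"{text.strip()} is not an IPv{version} address")
            return a

        if kind == "ip":
            return [addr(value)]
        if kind == "network":
            net = ipaddress.ip_network(value.strip(), strict=False)
            if net.version != version:
                raise ValueError(f"{value.strip()} is not an IPv{version} network")
            return [net]
        if kind == "range":
            lo, hi = (addr(part) for part in value.split("-"))
            if lo > hi:
                raise ValueError("range start is after range end")
            return [(lo, hi)]
        # "list": comma separated addresses, as on the slide
        members = [addr(part) for part in value.split(",") if part.strip()]
        if not members:
            raise ValueError("IP list is empty")
        return members

    def contains(self, address):
        """True if the address falls inside this object's definition."""
        a = ipaddress.ip_address(address)
        if a.version != self.version:
            return False
        for m in self.members:
            if isinstance(m, tuple):
                if m[0] <= a <= m[1]:
                    return True
            elif isinstance(m, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
                if a in m:
                    return True
            elif a == m:
                return True
        return False


class IPHostGroup:
    """Groups IP hosts of type ip, network or range; IP lists are refused."""

    def __init__(self, name, members=()):
        self.name = name
        self.members = []
        for host in members:
            self.add(host)

    def add(self, host):
        if host.kind == "list":
            raise ValueError(f"{host.name}: IP list objects cannot be grouped")
        self.members.append(host)

    def contains(self, address):
        return any(h.contains(address) for h in self.members)


class FQDNHost:
    """An FQDN host object; a leading '*.' matches the domain's sub-domains."""

    def __init__(self, name, fqdn):
        self.name = name
        self.fqdn = fqdn.strip().lower().rstrip(".")
        self.wildcard = self.fqdn.startswith("*.")
        self.base = self.fqdn[2:] if self.wildcard else self.fqdn

    def matches(self, hostname):
        host = hostname.strip().lower().rstrip(".")
        return host.endswith("." + self.base) if self.wildcard else host == self.base
```

The two error paths worth noticing are the ones WebAdmin enforces silently: an IPv6 object refuses IPv4 data outright, and a group refuses a list object rather than flattening it, so a list that needs grouping has to be rebuilt as a range or several single-address objects.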
Module 2: Getting Started with XG Firewall - 97

Services

• Service based on TCP and UDP ports
• Service based on IP protocol numbers
• Service based on ICMP types and codes

Service objects can be created for:
• TCP and UDP, based on protocol, source port and destination port
• IP, based on protocol number
• ICMP and ICMPv6, based on the ICMP type and code

Each service object is of a single type and can contain one or more definitions. You can also create groups of service objects.

Module 2: Getting Started with XG Firewall - 98

Country Groups

The XG Firewall maintains a GeoIP database that maps IP addresses to countries, and this is updated automatically with the pattern definitions. A number of predefined country groups ship with the XG Firewall, and these can be edited. You can also create custom groups of countries.

Module 2: Getting Started with XG Firewall - 99

Profiles

• Schedule: defines a period of time; recurring or one-off
• Access time: allow or deny action for a schedule
• Surfing quota: browsing time restrictions; recurring or one-off
• Network traffic quota: bandwidth restrictions; separate upload/download or combined
• Decryption: settings for TLS decryption
• Device access: roles for administrators

Profiles are a collection of settings that can be defined and used when configuring protection features.
There are profiles for:
• Schedule, which defines a period of time, either recurring or one-off
• Access time, which defines an allow or deny action for a schedule
• Surfing quota, which defines either recurring or one-off restrictions on browsing time
• Network traffic quota, for upload and download bandwidth quota restrictions
• Decryption, for controlling the decryption of TLS traffic
• Device access, which defines access roles for admins logging into the WebAdmin

Module 2: Getting Started with XG Firewall - 100

Interfaces and Routing

Module 2: Getting Started with XG Firewall - 101

Zones

[Diagram: an XG Firewall with LAN 1 and LAN 2 in the LAN zone, hosted servers in the DMZ zone, and the Internet in the WAN zone.]

The XG Firewall is a zone-based firewall, and it is important to understand what a zone is before we look at interfaces and routing. A zone on the XG Firewall is a logical group of networks where traffic originates or is destined. Each interface is associated with a single zone, which means that traffic can be managed between zones rather than per interface or per network, simplifying the configuration. Note that interfaces and zones are not equivalent: multiple interfaces can be associated with one zone, and each zone can be made up of multiple networks.

Module 2: Getting Started with XG Firewall - 102

Zones

• Zones are created and managed in: CONFIGURE > Network > Zones

The XG Firewall comes with five default zones:
• LAN – this is the most secure zone by default and is for your internal networks
• WAN – this zone is used for external interfaces that provide Internet access
• DMZ – this zone is for hosting publicly accessible servers
• VPN – this is the only zone that does not have a physical port or interface assigned to it.
When a VPN is established, either site-to-site or remote access, the connection is dynamically added to the zone and removed when it disconnects
• WiFi – this zone is for securing wireless networks

With the exception of the VPN zone, the default zones can be customized. Zones are created and managed in CONFIGURE > Network > Zones.

Module 2: Getting Started with XG Firewall - 103

Creating Zones

• Choose whether this is a LAN or DMZ zone
• Access for managing the XG Firewall
• Client authentication services
• Network services
• Other services provided by the XG Firewall

Let's take a look at how you can create your own zones. When you create a custom zone you choose between two types, LAN or DMZ, which indicates the level of trust for the zone. You cannot create additional VPN or WAN type zones, as there can only be one of each.

You then customize the zone to define which services the XG Firewall provides on it and which will be accessible; this is broken down into four categories:
• Admin services, for accessing and managing the XG Firewall
• Authentication services, for user authentication
• Network services, for PING and DNS
• Other services, which controls access to things like the web proxy, wireless access point management, the user portal and so forth

As a rule, enable admin services only on the zones you intend to manage the firewall from: any zone with them enabled can reach the management interface.

Module 2: Getting Started with XG Firewall - 104

Configuring Interfaces

• Interfaces are configured in: CONFIGURE > Network > Interfaces
• Interfaces have to be assigned to a zone
• Interfaces can be given a friendly name
• Interfaces can be configured for IPv4 or IPv6 or both

Now that you know how to create zones, we will look at configuring interfaces. By default, interfaces are named after their hardware device ID, but you can give them a friendly name to make identifying them easier.
To begin configuring the network settings you have to assign the interface to a zone; this determines what IP configuration can be set, as only interfaces in the WAN zone are configured with a gateway. Interfaces can be configured with IPv4 or IPv6 or both, either statically or by DHCP. IPv4 configuration also supports PPPoE.

Module 2: Getting Started with XG Firewall - 107

Interface Types

• BRIDGE: allows two or more interfaces to be combined into a transparent layer 2 or layer 3 bridged interface for seamless communication between them
• ALIAS: an additional IP address added to an interface
• VLAN: a virtual LAN interface created on an existing XG interface, used when the XG Firewall needs to perform inter-VLAN routing or tagging
• LAG: a group of interfaces acting as a single connection, which can provide redundancy and increased speed between two devices
• RED: used to connect Sophos Remote Ethernet Devices back to the XG Firewall

As well as configuring the network adapters in the XG Firewall, there are a number of other interface types that can be created. These are:
• Bridge
• Alias
• VLAN
• LAG
• RED

Module 2: Getting Started with XG Firewall - 108

Interface Types

• TUNNEL: tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to send traffic over the VPN
• WIFI: a wireless network where traffic is routed back to the XG Firewall from the access point instead of directly onto the network the access point is connected to

Additionally, you can create wireless interfaces and IPsec tunnel interfaces. These two interface types are created as part of configuring other functionality on the XG Firewall: IPsec VPNs, and wireless networks using separate zone configuration.

Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to send traffic over the VPN.
WIFI interfaces are created when a wireless network routes traffic back to the XG Firewall using separate zone configuration, instead of onto either the physical LAN the access point is connected to or a VLAN. These will be covered in more detail later in this course.

Module 2: Getting Started with XG Firewall - 109

WAN Link Manager

• WAN link manager is configured in: CONFIGURE > Network > WAN link manager
• Gateway type: Active or Backup
• Failover and failback behaviour
• Rules for detecting failed active gateways

The WAN Link Manager provides an at-a-glance view of the status of your WAN gateways. If you have multiple gateways you can configure each to be either active or backup, and for backup gateways configure the failover rules and behaviour.

Module 2: Getting Started with XG Firewall - 110

Routing

Additional information in the notes

[Diagram: configurable route precedence. Route types shown: SD-WAN policy routes; VPN routes; static routes, which include directly connected networks, dynamic routing protocols and unicast routes; default route (WAN link manager).]

One of the primary functions of a firewall is routing packets from one network to another. The XG Firewall supports multiple methods for building and dynamically controlling the routing, which fall into three main types of route: SD-WAN policy routes, VPN routes and static routes, and these are processed in order.

Policy routes make decisions based on the properties of the traffic, such as source, destination and service. VPN routes are created automatically when VPN connections are established with the XG Firewall. Static routes define the gateway to use based on the destination network; this includes directly connected networks and routes added by dynamic routing protocols. When no other route has matched, the XG Firewall sends the packet on the default route, which is the gateway derived from the load-balancing configuration across the active gateways.
Note that the precedence of policy routes, VPN routes and static routes can be modified on the command line.

[Additional Information]
The command for modifying the route precedence is: system route_precedence

The precedence within static routes depends on the specificity of the route and the distance metric. The more specific the route, the higher its precedence; and the lower the distance, the higher its precedence.

Module 2: Getting Started with XG Firewall - 111

Static Routes

• Network that is not directly connected to the XG Firewall
• Gateway and interface to use to route the traffic
• Static routes are configured in: CONFIGURE > Routing > Static routes

Let's take a look at an example of a static route. If you have a network that is not directly connected to the XG Firewall, the XG Firewall sends traffic destined for it to the default gateway. If the traffic needs to take a different route, you can use a static route. Here you define the destination network, the IP address the traffic should be sent to, and the interface to send it through.

Module 2: Getting Started with XG Firewall - 112

SD-WAN Policy Routes
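Route selection as the Routing and Static Routes slides above describe it, as an added example for this handout; it is not Sophos code and does not reproduce the XG Firewall's routing engine. The tables are consulted in the order the slides give (SD-WAN policy routes, VPN routes, static routes, then the default route from the WAN link manager), with an `order` parameter standing in for what `system route_precedence` changes on the CLI; within the static table the most specific prefix wins and the lowest distance breaks ties. The class names, the constructed sample routes and the way the default route picks one active gateway are all the example's own assumptions.

```python
"""Route selection as the Routing and Static Routes slides describe it.

Added example for this handout, not Sophos code. Tables are consulted in
the slides' order (SD-WAN policy routes, VPN routes, static routes, then
the default route from the WAN link manager); `order` stands in for what
`system route_precedence` changes on the CLI. Connected and dynamically
learnt routes live in the static table, where the most specific prefix
wins and the lowest distance breaks ties. Names, sample routes and the
way the default route picks an active gateway are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class PolicyRoute:
    """SD-WAN policy route: matched on traffic properties, not only destination."""
    name: str
    src_net: str
    dst_net: str
    gateway: str
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))


@dataclass(frozen=True)
class Route:
    """Destination-based route. gateway None = reachable directly on interface."""
    dst_net: str
    interface: str
    gateway: Optional[str] = None
    distance: int = 0


def best_route(routes, dst):
    """Longest prefix match; among equal prefixes the lowest distance wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r.dst_net)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.dst_net).prefixlen, r.distance))


class RoutingTable:
    DEFAULT_ORDER = ("sdwan_policy", "vpn", "static")

    def __init__(self, policy, vpn, static, active_gateways, order=DEFAULT_ORDER):
        self.policy, self.vpn, self.static = list(policy), list(vpn), list(static)
        self.active_gateways, self.order = list(active_gateways), tuple(order)

    def lookup(self, p):
        """Return (table, interface, gateway) for the packet."""
        for table in self.order:
            if table == "sdwan_policy":
                hit = next((pr for pr in self.policy if pr.matches(p)), None)
                if hit is not None:
                    return ("sdwan_policy", None, hit.gateway)
            else:
                r = best_route(self.vpn if table == "vpn" else self.static, p.dst)
                if r is not None:
                    label = "connected" if table == "static" and r.gateway is None else table
                    return (label, r.interface, r.gateway)
        # Nothing matched: default route. The WAN link manager load-balances
        # across active gateways; hashing the source address stands in for that.
        gws = self.active_gateways
        return ("default", None, gws[int(ipaddress.ip_address(p.src)) % len(gws)])


# Constructed sample tables (RFC 1918 and documentation addresses).
STATIC = [
    Route("10.0.0.0/24", "Port1"),                         # directly connected LAN
    Route("192.168.1.0/24", "Port2"),                      # directly connected transit net
    Route("172.16.0.0/16", "Port2", "192.168.1.254", 0),   # unicast static route
    Route("172.16.0.0/16", "Port2", "192.168.1.252", 5),   # same prefix via OSPF, worse distance
    Route("172.16.5.0/24", "Port2", "192.168.1.253", 10),  # more specific, wins despite distance
    Route("10.99.1.0/24", "Port2", "192.168.1.254", 0),    # overlaps the VPN route below
]
VPN = [Route("10.99.0.0/16", "ipsec0")]                    # added when the site-to-site VPN came up
POLICY = [PolicyRoute("sip-via-isp2", "10.0.0.0/24", "0.0.0.0/0", "203.0.113.1", "udp", 5060)]
ACTIVE_GATEWAYS = ["203.0.113.1", "198.51.100.1"]


def demo(order=RoutingTable.DEFAULT_ORDER):
    rt = RoutingTable(POLICY, VPN, STATIC, ACTIVE_GATEWAYS, order)
    return {
        "lan": rt.lookup(Packet("10.0.0.5", "10.0.0.9")),
        "more_specific": rt.lookup(Packet("10.0.0.5", "172.16.5.9")),
        "lower_distance": rt.lookup(Packet("10.0.0.5", "172.16.9.9")),
        "vpn_before_static": rt.lookup(Packet("10.0.0.5", "10.99.1.7")),
        "policy": rt.lookup(Packet("10.0.0.5", "192.0.2.10", "udp", 5060)),
        "default": rt.lookup(Packet("10.0.0.5", "192.0.2.10", "tcp", 443)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {decision}")
```

The `vpn_before_static` case is the one to keep in mind when troubleshooting: the static /24 is more specific than the VPN /16, yet the VPN route wins because the tables are consulted in order and specificity only decides within a table. Calling `demo(("static", "sdwan_policy", "vpn"))` flips that result, which is the effect of changing the precedence with `system route_precedence`.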