My primary concern lately as my internet presence has grown has been in the general realm of security.

How do I know that no one is accessing my port-forwarded server?

How do I know that no one is logging into my router?

[…]

An easy answer to this has always been limiting inbound connections to trusted hosts, but that is not always an easy solution. Most consumer routers don't even support this (correct me if I'm wrong), and in most firewall applications it is cumbersome to add and maintain a list of trusted hosts on each new or existing rule.

Group your trusted hosts and networks together, to restrict inbound traffic to only those you choose.

Sophos Network Definitions is a network admin's best friend. I'm constantly making changes to my environment: changing IP addresses, adding new servers, enabling new remote protocols or firewall rules, branching out to cloud endpoints and remote locations.

At the end of the day, I rely on Sophos Network Definitions to make managing my complex networks easier.

  • For an overview of the Network Definitions feature, see: the unwritten article on network definitions.

Getting started:

For this scenario we will create a group of trusted hosts to allow through the firewall. This is easier than creating a firewall or NAT rule for each remote IP to allow its inbound traffic (if your consumer router even lets you do that), and easier than maintaining a separate list of remote hosts per policy or per rule, as some firewall appliances require.

We're going to assume you already have a Sophos UTM appliance and want to allow logins to the WebAdmin only from your house, your office, and your friend's house. At this point you should have a network definition for each of these places, giving it a name and its public IP address. If a location has a dynamic public IP, a static host definition will silently stop matching when the address changes; a DNS host definition that resolves a dynamic-DNS name is the usual way around that.

  • You will be including these definitions in the group of trusted hosts.

From then on you can create firewall rules with "Trusted Remote Hosts" (the group we are creating) as the source, instead of less secure or more cumbersome approaches. You won't have to open your services to the whole internet, nor do you have to establish a VPN tunnel to multiple locations.

Create a “Trusted Remote Hosts” Network Group

In the Definitions and Users section of the WebAdmin, we’re going to add a new Network Definition.

  • For this example, we will call this Network Definition "Trusted Remote Hosts".
    • From the Type drop-down, choose "Network Group".
      • Under Members, add the network definitions you created earlier for each trusted remote location.

Save this network group definition.

Now use “Trusted Remote Hosts” in place of individual hosts or networks.

From now on, any firewall rule you create, or any access you want to restrict, can simply reference "Trusted Remote Hosts" as its source, instead of repeating the same hosts in every rule or maintaining several separate lists.

You can further scope trust by creating multiple groups: one for networks that are yours and that you fully trust, and another for networks belonging to friends or colleagues, which you may want to leave out of some rules. Keep in mind that every member of a group gets everything the group's rules allow, so a compromised host at a friend's site inherits that group's access.
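To make the mechanics concrete, here is an added example written for this article (not Sophos code, and not the UTM rule engine) that models how a network group resolves inside a rule table: host and network definitions bind a name to an address or CIDR, a group is a named list of definitions or other groups, and a rule names a group as its source. The two groups show the scoping described above, and the `demo()` function shows why editing one definition is enough to re-target every rule that uses it. All names and addresses are constructed for illustration (RFC 5737 documentation ranges).

```python
"""Model of network definitions, groups and group-sourced firewall rules.

Illustration code added for this article; not Sophos code and not the UTM's
actual rule evaluation. Names and addresses below are constructed samples.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Definition:
    """A host (/32) or network (CIDR) definition: one name, one address block."""
    name: str
    cidr: str

    def networks(self):
        return [ip_network(self.cidr, strict=False)]


@dataclass
class Group:
    """A network group. Members may be definitions or other groups, so trust
    can be layered: a group of my own sites nested inside a wider group."""
    name: str
    members: list = field(default_factory=list)

    def networks(self):
        nets = []
        for member in self.members:
            nets.extend(member.networks())   # recurses into nested groups
        return nets


@dataclass
class Rule:
    name: str
    source: object   # Definition or Group
    service: str     # e.g. "webadmin"; "any" matches every service
    action: str      # "allow" or "drop"


def first_match(rules, src_ip, service):
    """First rule, top-down like the UTM rule table, whose source contains
    src_ip and whose service matches. Returns None if nothing matches."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule.service not in (service, "any"):
            continue
        if any(ip in net for net in rule.source.networks()):
            return rule
    return None


def decide(rules, src_ip, service):
    """Evaluate one connection against the rule table with a default drop."""
    rule = first_match(rules, src_ip, service)
    return rule.action if rule else "drop"


# Constructed definitions: one per trusted location, as in the setup above.
home = Definition("Home", "198.51.100.10/32")
office = Definition("Office", "203.0.113.0/28")
friend = Definition("Friend", "192.0.2.77/32")

# Two scopes of trust: my own sites, and the wider set that includes a friend.
my_sites = Group("My Sites", [home, office])
trusted = Group("Trusted Remote Hosts", [my_sites, friend])

RULES = [
    Rule("WebAdmin only from my own sites", my_sites, "webadmin", "allow"),
    Rule("Media server for every trusted host", trusted, "media", "allow"),
    # No catch-all allow: anything not matched above falls to the default drop.
]


def demo():
    """Change one definition and watch every rule that uses it follow,
    then restore the original address so the module stays reusable."""
    before = decide(RULES, "198.51.100.10", "webadmin")
    original = home.cidr
    home.cidr = "198.51.100.99/32"          # home ISP handed out a new address
    try:
        new_ip = decide(RULES, "198.51.100.99", "webadmin")
        old_ip = decide(RULES, "198.51.100.10", "webadmin")
    finally:
        home.cidr = original
    return {"before": before, "new_ip": new_ip, "old_ip": old_ip}


if __name__ == "__main__":
    for ip, svc in [("198.51.100.10", "webadmin"), ("192.0.2.77", "webadmin"),
                    ("192.0.2.77", "media"), ("203.0.113.200", "media")]:
        print(f"{ip:>15} -> {svc:<8} {decide(RULES, ip, svc)}")
    print(demo())
```

The friend's address is allowed to the media service but not to WebAdmin, purely because of which group each rule names; the address 203.0.113.200 is dropped everywhere because it falls outside the office /28. Running `demo()` shows the centralization benefit: the rule table never changes, yet the new home address is allowed and the old one is dropped the moment the single definition is edited.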


Practical Application:

  • WebAdmin Allowed Networks
    • Allow only trusted locations to remotely log in to the WebAdmin
  • NAT policy security
    • Only allow trusted locations to access services on your internal network without a VPN.
  • Intrusion Prevention exclusion
    • Intrusion prevention systems are often sensitive. That is a good thing, but when they start blocking traffic from your own remote networks, hosts, or trusted locations, it becomes a problem. Excluding the group from the IPS rules is an easy way to keep your intra-branch services uninterrupted. Remember that excluded traffic is no longer inspected at all, so keep the exclusion as narrow as the appliance allows (specific services rather than everything) and limit it to hosts you actually control.
  • Centralized management.
    • Update all of your policies, allowed networks, etc. in one place.
