Our Tips for Hardening Your Sophos Firewall
Here are some recommendations to harden the overall security of your Sophos Firewall.
Keep Your Firmware Updated and Hotfixes Enabled – Every update to Sophos Firewall OS includes important security enhancements, and in some cases critical Hotfixes are released between updates. Keep your firmware up to date and make sure Hotfixes are enabled under Backup & Firmware > Firmware.
Limit Firewall Device Access – It’s critically important to disable non-essential services on the WAN interface, in particular the HTTPS and SSH admin services. To manage your Firewall remotely, Sophos Central offers a much more secure option than enabling WAN admin access. If the User Portal is not being used, we also recommend deactivating that service on the WAN as well.
Check your local services access control under Administration > Device Access and ensure that no items are checked for the WAN Zone unless absolutely necessary.
Lock Down Remote Access to Other Network Systems – Do NOT expose any systems directly to the internet using NAT or Firewall Rules that allow inbound connections. This includes IoT devices. Review all your NAT and Firewall Rules and ensure there are no WAN to LAN rules. Use only VPN or ZTNA for remote administration and access to internal systems. For IoT devices, shut down any device that requires direct access via NAT and does not offer a cloud proxy service.
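To make the device-access and rule review from the two tips above repeatable, here is an added Python audit (not Sophos code, and not the firewall's own configuration format) that runs over a constructed, simplified rule list and device-access table; it flags enabled WAN-originated allow rules, inbound DNAT rules, and local services exposed on the WAN zone.

```python
# Added example: audit a simplified rule set for WAN exposure.
# The Rule class and the device_access mapping are hypothetical representations
# built for this example; they are not Sophos' export or API format.
from dataclasses import dataclass

WAN = "WAN"

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str             # "firewall" or "nat"
    src_zones: frozenset  # zones the rule matches traffic from
    dst_zones: frozenset  # zones the traffic is allowed or translated into
    action: str           # "accept"/"drop" for firewall rules, "dnat" for NAT rules
    enabled: bool = True

def audit(rules, device_access):
    """Return one human-readable finding per WAN exposure.

    device_access maps a local service name to the set of zones it listens on.
    """
    findings = []
    for r in rules:
        if not r.enabled or WAN not in r.src_zones:
            continue  # disabled rules and internally originated rules carry no inbound risk
        if r.kind == "firewall" and r.action == "accept":
            inner = sorted(r.dst_zones - {WAN})
            if inner:
                findings.append(f"rule '{r.name}': allows inbound WAN -> {','.join(inner)}")
        elif r.kind == "nat" and r.action == "dnat":
            findings.append(f"nat '{r.name}': DNAT publishes an internal host to the WAN")
    for service, zones in sorted(device_access.items()):
        if WAN in zones:
            findings.append(f"device access: '{service}' is reachable from the WAN zone")
    return findings

# Constructed sample configuration (not a real export): two exposures, two safe entries.
SAMPLE_RULES = [
    Rule("LAN to WAN", "firewall", frozenset({"LAN"}), frozenset({WAN}), "accept"),
    Rule("Camera inbound", "firewall", frozenset({WAN}), frozenset({"LAN"}), "accept"),
    Rule("Old RDP", "nat", frozenset({WAN}), frozenset({"DMZ"}), "dnat", enabled=False),
    Rule("Web server", "nat", frozenset({WAN}), frozenset({"DMZ"}), "dnat"),
]
SAMPLE_DEVICE_ACCESS = {
    "HTTPS admin": {"LAN", WAN},
    "SSH": {"LAN"},
    "User Portal": {"LAN"},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, SAMPLE_DEVICE_ACCESS):
        print(line)
```

Every finding in the output is something the tips above say should not exist; an empty result means the reviewed rules and device-access settings contain no WAN exposure.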
Use Multi-Factor Authentication and Strong Passwords – Enable Multi-Factor Authentication or One Time Password (OTP) and enforce strong passwords; together these protect your Firewall from unauthorized access through stolen credentials or brute-force attempts.
Use Role-Based Administration – Take advantage of Sophos Firewall’s granular role-based administration profiles to limit access for administrators of the firewall. Provide read-only access to administrators that don’t absolutely need control over various firewall functions.
Enable TLS Inspection and Intrusion Prevention – IPS can help protect against intrusions and Denial of Service attacks, but only if encrypted traffic is inspected. Enable TLS inspection and IPS and ensure it’s configured to automatically update, and DoS protection is applied.
Enable Firewall System Notifications – Sophos Firewall can be configured to alert administrators of system-generated events. Administrators should review the list of events and make sure that key events are monitored so that issues can be acted upon promptly. Sophos recommends that you adopt a regular triage and investigation routine to make sure that no events are missed or left to linger too long. Notifications are sent via email, SNMP traps, or both. To configure Notifications, navigate to Configure > System services and select the Notifications list tab.
Configure Country Blocking – As a security best practice, you can further narrow your attack surface by using country blocking to limit exposure to regions you don’t do business with.