Sophos Web Protection

| 02-05-2021
[RAND-1-100] Comments



With WAF rules, you can protect web applications from attacks and data leakage by filtering HTTP traffic.

NoteDownload reputation is calculated based on the data in the SophosLabs' in-the-cloud database and requires Sophos Live Protection to be enabled in order to perform lookups and obtain the data. (By default, Sophos Live Protection is. Steps on how to authorize websites can be found in the following: For a Sophos Enterprise Console managed computer, go to the Enterprise Console page then click the file Enterprise Console Help HTML. Click Configuring policies followed by Authorizing items for use then next is Authorize websites. For Sophos Central, visit this link. Sophos Home Premium Security Delivers Advanced, Real-Time Antivirus Protection from the Latest Ransomware, Hacking Attempts and More. Get Sophos Home Today. Sophos UTM is an excellent secure web gateway capable of filtering and cleaning web traffic, but it also has a special trick when it comes to protecting endpoint computers both on and off premises. Sophos started out as an anti-virus company, providing endpoint protection for Windows systems. Sophos Home will block bad websites known to contain malware. On some occasions, customers may need to turn off this feature for troubleshooting purposes. Note: This feature is on by default and should only be disabled temporarily for testing or configuration. Access your Sophos Home dashboard -If you do not have an account, use SSO instead.

You configure a WAF rule for an IP address assigned to a network interface, a port, and one or more domain names. XG Firewall matches traffic based on the IP address assigned to the interface.

For HTTPS traffic, it uses Server Name Indication (SNI) to determine the server that corresponds to the hostname in the client request.

  1. Go to Rules and policies > Firewall. Select IPv4 and select Add firewall rule.
  2. Rules are turned on by default. You can turn off a rule if you don’t want to apply its matching criteria.
  3. Enter the general details.

    Name

    Description

    Rule name

    		Enter a name.

    Rule position

    Specify the position of the rule.

    Rule group

    Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.

    If you select Automatic, the firewall rule is added to an existing group based on first match with rule type and source-destination zones.

    ActionSelect Protect with web server protection.

    Preconfigured template

    Select a template to apply:

    None: Specify the web server protection details.

    Exchange Autodiscover

    Exchange Outlook Anywhere

    Exchange General

    Microsoft Lync

    Microsoft Remote Desktop Gateway 2008 and R2

    Microsoft Remote Desktop Web 2008 and R2

    Microsoft Sharepoint 2010 and 2013

  4. Enter the Hosted server details.

    Name

    Description

    Hosted address

    Select the public IP address assigned to an interface through which users access the internal server or host. The WAF rule is bound to the IP address assigned to the interface.

    You can use the public IP address assigned to the interface or use an alias to bind the required public IP address.

    When a client establishes a connection and accesses the web server, the web server obtains the interface address of the web application firewall (WAF) and not the client’s IP address. The HTTP header X-Forwarded-For carries the client’s IP address.

    Listening port

    Enter the port number on which to reach the hosted web server. The defaults are port 80 for HTTP and port 443 for HTTPS.

    You can use the same port (for example, 443) for SSL VPN and WAF. In this case, SSL VPN works on any IP address except the IP address (Hosted address) configured for WAF.

    WAF can't share the same port as the user portal. The default user portal port is 443.

    HTTPS

    If you turn this on, the hosted server is accessible through HTTPS and not through HTTP.

    HTTPS certificate

    If you selected HTTPS, select the certificate.

    XG Firewall supports SNI (Server Name Indication), allowing you to create more than one virtual web server that's accessible over the same IP address and port. You can assign a different certificate to each server. Servers are presented to clients based on the requested hostname.

    To create or upload a certificate, go to Certificates > Certificates.

    Redirect HTTP

    Select to redirect port 80 traffic to port 443.

    Domains

    Enter the FQDN configured for the web server, for example, shop.example.com.

    If you've turned on HTTPS, domain names of the selected HTTPS certificate show in the list. You can edit or delete these or add new domain names.

    You can use the wildcard *. at the start of a domain name only.

    Example: *.company.com

    A single WAF policy supports multiple wildcard domains. Virtual web servers with wildcard domains are only matched when there are no virtual web servers with specific domains configured.

    Example: A client request to the domain, test.company.com, will match with test.company.com before it matches with *.company.com before matching with *.com.

  5. Specify the details of the Protected servers. You can specify the web servers, authentication method, and allowed and blocked client networks. If you select path-specific routing, in addition to these settings, you can bind sessions to servers, specify the primary and backup servers, and use the WebSocket protocol.
    Note If you select multiple web servers, requests are balanced between the webservers.

    If you don't want to configure path-specific routing, specify the Web servers and Access permissions.

    Name

    Description

    Web server

    		Select the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.
    Allowed client networks

    Specify the IP addresses and networks that can connect to the hosted web server.

    Blocked client networks

    Specify the IP addresses and networks to block from connecting to the hosted web server.

    Authentication

    Specify an authentication profile for web applications.

  6. Optional Select Path-specific routing to forward specific path requests to the selected web servers. For example, if you specify the domain www.test.com, the path /web, and the web server Web server 1, a request for www.test.com/web is forwarded to Web server 1.
    NoteXG Firewall doesn't evaluate requests based on the order of path listing. It applies the paths, starting with the longest path and ending with the default path route. The default path is used only if a more specific path doesn't match the request.
    Some instances in which you can specify path-specific routing are as follows:
    • Send requests with a specific path (example: /products/) to a specific web server.
    • Bind each session to a web server, using Sticky session cookie. Example: If you host an e-commerce site and want a single server to serve users for the duration of a shopping session.
    • Send all requests to the specified web server with the others remaining as backup servers, using Hot-standby mode.

    Name

    Description

    Default path (path /)Select the edit button and select a web server for the default path.

    Requests that don't match a listed path are sent to the default route. If you delete the default route, XG Firewall denies requests that don't match a listed path with a 404 Not found response.

    Add new path

    Select to add a new path.

    You can add a path if you've added a web server.

    Path

    Enter the website path. Example: /products/

    Web serverSelect the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.
    AuthenticationSpecify an authentication profile for web applications.
    Allowed client networksSpecify the IP addresses and networks that can connect to the hosted web server.

    XG Firewall only implements the protection for IP host type IP and Network. Don't specify an IP range or IP list.

    Blocked client networks

    Specify the IP addresses and networks to block from connecting to the hosted web server.

    XG Firewall only implements the protection for IP host type IP and Network. Don't specify an IP range or IP list.

    Sticky session cookie

    Turn it on to bind a session to a web server. XG Firewall forwards a cookie to the user’s browser, enabling it to route requests from the browser to the same web server.

    If the server isn't available, the cookie is updated, and the session is switched to another web server.

    Hot-standby mode

    Turn it on to send all requests to the first selected web server. The other web servers remain as backup servers and are used if the first server fails.

    When the main server starts functioning again, the sessions are switched back to it. If you select Sticky session cookie, the session continues with the backup web server.

    WebSocket passthrough

    Turn it on to allow applications hosted on the specified site path to use the WebSocket protocol.

    Since RFC standards don't specify the protocol's data format, checks can't be implemented and WebSocket traffic is allowed without protection.

  7. Select Add new exception to specify the security checks to skip.

    Select the paths, sources, and security checks to skip. You can specify more than one exception in a WAF rule.

    Name

    Description

    Paths

    		Specify the paths for which you want to create an exception.

    You can use wildcards in the paths. Example: /products/*/images/*

    Operation

    		Select the Boolean operation for paths and source networks.

    Sources

    		Specify the IP addresses, range, list, or networks from which the traffic originates.

    Cookie signing

    		Skips check for cookie tampering.

    Cookie signing mitigates attempts to obtain private session data and engage in fraudulent activity by tampering with cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built from the name and value of the primary cookie and a secret that is known only to XG Firewall. If a request can't provide the correct cookie pair, the cookie is dropped.

    Static URL hardening

    Allows rewritten links for the specified paths and source networks.

    Static URL hardening prevents users from manually constructing deep links that lead to unauthorized access. When a client requests a website, all static URLs of the website are signed using a procedure similar to cookie signing. In addition, the response from the web server is analyzed regarding which links can be validly requested next.

    When you turn on static URL hardening, the entries for URL paths become case-sensitive. For example, if you add the path /rule.html and users enter /Rule.html, XG Firewall reports that the signature can't be found.

    Form hardening

    		Skips checks for web form rewriting.

    To prevent tampering with forms, XG Firewall saves the original structure of a web form and signs it. If the structure has changed when the form is submitted, XG Firewall rejects the request.

    Antivirus

    Skips anti-virus scanning for requests from the specified source networks and to the paths that you specify.

    Block clients with bad reputation

    		Skips checks for clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information.
  8. Specify the advanced protection policies.
    Name
    Description

    Protection

    Specify a protection policy for the servers.

    Intrusion prevention

    Specify an intrusion prevention policy.

    Traffic shaping

    Specify a traffic shaping policy to allocate bandwidth.

  9. Specify the Advanced settings.

    Name

    Description

    Disable compression support

    When clients request compressed data, XG Firewall sends data in compressed form.

    Select this setting to turn off compression if web pages appear incorrectly or if users experience content-encoding errors. XG Firewall then requests uncompressed data from web servers and sends it to the client irrespective of the request’s encoding parameter.

    Rewrite HTML

    Select to rewrite the links of returned web pages to retain link validity.

    Example: If a web server's hostname is yourcompany.local, but the hosted web server’s hostname is yourcompany.com, absolute links like [a href='http://yourcompany.local/'] are broken if the link is not rewritten to [a href='http://yourcompany.com/'] before delivery to the client.

    You don't need to select this option if yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links.

    We recommend that you use the option with Microsoft Outlook web access or SharePoint portal server.

    HTML rewriting affects all files with HTTP content type text/* or *xml*. * is a wildcard. To prevent corruption during HTML rewriting, make sure that other file types (example: binary files) have the correct HTTP content type.

    Rewrite cookies

    Select to rewrite cookies of the returned web pages.

    Pass host header

    Select to forward the host header requested by the client to the web server.

    You can use this to match the requested hostname with the web server when you've hosted more than one website on a server.

  10. Click Save.
    When you save a new or edited web server protection rule, XG Firewall restarts all web server rules. Live connections using any of these rules will be lost and need to be re-established.
You can see the WAF rule you created in the Firewall rules table.

Table of Contents

Requirements

  • A running instance of Sophos UTM with:
    • A public IP assigned to the external NIC of the Sophos appliance.
    • Basic Sophos configuration to serve as gateway for Internet access.
    • Either a full or trial Sophos license to be able to use the appliance's web protection feature.
  • A web server behind the Sophos UTM appliance with a basic web page for testing purposes.

Optional items for testing

  • A registered public DNS record (this can be emulated with local host files)
  • An SSL certificate from a Certificate Authority (e.g. DigiCert, Comodo, etc.) to publish HTTPS sites.

Sample configurations used for this tutorial

The infrastructure for this tutorial will be hosted at ProfitBricks. Below are the sample configuration details that will be used for this scenario and a screen shot of the topology. Sophos Appliance Public IP: 162.254.X.X Sophos Appliance Internal IP: 192.168.1.1* Web Server Internal IP: 192.168.1.11

Reserve an additional public IP address

The first step is to reserve an additional public IP address to separate the core services provided by the UTM (user portal, SSL VPN, etc) from the Webserver Protection feature in order to avoid multiple services running on the same IP/Port combination.

This additional IP can be reserved from the ProfitBricks IP Manager by selecting the number of IP addresses needed and the region as depicted below.

Assign the new IP address to the Sophos UTM virtual machine

Once an additional IP has been reserved via IP Manager, assign it to the vNIC of the Sophos UTM virtual machine within the ProfitBricks Data Center Designer.

To do this:

  1. Select the server element.
  2. Go to the Network tab on the right-side Properties tab.
  3. Select the new IP from the Additional IPs drop-down menu and provision the changes, as seen in this screenshot:

Add the second IP address to the Sophos UTM

At this point, this second IP address can be added to the Sophos UTM.

Log in to the Sophos appliance and perform the following steps:1. Click on the Interfaces and Routing menu on the left hand side.2. Click on Interfaces.3. Click on the Additional Addresses tab.4. Click the 'New Additional Address' button and enter fill out the details based on the IP that was reserved on step 2. Make sure to select the External (WAN) interface and a Netmask of /32.

Enable the new IP address

The new IP address will be disabled by default. Make sure to enable it by clicking on the toggle switch as shown below.

Configure the interface address

As mentioned in Step 2, Sophos services such as SSL VPN and User Portal use the ANY network by default to support these services. In other words, all IP addresses assigned to the Sophos UTM could be used for these services.

In order to prevent a potential conflict:1. Click on Remote Access on the left navigation menu.2. Click on the SSL sub-menu.3. Click on the Settings tab.4. Click on the folder icon next to the 'Interface Address' field.5. Drag and drop the External (WAN)(Address) into the Interface Address field.6. Click the Apply button.

Enable the user portal

If the user portal is enabled, set up the configurations: 1. Click on Management on the left navigation menu.2. Click on the User Portal sub-menu.3. Click on the Advanced tab.4. Scroll down to the Network Settings section and click on the folder icon next to the 'Listen address' field.5. Drag and drop the External (WAN)(Address) into the Interface Address field.6. Click the Apply button.

Define a Real Webserver

The next step is to define a Real Webserver. This is the internal web server's IP address that will be used by Sophos to forward traffic from the internet.

To do this:

  1. Click on Webserver Protection on the left navigation menu.
  2. Click on the Web Application Firewall sub-menu.
  3. Click on the Real Webservers tab.
  4. Click on the New Real Webserver button.
  5. Specify a name for the Webserver.
  6. Click '+' icon to define the host.
  7. In the Add network definition pop-up box:
  8. Specify the name of the server.
  9. Set Type as Host. (Optionally, you can select DNS Host if Sophos can resolve the hostname of your webserver)
  10. Enter the IP address.
  11. Click Save.8 Back on the Real Webserver configuration, select Type: Plaintext (HTTP), and enter Port:80
  12. Click Save.

Create the Virtual Webserver

We can now create the Virtual Webserver that will be Internet-facing and accessible from the Internet.

Here is a sample configuration:

Sophos Web Protection
  1. Click on Webserver Protection on the left navigation menu.
  2. Click on the Web Application Firewall sub-menu.
  3. Click on the Virtual Webservers tab.
  4. Click on the New Virtual Webserver button.
  5. Specify a name for the Virtual Webserver.
  6. Select the new IP address that was reserved earlier from the Interface drop-down menu.
  7. Select Plaintext (HTTP) for the Type.
  8. Select Port 80.
  9. Under Domains, click the '+' icon to add the public IP address for testing.
  10. Alternatively, a FQDN can be entered if a registered domain is available.
  11. Under Real Webservers, check the box for the real webserver that was created in step 8.
  12. Leave the Firewall Profile as No Profile for testing.
  13. It is best practice to assign a Firewall profile. Please review the firewall profiles and/or create a new one according to your needs.
  14. Click Save.

Turn on the Virtual Webserver

Remember to turn on the Virtual Webserver by toggling the switch button as depicted below.

Sophos Web Protection License

Check the website

At this point, the website should be accessible by going to the public IP that was defined earlier over HTTP, or via the registered domain name if the DNS records were updated accordingly.

Create a secure site with HTTPS

Turn Off Sophos Web Protection

Most sites need to be secured via HTTPS in order to encrypt the data being sent from the visitor's computer to the web server. You will need to obtain an SSL certificate from a well-known certificate authority (CA) in order to avoid browser warnings when visiting the site.

The procedure for publishing a secure site (HTTPS) is the same as for a regular HTTP site, except that you need to assign an SSL certificate to the virtual webserver.

To set this up on the virtual webserver page, use the following configurations:

  • Type: Encrypted (HTTPS) or Encrypted (HTTPS) & redirect.
  • Port: 443.
  • Certificate: This can be uploaded via the Certificate Management section under Webserver Protection.