Sophos Firewall: The Heart of My Secure Network


Hello everyone,

Today, let’s delve into a topic that is fundamental to the security and organization of any network: firewalls. They form the backbone of our digital defenses and regulate data traffic. Complementing this, we’ll explore VLANs, an often underestimated but essential technology for network segmentation and enhancing security.

The Indispensable Role of the Firewall

A firewall is far more than just a digital fortress wall. It acts as an intelligent guardian, analyzing, evaluating, and directing data traffic based on complex rules. It is the central element that protects our digital assets and enables smooth communication.

Its tasks are multifaceted and critical: it repels unauthorized access from the outside by meticulously examining both incoming and outgoing data traffic for anomalies and suspicious activities – in accordance with international standards such as the NIST Cybersecurity Framework. It can specifically block ports and protocols at the transport layer (OSI Layer 4) to prevent attacks such as port scanning or denial-of-service attacks. Furthermore, it analyzes data packets down to the application layer (OSI Layer 7) to gain deep insights and identify complex threats. Modern firewalls integrate sophisticated functions such as Intrusion Prevention Systems (IPS), which proactively detect and ward off attacks, Deep Packet Inspection (DPI), which enables detailed content analysis, Application Control, to manage the use of specific applications, and VPN gateways for secure remote connections. In short, a secure network is simply unthinkable today without a high-performance and intelligently configured firewall. It is the primary line of defense against the ever-growing and evolving threat landscape in cyberspace.

Tasks of the Firewall in Detail

Filtering Network Traffic: Granular Control Over Data Flow

Firewalls examine incoming and outgoing data packets at various levels of the OSI model to ensure compliance with defined security policies. This includes inspecting header information (source and destination IP address, ports, protocols) and deeper analysis of the payload to detect potential threats such as malware, data exfiltration, or unauthorized access attempts.

Through rule-based configurations, administrators can precisely control data traffic. For example, Quality of Service (QoS) rules can be implemented to prioritize bandwidth-critical applications, or bandwidth limits can be set for less relevant services. The additional protection of specific protocols such as Server Message Block (SMB) or Domain Name System (DNS) can be achieved through detailed access controls and the blocking of known vulnerabilities.

Modern firewalls utilize advanced methods such as machine learning and heuristic analysis to detect unusual network behavior. This can include sudden data volumes to unknown destinations or changes in the behavior of established applications. In such cases, automatic response mechanisms can be activated to isolate suspicious data traffic while simultaneously alerting administrators.

Especially in complex environments with diverse network segments and dynamic security requirements, the ability to analyze protocols up to the application layer (Layer 7) is crucial. This Deep Packet Inspection enables the identification and prevention of zero-day exploits or targeted attacks such as SQL injection or cross-site scripting (XSS), which target deeper vulnerabilities in applications.

In addition, many firewalls integrate dynamic threat intelligence databases that are updated in real time. This allows for the immediate blocking of IP addresses associated with known threats such as botnet communication or distributed denial of service (DDoS) attacks. Firewalls thus act not only as static filters but as dynamic protection instances that continuously monitor the network and adapt their defense mechanisms to current threat situations.

Recognizing and Preventing Threats: Proactive Security Measures

Modern firewalls utilize Intrusion Detection and Prevention Systems (IDS/IPS) to not only detect threats in real-time but also to analyze them using complex signature-based and heuristic algorithms. They correlate data from various network protocols and application streams to identify both known and novel attack vectors. The automatic integration of current threat intelligence feeds ensures the immediate detection of new attack methods and vulnerabilities, enabling the rapid implementation of appropriate protective measures.

Advanced analysis functions, including machine learning algorithms, enable the identification of anomalies in network traffic that could indicate targeted attacks such as Advanced Persistent Threats (APTs) or zero-day exploits. This includes the examination of suspicious patterns within individual data streams, but also complex cross-segment analyses to detect multi-vector attacks. The detailed logging of security-relevant events is essential for both real-time responses and comprehensive forensic analysis.

Providing VPN Connections: Secure Communication Channels

To establish secure connections between networks or individual endpoints, firewalls support various VPN protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS), Internet Protocol Security (IPSec), Layer 2 Tunneling Protocol (L2TP), and modern alternatives like WireGuard. These protocols use different authentication methods and cryptographic algorithms to ensure the confidentiality and integrity of data traffic and protect it from unauthorized access and manipulation.

An SSL/TLS VPN encrypts the connection at the transport layer and enables secure remote access via standard HTTPS ports (port 443), increasing the likelihood that connections will be allowed even in restrictive network environments. IPSec, on the other hand, provides security at the network layer and is ideal for connecting remote locations (site-to-site VPNs) as it combines both encryption and authentication in one protocol. L2TP is often used in combination with IPSec to enhance security through additional authentication mechanisms.

The flexible configurability of these protocols allows for adaptation to specific requirements, such as the use of multi-factor authentication (MFA), support for dynamic IP addresses, or the implementation of split tunneling to selectively route traffic through the VPN tunnel. Modern firewalls can also continuously monitor the stability and integrity of VPN tunnels and initiate automatic protective measures in the event of detected anomalies.

VPN technologies not only offer protection against data theft but also form the basis for efficient cross-location collaboration without compromising security. Even in extensive, decentralized networks with a large number of endpoints, access remains precisely controllable through centrally defined policies.

Application Control and URL Filtering: Targeted Access Management

Through sophisticated control mechanisms, firewalls can not only allow or block specific applications and websites but also enforce differentiated policies based on user groups, schedules, and behavioral analysis. This significantly increases network security by dynamically excluding risky content while maintaining productivity by prioritizing business-critical applications.

In addition, dynamic filtering mechanisms that are synchronized with threat intelligence services enable a responsive adaptation to current threat situations. Rules can be automatically modified based on real-time data such as newly identified malware domains or potentially dangerous IP addresses. Advanced functions such as content scanning to check the content of websites and downloads, as well as integration with Security Information and Event Management (SIEM) systems, ensure that even complex threats, often hidden in encrypted data streams, can be detected and neutralized. This leads not only to improved security but also to increased transparency and traceability within the network.

Deep Packet Inspection (DPI): Detailed Content Analysis

Deep Packet Inspection (DPI) enables a detailed analysis of network traffic at all layers of the OSI model, particularly at the network and application layers. Not only the header (metadata) but also the payload (user data) of each data packet is examined. This in-depth inspection allows for the analysis of complex content such as HTTP requests and responses, SSL/TLS certificates, and specific protocol implementations.

Through DPI, firewalls can identify malicious patterns such as signatures of known malware, unusual data transmission patterns, or non-compliant protocol usage. Modern systems increasingly use machine learning algorithms for this purpose, which make it possible to detect anomalies in data traffic even if they are not covered by explicitly defined signatures. An example of this is the detection of encrypted command-and-control traffic used by botnets to communicate with their command servers.

DPI mechanisms also enable the analysis of encrypted connections in combination with TLS inspection. This allows for detailed control over HTTPS connections without fundamentally compromising end-to-end encryption, although the implications for data protection must be carefully considered.

In addition to security-relevant aspects, DPI provides valuable insights into network usage. Administrators can monitor bandwidth usage by specific applications, identify potential bottlenecks, and develop policies to optimize network performance. The combination of security and performance analysis makes DPI an indispensable tool in modern IT infrastructures.

TLS Inspection: Decryption for Threat Analysis

TLS inspection is an essential technology for improving the security of modern networks, as it addresses the challenges posed by encrypted data traffic, which is difficult for conventional firewalls to inspect. Especially in combination with other security measures such as Intrusion Detection Systems (IDS) and Deep Packet Inspection (DPI), TLS inspection enables a significantly higher level of security.

TLS inspection allows firewalls to decrypt encrypted data traffic – which now accounts for a large portion of internet traffic – and examine it for threats such as malware, phishing attempts, or unauthorized access. This process requires significant computing resources and sophisticated certificate management to ensure both high security standards and data protection.

The process is based on a “man-in-the-middle” architecture, in which the firewall establishes a separate, encrypted connection with the target server. At the same time, it generates a local certificate that is accepted as trusted by the client’s end device. This allows the data traffic to be transparently decrypted for analysis and re-encrypted after inspection. This requires that the internal Certificate Authority (CA) of the firewall is correctly integrated into the operating systems and browsers of the end devices.

The advantages lie in the precise detection of threats, the enforcement of detailed security policies, and the ability to apply granular access rules even for encrypted traffic. Administrators gain valuable insights into potentially malicious activities that would otherwise remain hidden in encrypted data traffic.

The challenges primarily concern data protection, as TLS inspection allows insights into potentially sensitive data. It is crucial to carefully configure exceptions for sensitive areas such as online banking or health portals. In addition, the high demands on computing power, especially in networks with high data volumes, as well as the administrative effort for managing the necessary certificates, are significant factors.

Deeper Control: Nerdy Details for Fine-Tuning

To further refine control over network traffic, administrators can delve deep into the configuration settings of the firewall. Here are a few examples:

  • Stateful Packet Inspection: The firewall tracks the state of active connections and only allows packets that belong to an established session. This prevents the intrusion of unwanted, isolated packets.
  • Content Filtering: In addition to URL filtering, file types (e.g., executable files) or specific content on web pages can also be blocked.
  • Application Layer Gateway (ALG): For certain protocols such as FTP or SIP, which use dynamic port assignments, the firewall can act as an intermediary to correctly forward connections and minimize security risks.
  • Traffic Shaping: The bandwidth for specific applications or users can be limited or prioritized to ensure optimal network performance.
  • Geolocation Filtering: Traffic to or from specific countries can be blocked based on the geographical origin of the IP address.
  • DNS Security: The firewall can filter DNS requests to prevent access to known phishing or malware domains.
  • Intrusion Prevention System (IPS) Signatures: Administrators can activate or deactivate specific IPS signatures and adjust their severity to optimize detection accuracy and reduce false positives.
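To make the first item of the list concrete, here is stateful packet inspection in miniature: a session table that admits an inbound packet only if it belongs to a connection an inside host opened, and drops unsolicited packets and out-of-sequence handshake segments. This is an added illustration of the mechanism, not Sophos code; the zone names, the Packet fields, the state names and the sample trace (documentation IP ranges) are all constructed.

```python
"""Toy stateful packet filter: inbound packets are allowed only when they match
a session initiated from the inside. Added example, not a Sophos component;
zone names, fields and the trace below are constructed."""
from dataclasses import dataclass

INSIDE, OUTSIDE = "LAN", "WAN"


@dataclass(frozen=True)
class Packet:
    zone: str        # zone the packet arrives from: "LAN" (inside) or "WAN" (outside)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, e.g. "S", "SA", "A", "FA", "R"; empty for UDP


class StatefulFilter:
    """Session table keyed by (proto, inside_ip, inside_port, outside_ip, outside_port)."""

    def __init__(self):
        self.sessions = {}

    def handle(self, p: Packet) -> str:
        """Return 'ALLOW' or 'DROP' for one packet and update the session table."""
        return self._from_inside(p) if p.zone == INSIDE else self._from_outside(p)

    def _from_inside(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        state = self.sessions.get(key)
        if p.proto == "udp":
            self.sessions[key] = "UDP"          # first datagram opens a pseudo-session
            return "ALLOW"
        if "S" in p.flags and "A" not in p.flags:
            self.sessions[key] = "SYN_SENT"     # new outbound TCP connection
            return "ALLOW"
        if state is None:
            return "DROP"                       # non-SYN packet without a session
        if "R" in p.flags:
            del self.sessions[key]              # reset tears the session down
        elif "F" in p.flags:
            self.sessions[key] = "CLOSING"      # FIN: peer may still finish the close
        elif state == "SYN_RECEIVED" and "A" in p.flags:
            self.sessions[key] = "ESTABLISHED"  # final ACK of the three-way handshake
        return "ALLOW"

    def _from_outside(self, p):
        # Mirror the tuple: an inbound packet must match a session the inside host opened.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        state = self.sessions.get(key)
        if state is None:
            return "DROP"                       # unsolicited inbound packet, e.g. a scan probe
        if p.proto == "tcp":
            if state == "SYN_SENT":
                if p.flags == "SA":
                    self.sessions[key] = "SYN_RECEIVED"
                    return "ALLOW"
                if "R" in p.flags:              # server refused the connection
                    del self.sessions[key]
                    return "ALLOW"
                return "DROP"                   # anything else is out of sequence
            if "R" in p.flags:
                del self.sessions[key]
            elif "F" in p.flags:
                self.sessions[key] = "CLOSING"
        return "ALLOW"


def run_trace(packets):
    """Feed a packet sequence through a fresh filter and return the decisions."""
    fw = StatefulFilter()
    return [fw.handle(p) for p in packets]


# Constructed trace: 10.0.20.5 is an inside client; the other addresses are documentation ranges.
TRACE = [
    Packet("LAN", "tcp", "10.0.20.5", 51000, "192.0.2.10", 443, "S"),   # client opens HTTPS
    Packet("WAN", "tcp", "192.0.2.10", 443, "10.0.20.5", 51000, "SA"),  # server answers
    Packet("LAN", "tcp", "10.0.20.5", 51000, "192.0.2.10", 443, "A"),   # handshake completes
    Packet("WAN", "tcp", "192.0.2.10", 443, "10.0.20.5", 51000, "A"),   # server data, in session
    Packet("WAN", "tcp", "198.51.100.7", 40000, "10.0.20.5", 22, "S"),  # unsolicited SSH probe
    Packet("WAN", "tcp", "192.0.2.10", 443, "10.0.20.5", 51001, "A"),   # ACK with no session
    Packet("LAN", "udp", "10.0.20.5", 53000, "203.0.113.53", 53),       # DNS query out
    Packet("WAN", "udp", "203.0.113.53", 53, "10.0.20.5", 53000),       # matching reply
    Packet("WAN", "udp", "203.0.113.53", 53, "10.0.20.5", 53001),       # reply to a port never used
]


def example_decisions():
    return run_trace(TRACE)


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, example_decisions()):
        print(f"{verdict:5} {pkt.zone} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}")
```

Real implementations add idle timeouts and handle both FIN directions before removing an entry; the point here is the asymmetry: the inside opens sessions, the outside may only answer them.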

My Journey Through the Firewall World and My Choice for Sophos

Throughout my career, I have gained experience with a variety of firewall vendors, including heavyweights like Fortinet, Cisco, and Palo Alto Networks. Ultimately, however, I chose Sophos and have now been working with their firewalls for over eight years. My journey began with the UTM operating system of the original manufacturer Astaro before it was acquired by Sophos.

The transition to the XG operating system, later called Sophos Firewall OS and now simply Sophos Firewall, was a challenge for many long-time UTM users. The intuitive operating concept, the abundance of features, the speed, and the comprehensive possibilities of the Astaro UTM were outstanding. This quality was maintained under Sophos, as the development, at least in a leading capacity, continued to take place in Germany – proof that Germany was once known for quality and innovation, even if regulatory hurdles and political decisions do not always make it easy for companies today.

After the acquisition of Cyberoam by Sophos, the decision was made to continue developing two separate operating systems. Unfortunately, in my opinion, the wrong choice was made for the Cyberoam platform. Although it superficially offered a more modern architecture with its zone-based approach, this proved to be a more costly and complex path in hindsight. Sophos invested significant resources to bring the Cyberoam operating system, which was renamed Sophos Firewall OS, to an acceptable level. Numerous functions of the UTM, such as email security, RED management, and WLAN management, were migrated – and that was just the tip of the iceberg. This process spanned several years, and administrators like myself needed a lot of patience as the operating system was plagued with errors and lacked essential features for a long time. In the meantime, Sophos has overcome many of these initial difficulties and offers a solid foundation, especially for small and medium-sized networks.

Although the Sophos Firewall is not yet perfect, I appreciate the product and enjoy working with it, even if it has certain peculiarities and automatisms that are not always immediately comprehensible. Nevertheless, I can understand why some administrators turn to alternatives such as Fortinet or Palo Alto – especially in more complex corporate environments. The choice of firewall is also a matter of personal preference, comparable to the old holy wars between Nikon and Canon or Windows and macOS. Ultimately, what matters is that the person operating the system can work effectively with it.

VLANs: Order and Security in the Network

Another fundamental building block of my network configuration is VLANs (Virtual Local Area Networks). Regardless of the network size – and my home network certainly surpasses the infrastructure of some smaller companies – VLANs offer immense flexibility and make a significant contribution to security. As a technology enthusiast, I operate a large number of devices. My smart home alone includes over 50 components, from smart kitchen appliances to networked sockets and intelligent body scales, washing machines, and my electric car. Many of these devices are not exactly restrained in their communication behavior and readily phone home. To maintain an overview and minimize potential security risks, I consistently rely on VLANs and have, for example, set up separate VLANs for my smart home devices to isolate them from the rest of the network.

The underlying idea is simple: if one of these devices is compromised, the damage remains limited to that VLAN, and the attacker gains no direct access to my sensitive data or to other devices on the main network. In addition, I operate dedicated VLANs for my server infrastructure, a separate test network for experiments, a VLAN for my trusted end devices, and another for my Network Attached Storage (NAS). All data traffic between these VLANs is routed through my Sophos Firewall and thoroughly inspected there. This allows precise control of access rights and ensures that no unwanted communication takes place. My UniFi Pro Max Switch in combination with the UniFi Access Points reliably handles these complex requirements even with a high device density.

My VLAN Implementation in Detail

  • VLAN 10 (Management): For managing the network infrastructure (switches, access points, firewall).
  • VLAN 20 (Trusted Devices): For my primary work devices (laptops, desktop PC).
  • VLAN 30 (Servers): For all my servers, including NAS systems.
  • VLAN 40 (Guest Network): An isolated network for guests without access to my main network.
  • VLAN 50 (Smart Home): For all IoT devices (cameras, smart assistants, household appliances).
  • VLAN 60 (Media Devices): For streaming devices and smart TVs.
  • VLAN 70 (Printers): For network printers and scanners.
  • VLAN 80 (Test Environment): An isolated network for experiments and software tests.
  • VLAN 90 (Security Cameras): For my surveillance cameras, isolated for security reasons.
  • VLAN 100 (Gaming Consoles): For game consoles to separate potential traffic from the main network.
  • VLAN 110 (Mobile Devices): For smartphones and tablets.
  • VLAN 120 (DMZ): For servers that need to be accessible from the internet (e.g., web servers), with restricted access rights to the internal network.
  • VLAN 130 (Backup Network): A separate network for backup systems and data traffic.
  • VLAN 140 (VoIP): For Voice-over-IP devices to ensure voice quality.
  • VLAN 150 (Development): For development machines and environments.
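The rule-based filtering described under "Filtering Network Traffic" and the inter-VLAN control above come together in a zone policy: every flow that crosses a VLAN boundary hits the firewall, is matched against an ordered rule list, and is dropped if nothing matches. The following is an added example of such an evaluator, not a Sophos configuration export; it uses six of the VLAN IDs from the list above, but the subnets, the rule names, the zone name "WAN" for everything outside those subnets, and the sample flows are all constructed.

```python
"""Inter-VLAN zone policy: first-match rule list with an implicit default deny.
Added example, not Sophos configuration; VLAN IDs follow the post, everything
else (subnets, rules, flows) is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnets for a subset of the VLANs in the post.
VLANS = {
    10:  ("Management", ip_network("10.0.10.0/24")),
    20:  ("Trusted",    ip_network("10.0.20.0/24")),
    30:  ("Servers",    ip_network("10.0.30.0/24")),
    40:  ("Guest",      ip_network("10.0.40.0/24")),
    50:  ("SmartHome",  ip_network("10.0.50.0/24")),
    120: ("DMZ",        ip_network("10.0.120.0/24")),
}
WAN = "WAN"


def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone; anything not in a known VLAN counts as internet."""
    addr = ip_address(ip)
    for name, net in VLANS.values():
        if addr in net:
            return name
    return WAN


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # zone name or "*" for any
    dst_zone: str
    proto: str           # "tcp", "udp", "icmp" or "*"
    dports: frozenset    # empty set means any destination port
    action: str          # "ALLOW" or "DENY"
    log: bool = False    # explicit deny rules are logged so they surface in monitoring

    def matches(self, src_zone, dst_zone, proto, dport):
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.proto in ("*", proto)
                and (not self.dports or dport in self.dports))


# Ordered policy; the first matching rule wins.
POLICY = [
    # Management plane reachable only from the trusted VLAN, over SSH/HTTPS.
    Rule("mgmt-from-trusted", "Trusted", "Management", "tcp", frozenset({22, 443}), "ALLOW"),
    Rule("mgmt-deny-rest",    "*",       "Management", "*",   frozenset(),          "DENY", log=True),
    # Trusted clients may use web and file services in the server VLAN.
    Rule("trusted-to-servers", "Trusted", "Servers", "tcp", frozenset({443, 445}), "ALLOW"),
    # DMZ hosts must never initiate connections inward.
    Rule("dmz-no-inbound", "DMZ", "Servers", "*", frozenset(), "DENY", log=True),
    Rule("dmz-no-trusted", "DMZ", "Trusted", "*", frozenset(), "DENY", log=True),
    # Smart home and guest devices get internet only (web + DNS), nothing internal.
    Rule("iot-web-out",   "SmartHome", WAN, "tcp", frozenset({80, 443}), "ALLOW"),
    Rule("iot-dns-out",   "SmartHome", WAN, "udp", frozenset({53}),      "ALLOW"),
    Rule("guest-web-out", "Guest",     WAN, "tcp", frozenset({80, 443}), "ALLOW"),
    # Trusted devices may reach the internet without port restrictions.
    Rule("trusted-out", "Trusted", WAN, "*", frozenset(), "ALLOW"),
]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, rule_name) for a flow; unmatched flows hit the implicit default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action, rule.name
    return "DENY", "default-deny"


# Constructed flows: a smart plug, a trusted laptop and a DMZ web server.
FLOWS = [
    ("10.0.50.23",  "10.0.20.5",  "tcp", 445),   # IoT device probing a trusted laptop
    ("10.0.50.23",  "192.0.2.10", "tcp", 443),   # IoT device phoning home over HTTPS
    ("10.0.20.5",   "10.0.30.10", "tcp", 445),   # laptop to NAS share
    ("10.0.20.5",   "10.0.10.1",  "tcp", 443),   # laptop to switch web UI
    ("10.0.50.23",  "10.0.10.1",  "tcp", 443),   # IoT device to switch web UI
    ("10.0.120.8",  "10.0.30.10", "tcp", 3306),  # DMZ web server reaching inward
    ("10.0.20.5",   "10.0.30.10", "tcp", 22),    # laptop SSH to server: not in the allow list
]


def audit(flows=FLOWS):
    return [evaluate(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, (action, rule) in zip(FLOWS, audit()):
        print(f"{action:5} {rule:20} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

Two points from the output are worth noticing. The last flow (SSH from a trusted device to a server) is denied although no rule forbids it, which is the default-deny working as intended; and the explicit deny rules carry a log flag precisely so that a smart home device knocking on the management VLAN shows up in the logs instead of disappearing silently.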

Why Not Sophos for Access Points and Switches?

In my previous post, I indicated that while I am a proponent of functioning ecosystems, I no longer rely on Sophos in the area of access points and switches. This statement understandably led to some inquiries. The advantages of a unified ecosystem are obvious: a central management interface, harmoniously coordinated hardware and software, and often simplified configuration.

However, the reason for my decision is relatively simple and based on specific experiences. Although Sophos offers excellent products in the firewall sector, I unfortunately could not find satisfactory stability and performance with their newer AP6 Access Points. The devices simply did not function as I expected and as is essential for a smooth network. These negative experiences with the access points were ultimately the decisive point that prompted me to replace the Sophos switches as well. In direct comparison, I am much more convinced by the solutions from UniFi in terms of flexibility, performance, and especially the user-friendliness of the management interface. UniFi offers an intuitive platform that is both accessible for beginners and powerful for experts. I will comprehensively explain my conscious decision for UniFi Access Points and Switches instead of Sophos in a future, detailed blog post, and will also go into more detail about the specific challenges I experienced with the Sophos AP6 models.

Final Words

Firewalls and a well-thought-out network architecture with VLANs are the fundamental cornerstones of a secure and efficient network – regardless of whether it is a home network or a corporate environment. With careful planning and the selection of the appropriate hardware, even complex networks can be clearly structured and operated securely. My personal preference continues to be the combination of Sophos firewalls and UniFi components for access points and switches.

Stay tuned for my next article, in which I will delve deeper into the reasons for my decision for UniFi in the area of network devices.

Until next time,

Yours, Joe

© 2025 trueNetLab