Sophos has released MR2 for v19.5 today; it hardens the webadmin interface for those who allow <ANY> access:
The adoption rate of our new Sophos Firewall v19.5 firmware continues to be our fastest ever, with nearly half of install base already running the latest major release 19.5.
We are pleased to announce the availability of our second major maintenance update to v19.5 with this release.
What’s New in SFOS v19.5 MR2
Important Security and Hardening Enhancements
With this release, we are implementing two security enhancements that help harden your firewall and follow industry best practices for the protection of your firewall from attacks.
Web Admin access for specific IPs:
- We strongly recommend disabling web admin console access from all WAN sources (the Internet) to reduce the potential for a brute force or reconnaissance attack. Instead, we suggest that remote management of your firewalls be performed through Sophos Central, which is free for all customers.
- However, if you absolutely need to provide WAN access to the web admin console, v19.5 MR2 enforces WAN access from specific IP addresses and networks using an ACL exception rule (Administration > Device access > Local service ACL exception rule). It will no longer be possible to enable web admin console access from all WAN sources.
- There is no impact for existing deployments: web admin access, if already enabled from all WAN sources, continues to work even after you upgrade to v19.5 MR2, except if it is no longer being used (see next point). However, as mentioned above, we strongly encourage you to disable this or at least use the new ACL exception rule to improve your security posture.
Web Admin or User Portal Access from all WAN sources (Internet) disabled after 90 consecutive days of inactivity:
- Many customers have set up WAN access to the web admin console and/or User Portal long ago, do not use it, and have forgotten about it, leaving their firewalls potentially exposed to brute force or reconnaissance attacks from the Internet.
- 19.5 MR2 will automatically disable web admin and/or User Portal access from the Internet (all WAN sources) after 90 consecutive days of inactivity.
- Access configured using the new ACL exception rule will NOT be disabled even after 90 days of inactivity.
- There is no impact for existing deployments with active usage. If you have Web admin or User portal access enabled from all WAN sources, access to these portals will remain unaffected as long as there is activity at least every 90 days.
Be sure to check out our recent article on Best Practices for Securing Your Firewall.
New How-To Guides
- Routing and NAT configuration for IPsec: New how-to tutorials are linked directly from the relevant section of the product to help with IPsec deployments, including use cases such as system-generated DHCP relay traffic, authentication traffic, and traffic to a host through an existing IPsec tunnel.
- Dynamic Routing: Now supports up to 4K multicast groups for added scalability in dynamic routing deployments. This eliminates any issues related to dynamic routing failing to join multicast groups.
- SD-RED: A new banner is added to notify admins about the approaching EoL (End-of-Life) for legacy RED 15(w) and RED 50 devices. Customers should upgrade their RED devices to the latest models with higher performance and improved connectivity.
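As an added example (not Sophos code, and not part of the post above), the following Python helper models the two MR2 rules described in the announcement for a pre-upgrade audit: web admin / User Portal entries enabled from all WAN sources are flagged and checked against the 90-day inactivity auto-disable, while entries restricted by an ACL exception rule are exempt but are checked for a catch-all network that would defeat the restriction. The `PortalAccess` export format, the sample rows, and treating an entry with no recorded WAN activity as inactive are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network
from typing import List, Optional

INACTIVITY_LIMIT_DAYS = 90  # threshold named in the v19.5 MR2 release note


@dataclass
class PortalAccess:
    """One WAN-zone row of Administration > Device access (hypothetical export format)."""
    service: str                                      # "webadmin" or "userportal"
    wan_any: bool                                     # enabled for all WAN sources
    acl_exception_sources: List[str] = field(default_factory=list)  # networks in the ACL exception rule
    last_wan_activity: Optional[date] = None          # last WAN hit, None if never recorded


def audit(portal: PortalAccess, today: date) -> dict:
    """Classify one entry: exposed to WAN?, will MR2 auto-disable it?, what should change."""
    findings = []
    # ACL-exception access is exempt from the 90-day rule, but only worth having if it is narrow.
    for src in portal.acl_exception_sources:
        if ip_network(src, strict=False).prefixlen == 0:  # 0.0.0.0/0 or ::/0 = every source
            findings.append(f"{portal.service}: ACL exception {src} matches every source; narrow it")
    if not portal.wan_any:
        return {"service": portal.service, "exposed": bool(portal.acl_exception_sources),
                "auto_disable": False, "findings": findings}
    # Any-source WAN access counts toward the inactivity auto-disable.
    idle = (today - portal.last_wan_activity).days if portal.last_wan_activity else None
    auto_disable = idle is None or idle >= INACTIVITY_LIMIT_DAYS  # assumption: unknown activity = idle
    findings.append(f"{portal.service}: enabled from all WAN sources (idle "
                    f"{'unknown' if idle is None else idle} days); disable it, or move it to an "
                    "ACL exception rule or manage via Sophos Central")
    return {"service": portal.service, "exposed": True,
            "auto_disable": auto_disable, "findings": findings}


def audit_firewall(entries: List[PortalAccess], today: date) -> List[dict]:
    """Audit every row and return the per-entry results."""
    return [audit(e, today) for e in entries]


# Constructed sample rows, not from any real firewall.
SAMPLE_ROWS = [
    PortalAccess("webadmin", True, [], date(2023, 1, 1)),             # idle 90 days on 2023-04-01
    PortalAccess("userportal", True, [], date(2023, 3, 20)),          # still in use
    PortalAccess("webadmin", False, ["203.0.113.0/24"], date(2023, 3, 25)),  # restricted, exempt
]

if __name__ == "__main__":
    for result in audit_firewall(SAMPLE_ROWS, date(2023, 4, 1)):
        print(result)
```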