
SOPHOS Firewall: 14 – Remote Access Policy


Created – July 17, 2019 by DunRan
Modified – May 12, 2020 by DunRan
Prerequisites –

Overview

Protecting your Corporate Network is a SOPHOS Firewall that stands between Internet traffic from the outside world and internal network traffic. The Firewall monitors, evaluates and categorizes the incoming connections that attempt to communicate with your network. Not all of these are benign, friendly, appropriate or harmless. The Firewall’s job, as the doorman to your network, is to stop bad traffic from coming in and ruining everybody’s day.

But most organizations want authorized, recognized individuals to have access to the Corporate Network remotely. They want some employees to be able to work from home when appropriate, they want Vendors to be able to access the network for support and/or implementation purposes, and they want roaming road-warrior employees to have as close to the office experience as possible. All of these can be security risks.

As a Client, you need to select from the following policies (one from each Block) so that all your Remote Users are treated the same way and security discrepancies across your site are avoided.

Policy Options

A – Remote Access Policy

  1. Home Systems Allowed – SSL VPN Access, Mandatory Corporate AV on Remote System
  2. Home Systems Allowed – SSL VPN Access, No Corporately Monitored AV Requirement
  3. Only “Member of the Domain” Computers are allowed Remote Access
  4. N/A – Remote Access Not Allowed

B – Remote Access Policy – RDS

  1. RDS Server – SSL VPN Access, Mandatory Corporate AV on Remote System
  2. RDS Server – SSL VPN Access, No Corporately Monitored AV Requirement
  3. RDS Server – Restricted by Black Hole Control Only
  4. N/A – No RDS Server Available

A1 – Home Systems – these systems gain access to the Corporate Network by first logging onto the Firewall using the SSL VPN Client software provided by the organization, then launching a Remote Desktop Connector to take remote control of a workstation inside the Corporate Network.

As this home system temporarily “bonds” to the internal network, it could be a point of infection. Your organization has chosen that for a Home System to be allowed onto the Corporate Network, that computer must have installed a copy of the same AV software used by the Corporation.

LOGDEV NOTE: If using EP Advanced, a Home Use Policy is required to be created, and these Home Systems are to be placed under that Policy – this is to prevent Workplace restrictions regarding web site access from occurring.

A2 – Home Systems – as above, these systems use the SSL VPN Client software provided by the organization, then launch a Remote Desktop Connector to take remote control of a workstation inside the Corporate Network.

Your organization has chosen that a Home System is not required to have the Corporate AV software – this is not recommended by LogDev.

LOGDEV NOTE: No Home Use Policy is required, as AV software is not mandated.

A3 – Member of the Domain Computers, such as Corporate Laptops and Surface Pro tablets, already have security management from the Corporate Network and AV (Anti-Virus) software that is centrally managed. No further actions are required on these types of systems, and these systems use a 2-Factor Authentication logon mechanism. These Member of the Domain Systems also have the advantage of being able to “map” network drives remotely, similar to how the unit behaves when connected directly to the Corporate Network.

B1 – RDS Server – systems allowed to use the RDS Server gain access to the Corporate Network by first logging onto the Firewall using the SSL VPN Client software provided by the organization, then launching a Remote Desktop Connector to create a remote session on the RDS Server.

Your organization has chosen that for a Home System to be allowed to access the RDS Server, that computer must have installed a copy of the same AV software used by the Corporation.

LOGDEV NOTE: If using EP Advanced, a Home Use Policy is required to be created, and these Home Systems are to be placed under that Policy – this is to prevent Workplace restrictions regarding web site access from occurring.

B2 – as above, remote systems use the SSL VPN Client software provided by the organization, then launch a Remote Desktop Connector to create a remote session on the RDS Server.

Your organization has chosen that a Home System is not required to have the Corporate AV software – this is not recommended by LogDev.

B3 – RDS Server – Black Hole Restriction. An RDS Server allows for remote control of a software image (not a particular workstation) on the Corporate Network. This Policy Option allows access to the RDS Server from any location (without the need for 2-Factor Authentication), provided the network traffic does not originate from a geographical or country location that has been denied.

This is not recommended by LogDev.

AT Site Configuration

LOGDEV Techs are to update the AT Site Configuration with the Remote Access Policy selections chosen by the customer, along with the date of selection.