
Do not use "Any" for SSH and Webadmin access for the WAN Zone

Medium

Explanation

Limit exposure of the firewall's administration services (SSH and Webadmin) from the WAN or any other untrusted zone. Where remote administration is required, reach the firewall through a remote-access VPN, restrict access to a small set of known source IP addresses, or manage the firewall from Sophos Central instead of exposing the services directly.

As an additional control, enable role-based access control (RBAC) and require two-factor authentication for administrative accounts, using the built-in RADIUS server.

Rationale

When the device's administration service ports are reachable from the internet, it can be subjected to denial-of-service (DoS) and brute-force attempts, and an attacker can probe those ports for underlying vulnerabilities in the exposed services.

Impact

Allowing SSH and Webadmin access from any IP address invites brute-force attempts against the Webadmin interface, Denial-of-Service (DoS) attacks from a wide range of source addresses, and a larger attack surface for potential adversaries.

Resolution

See Add local service ACL exception rule.
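The check below is an added example, not part of this page or of the Sophos product: it audits local service ACL rules and reports any rule that accepts the administration services (SSH, and HTTPS for Webadmin) from "Any" host in the WAN zone. The XML layout (`LocalServiceACL`, `SourceZone`, `Hosts/Host`, `Services/Service`, `Action`) is an assumed shape modelled on the firewall's XML API entity, and the sample document is constructed for this example; adjust the tag names to match your own export.

```python
"""Audit local service ACL rules for admin services exposed to "Any" on WAN.

Added example. The tag names below are an ASSUMED layout loosely modelled on
the Sophos Firewall XML API "LocalServiceACL" entity; the sample document is
CONSTRUCTED for this example and is not a real export.
"""
import xml.etree.ElementTree as ET

# Services that expose firewall administration: SSH, and HTTPS (Webadmin).
ADMIN_SERVICES = {"HTTPS", "SSH"}
# Zones from which "Any" host should never reach administration services.
UNTRUSTED_ZONES = {"WAN"}

# Constructed sample: one bad rule, plus rules that are acceptable because they
# restrict hosts, target a trusted zone, expose a non-admin service, or drop.
SAMPLE_CONFIG = """<Configuration>
  <LocalServiceACL>
    <RuleName>Admin-from-WAN</RuleName>
    <SourceZone>WAN</SourceZone>
    <Hosts><Host>Any</Host></Hosts>
    <Services><Service>HTTPS</Service><Service>SSH</Service></Services>
    <Action>Accept</Action>
  </LocalServiceACL>
  <LocalServiceACL>
    <RuleName>SSH-from-jump-host</RuleName>
    <SourceZone>WAN</SourceZone>
    <Hosts><Host>Admin_Jump_Host</Host></Hosts>
    <Services><Service>SSH</Service></Services>
    <Action>Accept</Action>
  </LocalServiceACL>
  <LocalServiceACL>
    <RuleName>Webadmin-from-LAN</RuleName>
    <SourceZone>LAN</SourceZone>
    <Hosts><Host>Any</Host></Hosts>
    <Services><Service>HTTPS</Service></Services>
    <Action>Accept</Action>
  </LocalServiceACL>
  <LocalServiceACL>
    <RuleName>Ping-from-WAN</RuleName>
    <SourceZone>WAN</SourceZone>
    <Hosts><Host>Any</Host></Hosts>
    <Services><Service>Ping</Service></Services>
    <Action>Accept</Action>
  </LocalServiceACL>
  <LocalServiceACL>
    <RuleName>Block-admin-from-WAN</RuleName>
    <SourceZone>WAN</SourceZone>
    <Hosts><Host>Any</Host></Hosts>
    <Services><Service>HTTPS</Service><Service>SSH</Service></Services>
    <Action>Drop</Action>
  </LocalServiceACL>
</Configuration>"""


def _texts(rule, path):
    """Collect stripped text values under a relative element path."""
    return {el.text.strip() for el in rule.findall(path) if el.text}


def find_exposed_admin_rules(xml_text):
    """Return rules that accept an admin service from Any host in an untrusted zone.

    A rule is flagged only when all four conditions hold: source zone is
    untrusted, action is Accept, hosts include "Any", and at least one
    service is an administration service.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("LocalServiceACL"):
        name = rule.findtext("RuleName", default="<unnamed>")
        zone = rule.findtext("SourceZone", default="").strip()
        action = rule.findtext("Action", default="").strip().lower()
        hosts = _texts(rule, "Hosts/Host")
        exposed = _texts(rule, "Services/Service") & ADMIN_SERVICES
        if zone in UNTRUSTED_ZONES and action == "accept" and "Any" in hosts and exposed:
            findings.append({"rule": name, "zone": zone, "services": sorted(exposed)})
    return findings


if __name__ == "__main__":
    for f in find_exposed_admin_rules(SAMPLE_CONFIG):
        print(f"FAIL: rule {f['rule']!r} accepts {', '.join(f['services'])} "
              f"from Any host in zone {f['zone']}")
```

Run it against an XML export of your own local service ACL rules; any `FAIL` line identifies a rule to replace with one scoped to the VPN or the approved administrator source addresses. Pair the config audit with an external confirmation, such as a port scan of the WAN address from an untrusted network, so that the running device, not only the export, is verified.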

Related information