Sophos XGS: How to configure IPS feature on Sophos XGS


Overview

This article explains how to configure the Intrusion Prevention System (IPS) feature on a Sophos XGS firewall. IPS inspects network traffic against a signature database and can drop packets that match known attack patterns, such as DoS attempts, exploits and brute-force logins, before they reach the protected server.

It also helps protect the network from worms, viruses, hackers and other risks coming from the Internet.

Diagram

Configuration situation

The article tests the IPS feature of the Sophos XGS. We will create a custom IPS policy that drops brute-force attack traffic aimed at RDP (TCP port 3389). The enterprise's AD server is published to the outside through a DNAT rule on port 3389. Note that this is a lab setup: publishing RDP of a domain controller directly to the Internet is not recommended in production, and IPS should be one layer on top of a VPN or other access control, not a replacement for it.

Configuration steps

  • Enable Remote Desktop on the AD server
  • Create a host object for the AD server on the Sophos XGS
  • NAT port 3389 of the AD server to the outside on the Sophos XGS
  • Check that the AD server can be reached via Remote Desktop from outside
  • Create an IPS policy that drops brute-force traffic
  • Add the IPS policy to the NAT firewall rule
  • Use tools on Kali Linux to brute force the RDP port
  • Check the IPS log
  • Check the performance of the Sophos XGS
  • Check the result on Kali Linux

How to configure

Enable Remote Desktop on the AD server

Create a host object for the AD server on the Sophos XGS

  • Go to SYSTEM -> Choose Hosts and services -> Choose IP host -> Click Add
  • Enter a name and the local IP address of the AD server -> Click Save

NAT port 3389 of the AD server to the outside on the Sophos XGS

  • Go to PROTECT -> Choose NAT rules -> Click Add NAT rule -> Choose Server access assistant (DNAT)
  • Choose the AD server host that was created before -> Click Next
  • Choose the WAN port of the Sophos XGS -> Click Next
  • Choose the RDP service (if there is no RDP service yet, create it first under SYSTEM -> Hosts and services -> Services, TCP port 3389) -> Click Next
  • Choose Any as the allowed source -> Click Next
  • Click Save and finish

Check that the AD server can be reached via Remote Desktop from outside

Create an IPS policy that drops brute-force traffic

  • Go to PROTECT -> Choose Intrusion prevention -> Choose IPS policies -> Click Add
  • Enter a name -> Click Save
  • Click the Edit icon of the newly created IPS policy
  • Click Add
  • Enter Brute force in the Smart filter box -> Press Enter
  • Review the list of signatures the filter selected and make sure the RDP related ones are included
  • Choose Drop packet in Action -> Click Save
  • Click Save

Add the IPS policy to the NAT firewall rule

  • Go back to Firewall rules -> Open the DNAT rule for the AD server that was created automatically by the assistant -> Choose the newly created IPS policy under Detect and prevent exploits (IPS) -> Click Save

Use tools on Kali Linux to brute force the RDP port

  • Scan for hosts with port 3389 open with the command: nmap 192.168.1.0/24 -p3389
  • Create two files on the Desktop: user.txt containing the list of usernames to try and passwords.txt containing the list of passwords to try
  • Open a terminal on the Desktop and run the brute-force attack against the RDP port of the NATed server
  • Command: hydra -L user.txt -P passwords.txt 192.168.1.14 rdp
  • Press Enter

Check the IPS log

Check the performance of the Sophos XGS

  • The performance of the Sophos XGS remains stable during the attack

Check the result on Kali Linux

  • Hydra cannot complete the brute-force attack: once the IPS policy matches, the RDP packets from Kali are dropped
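To make the behaviour of the "Drop packet" policy concrete, the following Python script models the decision the IPS makes on the RDP DNAT rule: it replays a constructed connection log in which a Kali host hammers the NATed AD server on TCP 3389 while an administrator connects normally, and returns a per-packet verdict. This is an added illustration, not Sophos code or the actual signature logic of the XGS; the log format, the threshold of 5 connections per 60 seconds and the IP addresses 192.168.1.20 (attacker) and 192.168.1.30 (administrator) are assumptions made for the example.

```python
"""Model of the 'drop brute force on RDP' IPS policy from the article.

Added example, not Sophos code. The log lines, the threshold and the
window are constructed assumptions; real IPS signatures use their own
rate logic, but the observable effect is the same: the first few
connections from a source are allowed, the rest are dropped.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389
MAX_ATTEMPTS = 5                 # assumed: connections allowed per window
WINDOW = timedelta(seconds=60)   # assumed: sliding window length

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip> <dst port>".
# 192.168.1.20 is the Kali box, 192.168.1.30 a legitimate admin,
# 192.168.1.14 the AD server behind the DNAT rule (as in the article).
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:02 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:04 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:05 192.168.1.30 192.168.1.14 3389
2024-01-01T10:00:06 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:08 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:10 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:12 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:14 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:15 192.168.1.30 192.168.1.14 3389
2024-01-01T10:00:16 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:17 192.168.1.20 192.168.1.14 443
2024-01-01T10:00:18 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:20 192.168.1.20 192.168.1.14 3389
2024-01-01T10:00:22 192.168.1.20 192.168.1.14 3389
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


class RdpBruteForceGuard:
    """Sliding-window rate check, applied only to RDP traffic.

    The IPS policy in the article is attached to the DNAT rule for port
    3389, so packets to other ports are never evaluated by it.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self.recent = defaultdict(deque)  # src ip -> timestamps of RDP connects

    def decide(self, ts, src, dport):
        """Return 'allow' or 'drop' for one connection attempt."""
        if dport != RDP_PORT:
            return "allow"            # not covered by the RDP rule
        q = self.recent[src]
        while q and ts - q[0] > self.window:
            q.popleft()               # forget attempts outside the window
        q.append(ts)
        if len(q) > self.max_attempts:
            return "drop"             # policy action: Drop packet
        return "allow"


def run(log_text):
    """Replay a log and return a list of (src, dport, verdict) tuples."""
    guard = RdpBruteForceGuard()
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport = parse_line(line)
        verdicts.append((src, dport, guard.decide(ts, src, dport)))
    return verdicts


def summarize(verdicts):
    """Count allow/drop verdicts per source IP."""
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for src, _dport, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dport, verdict in run(SAMPLE_LOG):
        print(f"{src:14} -> :{dport:<5} {verdict}")
    print(summarize(SAMPLE_LOG and run(SAMPLE_LOG)))
```

Running it shows what the article observes in the IPS log and on Kali: the administrator's two connections and the attacker's HTTPS request are allowed, the attacker's first five RDP connections pass, and every further RDP attempt from that source inside the window is dropped. Tune MAX_ATTEMPTS too low and legitimate users who reconnect a few times will be dropped as well, which is why the signature list selected by the Smart filter should be reviewed before the policy goes on a production rule.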
