In combination with user authorisation, this allows fine-grained control over the operations that are accessible to each user, ensuring that the principle of minimal privilege can be enforced. Additionally, different privilege levels can be assigned to individual users to only grant the access needed for their role. To address this, enabling SSL for LDAP requests can be done by checking the box marked “SSL” as highlighted.ĪSSIGNING INDIVIDUAL LOCAL ADMINISTRATOR ACCOUNTSĪssigning individual administrator accounts ensures that every action can be traced back to the user who is responsible for making that action. Please note that by default, plain text communication is used to communicate with the LDAP Server which would cause administrative credentials and sensitive configuration to be sent across the network unencrypted and so be vulnerable to interception. To configure LDAP for Sophos UTM, please refer to Section 5.7.2.3 LDAP in the following article: Please refer to the following URL for more information: In the drop down list for “Backend”, select RADIUS and configure the rest of the parameters using the same steps that were used for TACACS+. The way to configure RADIUS authentication in Sophos UTM is similar to TACACS+. Please refer to section 5.7.2.5 TACAS+ in the following documentation for more information on how to configure TACACS+: To enter the host name instead of the IPv4 address, choose “DNS Host” from the drop down list “ Type”.Ĭhoose the interface you wish users to be authenticated from in the “ Advanced” tab, then add the TACACS+ server name and IP Address and the TACACS+ parameters, for instance the port number and symmetric server secret key, which would be supplied by the TACACS+ server administrator. Click “New Authentication Server“, and choose the TACACS+ protocol in the dropdown menu in Backend.Ĭlick the green plus button to enter the IPv4 address of the TACACS+ server and specify a name in the “ Name” field. Go to Definition & Users -> Authentication Services -> Servers. To configure Sophos UTM to use TACACS+, you can use the following steps in WebAdmin: We will discuss three common methods for configuring central authentication in Sophos: TACACS+, RADIUS, and LDAP. This simplifies account management processes, such as by ensuring that users’ accounts can easily be disabled across all network devices once they leave the organisation. The use of a central authentication service allows organisations to easily and centrally manage user accounts. ACCESS CONTROL Configure CENTRAL Authentication As such, the menus might differ for other versions. Please note that the following recommendations were verified against a Sophos UTM 9 appliance. There is a command line interface for Sophos UTM, however Sophos are understood to prefer supporting the GUI and provide documentation for this approach, as such it will be used for this guide. Sophos is just one of the vendors that provides such solutions to many organisations, alongside Check Point, FortiNet, Juniper, and Cisco. The aim of this article is to provide guidance for network administrators on how to harden Sophos UTM firewalls. Firewalls are used as the main defence for an organisation’s network infrastructure, and are used to prevent unauthorised access to or from the private network.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |