Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

Configuration Best-Practices Auditor

I have seen a lot of ASG systems out there, which have use a insecure or not (possible) optimal configuration in ASG. Some other manufacturers will bring up while configuration already a warning, when a setting may affect system security.

It would be nice to have a possibility to start a basic system configuration checker, which will check the configuration against some "best practice" recommendations and generate a little audit report with found issues, a small explanation and a recommendation to make it better.

Issues could be (to list some...)
- inappropriate configured proxies with access from ANY networks
- Webadmin Access or SSH access from ANY Networks
- Packetfilter rules from internal networks to Internet with ANY Service allowed
- Exceptions that may affect Security Services as IPS or AFC (as exclude source internal networks from IPS...or similar)
- Anti Portscan not activated
- Insecure passwords for users
- no FQN name set for SMTP proxy
- no BATV secret set for SMTP proxy

and so on...

11 votes
Sign in
Sign in with: Facebook Google Sophos Features & Ideas Laboratory
Signed in as (Sign out)

We’ll send you updates on this idea

Sascha Paris shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Sign in with: Facebook Google Sophos Features & Ideas Laboratory
Signed in as (Sign out)
  • Chris commented  ·   ·  Flag as inappropriate

    I like the way Microsoft picks up this issue: They have a so called Best Practice Analyzer for many products which check various configurations against rules. This rules are updated regularely and contain misconfigurations as well as performance problems.

  • david haman commented  ·   ·  Flag as inappropriate

    From an IT Management and Security Director standpoint this makes the most sense to me. This would also give ASG a huge leg up on the competition out there.

  • david haman commented  ·   ·  Flag as inappropriate

    i also think there should be better hardware compaibility for the asg user who wishes tio run on a spare pc, i currently run on an Intel pentioum D 3.4 W/ 2gb ram, but had many issues trying to run asg on any amd x2 chip set, installation failed on a sb740 chipset, aswell as a nvidia 6100 chipset mp-bios bug 8254

  • Bob Alfson commented  ·   ·  Flag as inappropriate

    This is a great idea to mix with the one about being able to print out the configuration. What a great tool for tech support! My wife wrote a "sysinfo" script for IBM AIX boxes so she can get a quick look at what's happenning when people need help.

    An Astaro "Auditor" program would be much better than the raw information one gets from 'Config dump'.

    Practically speaking, there are some well-know mistakes that can be made, and some already receive warnings in WebAdmin. I suspect there are many more one could check for if one weren't concerned about mucking up the programming in the product.

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.