Firewall updates – ignoring them is not an option!
“Never change a running system.” I’ve lost count of how many times I’ve had to listen to that saying. In IT, however, it simply doesn’t belong; it’s usually trotted out purely for convenience. We’ve all had bad experiences with updates that broke everything, or solved one problem only to introduce two new ones. And yes, it can be costly if you have to call in a professional.
Despite all that, anyone who doesn’t update their firewall has fundamentally misunderstood the concept of “security”.
In this blog post I’m going to look at the topic of “updates on the Sophos Firewall” and why they are so important.
Why are updates on the Sophos Firewall so important?
The answer depends heavily on what you expect from your firewall. I’m assuming most of you have bought or are already running a firewall to protect your corporate or home network from threats on the internet. That’s why it’s essential to keep the firewall software fully up to date. New vulnerabilities are discovered every day, and your firewall needs to know about them in order to fulfil its basic task of providing protection. A firewall lives on updates.
Let’s look at a concrete example. Here you can see the dashboard of a Sophos SG 310.

The 23 updates highlighted in red are hard to miss, right? Let’s see what kind of “bouncer” your firewall is for your network in this state. As you can see from the “Version information”, UTM version 9.210-20 is currently installed. That leads to the following:
- SSL Heartbleed vulnerability not yet patched
- POODLE vulnerability not patched
- XSS vulnerability not patched
- Various OpenSSH security updates not applied
- Other current known vulnerabilities
And those are just the most critical and important issues. In total, there are more than 3,500 changes that have not been applied to the system in our example. On top of that, the licence has expired, which means the firewall has disabled several security mechanisms and is no longer receiving pattern updates from Sophos.
Appearances can be deceptive…
You might now be thinking: “What’s this guy on about? My system is up to date, all updates are installed. Nothing can happen to me.” But if things look like they do in the next screenshot, you’ve got a very different kind of problem. ;-)
For all readers who are now looking at the screenshot and don’t quite see what I’m getting at, here’s a quick explanation. We’re looking at the dashboard of an Astaro firewall (Astaro was acquired by Sophos in 2011). Support for version 7 of the “Astaro Security Gateway” ended on 31 December 2012. This version will therefore never again indicate that updates are available.

My point is simply that a system which no longer receives updates is not necessarily up to date.
The fact that Windows XP no longer receives updates, for example, is not because it doesn’t need them any more, but because Microsoft officially stopped supporting it on 8 April 2014.
Updates aren’t everything
To achieve genuinely effective protection from a firewall, the firewall OS itself must be current, and all security updates must be applied regularly. But that alone is not enough. Whoever is responsible for a firewall must also be able to configure it correctly. There’s no benefit if firewall rules point into the void or important security features are disabled. You need to understand all the firewall’s functions, because a poor or faulty configuration can also have a negative impact on the network.
Conclusion
I hope the examples have made it clear that a firewall without updates cannot provide up-to-date protection. Configuring a firewall and keeping it current is no walk in the park, even if Sophos would like us to believe otherwise with their slogan “Security made simple”. The one-click update button may be easy enough to press, but that’s no guarantee everything will always run smoothly. Updates are crucial, but for the administrator they almost always mean work. Even so, you need to put convenience aside and either take responsibility yourself or hire a professional.
If you buy a firewall for protection, you need to understand that installation alone is nowhere near enough. A firewall requires regular care. From time to time you should log in to the system, run updates, review logs, carry out a threat analysis, and so on.
For everyone who doesn’t want to handle the setup and maintenance of their Sophos Firewall themselves, we offer convenient maintenance contracts. Or would you like assurance that your firewall is correctly configured? On request, we’ll gladly take a closer look at your firewall and subject it to a “security check”.
