Advanced Security Valvaris - Corp. Protection on Private PC and Network Config.

Last updated: May 8, 2022
About: Personal, primary device
Additional PC users: Not shared with other users
Desktop OS: Windows 11
OS edition: Enterprise
Login security: Password-less (PIN, Biometric, Face)
Primary sign-in: Microsoft account
Primary user: Admin user - Full permissions
Security updates: Default - allow security updates
Windows UAC: Maximum - always notify
Network firewall: Third-party router
Real-time protection: Sophos Intercept X Advanced with XDR
Software firewall: Microsoft Defender Firewall
Custom RTP, Firewall and OS settings: Sophos Central - Managed and Monitored - Default Deny Policy
Malware testing: No malware samples
Periodic security scanners: Sophos best practice is to not enable scheduled scans, since the product covers a wide range of protection layers. Quote from Sophos: "Because of real-time scanning and the background scanner that is always running, there's not much need for full system scans."
Secure DNS: Sophos XGS Firewall handles DNS requests with uplink server Quad9
VPN: None
Password manager: 1Password (only browser plugin) in Microsoft Edge Chromium
Browsers, Search and Addons: Microsoft Edge Chromium
Maintenance and Cleaning: Dell SupportAssist
Personal Files & Photos backup: OneDrive Premium
Personal backup routine: Automatic (scheduled)
Device recovery & backup: Microsoft Settings Sync - Browser Sync and OneDrive Sync
Device backup routine: Automatic (scheduled)
PC activity:
  1. Working from home.
  2. Browsing the web.
  3. Emails.
  4. Shopping.
  5. Banking.
  6. Downloading software.
  7. PC and cloud gaming.
  8. Multimedia.
  9. Streaming.
Computer specs:
Brand: Alienware m17 R4
CPU: i7-10870H
GPU: RTX 3080 Mobile 16GB
RAM: 32 GB
Storage: SSD (DELL -> Samsung Drive)
Personal changelog: Infrastructure and Software Change
Feedback Response: General feedback

General feedback

valvaris (Level 5, Thread author)
Hello to all,

first a huge Disclaimer:
- Software and Hardware in use is Company / Enterprise grade.
- All Licenses in use are purchased with my own Money (Private) and NOT SPONSORED by the Vendors in any way!
- This Configuration is my own Opinion and I would love to share my Experience with the MalwareTips Community.
- Configurations shared here can be impractical for some and need a deeper understanding of how the products function.
- I will keep my configuration short and not go too deep into what function covers what... (Protection alone would be a Wall-of-Text otherwise)

My First Line of Defense is the Network, with the Sophos XGS Firewall Appliance and segmentation of Networks. (Sophos XG / XGS Series Firewalls are zone-based Firewalls/Rules. It can be difficult to understand how Networks are affected by them!)

Example:
- 192.168.2.0/30 - LAN Zone
- 10.222.222.0/30 - Corp. Zone (Why such an IP address? -> To not conflict with routed addresses on the Company side)
- 192.168.5.0/30 - IoT Device Server Zone
- 192.168.3.0/28 - WiFi Zone with VLAN (example: VLAN 5 as a virtual interface). [The reason is to detach the Access Point Management VLAN 1 from the Network; broadcast mitigation for Unifi products.] -> Will be replaced with a Sophos APX 120 Access Point in the future!

All features from the Sophos XGS Firewall Appliance that come with the XStream Protection Bundle are enabled and in use!
Just to name a few:
- Granular User Rules with Firewall features / ATP / IPS / Content Filter / DPI / SSL-Inspection / RED SD-WAN Orchestration / Sophos Central / DoS / Anti-Spoofing with Trusted IP and MAC Binding / ZeroDay Protection and so on...

Clarification:
There is no Active Directory or Directory Services in use. Users can be Managed directly from the Appliance as Local Users with MFA and Client Authentication Agent (Software).

Primary Firewall Rule Set is -> Default Deny
This means if the User is not logged on = Drop All!!! <- LAN Zone = No Internet / No Local Network
The other Zones are configured with dedicated Hosts and therefore have very granular Rules for that specific Zone only, with all protection modules enabled as mentioned above.

The only protocols in use are: HTTP / HTTPS / DNS / NTP
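To make the zone-based default-deny idea from the post concrete, here is an added example (my own illustration, not a Sophos XGS rule export and not the thread author's configuration). It models the four zones with the subnets listed above, a LAN zone that drops everything until the user has authenticated, dedicated-host rules for the other zones, and HTTP/HTTPS/DNS/NTP as the only permitted services. The zone labels, the specific host addresses, the per-zone port sets and the sample flows are assumptions made for the example; only the subnets and the protocol list come from the post. It also reports usable host counts, since a /30 leaves room for exactly two hosts per zone.

```python
"""Zone-based default-deny policy model (added example, assumptions labelled)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import FrozenSet, Optional, Tuple

# Subnets as listed in the post; zone labels are shortened for readability.
# WIFI is the VLAN 5 virtual interface mentioned there.
ZONES = {
    "LAN":  IPv4Network("192.168.2.0/30"),
    "CORP": IPv4Network("10.222.222.0/30"),
    "IOT":  IPv4Network("192.168.5.0/30"),
    "WIFI": IPv4Network("192.168.3.0/28"),
}

# The only protocols the post says are in use, with their standard ports.
ALLOWED_SERVICES = {"HTTP": 80, "HTTPS": 443, "DNS": 53, "NTP": 123}


@dataclass(frozen=True)
class Flow:
    src: str                          # source IPv4 address
    dst_port: int                     # destination service port
    user_authenticated: bool = False  # signed in through the auth agent?


@dataclass(frozen=True)
class Rule:
    zone: str
    ports: FrozenSet[int]
    requires_auth: bool = False
    # For zones with "dedicated hosts" only these sources match; None = whole zone.
    src_hosts: Optional[FrozenSet[str]] = None


def zone_of(ip: str) -> Optional[str]:
    """Zone whose subnet contains ip, or None if the source is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def usable_hosts(zone: str) -> int:
    """Host addresses available in a zone (network and broadcast excluded);
    a /30 leaves only two, which matters when planning devices per zone."""
    return ZONES[zone].num_addresses - 2


# Rule table. Anything not matched here is dropped: that is the default deny.
# Host addresses and per-zone port sets are assumptions for this example.
RULES = (
    # LAN: nothing until the user authenticates, then only the four services.
    Rule("LAN", frozenset(ALLOWED_SERVICES.values()), requires_auth=True),
    # Corp zone: one dedicated host, HTTPS only (assumed).
    Rule("CORP", frozenset({443}), src_hosts=frozenset({"10.222.222.2"})),
    # IoT zone: one dedicated device allowed DNS and NTP (assumed).
    Rule("IOT", frozenset({53, 123}), src_hosts=frozenset({"192.168.5.2"})),
    # WiFi VLAN: authenticated users, web and DNS only (assumed).
    Rule("WIFI", frozenset({80, 443, 53}), requires_auth=True),
)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow; first matching rule wins."""
    zone = zone_of(flow.src)
    if zone is None:
        return ("DROP", "source not in any zone")
    for rule in RULES:
        if rule.zone != zone:
            continue
        if rule.src_hosts is not None and flow.src not in rule.src_hosts:
            continue  # not one of the zone's dedicated hosts
        if rule.requires_auth and not flow.user_authenticated:
            return ("DROP", "user not authenticated")
        if flow.dst_port in rule.ports:
            return ("ALLOW", f"{zone} rule")
    return ("DROP", "default deny")


if __name__ == "__main__":
    for name in ZONES:
        print(f"{name}: {ZONES[name]} ({usable_hosts(name)} usable hosts)")
    samples = [
        Flow("192.168.2.1", 443),        # LAN, not signed in
        Flow("192.168.2.1", 443, True),  # LAN, signed in
        Flow("192.168.2.1", 22, True),   # SSH is not on the protocol list
        Flow("192.168.5.2", 123),        # the dedicated IoT device syncing time
        Flow("192.168.5.1", 123),        # an IoT address with no dedicated rule
        Flow("203.0.113.7", 443),        # outside every zone
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

The design point is that `evaluate()` never has an "allow" fallback: a flow that reaches the end of the table is dropped, so forgetting a rule fails closed rather than open. The `src_hosts` field is what turns a zone rule into the "dedicated hosts" granularity described above.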

As for the Private Laptop:

It is protected with Sophos Intercept X Advanced with XDR (Live Response and Data Lake = Enabled) and Managed in Sophos Central. The devices and the network are configured with Security Heartbeat - so if a device becomes infected or something suspicious is happening it will ISOLATE itself automatically - then it tries to clean itself and informs the admin! - With the Forensic tools built into Sophos Central a Root Cause will be generated.

By default (my Configuration) all known Applications are blocked from execution and only the ones I truly use and need are Allowed specifically. (Built into Sophos Intercept X Advanced)

With Sophos Intercept X Advanced with XDR there are so many Protection layers, and I can highly recommend checking them out: Sophos Intercept X Endpoint Protection

All my personal data is synced with OneDrive Premium as a backup measure with Personal Safe Enabled for Critical Data.

I know it is very short in terms of information. [view disclaimer on top of page]

I do not use Consumer grade AVs or Firewalls anymore since there has to be trust in the Vendor / Dev. team behind it. Since I work in a company that mainly sells Sophos Products I got my hands-on experience with it and learned a lot about how they function and how big the community is behind Sophos. That is the reason I chose to convert my Ubiquiti Infrastructure with an F-Secure EPP for Computer AV, UDM-Pro and AccessPoints to Sophos XGS Firewall and Sophos AV Product.

How I got my licenses for the products is simple -> I bought them (No NFR Licenses or Sponsorship)!!!

Sincerely
Val.

valvaris (Level 5, Thread author)
Why "Basic Security" again?!!! @MalwareTips Moderation Team

If it is again because of Backup then please delete this topic. - Data is Synced with the Cloud! - Critical Things are in Personal Safe! - To restore the System in its current state again takes about 20 Min. - Since all is connected with Online Services.

This system is not used for Malware Samples and does not even have a VM, WSL or such...

I do not argue that a Backup makes sense, but in this case - with all the Cloud features enabled in this configuration - what do I need to do to be up and running?!:

- Install Windows 11
- Connect with Microsoft Account
- Wait for Sync
- Install Drivers from Windows Update since Dell has its repository there too
- Install Steam
- Install Sophos Agent
- Done!

Even a Backup can be more of a security risk because nobody takes the time to verify if the Backup can be restored or is Malware free.

Sincerely
Val.

harlan4096 (Moderator, Staff member, Malware Hunter)
Periodic Scanners -> it's reserved in general for 3rd-party tools, not for the real-time product already installed.

Device recovery & backup -> for full image system backup, You can set cloud services in Personal Files & Photos backup.

And what if there is no Internet connection or Your cloud services have issues? You can't trust only in cloud services; the ideal would be to count on cloud services and also to have offline redundant backups on different external devices.
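Both posts above touch the same practical gap: the thread author's remark that nobody verifies whether a backup can actually be restored, and the moderator's point that an offline copy is only useful if it is known-good. The following is an added example of my own (not OneDrive, Sophos or MalwareTips tooling) showing the smallest mechanical version of that restore test: build a manifest of the source tree (relative path, size, SHA-256), keep it separately from the backup, then check a restored tree against it and report files that are missing, altered or were never in the original. The file names and contents in `demo()` are constructed so the script runs offline; point `build_manifest()` and `verify_restore()` at real directories to use it on an actual backup set.

```python
"""Restore-verification check for a file backup (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> Dict[str, dict]:
    """Map every file under root (relative POSIX path) to its size and hash."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_restore(restored_root, manifest: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Compare a restored tree against the manifest.

    Returns a sorted list of (relative_path, problem) where problem is one of
    'missing', 'altered' or 'unexpected'. An empty list means the restore
    reproduces the backed-up set exactly.
    """
    restored = build_manifest(restored_root)
    problems = []
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            problems.append((rel, "missing"))
        elif actual != expected:
            problems.append((rel, "altered"))
    for rel in restored:
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return sorted(problems)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: back up two files, restore them cleanly, then
    tamper with one, delete one and add a stray file; return what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "docs").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly notes\n")
        (src / "docs" / "plan.md").write_text("# plan\n")

        manifest = build_manifest(src)
        # The manifest lives apart from the backup; it is the reference the
        # restore is judged against, so it must not be restored from the backup itself.
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(manifest, indent=2))

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        clean = verify_restore(restored, json.loads(manifest_path.read_text()))
        if clean:
            raise RuntimeError(f"clean restore reported problems: {clean}")

        # Now simulate a bad restore: changed content, a dropped file, an extra binary.
        (restored / "docs" / "plan.md").write_text("# plan (changed)\n")
        (restored / "notes.txt").unlink()
        (restored / "extra.exe").write_bytes(b"MZ")  # constructed placeholder bytes
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:10s} {rel}")
```

A manifest proves integrity against the state at backup time, not cleanliness: a file that was already infected when it was backed up will verify perfectly. That is why the check belongs alongside, not instead of, scanning the restored tree with the real-time product already on the machine.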

valvaris (Level 5, Thread author)
Quoting a reply in the thread: "Great config! The only thing missing is Sophos MTR."

Yeah, for a Private PC Setup that would be super overkill. The MTR Service is AWESOME, especially the "Advanced" one. Like this I get to learn how XDR works and start queries to check if my system is safe. The added advantage is the learning experience of how some things work, and I get to tinker with XDR. Thank you for the feedback :D

Sincerely
Val.