How to configure your firewall against Petya or WannaCry attacks

By Chris McCormack 

The recent WannaCry and Petya malware outbreaks were the first widespread network worms for several years.

Worms differ from regular malware attacks because they can spread by themselves, often without needing any help from users.

Both WannaCry and Petya included what’s known as an network exploit: they sent out malicious network packets to take advantage of vulnerabilities in unpatched Windows computers on the network.

The good news is the IPS engine in Sophos SG and Sophos XG firewalls can help to stop attacks of this sort by watching out for, and neutralizing, malicious packets needed for the worm to spread.

However, there are some things you need to know if you want your Sophos firewalls to block network attacks *inside* your network as well as from outside.

(Spreading inside a network is known in the jargon as lateral movement. Hackers and crooks often use one trick to get in, and then another to find their way around internally.)

To prevent the spread of worms and bots on your network:

  • Reduce the surface area of attack: Review and revisit all port-forwarding rules to eliminate any non-essential open ports. Where possible use VPN to access resources on the internal network from outside rather than port-forwarding.
  • Secure any open ports: Apply suitable IPS protection to the rules governing that traffic.
  • Stay up to date: While we send automatic pattern updates,  it is important to consistently check that your firewall firmware is up to date to ensure the best protection, stability, reliability and performance.
  • Minimize the risk of lateral movement: Segment LANs into smaller subnets and assign those to separate zones that are secured by the firewall.  Apply suitable IPS policies to rules governing the traffic traversing these zones to prevent worms and bots from spreading between LAN segments.

Applying IPS protection to a Firewall Rule doesn’t get any simpler than this.

( is a Senior Product Marketing Manager, Sophos Network Security. This post has been reproduced from the Sophos Corporate blog).