This article describes the steps to configure the RED (Remote Ethernet Device) when it's used with Sophos UTM, to pass PCI DSS compliance check. The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM v9.4 and above
Log on to the command line interface (CLI) using the loginuser account and type su to switch to the root account, then type the following commands (one per line; cc opens the configuration shell, red selects the RED section, the third line sets the option, and exit leaves the shell):
cc
red
tls_1_2_only$=1
exit
There are 2 items to be aware of if this is enabled:
RED devices use a self-signed certificate in a private trust model rather than the public CA trust model, so there is no danger of a Man-in-the-Middle attack fooling the RED device or the Sophos UTM. Also, certificate pinning techniques are used to ensure that only our RED devices can connect to the RED server on Sophos UTM. For more reading about certificate pinning, please visit Certificate and Public Key Pinning.
However, the self-signed certificate can be flagged as a problem on some security audits that don't take the full context of its use into account. If this is the case, the following steps can be used to ensure that the RED server port is only accessible from the source IP addresses of the RED devices themselves.
We need to create a DNAT rule in Sophos UTM which takes any inbound connections over TCP 3400 and routes them to a null interface (any non-existent IP). We then create a second rule to exempt the expected RED traffic from being sent to this null interface / IP.
First, we need to add a rule that matches the traffic from the internet on port 3400, and sends it to NULL. The NULL object is a host object with a non-routable IP address. This rule ensures that any RED traffic not coming from the branch office address is dropped at the first module in the pipeline.
Go to Network Protection > NAT > NAT and select + New NAT Rule...
Second, we create a No-NAT rule that takes the connections from your determined RED IP address and does nothing with them. This sounds weird but is entirely legitimate in the Sophos UTM interface. As long as this is positioned above the rule we created in the previous step (NAT rules are processed in a top-down fashion), the genuine RED traffic will hit this rule instead and therefore not be routed to the NULL address.
Unfortunately, the above combination of rules is only really viable when the IP address of the RED site is static. If it is dynamic, the source address in the first rule above would need changing each time the RED IP address changes.
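The ordering requirement the two NAT rules depend on, as an added Python model of top-down first-match evaluation; this is example code, not part of the article or of Sophos UTM, and the branch-office IP, the NULL host object's address and the UTM address are constructed placeholders. The model ignores the destination interface and checks only source address and destination port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

RED_PORT = 3400                 # RED server port on the UTM (from the article)
NULL_HOST = "10.255.255.254"    # constructed: non-routable "NULL" host object
UTM_ADDRESS = "203.0.113.10"    # constructed: the UTM's external address
BRANCH_RED_IP = "198.51.100.7"  # constructed: static source IP of the RED device

@dataclass
class NatRule:
    name: str
    src: str                # source network the rule matches (CIDR)
    dst_port: int
    target: Optional[str]   # DNAT destination, or None for a No-NAT rule

def deliver(rules: List[NatRule], src_ip: str, dst_port: int) -> str:
    """Top-down, first-match evaluation: returns the address the connection
    is finally delivered to. Unmatched traffic reaches the UTM unchanged."""
    src = ip_address(src_ip)
    for rule in rules:
        if dst_port == rule.dst_port and src in ip_network(rule.src):
            return UTM_ADDRESS if rule.target is None else rule.target
    return UTM_ADDRESS

def reaches_red_server(rules: List[NatRule], src_ip: str) -> bool:
    return deliver(rules, src_ip, RED_PORT) == UTM_ADDRESS

def ruleset_is_sane(rules: List[NatRule]) -> bool:
    """Flag a No-NAT exemption that sits below the catch-all NULL rule for
    the same port: it is shadowed and the RED device can never connect."""
    for i, rule in enumerate(rules):
        if rule.target != NULL_HOST:
            continue
        null_net = ip_network(rule.src)
        for later in rules[i + 1:]:
            if (later.target is None and later.dst_port == rule.dst_port
                    and ip_network(later.src).subnet_of(null_net)):
                return False
    return True

# The two rules from the article: exemption first, then everything to NULL.
no_nat = NatRule("RED branch exempt (No NAT)", BRANCH_RED_IP + "/32", RED_PORT, None)
to_null = NatRule("Internet to NULL (DNAT)", "0.0.0.0/0", RED_PORT, NULL_HOST)
CORRECT_ORDER = [no_nat, to_null]
MISORDERED = [to_null, no_nat]   # the mistake the article warns against
```

With the rules in the correct order only the branch-office address reaches port 3400; with the NULL rule on top the genuine RED traffic is swallowed as well, which is what ruleset_is_sane detects.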