Sophos UTM and Unifi

Hi all,

I'm considering installing Sophos UTM at my business. I currently have a Unifi setup: Fibre Modem --> Unifi USG --> Unifi Switch --> Unifi APs.

I have a few questions about the install. Firstly, do I install the UTM between the fibre modem and the USG, or between the USG and the switch? The main reason for using Sophos UTM is to fill in the gaps that the Unifi USG can't do, mainly keeping records of MAC addresses and websites visited, and web filtering. My plan was to use it in transparent mode. I understand the issue with using it to record HTTPS, as I will need to install a custom cert, which is fine, or live with the HTTPS cert errors.

Also, I have 4 VLANs set up, so if I was to put the UTM between the USG and the switch, will the UTM pass all the VLANs, i.e. trunking?

My other idea was to use the UTM as a VPN server; currently the Unifi one is very buggy. So ideally the UTM will need to be installed between the fibre modem and the USG. If so, does the UTM support PPPoE?

And finally, to test the system I will be using an old Intel i3 3220 and a 4-port Intel NIC. Will this be OK for web filtering/reporting and VPN? I'm not too concerned about AV and IPS; maybe I can look at this another time. My line connection is currently 100/20 with the option to upgrade to 300/30.

Sorry for all the questions.

  • I wrote this a while back and submitted it for the Wiki, but it never made it in. I hope it helps you understand the four common options, although you seem to introduce a fifth option which I did not consider: placing UTM in front of the previous firewall. My comments are general; the other replies have addressed particulars, such as the limitations when using PPPoE to your ISP.


    Options for deploying UTM into your Network

    When UTM is added to a network with an existing firewall, it can be configured in several ways. Each option has an impact on the available defenses and on the complexity of implementation.

    1. As a node added anywhere on the internal network, behind the existing firewall, but separate from the existing firewall.
      1. Limitations: Transparent Web Proxy, Transparent FTP, Transparent POP3, and Firewall Rules are not usable because traffic does not flow through the device on its way to the internet. Transparent Web and FTP are important for ensuring complete protection from web-based threats.
      2. Security Risks: Loss of protection from the unusable features.
      3. Implementation: Nothing in the existing network is disrupted. Traffic is routed to UTM by configuring Standard Web Proxy, WAF, SMTP Proxy, WebAdmin, VPN, and User Portal incrementally.
    2. Immediately behind the existing firewall in bridged mode.
      1. Limitations: QoS does not work on a bridged connection. Transparent Web Proxy with AD SSO will be unusable, because it will conflict with User Portal operating on the same IP Address and Port. This can be avoided if you are willing to operate the User Portal on a non-standard port, but doing so may limit users' ability to connect to the portal from some remote locations. https://community.sophos.com/kb/en-us/121221
      2. Security Risks: Loss of protection from the unusable features.
      3. Implementation: Although it is somewhat complex to configure the UTM bridge, the new configuration is transparent to existing traffic.
    3. Immediately behind the existing firewall, in routed mode.
      1. Limitations: This configuration should permit use of all features.
      2. Security Risks: None identified, because the existing firewall should block unneeded ports. If implementing intermediate-risk zones, such as DMZ or Guest WiFi, the risks and limitations depend on whether the intermediate zone is configured on the firewall or the UTM. If configured on the UTM, the risks and defensive measures are the same as explained in the firewall replacement option.
      3. Implementation: This can be a difficult way to insert UTM into an existing network, because of the need to configure UTM and firewall settings at the same time.
    4. Replace the existing firewall.
      1. Limitations: This configuration should permit use of all features.
      2. Security Risks: Failure to understand the UTM architecture, leading to unexpected openings on the internet.
        1. Create a DNAT to NULL entry for internet traffic to port 3400 for all internet-facing IP addresses. This port is opened on all interfaces and addresses when RED is enabled, but is not needed for internet-facing addresses. https://community.sophos.com/kb/en-us/126989
        2. Create a DNAT to NULL rule for internet traffic to ports 25, 465, and 587, for any internet IP addresses which are not intended for this purpose. When SMTP proxy is enabled, it opens these ports on all interfaces and addresses. Because the proxy will protect all incoming traffic, it is not actually a security risk, but it tends to be flagged by security scanning services. If SMTP authenticated submission is not needed, 465 and 587 may be appropriate to DNAT-to-Null on all UTM IP Addresses.
        3. A Filter Profile-Policy-Filter Action set may be needed for web traffic originating in an intermediate-trust zone such as a DMZ or Guest WiFi subnet. In these cases, it is appropriate to enable the Web Proxy to protect traffic heading to the internet, but block traffic destined for any IP address or DNS name that represents an internal destination. This is needed because traffic from a DMZ to an internal destination, if allowed at all, should flow through the protective filter of a WAF site. Both IP Address and DNS Name blocks can be configured in the Websites section of a Filter Action.
      3. Implementation: Unless the previous firewall configuration was trivial, this approach is difficult because of the need to replicate all configuration settings of the existing firewall at once.

    Changing from any one of these configurations to an alternative is likely to be difficult. Given that the goal should be to enable all protection features, it is recommended to start with one of the last two options.
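A post-deployment check for the DNAT-to-NULL advice in option 4 above, added here as an example and not part of the original thread or of Sophos' own tooling: it probes the internet-facing addresses you list for ports 3400, 25, 465 and 587 and reports anything that still answers, which once the rules are in place should be nothing except port 25 on a designated mail address. The addresses in the block are constructed placeholders; run it from outside your network against your own WAN IPs.

```python
"""Verify that the ports Doug's post says UTM opens on every interface are
not reachable on internet-facing addresses. Added example; the IPs are
constructed placeholders, not values from the thread."""
import socket

# Port 3400 is opened everywhere when RED is enabled; 25/465/587 are opened
# everywhere when the SMTP proxy is enabled. All should be DNAT-to-NULL on
# WAN addresses, except 25 on addresses that deliberately receive mail.
EXPOSURE_PORTS = {
    3400: "RED provisioning listener (DNAT to NULL on all WAN addresses)",
    25: "SMTP proxy (allowed only on designated mail addresses)",
    465: "SMTP proxy, SMTPS submission",
    587: "SMTP proxy, SMTP submission",
}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake completes; a DNAT-to-NULL rule makes this fail."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposures(hosts, mx_hosts=(), probe=tcp_open):
    """Return (host, port, reason) for every listener that should be closed.

    `probe` is injectable so the decision logic can be exercised without
    network access; by default it performs a real TCP connect.
    """
    findings = []
    for host in hosts:
        for port, reason in EXPOSURE_PORTS.items():
            if port == 25 and host in mx_hosts:
                continue  # mail is meant to arrive here; the SMTP proxy fronts it
            if probe(host, port):
                findings.append((host, port, reason))
    return findings


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your own WAN IPs.
    wan_ips = ["203.0.113.10", "203.0.113.11"]
    exposures = find_exposures(wan_ips, mx_hosts=["203.0.113.11"])
    for host, port, reason in exposures:
        print(f"OPEN {host}:{port} - {reason}")
    print("no unexpected listeners" if not exposures else f"{len(exposures)} to fix")
```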


  • Doug's Options for deploying UTM into your Network is now in the Wiki.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA