
Forbid access from / for a specific network / subnet

Hi Guys,

This time I have a really strange situation and hope for your help / a good idea.

Situation:

I have a subnet which should only be able to connect using VPN. So I created the VPN via Remote Access SSL and disabled the firewall rule (DNS, web surfing). I tried to connect to the Internet and, to my surprise, it still works. Then I tried to disable this network completely and disabled (for testing) the masquerading rule, but it still works (Internet access). And now I tried to create a network rule which forbids all traffic from this subnet and, as you may guess, it still works -> confused.

Maybe someone has an idea of what is going wrong here?

No masquerading rule, nothing that allows the traffic through the firewall, and even a rule in the firewall to block all traffic from this network -> but still Internet access. I'm confused.



  • On your VPN Profile, you configure an Allowed Networks list. Traffic for those destinations goes through the VPN tunnel, and everything else is handled by the PC's network connection. I think this is the reason for your symptoms. It is also probably all that needs to be done for your scenario. This is called split-tunnel VPN.

    An alternative is for the VPN Profile to allow all networks, to create a full-tunnel VPN. This forces all network traffic to flow to the UTM, which means that you need configuration rules to block whatever needs blocking. UTM has a unique architecture: traffic which goes through a proxy bypasses the firewall rules. That is why this configuration is more complicated.

    To illustrate:

    Assume your SSL VPN traffic arrives on 10.10.10.0/24 and is only supposed to have access to 192.168.10.0/24, but your entire network uses many subnets within 192.168.0.0/16. VPN access to the Internet should also be blocked.

    Firewall Rules

    1. ALLOW traffic from 10.10.10.0/24 to 192.168.10.0/24 port ANY.
    2. BLOCK traffic from 10.10.10.0/24 to ANY port ANY.

    Web Proxy, FTP Proxy, POP3 proxy, etc

    • Ensure that 10.10.10.0/24 is not within the Allowed Networks range of any Filter Profile, OR
    • Create a Filter Profile for 10.10.10.0/24 which is linked to a policy and a Filter Action that blocks everything, then give it precedence over any Filter Profile that includes 10.10.10.0/24 in a larger network range.

    WAF

    • Use Access Control on Site Path Routing to prevent access from the VPN subnet
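As an added illustration (not from the original thread and not Sophos code), here is a small Python model of the evaluation order Douglas describes: a transparent web proxy takes the flow before the packet filter sees it, so the BLOCK rule only bites when the source network is absent from every Filter Profile's Allowed Networks. The addresses and the two firewall rules are the hypothetical ones from the post; the intercepted ports (80/443), the implicit default drop, and the over-broad 10.0.0.0/8 allowed range are assumptions made for the example.

```python
"""Simplified model of "proxied traffic bypasses the firewall rules".

Added illustration, not Sophos code. It models a transparent web proxy that
intercepts HTTP/HTTPS from its Allowed Networks before the packet filter
sees the traffic, so a BLOCK rule in the firewall never applies to it.
Addresses and rules are the hypothetical ones from the post.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional, Set


class Rule(NamedTuple):
    action: str            # "ALLOW" or "BLOCK"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]    # None means ANY


VPN_POOL = ip_network("10.10.10.0/24")
PERMITTED_LAN = ip_network("192.168.10.0/24")
ANY = ip_network("0.0.0.0/0")

# Firewall rules 1 and 2 from the post, evaluated top-down, first match wins.
FIREWALL_RULES: List[Rule] = [
    Rule("ALLOW", VPN_POOL, PERMITTED_LAN, None),
    Rule("BLOCK", VPN_POOL, ANY, None),
]

# Ports the transparent web proxy is assumed to intercept (assumption).
PROXY_PORTS: Set[int] = {80, 443}


def proxy_intercepts(src: IPv4Address, dport: int, allowed: List[IPv4Network]) -> bool:
    """The proxy grabs the flow if the port matches and the source is in its Allowed Networks."""
    return dport in PROXY_PORTS and any(src in net for net in allowed)


def firewall_decision(src: IPv4Address, dst: IPv4Address, dport: int, rules: List[Rule]) -> str:
    """First-match packet filter; implicit drop when nothing matches (assumed default)."""
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, dport):
            return rule.action
    return "BLOCK"


def decide(src: str, dst: str, dport: int,
           proxy_allowed: List[IPv4Network],
           rules: List[Rule] = FIREWALL_RULES) -> str:
    """Return PROXY, ALLOW or BLOCK for one flow, proxy consulted before the firewall."""
    s, d = ip_address(src), ip_address(dst)
    if proxy_intercepts(s, dport, proxy_allowed):
        return "PROXY"   # handled by the web filter's own policy; firewall rules are not consulted
    return firewall_decision(s, d, dport, rules)


# The misconfiguration the thread is chasing: a Filter Profile whose Allowed Networks
# covers the VPN pool, here through an over-broad 10.0.0.0/8 entry (constructed example).
LEAKY_PROXY_ALLOWED = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
# Corrected: the VPN pool is no longer inside any proxy Allowed Networks range.
TIGHT_PROXY_ALLOWED = [ip_network("192.168.0.0/16")]

if __name__ == "__main__":
    for label, allowed in (("leaky", LEAKY_PROXY_ALLOWED), ("tight", TIGHT_PROXY_ALLOWED)):
        print(label, "10.10.10.5 -> 203.0.113.10:443 =",
              decide("10.10.10.5", "203.0.113.10", 443, allowed))
    print("10.10.10.5 -> 192.168.10.20:22 =", decide("10.10.10.5", "192.168.10.20", 22, TIGHT_PROXY_ALLOWED))
    print("10.10.10.5 -> 192.168.20.20:22 =", decide("10.10.10.5", "192.168.20.20", 22, TIGHT_PROXY_ALLOWED))
```

With the leaky profile, web traffic from the VPN pool to the Internet comes back as PROXY even though rule 2 says BLOCK; only non-proxied ports (DNS, SSH) reach the firewall and get dropped. Removing the pool from the proxy's Allowed Networks, or giving it a blocking Filter Profile of its own, is what makes the firewall rule visible again, which is the same check Bob later asks about when he wonders whether the VPN pool sits in a Web Filtering profile's Allowed Networks.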
  • I am not a fan of full tunnel mode. It prevents the client PC from printing a local file to a local printer if the printer connection uses TCP/IP.

    An argument for full tunnel is that it prevents the PC from creating an unfiltered pipeline from bad guys on the Internet, through the client PC, then into your network; forcing the traffic through the tunnel ensures that everything goes through your corporate filters.

    My opinion is that we need to worry about an infected client PC, whether or not it has access to its command-and-control server. So I limit the VPN clients to web and terminal emulation protocols. As long as the terminal emulation does not allow file redirection, it should be impossible for an infected client to harm your network.

  • Hi Douglas,

    thanks for the precise answer.

    Regarding the VPN -> if I disable it (or is deleting needed?), does this solve the situation (this subnet again has no Internet access)?

    The VPN shouldn't be reachable from the Internet, which should solve the problem you describe. Every client in this subnet should need to establish a VPN to the UTM to reach the Internet (or other local subnets); all other traffic should be blocked. How would you realize that? What kind of remote access do you prefer (SSL, ...)?

    Andy

  • If your restricted PCs are already on a subnet that attaches to your PC, you have two network objects to secure:

    • the "Restricted PC without VPN" address range, and
    • the "Restricted PC with VPN" address range.

    Follow the general outline in my previous note to ensure that both the firewall rules and each proxy's Allowed Networks match your requirements.

    For a better background on how UTM works, read the articles in the Wiki section and these additional posts:

    • HOW TO: Understand UTM Port Usage
    • Optimizing web proxy – Lessons Learned
  • DouglasFoster said:
    On your VPN Profile, you configure an Allowed Networks list. Traffic for those destinations goes through the VPN tunnel, and everything else is handled by the PC's network connection. I think this is the reason for your symptoms.

    I disabled it and, as nothing happened, deleted the VPN Profile. Still nothing (access from this subnet to the Internet).

    Still no effect. :-( I rebooted the UTM -> still no effect.

    I created a firewall rule to block all traffic from this subnet -> no effect.

    I disabled masquerading for this subnet -> no effect.


    Thanks for your suggestions on the VPN, but I want to solve this first.

  • From a PC connected via VPN, do a traceroute. Maybe you are not connected through the UTM.

  • Will try this once my UTM works again.

  • Andreas, it sounds like there might be traffic going via Web Filtering - is the VPN Pool in 'Allowed Networks' for one of your Web Filtering Profiles?

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a German version, originally translated by member hallowach when we did a major revision together in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA