
Do I need a DMZ?

Hi

We have a UTM and at the moment we do not have or need a DMZ.

We have just bought a Pulse Secure appliance that has two network ports, internal and external.

I'm trying to decide the best way to set it up. If I create a new interface with a new IP address range and plug the WAN connection from the Pulse box into that, I can then NAT an IP address to that box. I can block all the ports that I don't need. If I then put the LAN cable from the Pulse Secure box into our core switch, the Pulse Secure box will have access to all internal systems.

However, I'm not sure what benefit this gives me over just setting up NAT straight to the Pulse Secure box that's on the LAN.

Can anyone think of a better way to do it?

  • I will disagree about UTM being a complete replacement for your device.   Nothing in UTM has the features of a Network Access Control system.   If you plan to use NAC, you should continue with implementing the Pulse solution.   I perceive NAC as useful but complex to implement.  If you are not doing NAC, then the question is whether you have all of the features you need in your UTM license.

    If you implement the Pulse solution, here are some things to consider:

    • Will Pulse have its own IP address, or do you need it to share a single IP address with UTM?   
      Sharing the IP Address requires resolving any port conflicts between the two devices.    I have no idea what ports the other device uses, but I have documented everything that I know about UTM port usage in this post:
      https://community.sophos.com/products/unified-threat-management/f/general-discussion/100848/how-to-understand-utm-port-usage
    • The second question is how to position Pulse in a "Logical" network design:   The obvious options are:
      • parallel to the UTM,
      • behind UTM, or
      • in front of UTM.   I doubt that Pulse has enough firewall features for everything to work if it is in front.   
    • Given the other decisions, what wiring scheme do you use for the physical network?


    Two IP address solutions

    • Each device has its own IP address and a full range of available port numbers.
    • There will only be one ISP connection, so you have these options for the physical network configuration:
      • Use a small (probably unmanaged) switch to connect the WAN interfaces of both devices to the ISP.
      • Create a bridge connection for the UTM WAN interface, so that UTM acts as the switch.  Bridges need to be created using spare NICs.
      • Put the Pulse on a DMZ behind UTM and use DNAT to forward Pulse traffic through UTM.   This is roughly identical to the one IP Address solution, but eliminates any concerns about port conflicts.

    One IP address solutions

    • UTM receives all traffic. Pulse traffic (designated ports) will be routed using DNAT from a DMZ interface on UTM to a WAN interface on Pulse.   Assuming that there is a switch behind the UTM, I would connect the internal interface of the Pulse directly to the switch.   Connecting both Pulse interfaces into UTM seems to create unwanted complications.   However, if UTM is acting as your only internal switch, then you have no choice.
    • The internal interface on Pulse should have an MTU of 1380 or less.   This allows the VPN overhead to be added to a packet without exceeding maximum packet size, which results in fragmentation and re-worked encryption.
    • If UTM is used for any VPN functions, the internal interface on UTM should also have an MTU of 1380 or less.

    I favor the two-address solution, with parallel wiring, because it eliminates NAT-Traversal issues for the VPN packets.
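The MTU figure given above (1380 or less) comes from VPN encapsulation overhead. As an added example, not part of the thread and not Pulse or UTM code, the POSIX shell function below computes how large an inner packet can be before ESP encapsulation pushes the outer packet past the WAN MTU. The header sizes are the standard ESP/IPv4 ones; the 1500-byte WAN link, the cipher parameters and NAT traversal on UDP/4500 are assumptions chosen for illustration. It applies to an ESP (IPsec) transport; a TLS-based VPN session has a different overhead profile and is not modelled here.

```shell
#!/bin/sh
# Added example (not from the thread): how much of the WAN MTU is left for the
# inner packet once ESP wraps it. Field sizes are the standard ESP/IPv4 ones;
# the 1500-byte link and cipher choices used below are assumptions.

# esp_inner_mtu OUTER_MTU NAT_T IV_LEN ICV_LEN BLOCK
#   OUTER_MTU  MTU of the WAN link carrying the tunnel (e.g. 1500)
#   NAT_T      1 if ESP is carried in UDP/4500 (NAT traversal), else 0
#   IV_LEN     cipher IV bytes in the ESP payload (16 for AES-CBC, 8 for AES-GCM)
#   ICV_LEN    integrity tag bytes (12 for HMAC-SHA1-96, 16 for AES-GCM-128)
#   BLOCK      padding alignment (16 for AES-CBC block size, 4 for AES-GCM)
esp_inner_mtu() {
    outer=$1 nat_t=$2 iv=$3 icv=$4 block=$5
    ipv4_hdr=20     # outer IPv4 header without options (40 for IPv6)
    esp_hdr=8       # SPI (4) + sequence number (4)
    trailer=2       # pad length (1) + next header (1)
    avail=$(( outer - ipv4_hdr - esp_hdr - iv - icv ))
    [ "$nat_t" -eq 1 ] && avail=$(( avail - 8 ))   # UDP header for NAT-T
    # inner packet + trailer must be a multiple of BLOCK; round down
    echo $(( (avail / block) * block - trailer ))
}

# mtu_fits IFACE_MTU OUTER_MTU NAT_T IV_LEN ICV_LEN BLOCK
# Prints "yes" if an interface MTU of IFACE_MTU never needs fragmentation
# after ESP encapsulation, "no" otherwise.
mtu_fits() {
    [ "$1" -le "$(esp_inner_mtu "$2" "$3" "$4" "$5" "$6")" ] && echo yes || echo no
}

# Worked numbers for an assumed 1500-byte WAN link
printf 'AES-CBC + HMAC-SHA1-96, NAT-T:    inner MTU %s\n' "$(esp_inner_mtu 1500 1 16 12 16)"
printf 'AES-CBC + HMAC-SHA1-96, no NAT-T: inner MTU %s\n' "$(esp_inner_mtu 1500 0 16 12 16)"
printf 'AES-GCM-128, NAT-T:               inner MTU %s\n' "$(esp_inner_mtu 1500 1 8 16 4)"
printf 'Does 1380 fit behind NAT-T?       %s\n' "$(mtu_fits 1380 1500 1 16 12 16)"
```

For AES-CBC with HMAC-SHA1-96 behind NAT-T on a 1500-byte link the function returns 1422, so the 1380 recommended in the post leaves headroom for things this calculation does not include: a PPPoE link with a 1492-byte MTU, an IPv6 outer header (40 bytes instead of 20), or a longer integrity tag. Check the number against your own ISP link and the cipher suite the VPN actually negotiates rather than assuming 1500.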

  • Wow thanks

    We have a few spare WAN IP addresses, so my plan was to give the Pulse box a dedicated WAN IP address. We already have a WAN switch to allow us to split traffic to the 2 UTMs we have.

    I agree that I'm not sure I trust the Pulse to be straight on the WAN.

    My plan was to set up two network interfaces on the UTM: Pulse-Internal and Pulse-External.

    I will point one of our additional IP addresses at the new Pulse-External interface. This will have the external port on the Pulse plugged into it.

    If my understanding is correct, that will make all traffic on that IP go to the Pulse box. I don't think I will need any NAT rules for this. I was then going to set up a firewall rule to only allow ports 80 and 443, making the Pulse box only accessible on that IP and for those ports.

    My next step was to connect the Pulse internal port to the UTM's Pulse-Internal interface. The Pulse box will have a static IP and subnet in the same range as the UTM Pulse interface.

    I thought I can then set up a firewall rule from the Pulse Secure's internal IP to our internal network. Again, this will probably only allow web traffic. If I'm honest, I do not know if I need any NAT rules for this.

    Does this make sense?

    Am I wrong?

  • I understand now that your question involves some theoretical questions that need to be addressed before the practical ones.

    1) Is Pulse safe to use directly connected to the Internet?

    I have never seen or heard of the product before this discussion, but since you characterize it as a VPN remote access solution, I have to conclude that it is designed to operate at the network perimeter as a specialized type of firewall.   I am assuming that it has a WAN (External) interface for accepting connections, and a LAN interface for providing access to resources after a connection is established.

    General principles for device security:   

    • make sure that you understand how the product works,
    • use that knowledge to ensure that it is configured correctly,
    • make sure that it is fully patched,
    • make sure that it can only be managed from devices on the Internal interface, and
    • only enable functions that you actually need to use.

    These principles also apply to UTM.  UTM has an unusual architecture, because it is directionless, so you have to teach it "internal" and "external" by the way you configure each function.   I don't think the product documentation provides enough guidance in this area.  Read the articles in the Wiki section of the forum, the article on "how to understand UTM port usage", and generally any article that is pinned to the top of one of the "forum" topic areas.

    Then read the documentation on the other product as well. 

    2) Can UTM help make Pulse more secure?

    Maybe.  UTM is not a magic disinfectant, it provides specific strategies for defending against specific types of threats.    Any network connection involves these components and processing stages:

    • a server process opens a "port" to listen for incoming connections of a particular type, in this example VPN Client connections.   UTM supports multiple VPN Client connection methods (protocols), and the Pulse device may do the same. 
    • a client sends a packet to that port to ask for a connection.
    • For VPN and many other protocols, the client and server go through an authentication process to decide whether to establish the session.
    • The session is established and the devices communicate using the selected protocol.
    • The session is closed and both devices say good-bye.

    With this framework, we can talk about how we can defend against attacks:

    • Phony replies:  A stateful firewall keeps track of packets so that it can distinguish between new connections and connections that are part of an existing conversation.   This ensures that the connection setup process is not bypassed.   Anything designed for remote access will have this capability.

    • IP Address Filtering / Country Blocking:   You can reduce your attack surface by deciding that you only accept connections from certain Source IP addresses.   If all of your users are local, do you need to accept connections from a different continent?  We block remote access from foreign countries.   When an employee travels overseas, they notify us of their current IP address and we allow remote access from that address only.   If they are in a different hotel every day, this is inconvenient for them but much safer for us.   UTM makes IP Address blocking fairly easy with the Country Blocking features.  However, Country Blocking applies to all types of connections, so you need to think through what exceptions may be needed before enabling a block.

    • You can protect against authentication attacks by using 2-Factor Authentication (2FA).    If you take credit cards, the PCI DSS standards say that you must use 2FA for all remote access, and they are correct because there are a lot of password guessing attackers on the internet.  UTM provides the OTP functions for its own services, and supports the separately-purchased DUO product, which operates as a RADIUS authentication server, if you want a 2FA product that supports both UTM and other vendors.    I do not think you will be able to put UTM authentication in front of the Pulse device, so I think you will need 2FA support in your Pulse configuration.   Pulse may need you to purchase a product like DUO to achieve 2FA.  

    • At any point in the conversation, an attacker may attempt to confuse the other device using a protocol violation.  "If I send 1000 Chinese characters when the other end is expecting a 3-digit number, can I cause something to crash and give me unintended capabilities?"   Each device will do some protocol checking, and patching helps to prevent these types of attacks from being successful.  The UTM Intrusion Protection System (IPS) is an added layer that looks for packets associated with something like 20,000 known attacks of this type.   Checking every packet for every known exploit can add a lot of overhead, so Sophos suggests tuning the subsystem so that it only checks attacks against the specific types of things that exist on your network.   They also suggest that old attacks probably do not matter because the targeted configurations should have been retired or patched.   There is a limited amount of checking that can be done on an encrypted VPN session, but IPS may be useful for integrity checking during session setup. 

    So you might benefit from having UTM in front of Pulse if you enable Country Blocking (or some other rules based on source IP address) and IPS.   For configuration purposes, this means:

    • The Pulse "internet" address is actually implemented as an additional address on UTM's WAN interface.  This is what users will configure on their laptop, but this address is never configured into the Pulse device.
    • The Pulse WAN interface connects to UTM on a dedicated "DMZ" interface, and 172.16.x.x was suggested as the numbering scheme for this subnet.
    • UTM NAT is used to convert the incoming Internet address to the DMZ address.
    • UTM Firewall rules are used to block access to any port on the Pulse address other than the ones that the Pulse device actually uses.
    • Pulse VPN is configured for NAT-Traversal, so that it is not confused by the address translation.
    • UTM Country Blocking and IPS provide some additional protection (assuming that this is more than what Pulse provides)

    Note:   you still need to carefully configure the Pulse VPN user capabilities so that you do not provide access to internal resources that are not needed by the user.

    If you cannot configure 2FA on the Pulse device, then you should abandon the product.   2FA is more important than NAC.
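The "one public address, DNAT to a DMZ" design in the configuration list above, as an added example that is not part of the thread and is not a Sophos UTM configuration: the same logical design expressed as an nftables ruleset for a Linux firewall, generated by a shell function so the moving parts (public address held by the firewall, DNAT to the DMZ leg for the listening ports only, default-drop forwarding, management from the LAN only) are visible in one place. It models the variant where the Pulse internal port also goes back into the firewall on its own interface, since that is the variant a firewall ruleset can control. Every interface name, address and port is an assumption; the 172.16.x.x DMZ numbering follows the suggestion in the post, and the listening port list must be taken from the Pulse documentation rather than from here.

```shell
#!/bin/sh
# Added example (not from the thread, not a UTM config): the DNAT-to-DMZ design
# as an nftables ruleset. Interfaces, addresses and ports are assumptions.
WAN_IF=${WAN_IF:-eth0}        # ISP side, holds the firewall's public addresses
DMZ_IF=${DMZ_IF:-eth1}        # Pulse external port lives here
PINT_IF=${PINT_IF:-eth3}      # Pulse internal port lives here
LAN_IF=${LAN_IF:-eth2}        # internal network
PULSE_PUBLIC=${PULSE_PUBLIC:-203.0.113.10}   # extra public IP; never configured on Pulse
PULSE_DMZ=${PULSE_DMZ:-172.16.10.2}          # Pulse external port address
PULSE_INT=${PULSE_INT:-172.16.20.2}          # Pulse internal port address
LAN_NET=${LAN_NET:-192.168.1.0/24}
PULSE_PORTS=${PULSE_PORTS:-443}              # ports Pulse listens on (assumed; check its docs)
LAN_PORTS=${LAN_PORTS:-443}                  # what VPN users may reach on the LAN (assumed)
ADMIN_PORTS=${ADMIN_PORTS:-22, 4444}         # firewall management ports (assumed)

# Emit the ruleset on stdout; nothing is loaded into the kernel here.
pulse_ruleset() {
cat <<EOF
flush ruleset
table inet pulse {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # users connect to the public address; only the listening ports are translated
        iif "$WAN_IF" ip daddr $PULSE_PUBLIC tcp dport { $PULSE_PORTS } dnat ip to $PULSE_DMZ
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # internet -> Pulse external port: the DNATed ports and nothing else
        iif "$WAN_IF" oif "$DMZ_IF" ip daddr $PULSE_DMZ tcp dport { $PULSE_PORTS } accept
        # Pulse internal port -> LAN: only what VPN users actually need
        iif "$PINT_IF" oif "$LAN_IF" ip saddr $PULSE_INT ip daddr $LAN_NET tcp dport { $LAN_PORTS } accept
        # LAN -> internet as before
        iif "$LAN_IF" oif "$WAN_IF" accept
        # DMZ leg -> LAN, DMZ leg -> internet, LAN -> DMZ legs: dropped by the chain policy
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        icmp type echo-request accept
        # the firewall is managed from the LAN only; neither Pulse leg can reach it
        iif "$LAN_IF" tcp dport { $ADMIN_PORTS } accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # replies to DNATed sessions are reverse-translated by conntrack automatically
        oif "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Write the ruleset to a file and, when nft is installed, syntax-check it
# without loading it (nft -c). Usage: check_ruleset /tmp/pulse.nft
check_ruleset() {
    out=${1:-/tmp/pulse.nft}
    pulse_ruleset > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    else
        echo "nft not found; ruleset written to $out"
    fi
}
```

Two things the ruleset deliberately does not do, matching the post's advice: the Pulse DMZ leg gets no outbound access to the internet or the LAN, so anything Pulse needs for its own operation (DNS, NTP, updates, an authentication server for 2FA) has to be opened explicitly per port and destination; and the Pulse internal leg is restricted to the listed LAN ports, which is the network-side backstop for the note about limiting VPN user capabilities on the Pulse device itself. Load it with `nft -f /tmp/pulse.nft` only after `nft -c` accepts it and after confirming the forward rules cover your management path.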

  • Can I ask two things?

    1) When you set up the additional address you can set the "On Interface". If I select the DMZ, do I need to put NAT rules in to send traffic to the DMZ?

    2) Would you connect the internal interface on the Pulse box straight into the LAN, or should that go back into the firewall?

    Many thanks
