Block access between internal networks but give them full access to the internet

Let's say I have 3 internal networks:
- Company-A
- Company-B
- Guest

There are two companies who share the network infrastructure, plus an additional guest network.

The goal is to block/limit access between those networks but give them full access to the internet outside.
Currently I solved that with the following set of rules:

Action   Source                          Service       Destination
ACCEPT   Company-B                       DNS           Company-A               (give access to the DNS server of Company A)
DENY     Company-B                       AnyServices   Company-A & Guest
DENY     Company-A                       AnyServices   Company-B & Guest
DENY     Guest                           AnyServices   Company-A & Company-B
ACCEPT   Company-A & Company-B & Guest   AnyServices   AnyDestination

This setup actually works.

I'm just curious if this is the only method to solve this or if there is a cleaner way.
For example would it be possible to define a destination group which includes the whole internet but excludes all internal networks?

  • Hi, Chris, and welcome to the UTM Community!

    "a destination group which includes the whole internet but excludes all internal networks"

    In fact this is the "Internet" object, so you need to deny nothing and you can do all of the above, except DNS, with one rule:

    {Company A, Company B, Company C} -> {Services} -> Internet : Allow

    Normally, I would recommend sticking to DNS best practice, and you should do all of those things for company A, including Company B in step 1.  I would use Ian's suggestion and not give Company B access to Company A's DNS.  Do not allow the guests access to the UTM's DNS, rather force them to use the public OpenDNS or Google servers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
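    To make the comparison in this exchange concrete, here is an added example (not code from the thread, from Bob, or from Sophos): a small Python model of first-match rule evaluation that runs the opening post's five rules and the single "Internet"-object rule over the same sample flows. The address plans, the DNS server address 10.1.0.53 and the flows are all constructed; the thread gives none of them.

```python
# Added example (not from the thread or from Sophos): a toy first-match rule evaluator
# that compares the original five-rule set with the single "Internet"-object rule.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed address plans for the three tenant networks; the thread gives none.
NETWORKS = {
    "Company-A": ipaddress.ip_network("10.1.0.0/16"),
    "Company-B": ipaddress.ip_network("10.2.0.0/16"),
    "Guest":     ipaddress.ip_network("192.168.50.0/24"),
}
COMPANY_A_DNS = ipaddress.ip_address("10.1.0.53")  # constructed DNS server address


def is_internet(addr: ipaddress.IPv4Address) -> bool:
    """Model of the UTM 'Internet' object: any address outside every internal network."""
    return not any(addr in net for net in NETWORKS.values())


def in_networks(names: List[str]) -> Callable[[ipaddress.IPv4Address], bool]:
    """Destination predicate for a group of named internal networks."""
    nets = [NETWORKS[n] for n in names]
    return lambda addr: any(addr in net for net in nets)


@dataclass
class Rule:
    action: str                                            # "ACCEPT" or "DENY"
    sources: Set[str]                                      # names of source networks
    service: str                                           # "DNS" or "Any"
    destination: Callable[[ipaddress.IPv4Address], bool]   # predicate on destination


ALL_TENANTS = {"Company-A", "Company-B", "Guest"}

# The rule set from the opening post, in the order given there.
ORIGINAL_RULES = [
    Rule("ACCEPT", {"Company-B"}, "DNS", lambda a: a == COMPANY_A_DNS),
    Rule("DENY",   {"Company-B"}, "Any", in_networks(["Company-A", "Guest"])),
    Rule("DENY",   {"Company-A"}, "Any", in_networks(["Company-B", "Guest"])),
    Rule("DENY",   {"Guest"},     "Any", in_networks(["Company-A", "Company-B"])),
    Rule("ACCEPT", ALL_TENANTS,   "Any", lambda a: True),
]

# Bob's single rule: tenants -> Internet : Allow; everything else hits the default deny.
INTERNET_ONLY_RULES = [
    Rule("ACCEPT", ALL_TENANTS, "Any", is_internet),
]

# Same, plus the one DNS exception the opening post wanted to keep.
INTERNET_PLUS_DNS_RULES = [
    Rule("ACCEPT", {"Company-B"}, "DNS", lambda a: a == COMPANY_A_DNS),
] + INTERNET_ONLY_RULES


def source_network(addr: ipaddress.IPv4Address) -> str:
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> str:
    """First matching rule wins; no match means the implicit default DENY."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = source_network(src_ip)
    for rule in rules:
        if (src_net in rule.sources
                and rule.service in ("Any", service)
                and rule.destination(dst_ip)):
            return rule.action
    return "DENY"


# Constructed sample flows; 203.0.113.10 is a documentation address standing in for "the internet".
FLOWS: List[Tuple[str, str, str]] = [
    ("10.2.0.10",    "10.1.0.53",    "DNS"),    # Company-B -> Company-A DNS
    ("10.2.0.10",    "10.1.0.20",    "HTTP"),   # Company-B -> Company-A host
    ("10.1.0.20",    "192.168.50.5", "HTTP"),   # Company-A -> Guest
    ("192.168.50.5", "10.2.0.10",    "HTTP"),   # Guest -> Company-B
    ("192.168.50.5", "203.0.113.10", "HTTP"),   # Guest -> internet
    ("10.1.0.20",    "203.0.113.10", "HTTPS"),  # Company-A -> internet
]


def compare(rules_a: List[Rule], rules_b: List[Rule], flows=FLOWS):
    """Return the flows on which two rule sets disagree."""
    return [f for f in flows if evaluate(rules_a, *f) != evaluate(rules_b, *f)]


if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, evaluate(ORIGINAL_RULES, *flow), evaluate(INTERNET_PLUS_DNS_RULES, *flow))
    print("differences:", compare(ORIGINAL_RULES, INTERNET_PLUS_DNS_RULES))
```

    Run it and the only flow on which the five-rule set and the bare "Internet" rule disagree is Company-B's DNS query to Company-A, which is exactly the exception Bob calls out; adding that one ACCEPT in front of the Internet rule makes the two sets agree on every sample flow. Note that this models only the packet-filter rules: traffic picked up by a transparent web proxy never reaches them, which is the situation Bob points to further down the thread when a guest network can still reach internal hosts.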
  • Hi,
    I wasn't aware that there was an "Internet" object - it must have slipped under the radar.
    Now I can simplify the firewall rules.

    I also followed your recommendation not to let other companies/subtenants use the firewall's or the other local company's DNS server. Guests are using the Google DNS servers now, too.

  • Hi,

    I have the same configuration and it does not work.

    My networks are:

           Internal -> access to company resources, 10.240.x.x
           Guest -> Internet only, 192.168.50.0/24

    My policies:

            Any    DENY   Guest
            Guest  ALLOW  Internet
            Guest  DENY   Any

    From Guest it is possible to access Internal, and that is the challenge with this network that I do not understand.

    Internal gets DHCP via a relay to my AD, and for Guest the UTM itself hands it out.

  • You probably have Web Protection active, Manuel.  You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA