by Douglas Foster
Although UTM does not have the concept of security zones, the concept is still useful for planning a security strategy. In a complex environment, one can assume these different security levels, ordered from least-trusted to most-trusted
“Incoming” traffic involves a web client in a less trusted zone connecting to a web server in a more trusted zone. “Outgoing” traffic involves a web client in a more trusted zone connecting to a web server in a less-trusted zone.
The following security design should result:
For the purposes of this document, Web Traffic includes the following:
Proxy Modes can be Transparent or Standard, and UTM provides both HTTP(S) and FTP proxies using both Standard and Transparent modes.
A secure configuration should typically implement both types of proxy. The Standard Mode proxy is preferred, because it provides protection for non-standard ports, and permits a better implementation of https inspection. The Transparent Mode proxy is needed to protect devices and applications that cannot or will not honor Standard Proxy configuration, including infected devices that are deliberately trying to bypass the proxy. Transparent Mode is also useful for detecting devices that have not yet been configured for Standard Proxy.
In most firewall products, Access Control Entries are used to evaluate source and destination together. In UTM, any traffic handled by the proxies will bypass any firewall rules, so source-destination restrictions must be enforced in the proxy configuration. This requires extra care because the proxies implement source filtering and destination filter at different stages of the filtering process. When planning an implementation, consider that traffic can be blocked in multiple ways:
A few sites will be identified for proxy bypass, typically for performance benefits and risk reduction related to traffic with highly-trusted business partners. Some websites will use custom protocols, such as Citrix ICA, and these may need a proxy bypass for technical reasons.
In Standard Mode, bypass rules are configured at the client level, using either a proxy script or a static proxy exception. In Transparent Mode, bypass is configured using the “Transparent Mode Skip List”. If both proxy modes are enabled, then both exception methods must be used to ensure complete proxy bypass.
UTM provides three different methods for filtering FTP traffic, and the issues are slightly different between FTP client programs and web browsers. Browsers will apply the system proxy settings for ftp traffic, while FTP clients must be configured manually. Most FTP Client applications will support multiple proxy methods, including FTP, HTTP, SOCKS4, and SOCKS5. FTP Client applications do not support exceptions, so an automatic configuration (“proxy.pac” or “wpad.dat”) configuration file is not applicable.
Standard mode web proxy provides the best solution for both browser-originated FTP and Client-originated FTP. It provides complete logging of URL, user, IP address, and action taken. It provides the most granular control, is the only method that supports non-standard ports, and is the only method that allows user-specific rules. For browser-originated FTP, my testing indicates that Chrome does not pass NTLM information and does not trigger Basic authentication, so users are prevented from using that browser in FTP mode unless an alternate authentication method is used or an authentication bypass exception is configured. Of course, if authentication bypass is enabled, then user-specific controls are not possible and proxy logging will not include the user information.
The Transparent Mode FTP proxy provides limited functionality for traffic on port 21, and is the only FTP proxy option for use with Transparent-Mode Web Proxy. The Transparent Mode FTP proxy protects the Microsoft FTP client and any others that do not permit proxy configuration. Because the Transparent FTP proxy has limited capabilities, only a single set of actions is configurable, and the settings are applied to all sessions because user authentication is not supported.
The Standard Mode FTP proxy is only supported with FTP clients. If you configure a web browser to use the standard mode FTP proxy, the browser will hang when FTP traffic is attempted. Therefore, Standard Mode FTP proxy is only useful for FTP clients, and those products are better protected by configured Standard Mode Web Proxy. Consequently, I recommend leaving the standard-mode FTP proxy disabled and unused.
To ensure that all FTP traffic is proxied, you will want to use both Standard Mode Web Proxy and Transparent FTP proxy.
UTM uses three primary components to evaluate packets for web filtering, which are evaluated in order: Filter Profile, Policy, and Filter Action. This section explains their relationship to each other and how to configure them correctly and securely.
The first component is the Filter Profile. If you have web filtering enabled, you must have at least one filter profile to define which traffic is processed by the web filter. In a simple environment, there will be typically a single Filter Profile, configured for Transparent Mode and accepting traffic from all Internal IP addresses. You may need additional Filter Profiles for these situations:
Filter Profiles are evaluated in order, from top to bottom as displayed in the user interface. The first match on IP address and mode (IP destination port) determines which Filter Action is used. Consequently, if you have any overlapping network address ranges, the Filter Profile for the more specific IP address ranges should be positioned high in the list, and the larger ranges should be positioned lower in the list. Once a Filter Profile is selected, the lower-ranked Filter Profiles are ignored. If a Filter Profile is matched, firewall rules are bypassed. If no Filter Profile is matched, then firewall rules are applied.
The Filter Profile determines three things: The authentication method that will be used to identify users, whether https inspection will be utilized, and the list of Policies which will be evaluated for traffic that matches the Filter Profile.
After authentication is completed, the user and his group memberships are used to match the user to a Policy. The matching Policy determines the Filter Action that will be used.
Any single policy definition can be enabled or disabled independently for each Filter Action. Consequently, the “IT group” can be configured so that one policy is activated for traffic coming from the “Server” subnet, and a different policy is activated for traffic coming from the “Desktop” subnets.
If a user fails to authenticate by the method specified in the Filter Profile, then his traffic is handled as “Unauthenticated”. (No attempt is made to authenticate the user with a different method using a different Filter Profile.) A Policy definition can also specify how unauthenticated users should be handled, either with an explicit block or with an unauthenticated user policy.
The system-wide “Base” Filter Action is the default when all other configuration options fail. Consequently, it can be cannot be disabled, but it can be configured to specify any desired behavior. The Base Filter action is applied in these circumstances:
The Filter Action determines whether the web request will be allowed or blocked. For each Category, the system administrator specifies whether to Allow, Block, or apply a time Quota. By default, the category and reputation ratings come from a Sophos database, but the Websites tab can be used to create global rules to override the category, the reputation, or both. Within the Filter Action, local overrides can be defined to block or allow specific websites.
The Exceptions tab can be used to modify what security checks are enforced for a particular website. These are global rules which apply to all Filter Profiles, Policies, and Filter Actions. There is no equivalent option within the Filter Action configuration.
UTM has two types of Categories, which are used ambiguously. The website rating system applies a Category from a fixed list of possibilities. In the Websites tab, Category overrides are also chosen from this fixed list. To avoid confusion, it might be best to call these “Sub-Categories”
UTM groups the sub-categories into groups, which are also called Categories, but these should be called Super-Categories. The user can create new Super-Categories, and can move Sub-Categories to a different Super-Category. Unfortunately, the design of the user interface does not ensure that each Sub-Category is assigned to one and only one Super-Category, so the system administrator must be careful. If a sub-category is assigned to zero Super-Categories, or is assigned to multiple Super-Categories with different action rules, the behavior of UTM is unknown but probably undesirable.
Filter Actions are defined based on Super-Categories. If you change the mapping of Sub-Categories to Super-Categories, you should review all of your Filter Actions to ensure that the intended behavior of UTM is still accomplished.
Many businesses use a network-based login system based on Windows PCs and Active Directory. For those devices, the recommended authentication method is Active Directory Single Sign-On (AD SSO). This reliably authenticates the user to the web request, without any login prompts, because major browsers are able to pass NTLM information within the web request. (This process breaks down for https with transparent-mode proxy, which is another reason why standard-mode proxy is preferred.)
These organizations will have several possible exceptions to this general pattern:
When SSO authentication is expected but unsuccessful, then Basic authentication is invoked. The user will see a browser pop-up asking for username and password. These pop-ups tend to confuse users, so use of Basic authentication should be avoided as much as possible.
Understanding the relationship between Filter Profile, Policy, and Filter Action will help you configure UTM proxies effectively. Understanding the capabilities of Standard and Transparent modes will help you use both effectively. Understanding the behavior of these processes will help ensure that you do not create unintended vulnerabilities. The UTM proxy capabilities are very powerful, and it is hoped that this overview helps you configure them successfully on the first try.