Network concept considerations

Question

Hello Sophos Community, 
 I am a Sophos beginner and have questions regarding the options for site connection via REDs or site-to-site VPN, as I have no practical experience here. 
 What are my requirements? 
 
 The idea is to connect 3 locations, whereby several zones/networks/VLANS are to be managed across those locations. Some networks are to exist uniformly across locations. 
 The complete security architecture of the Sophos environment should be active (app control, etc.). 
 It should be possible to manage several zones or alternatively network segments across locations (e.g. SD-RED-60 with VLAN support). 
 
 Simple example of Zones/Networks: 
 
 The alternatives are: 
 
 Implementation with one Firewall and SD-REDs: If I have understood correctly, only the unified mode can be used for REDs so that the security features take effect. However, this has the disadvantage that all traffic, including the WAN, is routed through the single Sophos firewall? 
 In addition, a RED cannot map several zones as administered in the firewall. It can only belong to one zone, right? If so, would you have to use network masking (Host and Networks) in the firewall rules? 
 
 Implementation via site-to-site with multiple firewalls: 
 
 In order to map several zones per location, a firewall would have to be available for each location and these would have to be connected via a site-to-site connection. 
 Is it then possible to administer these firewalls in parallel via Sophos Central with Templates. Or is there a catch? 
 
 About the alternatives: 
 - Is there a disadvantage in terms of firewall rules or security when working with REDs and network masking? - From your experience, what is the better approach, if at all possible, as described? 
 Many thanks in advance

Erick Jan · Accepted Answer

Hi Andreas, 
 Thank you for reaching out to the Sophos Community. For this kind of query, I recommend contacting your Sophos Sales/Partner to consider all the options and requirements for your environment needs.

Raphael Alganes · Answer

Hello Andreas, 
 As Erick suggested above this could be further discussed with your Sophos Sales Engineer or your Sophos Partner. 
 On the other hand, this would be my 0.2 c for this setup: 
 I'll just give my thoughts on your requirements and all other caveats you may further discuss with your SE or partner. 
 1. 
 Andreas Bolz said: The idea is to connect 3 locations, whereby several zones/networks/VLANS are to be managed across those locations. Some networks are to exist uniformly across locations. 
 Is there a pressing reason why you need networks to be uniform across locations? From what I can see (If I'm not mistaken), this is a fresh setup, so why not provide an IP addressing scheme that does not overlap with sites, so it saves you from configuration overhead: 
 Otherwise, you would need to follow these steps on the document guide for each site you deploy: 
 Overlap subnet on SF if you opt for a Sophos Firewall: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNS2sIPsecConnectionRBVPNNATSameSubnets/index.html 
 For RED, if you opt for a RED on the sites: https://support.sophos.com/support/s/article/KB-000035548?language=en_US - Configure LAN and RED devices to be on the same network 
 
 2. 
 Andreas Bolz said: The complete security architecture of the Sophos environment should be active (app control, etc.). 
 If you want to achieve this on RED, you'll need to opt for Standard/Unified deployment. Other deployment types cannot provide this unless you deploy Sophos Firewalls on each site/s respectively. 
 
 3. 
 Andreas Bolz said: It should be possible to manage several zones or alternatively network segments across locations (e.g. SD-RED-60 with VLAN support). 
 -This should be feasible on RED60 you may follow the KBA here: https://support.sophos.com/support/s/article/KB-000038298?language=en_US 
 
 Finally, 
 Andreas Bolz said: - From your experience, what is the better approach, if at all possible, as described? 
 Based on all the discussed requirements above (other caveats not included), what I may initially recommend: 
 
 Opt to create a subnet on sites that do not overlap with each other (unless there's a technical requirement for the setup) - as this saves a bit of configuration overhead 
 Avoid using the 192.168.0 and 192.168.1.0 addressing schemes on your environment 
 Use RED or SF on sites? - I cannot further say at this standpoint as some other details might be needed such as how many users on the network? bandwidth and FW resource on HQ if going down the path of Standard/Unified, how resource extensive their use are (branch)? future expansion, budget. etc. 
 Other details can be further discussed clearly with your Sophos Sales engineer or Partner. 
 
 That being all said, I do hope we provided some insights that could be helpful for your project. 
 Hope you have a nice day and thank you for choosing Sophos. 
 Regards,

Network concept considerations

Top Replies