
Cisco RV Router after Sophos?

I have a fairly new Cisco RV router that cost a decent amount. Can I configure Sophos Home UTM to not perform routing and still use it other than just a switch?

Modem > Sophos Home UTM > Cisco RV Router > LAN

I would also still like to use the Content Blocking and access rules in the Cisco RV along with DHCP. Essentially I just want Sophos Home UTM to be a firewall.

Could I just turn off routing in Sophos Home UTM, connect the LAN on Sophos Home UTM hardware to WAN on Cisco RV and then have Cisco operate as it currently does? I guess it would be a little redundant for multiple firewalls and content filtering but I read that Sophos Home UTM is one of the best firewalls.



  • I am guessing that your Cisco device is also a firewall. If so, I do not recommend double-NAT, so one of the firewall functions should be disabled. I suggest putting the Cisco firewall in front with UTM behind it in bridge mode. See my posts in the Wiki and other posts about UTM port usage.

  • OK thanks, could you explain a little more? My initial thought was that the UTM is a better firewall than the Cisco RV, so that's why I wanted it in front.

    So what would the purpose be for having the Cisco RV Router with Firewall in front of UTM in bridge mode?

    Sounds like option 3 in the Wiki would be the way to go to test a setup like Modem > UTM > Cisco RV > LAN. And if that didn't work just do option 4 and replace.

  • UTM is not a traditional firewall, which is probably why the word "firewall" is not in the product name. It is a series of packetfilters, with the "Firewall Rules" layer being the fallback that is used if none of the other packetfilters are applicable. This creates some complexity for system configuration. To create a global block rule, you need to use a DNAT-to-DeadEnd rule, which is not intuitive. A novice does not know this needs to be done at all, and the experienced user has to work hard to determine which ports need to be blocked using this method. I have tried to document everything I know about UTM port usage and which DNAT rules are needed in my post about "UTM Port Usage". But if you have a firewall in front, you can avoid all of the DNAT-to-DeadEnd mess. Let the firewall do pure firewall processing based on sourceIP&Port-DestinationIP&port. Then let UTM do the sophisticated packet filtering about which traffic is allowed based on reputation and content.

    The hardest part about bridge mode is getting it set up. You need two unused ports to create the bridge, and you need at least one working interface to make the change. This is best done with a laptop connected directly to UTM. For example, if your internal network is on 192.168.*.*, configure your laptop on a port using 10.10.10.*. Once the bridge is established, it looks like any other interface. You give it an IP address and subnet mask, specify the default gateway (the other firewall address) on the bridge interface, and configure static routes for internal network addresses.

  • Thanks. I guess the main reason I was considering UTM (or even something like pfSense) was I was thinking they were more traditional firewalls and/or better firewalls than the firewall in the Cisco RV Router.

    But if UTM was not a better or more secure firewall then I would probably be fine not even implementing it. I was just looking for the best security and firewall to put before the router or replace the router with.

  • On the contrary. UTM is very useful because it can do things that a plain firewall cannot. Web proxy (bad reputation blocking and policy enforcement), APT based on DNS blacklist and IP blacklist, and Intrusion Prevention (hostile packet contents).

    It also does POP3 and SMTP filtering for email, and webserver protection, but home users do not usually need those.

    Very sophisticated except on the rudimentary task of source-destination block/allow rules. It can do them too, but it is more difficult than it should be, so a dumb firewall is useful.

    I do not know the Cisco product or your license for it, so I do not know if yours has any features which may be comparable. I had low expectations because you called it a router, but since it was expensive it may have some of the capabilities.

  • Great stuff thanks. I think UTM sounds like a great option. I am mostly interested in a firewall for security, hack protection etc. and content filtering to block inappropriate websites and YouTube videos, etc. to be used with OpenDNS.

    The Cisco Router really just has a firewall rule to block all incoming connections on the WAN. Basically anything that was not established is blocked by default and you can add rules.

    Does the UTM firewall block all incoming connections out of the box? Where is the best resource for configuring the firewall, block/allow rules etc.?

  • Hi,

    the UTM blocks everything by default, there are NO default rules. You have to build your own rules.

    The easiest rule to get started with is internal network -> any (port) -> any (external site) -> allow -> log then MASQ internal network -> external interface.

    From there you can add extra features like DNS, NTP, web and mail (smtp) proxies, DHCP server, static IP address assignments. You further tighten your outgoing rule by changing the any to selected ports and add functions to the web (http) proxy. Logging on the UTM is very good and helps resolve access issues quickly.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi and welcome to the UTM Community!

    I'm not familiar with the Cisco RV, but my vote is that you sell it.  Like Doug and Ian said, the UTM is more than just a firewall.

    The decision to use the "firewall" terminology in WebAdmin was made, if I recall correctly, after Sophos acquired Astaro.  In the Astaro days, the term used was, as Doug comments, packetfilter.  As Ian says, a firewall should block everything not explicitly allowed, and the UTM does that.

    It is also a "stateful" firewall with a connection tracker, so you don't need to open inbound ports to be able to receive responses to requests allowed outbound.

    With Intrusion Prevention, you are further protected from malicious responses in inbound traffic allowed through by the connection tracker or firewall rules.

    With Application Control, you have next-generation-firewall capabilities that allow you to block, for example, YouTube, but allow Netflix even though they use some of the same ports.

    With Web Filtering, you can block your kids from accessing p0rn and violent sites.

    Etc., etc., etc.

    Yup, the Cisco is just a complication that could be sold now for more than in a few months. [;)]

    Cheers - Bob
    PS See #2 in Rulz.  Also see Doug Foster's READ ME FIRST: UTM Architecture.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
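A small model of what Ian's starter rule (internal network -> any -> allow -> log, then MASQ to the external interface) and Bob's connection-tracker point amount to in practice, added here as an illustration; it is not Sophos UTM code, and the addresses, interface names and ports are constructed assumptions. It shows why a default-deny stateful filter needs no inbound rules for replies, and how tightening "any" to selected ports changes the verdict.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_NET = "192.168.1."   # assumed LAN prefix (constructed sample)
EXTERNAL_IP = "203.0.113.5"   # assumed WAN address (constructed sample)


@dataclass(frozen=True)
class Packet:
    iface: str   # "internal" or "external": the interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    """Default deny with one outbound allow rule, conntrack and masquerading."""
    # None = the starter "internal -> any -> any" rule; a set = the tightened rule
    allowed_dports: Optional[Set[int]] = None
    # NATed outbound 4-tuple -> original (src, sport), i.e. the connection tracker
    conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return (verdict, packet as it would be forwarded)."""
        # 1. Connection tracker: a reply to a tracked outbound flow is accepted and
        #    un-NATed, which is why no inbound port has to be opened for it.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface == "external" and key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            return "ESTABLISHED", Packet("external", pkt.src, pkt.sport, orig_src, orig_sport)
        # 2. The one explicit rule: internal network -> any (or the selected ports)
        #    -> allow -> log, followed by MASQ internal network -> external interface.
        if pkt.iface == "internal" and pkt.src.startswith(INTERNAL_NET) and (
            self.allowed_dports is None or pkt.dport in self.allowed_dports
        ):
            self.log.append(f"ALLOW {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            natted = Packet("internal", EXTERNAL_IP, pkt.sport, pkt.dst, pkt.dport)
            self.conntrack[(EXTERNAL_IP, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return "ALLOW", natted
        # 3. Nothing matched: default deny. This is what drops every unsolicited
        #    inbound connection on the WAN without any global block rule.
        self.log.append(f"DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP", pkt
```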
  • Thanks all. I've installed UTM in a VM and I am testing. Really liking it. I think I will just sell the RV Router.

    So under Network Protection, what are some recommendations out of the box for hardening since I'm getting rid of the RV? Do I need to create global block rules? This Cisco Router by default just blocked all incoming connections from the WAN.

  • The first thing, if you are really worried about security, is do not put the UTM in a VM.

    As I pointed out in an earlier post, the UTM blocks everything by default.

    You can turn on selective country blocking.

    You really need to work out what you are trying to achieve before building rules.

    Ian


  • Got it. Thanks. Yeah the VM is just for testing and to see the capabilities. Really liking UTM so far.

    As far as what to do, well I don't need anything open. So I just want to block everything and maximize security so if that's set by default then I should be good. Aside from that I will enable Country Block, which is a great feature along with content blocking for inappropriate sites etc.

  • Since content providers have servers all over the world, I'm hesitant to block "All" for any but specific countries - rather use the "From" selection.

    When you went through the Installation Wizard, it made some firewall rules for you that you will want to keep in most cases, so you should go look at them.  Also, be sure to read the information in the links I provided in my post yesterday.

    Cheers - Bob

  • Thanks again all! I think this is the best forum ever.

    One of the main reasons I wanted to keep the RV and sort of double firewall was because I was concerned about messing up the UTM configuration or allowing more than the Cisco router firewall does.

    So if I wanted to ditch the RV and get going would this be a good overview to follow? https://techbast.com/2015/03/perform-a-basic-configuration-sophos-utm-in-12-simple-steps.html

    Should I allow all in Step 8?

  • You should never use an "any any" rule; permit just what you need.

    Regards, mod