
Setting up LAB-Network security settings

Hello,

I want to build a lab alongside my productive environment at work. It is imperative though that there can be no access from lab into productive environment, except for RDP. I have an RDP-Manager which I want to use, and my laptop is in the productive network.

What I have done up until now:

- created a Hyper-V-Switch (dedicated port on the server), which connects to an untagged port for VLAN50 on the HP-Switch (VLAN1 for that port is excluded)

- created a dedicated interface on the Sophos, Ethernet VLAN, assigned it VLAN ID 50, and connected that interface to a tagged port on a HP-Switch (VLAN1 for that port also excluded)

- set up a Masquerading Rule, LAB-Network -> Uplink Interfaces

- opened Web and DNS for the LAB-Network

- on my Home-Work Site-to-Site-IPSec-Tunnel I added the LAB-Network, so that I can access it from home too

- I created the following rules in the firewall:

1. Allow: Home-Network / Work-Network -> 3389 -> LAB-Network

2. Drop: Home-Network / Work-Network / LAB-Network -> Any -> Home-Network / Work-Network / LAB-Network

It seems to work.

Is it wrong? Does it make sense? Can it be done better?

Thank you.

  • "It is imperative though that there can be no access from lab into productive environment, except for RDP."

    "1. Allow: Home-Network / Work-Network -> 3389 -> LAB-Network"

    Don't you mean the following?

    1. LAB-Network -> 3389 -> Home-Network / Work-Network : Allow

    The Drop rule is not necessary unless you have rules like 'Home-Network/Work-Network -> ??? -> Any : Allow' instead of 'Home-Network/Work-Network -> ??? -> Internet IPv4 : Allow'.  In fact, a default drop line in the Firewall log contains more problem-solving information than does a logged Drop rule.

    Also, you will want to consider #2 in Rulz.  You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
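    To make the direction question in this exchange concrete, here is an added first-match simulation of the rule set from the original post; it is not code from the post, from Bob, or from Sophos. The subnets, the probe addresses, and the modelling of the UTM "Internet IPv4" definition as "everything outside the three internal networks" are assumptions, and the "Web and DNS" opening is modelled as a plain allow rule although UTM does that through its proxies. It evaluates only the connection-initiating packet, which is what the rules decide on; a stateful firewall admits the reply traffic of an allowed RDP session without a separate rule. The last two rule sets reproduce Bob's point: the explicit Drop rule only changes the outcome when a broad "-> Any" allow exists above it.

```python
"""First-match simulation of the firewall rules discussed in the thread (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample address ranges; the post does not give any subnets.
NETWORKS = {
    "Home-Network": ip_network("10.1.0.0/24"),
    "Work-Network": ip_network("10.2.0.0/24"),
    "LAB-Network": ip_network("10.50.0.0/24"),
}
INTERNAL = ["Home-Network", "Work-Network", "LAB-Network"]


def matches(addr, names):
    """True if addr falls inside any of the named definitions.

    "Any" matches everything. "Internet IPv4" is modelled here (assumption) as
    every address that is not in one of the three internal networks.
    """
    for name in names:
        if name == "Any":
            return True
        if name == "Internet IPv4":
            if not any(addr in net for net in NETWORKS.values()):
                return True
        elif addr in NETWORKS[name]:
            return True
    return False


def evaluate(rules, src, dst, dport):
    """Return (action, rule_name) for the first rule matching the initiating packet.

    Rules are (name, source_names, destination_names, ports_or_None, action).
    If nothing matches, the firewall's implicit default drop applies.
    """
    src, dst = ip_address(src), ip_address(dst)
    for name, srcs, dsts, ports, action in rules:
        if matches(src, srcs) and matches(dst, dsts) and (ports is None or dport in ports):
            return action, name
    return "drop", "default-drop"


def lab_reachable_ports(rules, probe_ports=(22, 53, 80, 443, 445, 3389)):
    """Ports on which a LAB host could open a connection to a Work host under `rules`.

    An isolated lab should return an empty list here.
    """
    return [p for p in probe_ports if evaluate(rules, "10.50.0.5", "10.2.0.10", p)[0] == "allow"]


# The rules as the post lists them, in order.
POSTED_RULES = [
    ("1 allow RDP into LAB", ["Home-Network", "Work-Network"], ["LAB-Network"], {3389}, "allow"),
    ("2 drop inter-network", INTERNAL, INTERNAL, None, "drop"),
    ("web/dns for LAB", ["LAB-Network"], ["Internet IPv4"], {53, 80, 443}, "allow"),  # assumption
]

# The two variants from the reply, each without any explicit Drop rule.
BROAD_ALLOW_NO_DROP = [("work to Any", ["Work-Network"], ["Any"], None, "allow")]
INTERNET_ALLOW_NO_DROP = [("work to Internet", ["Work-Network"], ["Internet IPv4"], None, "allow")]


if __name__ == "__main__":
    probes = [
        ("work laptop RDP -> lab", "10.2.0.10", "10.50.0.5", 3389),
        ("lab RDP -> work laptop", "10.50.0.5", "10.2.0.10", 3389),
        ("lab SMB -> work laptop", "10.50.0.5", "10.2.0.10", 445),
        ("lab HTTPS -> internet", "10.50.0.5", "203.0.113.7", 443),  # constructed public address
    ]
    for label, src, dst, port in probes:
        print(f"{label:28s} {evaluate(POSTED_RULES, src, dst, port)}")
    print("LAB -> Work ports open under posted rules:", lab_reachable_ports(POSTED_RULES))
    print("Work -> LAB 445 with 'Any' allow, no drop:", evaluate(BROAD_ALLOW_NO_DROP, "10.2.0.10", "10.50.0.5", 445))
    print("Work -> LAB 445 with 'Internet IPv4' allow:", evaluate(INTERNET_ALLOW_NO_DROP, "10.2.0.10", "10.50.0.5", 445))
```

    Running it shows why rule order matters: the RDP allow sits above the inter-network drop, so a session initiated from the Work side reaches the lab, while the same port initiated from the lab hits the drop rule. `lab_reachable_ports` is the check worth repeating whenever a rule is added above the drop.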
  • Don't you mean the following?

    1. LAB-Network -> 3389 -> Home-Network / Work-Network : Allow

     

    I want to be able to connect via RDP FROM my productive environment (that's where my management laptop is located) TO my LAB-environment.