
Moving from Managed Firewall to Sophos

We currently have a managed firewall with our ISP, along with external IP addresses that we use.

We are wanting to save money by bringing this in house, but of course this comes with questions and problems, mainly for me....

So I could do with some guidance on how to make sure that I set up the interfaces correctly and that I can get out on the web lol

Currently all traffic goes through the UTM device, such as email (inbound and outbound scanning) and HTTP/S (content filtering).

But also we have servers within the internal network that need access to the internet, so I presume I would need some NAT solution for this, but Virgin call this a security policy change request. I have a copy of the Juniper firewall config but have requested an up-to-date version of this,

And of course still remaining fully protected.

Thanks



  • What packages you bought will help determine what will help you protect better. If you can list those, it will help more.

     

    For example, do you have Web Server Protection? https://community.sophos.com/kb/en-us/120388

    Otherwise, you need to establish a few things: one, why SG? If you just bought, I would go XG. But that is a different topic.

    • You need to set up your LAN, WAN, DMZ and other subnets: Interfaces & Routing -> Interface
      • Since you have email and internet working, I am assuming you have this also. If you do not have a DMZ, pick an interface and configure it out. I would go with a different subnet than your LAN.

     

    • On your WAN interface you need to set the additional addresses: Interfaces & Routing -> Additional Interfaces
      • These are the other external IP addresses you have set up for your servers in your DMZ.

     

    • Now you want to have your servers talk out to the internet, but only for the traffic you want, so you will go to Network Services -> Firewall
      • Here you will select DMZ and allow whatever services or protocols you need your servers to use to talk to the internet with outbound traffic.
        • The rule should be Source DMZ
        • Services (Example) HTTP
        • Destinations (Example) Any
        • Action Allow
        • Time Period Always
        • Check Log Traffic so you can see what is going on.

     

    • Now you also want people to get to your servers; this is where you make NAT rules. Go to Network Protection -> NAT -> NAT
      • Create a new NAT rule and select the position (read about firewall rule position: https://help.f-secure.com/product.html?business/linux-security/11.00/en/concept_65EDE5505E7349878E3E1A3453928A6F-11.00-en)
      • Rule Type DNAT for Destination
      • For traffic from: you can select Any if this is a web server you want anyone to see, or, if this is a specific client you want to access, say, an SFTP server, you would use their IPs.
      • Using service: Example Port 22 for SFTP, or Port 80 & 443 for a Web Server
      • Going to External WAN 
      • Change Destination to: Select your Internal IP in the DMZ for that server
      • Change the Service to: this is if you want to change the port, typically application specific, or if you have changed common ports on the server itself, i.e. DNS from 53 to whatever.
      • Check log initial packets (I would).

    Basically the DNAT will only allow who you want through; you should also have AV running and look into server hardening for DMZ-placed servers based on the OS you are using as well.

    Respectfully, 

     

    Badrobot
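To make the interplay between the outbound firewall rule and the inbound DNAT rules above concrete, here is an added example (written for this thread; it is not Sophos code and not the poster's configuration) that models both rule sets with first-match semantics and runs a few constructed packets through them. The class names (`Packet`, `FirewallRule`, `DnatRule`), the rule names and all addresses (documentation ranges such as 203.0.113.10 for the additional WAN address, 10.10.10.0/24 for the DMZ, 198.51.100.0/24 for the permitted SFTP client) are assumptions for the example. It assumes, as the recipe implies, that DNAT is applied before the firewall lookup, so the allow rules for a published server are written against the internal DMZ address and port rather than the public one; outbound masquerading is not modelled.

```python
"""Constructed model of the DMZ firewall + DNAT recipe from the thread.

Added example, not Sophos code. Rules are evaluated first match wins;
inbound packets are DNAT-translated before the firewall lookup.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class FirewallRule:
    name: str
    sources: tuple        # source networks; () means Any
    services: tuple       # (proto, port) pairs; () means any service
    destinations: tuple   # destination networks; () means Any
    action: str           # "allow" or "drop"


@dataclass(frozen=True)
class DnatRule:
    name: str
    from_nets: tuple      # "For traffic from": () means Any
    services: tuple       # "Using service": (proto, port) pairs
    external: str         # "Going to": the additional WAN address
    internal: str         # "Change destination to": the DMZ host
    new_port: Optional[int] = None   # "Change the service to", if the port differs


def _in_nets(ip: str, nets: tuple) -> bool:
    """True when nets is empty (Any) or ip falls inside one of them."""
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)


def _service_matches(p: Packet, services: tuple) -> bool:
    return not services or (p.proto, p.dport) in services


def apply_dnat(p: Packet, rules: list) -> tuple:
    """Return (translated packet, rule name); first matching rule wins."""
    for r in rules:
        if (p.dst == r.external and _service_matches(p, r.services)
                and _in_nets(p.src, r.from_nets)):
            return replace(p, dst=r.internal, dport=r.new_port or p.dport), r.name
    return p, None


def firewall(p: Packet, rules: list, default: str = "drop") -> tuple:
    """Return (action, rule name); unmatched traffic hits the default policy."""
    for r in rules:
        if (_in_nets(p.src, r.sources) and _in_nets(p.dst, r.destinations)
                and _service_matches(p, r.services)):
            return r.action, r.name
    return default, "default policy"


def evaluate(p: Packet, dnat_rules: list, fw_rules: list) -> dict:
    """DNAT first, then the firewall lookup on the translated packet."""
    translated, dnat_name = apply_dnat(p, dnat_rules)
    action, fw_name = firewall(translated, fw_rules)
    return {"dst": translated.dst, "dport": translated.dport,
            "dnat": dnat_name, "action": action, "rule": fw_name}


# Constructed sample addresses (documentation ranges, not real hosts).
DMZ = "10.10.10.0/24"
WEB_SERVER = "10.10.10.5"
SFTP_SERVER = "10.10.10.6"
WEB_EXTERNAL = "203.0.113.10"      # one of the "additional addresses" on WAN
SFTP_CLIENT = "198.51.100.0/24"    # the only client allowed to reach SFTP
WEB = (("tcp", 80), ("tcp", 443))

DNAT_RULES = [
    DnatRule("Web server DNAT", (), WEB, WEB_EXTERNAL, WEB_SERVER),
    # SFTP is published on 22 but the server listens on 2222 internally.
    DnatRule("SFTP DNAT", (SFTP_CLIENT,), (("tcp", 22),), WEB_EXTERNAL, SFTP_SERVER, new_port=2222),
]

FW_RULES = [
    # Outbound: the DMZ may only talk HTTP/HTTPS to the internet.
    FirewallRule("DMZ web out", (DMZ,), WEB, (), "allow"),
    # Inbound: written against the post-DNAT internal address and port.
    FirewallRule("Inbound to web server", (), WEB, (WEB_SERVER,), "allow"),
    FirewallRule("Inbound SFTP", (SFTP_CLIENT,), (("tcp", 2222),), (SFTP_SERVER,), "allow"),
]


if __name__ == "__main__":
    samples = [
        Packet(WEB_SERVER, "192.0.2.50", "tcp", 443),       # DMZ host browsing out
        Packet(WEB_SERVER, "192.0.2.50", "tcp", 25),        # DMZ host trying SMTP out
        Packet("198.51.100.7", WEB_EXTERNAL, "tcp", 443),   # public visitor to web server
        Packet("192.0.2.9", WEB_EXTERNAL, "tcp", 22),       # stranger trying SFTP
        Packet("198.51.100.7", WEB_EXTERNAL, "tcp", 22),    # the permitted SFTP client
    ]
    for s in samples:
        print(s, "->", evaluate(s, DNAT_RULES, FW_RULES))
```

Running it shows the two points the recipe makes: the DMZ host gets out on 443 but its SMTP attempt falls through to the default drop, and a stranger on port 22 never matches the SFTP DNAT (it is restricted to the named client), so the packet keeps its public destination and is dropped, while the permitted client is translated to the internal host on 2222 and allowed.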

     

  • The biggest issue with migrating to UTM is that its architecture is different from firewalls, because it does not have access control lists based on source-destination pairs. The Sophos documentation (at least at my last check) lacks tutorials, which is especially disappointing given the uniqueness of the product architecture. Consequently, your best bet is to hire a consultant. The downside to consultants is that they tend to do the work without doing the knowledge transfer that enables you to be safe and self-sufficient when they are gone.

    For those who want to implement on their own, or who want to be self-sufficient after the consultant leaves, this forum has tutorials which attempt to provide what the documentation lacks. Start with the Wiki article about architecture, as it is fundamental. There are other articles in the Wiki section. Some other articles are pinned to the top of specific forums.

    With that background, you can ask specific questions to get answers to specific situations.

     

  • You might not be looking for this answer, but in your managed firewall you currently have, you (most likely) also pay for knowledge (both in managing the firewall as in best practices for preventing trouble).

    The questions you ask give me a feeling that at this moment there's not a lot of knowledge inside your organisation about managing and maintaining firewalls in general. The first question you need to answer for yourself is whether or not you trust the current level of knowledge in your organisation enough to set up such a crucial piece of equipment as a (next-gen) firewall.

    I think your best bet might be to get a consultant involved in setting everything up, and select them to not only set everything up but to educate you in the process and have them explain why things are set up the way they are. That might be the best way to get a jump-start into managing your own Sophos environment. At the same time you can start reading in this Sophos community like Douglas suggested.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • It is a shame I can't do a reply to all; I do appreciate all of the comments and suggestions. Just to give a bit more background, I've been using the UTM device in question for some time and I do feel comfortable doing certain things. That being said, I do know I have the support of Sophos at hand should I need it, and I have used it for 1 or 2 things.

     

    I understand that a consultant might be a good option, and in some cases you could be correct; however, when the changeover happens I will have a period of flexi time to get myself up to speed and, should I need it, I will contact Sophos. Maybe I'm overthinking things considering the ownership will be down to myself, but I think I should be OK.

     

    I will add a Visio diagram and give you what I think should be correct, and if there need to be any changes then I will update them.

  • Hi Kev,

    I just looked at your first thread here: were you ever able to deselect Sandstorm in Web Filtering?

    I would still suggest a consultant even with your experience of two years. For example, did you follow The Zeroeth Rule in Rulz?

    If you do decide to use a consultant, be sure to get references to confirm that you can get good answers to what the guys suggested above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA