DMZ change has been requested, how secure is it?

In our environment the use of the DMZ on our UTM is relatively new to our setup. We use UTMs at all of our remote sites that are connected to the internet via VSAT; they are SG210s and SG135s for the most part. In the DMZ is a PC-based web server that reports data back to a cloud service. Everything is working fine. Remote managers can connect to the PC via TeamViewer and all data from the PC is being deposited to the cloud service.

Here is the problem / situation: There have been requests in the upper chain of command that users inside the LAN at each remote site be able to directly access the PC-based website in the DMZ, so they are asking that I open port 80 from my internal LAN to the DMZ (and obviously the reverse as well). I know how to make the changes...

Here's the actual question: How secure would that setup be? Does traffic from the LAN to DMZ (and vice versa) get the same level of packet inspection as WAN traffic? What risks would I be exposed to?

Thanks for your time,

Dave

  • Hi Dave and welcome to the UTM Community!

    I'm confused about your topology.  Could you show a simple diagram including a remote user, remote site, main site, UTM interfaces related to this and representative IPs?  Even a picture of a hand-drawn one would help.

    Are the connections between remote and main sites via a site-to-site VPN?

    How do the remote users reach the website now?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Currently, the PCs cannot connect to the web server. The SG 210 only allows traffic from the Zywall through the DMZ port out to the internet. The SG is set up to reject traffic from the DMZ to internal and also to reject traffic from internal to the DMZ. This web server gathers metrics and forwards them to a cloud-based database. Initially, more than a year ago, there was no thought of any PCs requiring or desiring access to the web server. Within just a few weeks of the project being completed, someone says "Wouldn't it be nice if the PCs could browse directly to the web server..."

    I have no control over the web server nor the Zywall. No one was ever supposed to connect to the web server. Each of these is a standalone site and only reports XML data back to the cloud-based database. No VPNs.

  • Dave, remember that the UTM firewall is stateful, so to enable the PCs to communicate with the servers, you need only allow 'Internal (Network) -> Web Surfing -> {Web Server}' traffic.  It sounds like there are no users from other locations that need similar access. That limits the ports that can go into the DMZ to the Web Server.  No unrequested traffic from the Web Server should be allowed.

    While using WAF would help protect the Web Server, it wouldn't do as much to protect your users as would running this traffic through Web Filtering with SSL scanning enabled.  In which case, you wouldn't need any explicit firewall rules.  See Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

    Cheers - Bob

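To make Bob's stateful-firewall point concrete, here is a small added example (not Sophos UTM code and not posted by anyone in this thread). It models a connection-tracking filter with a default-reject policy and a single rule equivalent to 'Internal (Network) -> Web Surfing -> {Web Server}' on port 80. The networks, addresses and packets are constructed for the illustration. It shows that the server's replies are allowed by state without a reverse rule, that a connection the web server itself opens toward the LAN is still rejected, and that a stray "reply" with no matching connection is also rejected:

```python
"""Toy stateful packet filter: one LAN -> DMZ:80 allow rule, default reject.
This is a simplified model for illustration, not a Sophos UTM implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for one remote site (assumptions, not from the thread).
INTERNAL = ip_network("192.168.10.0/24")    # LAN where the user PCs live
DMZ = ip_network("192.168.20.0/24")          # DMZ behind the UTM
WEB_SERVER = ip_address("192.168.20.10")     # PC-based web server in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for the first packet of a new TCP connection


class StatefulFilter:
    """Rules are (source network, destination host, destination port).
    Anything not matching a rule or an already-accepted flow is rejected."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()   # accepted flows keyed (src, sport, dst, dport)

    @staticmethod
    def _key(src, sport, dst, dport):
        return (src, sport, dst, dport)

    def check(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # Return traffic of an accepted flow: the reverse key is in the table,
        # so no 'DMZ -> Internal' rule is needed for the server's replies.
        if self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ALLOW (established)"
        # Further packets of an accepted flow in the forward direction.
        if self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return "ALLOW (established)"
        # A new connection must match an explicit allow rule.
        if pkt.syn:
            for net, host, port in self.rules:
                if src in net and dst == host and pkt.dport == port:
                    self.conntrack.add(self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return "ALLOW (new, rule)"
        # Default policy: unsolicited traffic in either direction is rejected.
        return "REJECT"


def demo():
    """Run a constructed packet sequence through the filter and return verdicts."""
    fw = StatefulFilter(rules=[(INTERNAL, WEB_SERVER, 80)])
    packets = [
        # 1. LAN PC opens a browser connection to the DMZ web server.
        Packet("192.168.10.5", "192.168.20.10", 51000, 80, syn=True),
        # 2. Web server answers that connection (no reverse rule exists).
        Packet("192.168.20.10", "192.168.10.5", 80, 51000),
        # 3. Web server tries to open its own connection into the LAN.
        Packet("192.168.20.10", "192.168.10.5", 4444, 445, syn=True),
        # 4. LAN PC tries a port the rule does not cover.
        Packet("192.168.10.5", "192.168.20.10", 51001, 22, syn=True),
        # 5. A "reply" from the server to a PC that never connected.
        Packet("192.168.20.10", "192.168.10.7", 80, 51000),
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(demo(), start=1):
        print(f"packet {i}: {verdict}")
```

The model only tracks state; it says nothing about what is inside the HTTP stream, which is why Bob points to Web Filtering with SSL scanning for protecting the users rather than relying on the stateful rule alone.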