
Do I need a DMZ?

Hi

We have a UTM and at the moment we do not have or need a DMZ.

We have just bought a Pulse Secure appliance that has two network ports, internal and external.

I’m trying to decide the best way to set it up. If I create a new interface with a new IP address range and plug the WAN connection from the Pulse box into that, I can then NAT an IP address to that box. I can block all the ports that I don’t need. If I then put the LAN cable from the Pulse Secure box into our core switch, the Pulse Secure box will have access to all internal systems.

However, I’m not sure what benefit this gives me over just setting up NAT straight to the Pulse Secure box that’s on the LAN.

Can anyone think of a better way to do it?



  • I must say that your description is very cryptic to me, please add a picture for more clarity on what you want to connect where (in relation to your internet connection and the UTM).

    I'm not sure what a pulse appliance does, but if you need to connect it on the inside of the UTM and it needs to be accessible from outside, then a DMZ is a good solution.

    By creating a DMZ and also making sure you have appropriate firewall rules (only allowing the necessary traffic from DMZ to LAN and vice versa), you have the best level of security should the Pulse appliance be breached.

    This is of course true for every other device or service that is accessible from the internet.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Apologies for not being clear.

    The Pulse Secure box is a VPN and NAC server. It allows you to access internal resources via a web-based proxy.

    I actually found this article. It would suggest that a 2-arm, 2-DMZ setup would be the best, but I'm not sure how I would set this up on the UTM. We currently do not have a DMZ set up.

    kb.pulsesecure.net/pkb_mobile

  • That would be possible by creating 2 "DMZ" interfaces. Since both interfaces of the Pulse device are connected to the firewall, you need 2 additional interfaces (so at least 4 in total: 1 external, 1 LAN, 2 DMZ for Pulse).

    You can name those, e.g., Pulse-external and Pulse-internal or something like it.

    Then you can create firewall rules and/or DNAT (with auto-firewall rules enabled) that enable the needed ports from the internet to the external port of the Pulse device.

    And you can create firewall rules for traffic that should be allowed from Pulse internal to LAN.

    PS: You could also just use the UTM as your VPN access point (if you have the right license that is), that way you might be able to completely omit the Pulse device.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • So would I create two new interfaces on the UTM, say 192.168.0.0 for pulse-external and 192.169.0.0 for pulse-internal?

    In the additional interfaces, assign an IP to the pulse-external interface.

    Would I then not need to create the DNAT, just a firewall rule for inbound onto the Pulse box?

  • 192.168.0.0 is okay (if not already in use somewhere).

    192.169.0.0 is not advisable since it's not RFC1918 and is most likely in use somewhere on the internet (see https://en.wikipedia.org/wiki/Private_network).

    Instead of using anything from the 192.168.0.0/16 range it might be better to use something from the 172.16.0.0/12 range, since these are less likely to give (future) problems with other locations that are using a "standard" addressing scheme.

    For all traffic coming from the internet and going to your pulse external connection you will need a DNAT rule for traffic from Internet (or any), going to External (Address) change destination to IP-address of Pulse-external interface. In the DNAT you can tick the option for Auto-firewall rule.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
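The addressing advice in the post above, as an added example (this is not code from the thread or from Sophos): a small Python check that confirms each proposed DMZ subnet lies inside RFC 1918 space and does not overlap any subnet already configured on the firewall. The LAN subnet, the 172.16.x.x alternatives and the interface names are constructed for the example.

```python
import ipaddress

# RFC 1918 private blocks: the only IPv4 ranges safe to reuse behind the firewall.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole subnet sits inside one of the RFC 1918 blocks."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(existing, proposed):
    """Validate proposed DMZ subnets against RFC 1918 and against subnets in use.

    existing: dict name -> subnet already configured (string)
    proposed: dict name -> subnet for the new interfaces (string)
    Returns dict name -> list of problems; an empty list means the subnet is OK.
    """
    existing_nets = {n: ipaddress.ip_network(s, strict=False) for n, s in existing.items()}
    proposed_nets = {n: ipaddress.ip_network(s, strict=False) for n, s in proposed.items()}
    report = {}
    for name, net in proposed_nets.items():
        problems = []
        if not is_rfc1918(net):
            problems.append("not RFC 1918 (publicly routed; will collide with internet hosts)")
        for other_name, other in existing_nets.items():
            if net.overlaps(other):
                problems.append(f"overlaps existing subnet {other_name} ({other})")
        for other_name, other in proposed_nets.items():
            if other_name != name and net.overlaps(other):
                problems.append(f"overlaps proposed subnet {other_name} ({other})")
        report[name] = problems
    return report


# Constructed sample data: an existing LAN plus the two subnets suggested in the thread,
# and a revised plan drawn from 172.16.0.0/12 as the reply recommends.
EXISTING = {"lan": "192.168.1.0/24"}
PROPOSED = {"pulse-external": "192.168.0.0/24", "pulse-internal": "192.169.0.0/24"}
REVISED = {"pulse-external": "172.16.10.0/24", "pulse-internal": "172.16.11.0/24"}

if __name__ == "__main__":
    for label, plan in (("original plan", PROPOSED), ("revised plan", REVISED)):
        print(label)
        for name, problems in check_plan(EXISTING, plan).items():
            print(f"  {name}: {'OK' if not problems else '; '.join(problems)}")
```

The explicit `subnet_of` test against the three RFC 1918 blocks is deliberate: Python's `is_private` flag also covers loopback, link-local and documentation ranges, which is not the question a firewall administrator is asking here.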

  • Peter, as apijnappels said, the UTM can do all of the things the pulse can do.  The limitation with the UTM's HTML5 remote access method is that it is very resource-intensive and I wouldn't recommend it if you expect to have more than two users on it simultaneously.  My preferred solution would be the free SSL VPN client with SSL VPN remote access.  That will allow you all of the same access control you can have with the Pulse.  If you want strict security, you can add one-time passwords for two-factor authentication.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • To be honest the pulse box has been bought by a previous employee.

    How do you do 2FA on the UTM VPN?

  • 2FA can be set up under Definitions & Users => Authentication services => One Time passwords.

    It uses TOTP (just like Google Authenticator and Authy, but it also has its own Sophos Authenticator app that can be used).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I will disagree about UTM being a complete replacement for your device.   Nothing in UTM has the features of a Network Access Control system.   If you plan to use NAC, you should continue with implementing the Pulse solution.   I perceive NAC as useful but complex to implement.  If you are not doing NAC, then the question is whether you have all of the features you need in your UTM license.

    If you implement the Pulse solution, here are some things to consider:

    • Will Pulse have its own IP address, or do you need it to share a single IP address with UTM?   
      Sharing the IP Address requires resolving any port conflicts between the two devices.    I have no idea what ports the other device uses, but I have documented everything that I know about UTM port usage in this post:
      https://community.sophos.com/products/unified-threat-management/f/general-discussion/100848/how-to-understand-utm-port-usage
    • The second question is how to position Pulse in a "Logical" network design:   The obvious options are:
      • parallel to the UTM,
      • behind UTM, or
      • in front of UTM.   I doubt that Pulse has enough firewall features for everything to work if it is in front.   
    • Given the other decisions, what wiring scheme do you use for the physical network?

     

    Two IP address solutions

    • Each device has its own IP address and a full range of available port numbers.
    • There will only be one ISP connection, so you have these options for the physical network configuration:
      • Use a small (probably unmanaged) switch to connect the WAN interfaces of both devices to the ISP.
      • Create a bridge connection for the UTM WAN interface, so that UTM acts as the switch.  Bridges need to be created using spare NICs.
      • Put the Pulse on a DMZ behind UTM and use DNAT to forward Pulse traffic through UTM.   This is roughly identical to the one IP Address solution, but eliminates any concerns about port conflicts.

    One IP address solutions

    • UTM receives all traffic. Pulse traffic (designated ports) will be routed using DNAT from a DMZ interface on UTM to a WAN interface on Pulse.   Assuming that there is a switch behind the UTM, I would connect the internal interface of the Pulse directly to the switch.   Connecting both Pulse interfaces into UTM seems to create unwanted complications.   However, if UTM is acting as your only internal switch, then you have no choice.
    • The internal interface on Pulse should have an MTU of 1380 or less.   This allows the VPN overhead to be added to a packet without exceeding maximum packet size, which results in fragmentation and re-worked encryption.
    • If UTM is used for any VPN functions, the internal interface on UTM should also have an MTU of 1380 or less.

    I favor the two-address solution, with parallel wiring, because it eliminates NAT-Traversal issues for the VPN packets.

  • Wow thanks

    We have a few spare WAN IP addresses, so my plan was to give the Pulse box a dedicated WAN IP address. We already have a WAN switch to allow us to split traffic to the 2 UTMs we have.

    I agree that I'm not sure I trust the Pulse to be straight on the WAN.

    My plan was to set up two network interfaces on the UTM: Pulse-Internal and Pulse-External.

    I will point one of our additional IP addresses at the new Pulse-External interface. This will have the external port on the Pulse plugged into it.

    If my understanding is correct, that will make all traffic on that IP go to the Pulse box. I don't think I will need any NAT rules for this. I was then going to set up a firewall rule to only allow ports 80 and 443, making the Pulse box only accessible on that IP and for those ports.

    My next step was to connect the Pulse internal port to the UTM's Pulse-Internal interface. The Pulse box will have a static IP and subnet in the same range as the UTM Pulse interface.

    I thought I could then set up a firewall rule from the Pulse Secure's internal IP to our internal network. Again, this will probably only allow web traffic. If I'm honest, I do not know if I need any NAT rules for this.

    Does this make sense?

    Am I wrong?
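To make the two-DMZ plan in the post above concrete, an added example (constructed, not from the thread or from Sophos): a first-match firewall rule table with an implicit default deny, holding the two rules the post describes (internet to Pulse-External on 80/443, Pulse-Internal to LAN on 80/443), evaluated over sample flows to show what a compromised appliance could and could not reach. The IP addresses, the 172.16.x.x DMZ subnets, the LAN range and the flows are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str            # source network (CIDR)
    dst: str            # destination network (CIDR)
    ports: frozenset    # allowed TCP destination ports
    action: str         # "allow" or "deny"
    comment: str = ""


# Constructed addressing for the layout in the thread (assumptions, not from the page):
INTERNET = "0.0.0.0/0"
PULSE_EXTERNAL_IP = "172.16.10.2/32"   # Pulse external port, on the UTM Pulse-External interface
PULSE_INTERNAL_IP = "172.16.11.2/32"   # Pulse internal port, on the UTM Pulse-Internal interface
LAN = "192.168.1.0/24"

# The two rules described in the post. Anything not matched falls through to default deny,
# so the external arm of the appliance has no path to the LAN at all.
RULES = [
    Rule(INTERNET, PULSE_EXTERNAL_IP, frozenset({80, 443}), "allow", "inbound web/VPN to Pulse"),
    Rule(PULSE_INTERNAL_IP, LAN, frozenset({80, 443}), "allow", "Pulse proxying LAN web apps"),
]


def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation with implicit default deny, like a firewall rule table.

    Returns (action, comment) for the matching rule, or ("deny", "default deny").
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and dport in rule.ports):
            return rule.action, rule.comment
    return "deny", "default deny"


def audit(rules, flows):
    """Evaluate every (src, dst, port) flow and return the verdict for each."""
    return {flow: evaluate(rules, *flow) for flow in flows}


# Constructed sample flows: legitimate use plus what a breached appliance might attempt.
SAMPLE_FLOWS = [
    ("203.0.113.5", "172.16.10.2", 443),    # user reaching the Pulse web portal
    ("203.0.113.5", "172.16.10.2", 22),     # management port exposed? must be denied
    ("203.0.113.5", "192.168.1.10", 443),   # internet straight to LAN: denied
    ("172.16.11.2", "192.168.1.10", 443),   # Pulse proxying an internal web app
    ("172.16.11.2", "192.168.1.10", 3389),  # Pulse to LAN on a non-web port: denied
    ("172.16.10.2", "192.168.1.10", 443),   # external arm to LAN: denied
]

if __name__ == "__main__":
    for flow, (action, why) in audit(RULES, SAMPLE_FLOWS).items():
        print(f"{flow[0]:>14} -> {flow[1]:<14} :{flow[2]:<5} {action:5} ({why})")
```

On the UTM the first rule is what the DNAT with "Auto-firewall rule" creates; the second is the explicit Pulse-Internal to LAN rule. The value of the two DMZ interfaces shows up in the last three flows: with the appliance's internal port on the core switch instead, there is no rule table between it and the LAN to deny anything.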