Do I need a Dmz

Question

Hi 
 We have a Utm and at the moment we do not have or need a Dmz 
 We have just bought a pulse secure appliance that has two network ports internal and external. 
 I’m trying to decide the best way to set it up. If I create a new interface with a new IP address range and plug the wan connection from the pulse box not that. I can then nat an IP address to that box. I can block all the ports that I don’t need. If I then put the lan cable from the pulse secure box into our core switch the pulse secure box will have access to all internal systems. 
 However, I’m not sure what benefit this gives me over just setting up NAT straight to the pulse secure box that’s on the lan. 
 Can anyone think of a better way to do it?

apijnappels · Answer

That would be possible by creating 2 "dmz" interfaces. Since both interfaces of the Pulse device are connected to the firewall, you need 2 additional interfaces (so at least 4 in total, 1 external, 1 LAN, 2 dmz for pulse) 
 You can name those ie. Pulse-external and Pulse-internal or something like it. 
 Then you can create firewall rules and or DNAT with auto-firewall rules enabled that enable the needed ports from the internet to the external port of Pulse device. 
 And you can create firewall rules for traffic that should be allowed from Pulse internal to LAN. 
 PS: You could also just use the UTM as your VPN access point (if you have the right license that is), that way you might be able to completely omit the Pulse device.

DouglasFoster · Answer

I will disagree about UTM being a complete replacement for your device. Nothing in UTM has the features of a Network Access Control system. If you plan to use NAC, you should continue with implementing the Pulse solution. I perceive NAC as useful but complex to implement. If you are not doing NAC, then the question is whether you have all of the features you need in your UTM license. 
 If you implement the Pulse solution, here are some things to consider: 
 
 Will Pulse have its own IP address, or do you need it to share a single IP address with UTM? Sharing the IP Address requires resolving any port conflicts between the two devices. I have no idea what ports the other device uses, but I have documented everything that I know about UTM port usage in this post: https://community.sophos.com/products/unified-threat-management/f/general-discussion/100848/how-to-understand-utm-port-usage 
 The second question is how to position Pulse in a "Logical" network design: The obvious options are:
 
 parallel to the UTM, 
 behind UTM, or 
 in front of UTM. I doubt that Pulse has enough firewall features for everything to work if it is in front.

Given the other decisions, what wiring scheme do you use for the physical network?

Two IP address solutions 
 
 Each device has its own IP address and a full range of available port numbers. 
 There will only be one ISP connection, so you have these options for the physical network configuration:
 
 Use a small (probably unmanaged) switch to connect the WAN interfaces of both devices to the ISP. 
 Create a bridge connection for the UTM WAN interface, so that UTM acts as the switch. Bridges need to be created using spare NICs. 
 Put the Pulse on a DMZ behind UTM and use DNAT to forward Pulse traffic through UTM. This is roughly identical to the one IP Address solution, but eliminates any concerns about port conflicts.

One IP address solutions 
 
 UTM receives all traffic. Pulse traffic (designated ports) will be routed using DNAT from a DMZ interface on UTM to a WAN interface on Pulse. Assuming that there is a switch behind the UTM, I would connect the internal interface of the Pulse directly to the switch. Connecting both Pulse interfaces into UTM seems to create unwanted complications. However, if UTM is acting as your only internal switch, then you have no choice. 
 The internal interface on Pulse should have an MTU of 1380 or less. This allows the VPN overhead to be added to a packet without exceeding maximum packet size, which results in fragmentation and re-worked encryption. 
 If UTM is used for any VPN functions, the internal interface on UTM should also have an MTU of 1380 or less. 
 
 I favor the two-address solution, with parallel wiring, because it eliminates NAT-Traversal issues for the VPN packets.