
Do I need a DMZ

Hi

We have a UTM and at the moment we do not have or need a DMZ.

We have just bought a pulse secure appliance that has two network ports internal and external.

I’m trying to decide the best way to set it up. If I create a new interface with a new IP address range and plug the WAN connection from the Pulse box into that, I can then NAT an IP address to that box. I can block all the ports that I don’t need. If I then put the LAN cable from the Pulse Secure box into our core switch, the Pulse Secure box will have access to all internal systems.

However, I’m not sure what benefit this gives me over just setting up NAT straight to the Pulse Secure box that’s on the LAN.

Can anyone think of a better way to do it?



  • I understand now that your question involves some theoretical questions that need to be addressed before the practical ones.

    1) Is Pulse safe to use directly connected to the Internet?

    I have never seen or heard of the product before this discussion, but since you characterize it as a VPN remote access solution, I have to conclude that it is designed to operate at the network perimeter as a specialized type of firewall.   I am assuming that it has a WAN (External) interface for accepting connections, and a LAN interface for providing access to resources after a connection is established.

    General principles for device security:   

    • make sure that you understand how the product works,
    • use that knowledge to ensure that it is configured correctly,
    • make sure that it is fully patched,
    • make sure that it can only be managed from devices on the Internal interface, and
    • only enable functions that you actually need to use.

    These principles also apply to UTM.  UTM has an unusual architecture, because it is directionless, so you have to teach it "internal" and "external" by the way you configure each function.   I don't think the product documentation provides enough guidance in this area.  Read the articles in the Wiki section of the forum, the article on "how to understand UTM port usage", and generally any article that is pinned to the top of one of the "forum" topic areas.

    Then read the documentation on the other product as well. 

    2) Can UTM help make Pulse more secure?

    Maybe.  UTM is not a magic disinfectant; it provides specific strategies for defending against specific types of threats.    Any network connection involves these components and processing stages:

    • a server process opens a "port" to listen for incoming connections of a particular type, in this example VPN Client connections.   UTM supports multiple VPN Client connection methods (protocols), and the Pulse device may do the same. 
    • a client sends a packet to that port to ask for a connection.
    • For VPN and many other protocols, the client and server go through an authentication process to decide whether to establish the session.
    • The session is established and the devices communicate using the selected protocol.
    • The session is closed and both devices say good-bye.

    With this framework, we can talk about how we can defend against attacks:

    • Phony replies:  A stateful firewall keeps track of packets so that it can distinguish between new connections and connections that are part of an existing conversation.   This ensures that the connection setup process is not bypassed.   Anything designed for remote access will have this capability.

    • IP Address Filtering / Country Blocking:   You can reduce your attack surface by deciding that you only accept connections from certain Source IP addresses.   If all of your users are local, do you need to accept connections from a different continent?  We block remote access from foreign countries.   When an employee travels overseas, they notify us of their current IP address and we allow remote access from that address only.   If they are in a different hotel every day, this is inconvenient for them but much safer for us.   UTM makes IP Address blocking fairly easy with the Country Blocking features.  However, Country Blocking applies to all types of connections, so you need to think through what exceptions may be needed before enabling a block.

    • You can protect against authentication attacks by using 2-Factor Authentication (2FA).    If you take credit cards, the PCI DSS standards say that you must use 2FA for all remote access, and they are correct because there are a lot of password guessing attackers on the internet.  UTM provides the OTP functions for its own services, and supports the separately-purchased DUO product, which operates as a RADIUS authentication server, if you want a 2FA product that supports both UTM and other vendors.    I do not think you will be able to put UTM authentication in front of the Pulse device, so I think you will need 2FA support in your Pulse configuration.   Pulse may need you to purchase a product like DUO to achieve 2FA.  

    • At any point in the conversation, an attacker may attempt to confuse the other device using a protocol violation.  "If I send 1000 Chinese characters when the other end is expecting a 3-digit number, can I cause something to crash and give me unintended capabilities?"   Each device will do some protocol checking, and patching helps to prevent these types of attacks from being successful.  The UTM Intrusion Protection System (IPS) is an added layer that looks for packets associated with something like 20,000 known attacks of this type.   Checking every packet for every known exploit can add a lot of overhead, so Sophos suggests tuning the subsystem so that it only checks attacks against the specific types of things that exist on your network.   They also suggest that old attacks probably do not matter because the targeted configurations should have been retired or patched.   There is a limited amount of checking that can be done on an encrypted VPN session, but IPS may be useful for integrity checking during session setup. 

    So you might benefit from having UTM in front of Pulse if you enable Country Blocking (or some other rules based on source IP address) and IPS.   For configuration purposes, this means:

    • The Pulse "internet" address is actually implemented as an additional address on UTM's WAN interface.  This is what users will configure on their laptop, but this address is never configured into the Pulse device.
    • The Pulse WAN interface connects to UTM on a dedicated "DMZ" interface, and 172.16.x.x was suggested as the numbering scheme for this subnet.
    • UTM NAT is used to convert the incoming Internet address to the DMZ address.
    • UTM Firewall rules are used to block access to any port on the Pulse address other than the ones that the Pulse device actually uses.
    • Pulse VPN is configured for NAT-Traversal, so that it is not confused by the address translation.
    • UTM Country Blocking and IPS provide some additional protection (assuming that this is more than what Pulse provides)

    Note:   you still need to carefully configure the Pulse VPN user capabilities so that you do not provide access to internal resources that are not needed by the user.

    If you cannot configure 2FA on the Pulse device, then you should abandon the product.   2FA is more important than NAC.
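A small Python model of the WAN-side policy the reply above lays out (source-IP restriction standing in for Country Blocking, DNAT from the additional WAN address to the DMZ address, a port allowlist, and a stateful check), added here as an illustration and not taken from the thread, from Sophos or from Pulse Secure. The addresses, the allowed source ranges and the Pulse service ports (TCP 443, UDP 4500) are constructed assumptions for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed addressing: the extra address on the UTM WAN interface that remote
# users dial, and the Pulse WAN port on the dedicated DMZ subnet (172.16.x.x as
# suggested in the thread; the host numbers here are made up).
PULSE_PUBLIC = ipaddress.ip_address("203.0.113.10")
PULSE_DMZ = ipaddress.ip_address("172.16.50.2")
DNAT = {PULSE_PUBLIC: PULSE_DMZ}

# Assumed ports the Pulse device actually listens on (verify against its docs);
# any other port on the Pulse address is dropped by the firewall rule.
PULSE_SERVICES = {("tcp", 443), ("udp", 4500)}

# Source restriction standing in for Country Blocking: only these ranges may open
# new sessions. The /32 models a travelling user's hotel address added on request.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("192.0.2.77/32")]

Flow = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(pkt: Packet, established: Set[Flow]) -> Tuple[str, Optional[str]]:
    """Decide what the UTM does with a packet arriving on the WAN interface.

    Returns (verdict, destination after DNAT). `established` is the state table;
    it is updated when a new session is accepted.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    flow: Flow = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    # Stateful check first: packets of an accepted session bypass the setup rules.
    if flow in established:
        return "accept-established", str(DNAT[dst])
    if not any(src in net for net in ALLOWED_SOURCES):
        return "drop-country-block", None
    if dst not in DNAT:
        return "drop-no-dnat", None
    if (pkt.proto, pkt.dport) not in PULSE_SERVICES:
        return "drop-port-closed", None
    established.add(flow)
    return "accept-new", str(DNAT[dst])
```

Note that nothing in this model covers the Pulse LAN port on the core switch: as the reply's note says, what a connected user can reach internally is decided by the Pulse user configuration, not by UTM.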

  • Can I ask two things


    1) When you set up the additional address you can set the "On Interface". If I select the DMZ, do I need to put NAT rules in to send traffic to the DMZ?


    2) Would you connect the internal interface on the Pulse box straight into the LAN, or should that go back into the firewall?


    Many thanks