
Recommendation for external facing servers and a simple question on where a rule is generated

Hello all,

Networking certainly isn't my forte and I've only really been handling our UTM sporadically for 2 years, so please bear with me.  I did not install the UTM nor was I the primary admin, but I want to make sure that we're decently secure.

We have 2 external facing servers (an ADFS and a CRM) as seen here:

Should this be the only rule needed to protect them, or should they really be behind WAF or have a separate network range (like internal/VPN users only)? The CRM is used primarily by our Sales and Finance people, who would be on business-issued devices. The ADFS server is used by the CRM server, by another remote office UTM via UTM-to-UTM VPN, and is also host to an external data gateway for some MSFT/Azure services.  I guess it is more the "Any" to "Any" rules that have me nervous.

Secondly, I see this rule right under the first two:

and was wondering where it was generated.  It mentions SSL VPN, but on the destination end I'm not seeing all our RED devices / remote office networks, and to me at least these should be included.

Any insight or advice you can provide this old newbie would be appreciated!



  • 1. WAF is more secure than DNAT. I would switch to WAF.

    2. For ADFS and a CRM you don't need to forward "ANY" to the server. Mostly HTTPS plus 1-2 ports should be enough.
    (Currently you allow RDP from all over the world too ... check the security log to see the result.)

    3. Rule 3 is for users logged on via SSL VPN. The checkbox "Automatic firewall rules" is checked ... I'm not a friend of this.

    For RED connections and other locations, you should have additional rules ...


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I'd agree with Dirk.  Any time you can use WAF (Web Application Firewall) for applications, do that instead of port forwarding.

    Forwarding 'Any' ports is a terrible networking practice.  If you have to forward ports, it should never use this rule and should be only the port(s) you need to forward.  'Any' use of the ports can open you up to some nasty port scanning vulnerability issues on the external side of things.

    If you can avoid it, don't allow RDP sessions from the outside.  I would force people to use VPN, then have the ability to RDP into a machine from there.  I don't even allow that at my home: you have to VPN in to my network first, then I can RDP from there.  Even the cameras that monitor my house aren't accessible externally without using VPN.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
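Both replies above come down to the same audit: find every allow rule that forwards "Any" ports, and every rule that exposes a management protocol such as RDP to the internet, then narrow it to the one or two ports the service needs. The script below is an added example written for this thread, not code from the original posts or from Sophos. The `Rule` records and object names (ADFS, CRM, "VPN Pool (SSL)") are constructed to mirror the situation described; the field names are my own assumptions and not the UTM's export schema, so feed it your own rule list however you extract it.

```python
"""Audit firewall/DNAT rules for the exposures raised in this thread.

Constructed example: the Rule records and object names below are made up to
mirror the situation described (an ADFS and a CRM host behind a UTM, plus the
auto-generated SSL VPN rule). They are not an export from any appliance, and
the field names are assumptions, not Sophos UTM's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union

ANY = "Any"

# Ports a WAN-facing web service is expected to need. Assumption: HTTPS only;
# an admin adds anything else (e.g. a documented ADFS port) explicitly.
DEFAULT_ALLOWED_PORTS = frozenset({443})

# Management and file-sharing protocols that should never face the internet.
MANAGEMENT_PORTS = {
    22: "SSH", 135: "MS-RPC", 445: "SMB", 3389: "RDP",
    5985: "WinRM", 5986: "WinRM/TLS",
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                      # network object name, or ANY
    destination: str                 # network object name
    ports: Union[frozenset, str]     # set of TCP ports, or ANY
    action: str = "allow"


def audit(rules, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return (rule name, severity, message) tuples for every allow rule that
    exposes more than it should. Rules are reported in input order."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.ports == ANY and r.source == ANY:
            findings.append((r.name, "CRITICAL",
                             f"every port on {r.destination} reachable from the internet"))
        elif r.ports == ANY:
            # Broad, but from a named source such as a VPN pool: worth narrowing,
            # not an internet exposure by itself.
            findings.append((r.name, "MEDIUM",
                             f"every port on {r.destination} reachable from {r.source}"))
        elif r.source == ANY:
            for p in sorted(p for p in r.ports if p in MANAGEMENT_PORTS):
                findings.append((r.name, "HIGH",
                                 f"{MANAGEMENT_PORTS[p]} ({p}) on {r.destination} "
                                 "reachable from the internet"))
            extra = sorted(p for p in r.ports
                           if p not in allowed_ports and p not in MANAGEMENT_PORTS)
            if extra:
                findings.append((r.name, "LOW",
                                 f"ports {extra} on {r.destination} exposed beyond "
                                 f"expected {sorted(allowed_ports)}"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the rule set is clean."""
    order = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((f[1] for f in findings), key=order.__getitem__, default=None)


# Constructed rule set mirroring the thread: two Any->Any DNATs, the automatic
# SSL VPN rule, and two candidate replacements for the CRM forward.
RULES = [
    Rule("DNAT Internet -> ADFS (Any)", ANY, "ADFS", ANY),
    Rule("DNAT Internet -> CRM (Any)", ANY, "CRM", ANY),
    Rule("SSL VPN Pool -> Internal", "VPN Pool (SSL)", "Internal (Network)", ANY),
    Rule("Internet -> CRM HTTPS+RDP", ANY, "CRM", frozenset({443, 3389})),
    Rule("Internet -> CRM HTTPS", ANY, "CRM", frozenset({443})),
]

if __name__ == "__main__":
    for name, sev, msg in audit(RULES):
        print(f"[{sev:8}] {name}: {msg}")
    print("worst:", worst_severity(audit(RULES)))
```

Run as-is, the two Any-to-Any DNATs come out CRITICAL, the automatic SSL VPN rule MEDIUM (broad, but only from the VPN pool), the HTTPS+RDP forward HIGH for the exposed RDP, and the HTTPS-only forward produces no finding, which is the shape both replies recommend for the CRM. Anything that trips HIGH or CRITICAL is also what to look for in the security log, since that is the traffic Dirk's "check the security log" remark refers to.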

  • Thanks and ! This is what I was afraid of.

    I'll look at seeing what I'm capable of doing without breaking anything, as I attempted WAF with a NextCloud server as a test and it didn't play too well with the features and in particular the Let's Encrypt certs.

    I located the SSL "origin" of the #3 rule and was able to add the missing networks.

    I've installed XG at home (I was sad that UTM 9.X Home doesn't exist) for my own home network, and am slowly making the switch over from an Asus router with MERLINWRT in use now, so all these tips are greatly appreciated.

  • You can install UTM9 Home version currently ...

    ... but XG is the next step and a good idea to try it.

    UTM9-Home:

    Create your (private-)account at https://myutm.sophos.com/ and you get your free UTM-Home license.

    "Join today and get instant access. You can manage your product licenses here. Plus, you'll get a free, fully-functional home use license for Sophos UTM."


    Dirk


  • You can still install UTM Home.  I am currently not a fan of XG; it just doesn't flow right for me, and things you think you do correctly aren't even the case.  I hear there are plenty of how-to videos, but I'm just not there yet for it after trying it a couple of times.  I'll probably hold out until UTM goes down with the ship, lol.
