
Creating a DMZ

Hey Guys

I have done the following to create a DMZ for a network that I administer.

The method of setting it up like this keeps the following in mind:

- Internal and external networks being able to access the DMZ via special ports.
- Hosts in the DMZ not being able to reach the internal network.
- Hosts in the DMZ network being able to communicate with one another.

===

1. Created an additional network range for the total required hosts on the Additional Address tab as per the following:

Name: DMZ-Network
On Interface: Bridge1
IPv4 address: 192.168.10.1
Netmask: 255.255.255.248
Assigned to node: All (this applies to H/A cluster setups)

2. Added the new DMZ-Network to my allowed networks for DNS resolution.

3. Create NAT | Masquerading rule for the DMZ-Network to have a route to the internet.

DMZ-Network --> Uplink Interfaces

4. Create firewall rules for DMZ to Internet:

DENY:  Internal (DMZ-Network) --> ANY --> INTERNAL
ALLOW: Internal (DMZ-Network) --> SRV --> INTERNET
ALLOW: Internal (DMZ-Network) --> ANY --> Internal (DMZ-Network)

5. Create Destination NAT rules for DMZ-Network to be reached from any network:

Traffic Selector: Any --> SpecialPort --> InternetGateway (Interface)

Destination Translation: SpecialHost --> SSH


===

* Notes

- No DHCP required as all in DMZ are configured with a static IP.
- This configuration is working for me, but I would like to have other recommendations / best practices as I am fairly new to setting it up.

TIA
Chris



  • If you set this up as additional addresses, then I think you took the wrong way.

    A DMZ is a separated network segment and therefore usually also needs a separate NIC (so 3 NICs total) or a VLAN-segregated NIC where you can segregate your internal clients from the DMZ clients.

    For setting this up you would need to look under interfaces and create another interface (not additional addresses).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi Apijnappels

    Thank you for the reply, it does make sense. Unfortunately all 6 NICs have been used on the UTM (I probably should have mentioned that).

    Perhaps DMZ may be the wrong term I am referring to here, then, for this type of setup?

    Though I have set up firewall rules for this network space, would there possibly be any other security risks involved?

    Thanks

  • If you just need another subnet where you can separate network devices from other devices, you can take one of your current interfaces (not an external interface connecting to the internet) and change it to a VLAN interface.

    You can then create multiple VLAN interfaces on a single physical interface.

    Remember though not to use VLAN 1 as it is reserved in UTM, and you also need to change your switch configuration to support the VLAN.

    The typical use for additional addresses on an (external) interface is to be able to use all your public IP addresses instead of just the first one.



  • Hi, Chris, and welcome to the UTM Community!

    I second apijnappel's suggestion about separating the networks on Layer 2 instead of Layer 3.  All any device in the pseudo-DMZ needs to do to be able to reach the other devices on the same Ethernet segment is to change its netmask.

    I had a hard time "seeing" your configuration.  If you want to pursue this thread, please insert a picture of your relevant firewall rules instead of describing them to us.  For example, the first rule is unnecessary as the default is to block unless explicitly allowed.  The third rule has no effect since traffic within a subnet does not transit the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
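The two points Bob makes above (a Layer-3-only split can be undone by a host changing its own netmask, and rules 1 and 3 of the original post do nothing) can be checked with a small model. The following is an added example, not code from the thread or from Sophos: it models first-match rule evaluation with an implicit default deny, an "INTERNET" destination that never matches a locally defined network, and whether a DMZ host will even send a packet through the UTM. The DMZ range is the one from the post; the internal LAN 192.168.0.0/24, the sample hosts, the "SRV" service name and the first-match semantics are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str   # "ALLOW" or "DENY"
    src: str      # CIDR of the source network
    dst: str      # CIDR, or "INTERNET"
    service: str  # "ANY" or a service name


# From the post: DMZ-Network is 192.168.10.1 with netmask 255.255.255.248 (/29).
DMZ = "192.168.10.0/29"
# Constructed for illustration (assumptions, not values from the thread):
INTERNAL = "192.168.0.0/24"
LOCAL_NETS = (DMZ, INTERNAL)
# "SRV" stands in for whatever service group the poster allows outbound.

POSTED_RULES = [
    Rule("DENY",  DMZ, INTERNAL,   "ANY"),  # rule 1 in the post
    Rule("ALLOW", DMZ, "INTERNET", "SRV"),  # rule 2
    Rule("ALLOW", DMZ, DMZ,        "ANY"),  # rule 3
]


def _dst_matches(rule_dst: str, dst: ipaddress.IPv4Address) -> bool:
    # Assumption: "INTERNET" behaves like an interface-bound definition and
    # therefore never matches a locally defined network.
    if rule_dst == "INTERNET":
        return not any(dst in ipaddress.ip_network(n) for n in LOCAL_NETS)
    return dst in ipaddress.ip_network(rule_dst)


def first_match(rules, src_ip, dst_ip, service) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means the implicit default DENY."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (src in ipaddress.ip_network(r.src) and _dst_matches(r.dst, dst)
                and r.service in ("ANY", service)):
            return r.action, i
    return "DENY", None


def is_on_link(host_ip, prefixlen, dst_ip) -> bool:
    """True when the host's own netmask makes dst look like a neighbour, so it
    resolves dst with ARP instead of handing the packet to its gateway."""
    net = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    return ipaddress.ip_address(dst_ip) in net


def path(host_ip, prefixlen, dst_ip, service, rules, shared_l2=True):
    """Where does the first packet go, and which rule (if any) decides?
    shared_l2=True  : the thread's setup, DMZ as additional addresses on the same bridge
    shared_l2=False : DMZ on its own interface / VLAN
    Returns (hop, action, rule_index)."""
    if is_on_link(host_ip, prefixlen, dst_ip):
        if shared_l2:
            return ("direct", None, None)           # never transits the UTM
        return ("no_l2_neighbour", None, None)      # ARP goes unanswered on a separate segment
    action, idx = first_match(rules, host_ip, dst_ip, service)
    return ("via_utm", action, idx)


def rule_is_redundant(rules, idx, flows) -> bool:
    """Removing a redundant rule changes no decision for the given sample flows."""
    without = rules[:idx] + rules[idx + 1:]
    return all(first_match(rules, *f)[0] == first_match(without, *f)[0] for f in flows)


SAMPLE_FLOWS = [  # (src, dst, service); constructed sample traffic
    ("192.168.10.2", "192.168.0.50", "SSH"),
    ("192.168.10.2", "192.168.0.50", "SRV"),
    ("192.168.10.2", "203.0.113.7", "SRV"),
    ("192.168.10.2", "203.0.113.7", "SSH"),
]

if __name__ == "__main__":
    # DMZ host with the correct /29 mask: packet reaches the UTM, rule 1 denies it
    print(path("192.168.10.2", 29, "192.168.0.50", "SSH", POSTED_RULES))
    # same host after changing its mask to /16: the UTM is never consulted
    print(path("192.168.10.2", 16, "192.168.0.50", "SSH", POSTED_RULES))
    # same mask change, but DMZ on its own segment: nothing answers the ARP
    print(path("192.168.10.2", 16, "192.168.0.50", "SSH", POSTED_RULES, shared_l2=False))
    # DMZ to DMZ: stays on the segment, so rule 3 is never evaluated
    print(path("192.168.10.2", 29, "192.168.10.3", "SSH", POSTED_RULES))
    # rule 1 changes no decision once the default deny is taken into account
    print(rule_is_redundant(POSTED_RULES, 0, SAMPLE_FLOWS))
```

The `shared_l2=False` branch is the mitigation the replies recommend: once the DMZ lives on its own interface or VLAN, a changed netmask on a DMZ host only produces unanswered ARP requests, and every packet towards the internal network still has to cross the UTM, where the default deny applies.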
  • For growth, given the limited number of interfaces in your firewall, get a switch, create VLANs in it, and then create a trunk port to the Sophos where you bind your DMZ VLAN interfaces.
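Both the VLAN-interface reply above and this trunk-port suggestion rely on 802.1Q tagging to keep the DMZ and internal segments apart on shared hardware. The following is an added example, not code from the thread or from Sophos: it builds and parses 802.1Q-tagged Ethernet frames and models the switch-side decision on an access port (the DMZ host) and on the trunk port towards the UTM. VLAN IDs 20 and 30, the MAC addresses and the payload are constructed; VIDs 0 and 4095 are reserved by the IEEE standard, and VID 1 is excluded only because the reply above says the UTM reserves it.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# 0 (priority-tagged, no VLAN) and 4095 are reserved by IEEE 802.1Q; 1 is
# excluded because the reply in this thread says the UTM reserves VLAN 1
# (taken from the post, not verified here).
UNUSABLE_VIDS = {0, 1, 4095}


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vid: int, payload: bytes,
                       pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Return an Ethernet frame whose 802.1Q tag places it in VLAN `vid`."""
    if not 0 <= vid <= 4095 or vid in UNUSABLE_VIDS:
        raise ValueError(f"VID {vid} is not usable for a DMZ VLAN")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP (3 bits), DEI (1), VID (12)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None,
                "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def switch_port_forward(frame: bytes, port_kind: str, pvid=None, allowed=()):
    """Model the switch's decision for a frame arriving on a port.
    access: untagged frames are placed in pvid; tagged frames are dropped
            (the modelled policy, so a host cannot pick its own VLAN).
    trunk : tagged frames are forwarded only if their VID is in `allowed`;
            untagged frames go to the native VLAN pvid, or are dropped if none.
    Returns the VLAN the frame is forwarded in, or None if it is dropped."""
    info = parse_frame(frame)
    if port_kind == "access":
        return pvid if info["vid"] is None else None
    if port_kind == "trunk":
        if info["vid"] is None:
            return pvid
        return info["vid"] if info["vid"] in allowed else None
    raise ValueError(f"unknown port kind {port_kind!r}")


# Constructed sample frames: a DMZ host (VLAN 20) and the trunk to the UTM
# carrying both the DMZ (20) and internal (30) VLANs.
DMZ_VID, INTERNAL_VID = 20, 30
BROADCAST = b"\xff" * 6
DMZ_HOST_MAC = bytes.fromhex("020000000a02")
UNTAGGED_FROM_DMZ_HOST = BROADCAST + DMZ_HOST_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"arp-ish"
TAGGED_ON_TRUNK = build_tagged_frame(BROADCAST, DMZ_HOST_MAC, DMZ_VID, b"ip payload")

if __name__ == "__main__":
    print(parse_frame(TAGGED_ON_TRUNK)["vid"])                                   # 20
    print(switch_port_forward(UNTAGGED_FROM_DMZ_HOST, "access", pvid=DMZ_VID))   # 20
    print(switch_port_forward(TAGGED_ON_TRUNK, "access", pvid=DMZ_VID))          # None
    print(switch_port_forward(TAGGED_ON_TRUNK, "trunk", allowed={DMZ_VID, INTERNAL_VID}))  # 20
    print(switch_port_forward(TAGGED_ON_TRUNK, "trunk", allowed={INTERNAL_VID}))           # None
```

The trunk's `allowed` set is the part the switch configuration has to get right: the UTM only sees a VLAN that the switch is configured to carry on the trunk, and a DMZ host behind an access port cannot tag its way into the internal VLAN in this model because tagged frames are dropped there.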