Sophos UTM: Options for deploying the UTM into your Network

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

When UTM is added to a network with an existing firewall, it can be configured in several ways.  Each option has an impact on the available defenses and on the complexity of implementation.

  1. As a node added anywhere on the internal network, behind the exiting firewall, but separate from the existing firewall.
    1. Limitations: Transparent Web Proxy, Transparent FTP, Transparent POP3, and Firewall Rules are not usable because traffic does not flow through the device on its way to the internet.   Transparent Web and FTP are important for ensuring complete protection from web-based threats.
    2. Security Risks: Loss of protection from the unusable features.
    3. Implementation: Nothing in the existing network is disrupted.   Traffic is routed to UTM by configuring Standard Web Proxy, WAF, SMTP Proxy, WebAdmin, VPN, and User Portal incrementally.
  2. Immediately behind the existing firewall in bridged mode.
    1. Limitations: QoS does not work on a bridged connection. Transparent Web Proxy with AD SSO wil be unusable, because it will conflict with User Portal operating on the same IP Address and Port. This can be avoided if you are willing to operate the User Portal on a non-standard port, but doing so may limit user’s ability to connect to the portal from some remote locations.
    2. Security Risks: Loss of protection from the unusable features.
    3. Implementation:   Although it is somewhat complex to configure the UTM bridge, the new configuration is transparent to existing traffic.
  3. Immediately behind the existing firewall, in routed mode.
    1. Limitations: None. This configuration should permit use of all features.
    2. Security Risks: None identified, because the existing firewall should block unneeded ports.   If implementing intermediate-risk zones, such as DMZ or Guest WiFi, the risks and limitations depend whether the intermediate zone is configured on the firewall or the UTM. If configured on the UTM, the risks and defensive measures are the same as explained in the firewall replacement option.
    3. Implementation: This can be a difficult way to insert UTM into an existing network, because of the need to configure UTM and firewall settings at the same time.
  4. Replace the existing firewall.
    1. Limitations: None. This configuration should permit use of all features.
    2. Security Risks: Failure to understand the UTM architecture, leading to unexpected openings on the internet.
      1. Create a DNAT to NULL entry for internet traffic to port 3400 for all internet-facing IP addresses.   This port is opened on all interfaces and addresses when RED is enabled, but is not needed for internet-facing addresses.
      2. Create a DNAT to NULL rule for internet traffic to port 25, 465, and 587, for any internet IP addresses which are not intended for this purpose. When SMTP proxy is enabled, it opens these ports on all interfaces and addresses. Because the proxy will protect all incoming traffic, it is not actually a security risk, but it tends to be flagged by security scanning services. If SMTP authenticated submission is not needed, 465 and 587 may be appropriate to DNAT-to-Null on all UTM IP Addresses.
      3. A Filter Profile-Policy-Filter Action set may be needed for web traffic originating in an intermediate-trust zone such as a DMZ or Guest WiFi subnet. In these cases, it is appropriate to enable the Web Proxy to protect traffic heading to the internet, but block traffic destined for any IP address or DNS name that represents an internal destination. This is needed because traffic from a DMZ to an internal destination, if allowed at all, should flow through the protective filter of a WAF site.   Both IP Address and DNS Name blocks can be configured in the Websites section of a Filter Action.
    3. Implementation: Unless the previous firewall configuration was trivial, this approach is difficult because of the need to replicate all configuration settings of the existing firewall at once.

Changing from any one of these configurations to an alternative is likely to be difficult.  Given that the goal should be to enable all protection features, it is recommended to start with one of the last two options.