Hi - I am researching using Sophos UTM as a direct replacement for WebSense at some of our smaller remote offices (between 50 and 150 users at each).
Note, we will probably not use any of the other facilities of UTM other than the web monitoring functionality.
The existing WS system is set to filter web access by users having access to certain categories based on them being members of certain AD groups, plus the WS system listens to traffic on a mirrored switchport, i.e. the network traffic doesn't have to flow direct through the WS server.
Can Sophos be used as a direct replacement for these existing WS systems? if not what are the topology options and can anyone point me to UTM web filtering deployment specific documentation.
Thanks
the WS system listens to traffic on a mirrored switchport, i.e. the network traffic doesn't have to flow direct through the WS server.
By this, do you mean that you have another firewall with Intrusion Prevention? By "network traffic," do you mean traffic inside the network between devices on the network?
WebSense works by shadowing one of the switch ports out to the Internet (before NAT takes place) and if traffic is seen to an unauthorised website coming from a certain user's IP then it send a TCP reset to both the ends to break the connection, so it monitors and controls the traffic in a passive way.
The document you linked to explains how to use Sophos as a proxy - does that mean that the product will only filter traffic if it is set up that way (as a proxy)?
We have a wealth of network knowledge here but I am just having difficulty finding out exactly how the product can be deployed - hopefully Sophos have made available sufficient documentation to explain this, otherwise I am hoping that this forum will help guide us.
Also do you know if the demo license will activate the web filtering system so we can perform some tests?
I did exactly the same exercise a few years back. I removed Websense and mirror port setup and used a Sophos Web Security Appliance (I think they still sell them - its not a firewall just a web filter) but works as a proxy.
All the deployment scenarios are discussed in this PDF - so to page 7
Easiest way is to configure as an explicit proxy. So set firewall to only allow traffic from the appliance IP and push out the proxy setting via GPO and you are away...its a few clicks to get AD integration setup and then you can create rules based on group and time of day (allow group x access to social media between 1pm and 2pm etc)
In this setup the appliance just sits on your LAN and needs one connection to the switch.
There is a transparent option as well or they sell a bridge card. All explained in the PDF but we found explicit was simple to configure. The only thing to worry about is if you have lots of laptop users, when they go home their browsers dont work as they are set to look at a proxy. Loads of simple GUI tools to swap settings out there
The Sophos UTM is a different beast. Its a complete firewall appliance with web filtering function (plus lots of other modules you can buy) so it replaces your current firewall and does your web filtering at the same time. The firewall is really cool, super easy to use and supports next generation features like application blocking/throttling. Want to block dropbox app easy...just click the flow analyzer and click on dropbox then select 'block' and you are done.
In this configuration its between your internet feed and LAN and does everything so you dont need to configure proxy settings on your client.
The UTM is an amazing product, does all the filtering, IDS and web server security and if you have any remote sites the RED solution makes connectivity so simple you think there is some sort of magic happening.
You can get the full suite on demo running on a PC with a second NIC
1. there are several ways to handle mobile/laptop users, including WPAD proxy settings, transparent mode, and possibly the Sophos Endpoint Protection.
2. The UTM can run as a proxy with a single NIC if desired; afaict the only difference between the UTM and the Web appliance is the licensed features. The UTM can run the proxy in standard or transparent mode.
1. there are several ways to handle mobile/laptop users, including WPAD proxy settings, transparent mode, and possibly the Sophos Endpoint Protection.
2. The UTM can run as a proxy with a single NIC if desired; afaict the only difference between the UTM and the Web appliance is the licensed features.
The UTM can run the proxy in standard or transparent mode.
Barry
Thats all very well in a Windows world but not when all your Macs have a major fall out with Option 252 in MS DHCP server...grrrr;-)
Its a few years since I did this. At the time the Web appliance was a totally different interface/product to the UTM. Not sure if Sophos have moved it into line with the UTM now but for the price I cant see why you wouldnt get the UTM
Ah yes see now how you can use the UTM as Proxy - thanks for that. Totally useless now on a practical level but invaluable as one of those 'may possibly be useful' gems of information;-)
I should point out that if you run a single NIC, you lose the ability to run the IPS, possibly lose Application Detection and most QoS, and I'm not sure if NAT would work.
Quote