
Sophos UTM on AWS

Quick Start Guide

Document date: Monday, January 16, 2017

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of Sophos Limited. Translations of this original manual must be marked as follows: "Translation of the original manual".

© 2017 Sophos Limited. All rights reserved.

http://www.sophos.com

Sophos UTM, Sophos UTM Manager, Astaro Security Gateway, Astaro Command Center, Sophos Gateway Manager, Sophos iView Setup and WebAdmin are trademarks of Sophos Limited. Cisco is a registered trademark of Cisco Systems Inc. iOS is a trademark of Apple Inc. Linux is a trademark of Linus Torvalds. All further trademarks are the property of their respective owners.

Limited Warranty

No guarantee is given for the correctness of the information contained in this document.

Please send any comments or corrections to [email protected].

Contents

1 Introduction
2 Overview
3 Deployment Model
  3.1 Stand Alone
  3.2 Stand Alone with HA (Cold and Warm Standby)
  3.3 Auto Scaling
4 Amazon Machine Image
  4.1 PAYG vs BYOL
  4.2 EC2 Key Pair
5 UTM Subscription
  5.1 Delivery Methods
    5.1.1 Single AMI
    5.1.2 CloudFormation Console (Stand Alone)
    5.1.3 CloudFormation Console (Auto Scaling)
    5.1.4 CloudFormation Outputs
    5.1.5 CloudFormation Resources
  5.2 AWS Marketplace Product Support Connection
6 Stand Alone Configuration
  6.1 Connect to Your Sophos UTM (Single AMI)
  6.2 Connect to Your Sophos UTM (CloudFormation Console)
  6.3 License Your Sophos UTM
  6.4 Configure HA (optional)
7 Auto Scaling Configuration
  7.1 Connect to Your Sophos UTM (Auto Scaling)
  7.2 License Your Sophos UTM
  7.3 Create an Internal Load Balancer
  7.4 Configure the UTM WAF
  7.5 Outbound Gateway for AWS
    7.5.1 Deploy Outbound Gateway
    7.5.2 Fallback Scenarios
8 Stop Using Sophos UTM (optional)
  8.1 Terminate an Instance
  8.2 Delete CloudFormation Stack
9 Sophos AWS Information

1 Introduction

Sophos UTM on AWS has been designed with AWS Cloud Architecture and AWS Security Best Practice Guidance in mind. Our aim is to help customers with their AWS Shared Security responsibilities and to conform to AWS recommendations on designing fault tolerant and scalable Cloud architectures. Full guidance on AWS Architecture and Cloud security is out of scope for this document, but AWS provides very detailed information on its own sites:

• https://aws.amazon.com/security/
• https://aws.amazon.com/architecture/
• https://aws.amazon.com/partners/

The goal of this document is to help customers quickly deploy and configure Sophos UTM on AWS.

2 Overview

Sophos UTM on AWS is designed to easily deploy into AWS and provide you with security tools like NextGen Firewall, Intrusion Prevention System (IPS), Web Application Firewall (WAF), Web Protection, and Virtual Private Network (VPN) connections. UTM can be deployed on a single Amazon Elastic Compute Cloud (EC2) instance, in High Availability (HA) scenarios across AWS Availability Zones (AZs), and supports Auto Scaling with Elastic Load Balancing (ELB) to distribute traffic across multiple UTMs.

UTM provides this protection by using multiple integrated security applications to scan both inbound and outbound traffic to identify malware, potential threats, and anomalies. This all-in-one security approach avoids the need for installing and paying for multiple security products to protect your environment, which helps save on costs and simplifies deployment.

• NextGen Firewall controls which augment or replace the AWS Security Groups and/or Network Access Control Lists (NACLs)
• Inline Network IPS that provides deep packet inspection with signatures automatically updated by Sophos Labs
• VPN Gateway functionality to securely connect remote users and locations
• Integrated WAF with Reverse Authentication Support
• Outbound Web Security Controls to secure, protect and control connections from EC2 Instances and Amazon WorkSpaces

UTM is built to provide advanced security without requiring expert level knowledge. Designed to be usable and intuitive, UTM offers an easy-to-deploy and easy-to-use suite of security tools to secure and protect your AWS environment.

3 Deployment Model

Before starting with UTM, choose the deployment method for AWS. Sophos UTM on AWS supports three deployment models:

• Stand Alone (no redundancy)
• Stand Alone with HA (cold and warm standby)
• Auto Scaling for inbound and outbound traffic

3.1 Stand Alone

In this model, UTM is deployed on an EC2 instance into a single Availability Zone (AZ). Typically customers configure all traffic to route in and out of UTM as the perimeter gateway for their Virtual Private Cloud (VPC).

3.2 Stand Alone with HA (Cold and Warm Standby)

In this model, UTM is deployed on a primary EC2 instance in a single Availability Zone (AZ) with a secondary EC2 instance in a different AZ. Using AWS CloudFormation, Amazon Simple Storage Service (S3), and Health Checks for Auto Scaling instances, UTM leverages AWS services to determine the status of the primary EC2 instance. If the primary EC2 instance fails a health check, the Auto Scaling group transfers the Elastic IP Address and all configuration settings stored in S3 over to the secondary EC2 instance in a different AZ. You can select between cold standby (secondary EC2 instance has not been started) and warm standby (secondary EC2 instance is running in parallel with the primary EC2 instance but not actively inspecting traffic).

Figure 1 Stand Alone with HA

3.3 Auto Scaling

In this model, UTM is deployed via three EC2 instances: one UTM controller and two UTM workers (sometimes referred to as Queen and Swarm) that will scale depending on your traffic. The UTM controller resides in an Auto Scaling group and stores configuration details, logs, and reports to an S3 bucket. The UTM controller uses the S3 bucket to restore configuration in the event that the EC2 instance is terminated and also provides configuration details to UTM workers. The UTM workers reside in another Auto Scaling group, typically behind an external Elastic Load Balancing (ELB) Classic Load Balancer, and inspect all inbound traffic. The UTM workers pull down UTM configuration settings from S3 upon boot, if they receive a configuration change notification via the Amazon Simple Notification Service (SNS), or when they scale out depending on the traffic.

Auto Scaling UTM also offers an additional layer of security called Outbound Gateway (OGW) which allows customers to inspect and scale security based on outbound connections. OGW works by deploying gateway instances in VPC subnets (both local and remote) that forward all traffic to UTM workers via Generic Routing Encapsulation (GRE) tunnels. After inspecting the traffic, the UTM workers forward the traffic outside the VPC or deny the request per the rules you configure.

Figure 2 Auto Scaling

Below is a decision tree to help you decide which UTM deployment model fits your needs.

Figure 3 Decision Tree for UTM Deployment

4 Amazon Machine Image

Prior to deploying Sophos UTM on AWS, select the pricing method you want for UTM and make sure a corresponding EC2 key pair is available.

4.1 PAYG vs BYOL

UTM supports Pay As You Go (PAYG) and Bring Your Own License (BYOL) pricing and is available in all AWS Marketplace regions. PAYG allows you to deploy UTM without any software licenses and pay an hourly usage fee based on the pricing listed on AWS Marketplace. PAYG is managed directly through AWS, which charges your usage directly to your AWS monthly statement. Additionally, PAYG comes preconfigured with the Essential Firewall, Network Protection, Web Protection, and Web Server Protection modules enabled. For more information about the different UTM modules, please see Sophos UTM Overview.

BYOL allows you to purchase a software license for one, two, or three years in advance from a Sophos partner without incurring any hourly fees except for the EC2 instance charge. BYOL also allows you to pick and choose which UTM modules to enable, in addition to the Sandstorm module, which is not available in PAYG (https://www.sophos.com/en-us/lp/sandstorm.aspx). To inquire about purchasing BYOL for Sophos UTM on AWS, please email [email protected] for details.

The following table shows each UTM product in AWS Marketplace, the deployment models supported, and pricing.

Product Name                   | Deployment Models Supported
-------------------------------|------------------------------------------------------------------
Sophos UTM (PAYG)              | Stand Alone UTM; Stand Alone UTM with HA (cold and warm standby)
Sophos UTM (BYOL)              | Stand Alone UTM; Stand Alone UTM with HA (cold and warm standby)
Sophos UTM (Auto Scaling PAYG) | Auto Scaling UTM
Sophos UTM (Auto Scaling BYOL) | Auto Scaling UTM


4.2 EC2 Key Pair

You will need to create or use an existing EC2 Key Pair to use Sophos UTM on AWS. Please refer to http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-keypairs.html.

5 UTM Subscription

To subscribe to Sophos UTM on AWS, follow these steps:

1. Navigate to https://aws.amazon.com/marketplace/ and search for Sophos UTM.
2. Select the product you would like to deploy based on the deployment model (Sophos UTM 9 vs. Sophos UTM 9 Auto Scaling) and pricing (PAYG vs. BYOL) you want.
3. Select the Region where you want to deploy.
4. Select the delivery method under Pricing Details.

The delivery method will depend on how you’d like to launch Sophos UTM on AWS. Generally speaking, there are two ways to deliver Sophos UTM on AWS:

• Single AMI
• CloudFormation Console

Once you complete either delivery method, you will be subscribed to Sophos UTM on AWS.

5.1 Delivery Methods

UTM supports three delivery methods:

• Single AMI
• CloudFormation Console
• Manual Launch (EC2 Console, API, or CLI)

This Quick Start Guide will cover the Single AMI and CloudFormation Console delivery methods.

Note – For information on launching AWS Marketplace products within the EC2 console, refer to How do I launch an AWS Marketplace product with the EC2 console?

Depending on how you deploy UTM, proceed to the appropriate section.

Note – The only delivery method available for Sophos UTM (Auto Scaling) is the CloudFormation Console.

5.1.1 Single AMI

Single AMI supports 1-Click Launch, which allows you to install the Stand Alone UTM on a single EC2 instance and specify settings like EC2 instance type, AMI version (we recommend the latest), VPC settings, Security Groups, and Key Pair. Sophos has provided an EC2 Sizing Guide in the Sophos UTM on AWS Overview and Deployment Guide for assistance in choosing the correct EC2 instance type for your deployment. For help with the other settings, please refer to Launch Your Software on Amazon EC2.

1. Select Single AMI and click Continue.
2. Under the 1-Click Launch menu, specify the following:
   • Applicable Instance Type
   • Version (we recommend the latest)
   • Region
   • VPC Settings
   • Security Groups
   • Key Pair
3. Click on Accept Software Terms & Launch with 1-Click.

On the next page, you should see the Software Installation Details summarizing the settings for the launch. From here, you can click Manage in the AWS Console to check the launch state of Sophos UTM under the EC2 service. Once the instance status reads as running, click on the Description tab to view the public IP address.

Please note the Public IP address to connect to your UTM (see chapter Stand Alone Configuration). If you selected 1-Click Launch, you can now proceed to chapter AWS Marketplace Product Support Connection.

5.1.2 CloudFormation Console (Stand Alone)

The CloudFormation Console allows customers to deploy Sophos UTM using a CloudFormation template. This template provides options not available in the 1-Click Launch such as defining the Elastic IP address, trusted Classless Inter-Domain Routing (CIDR) networks, and Identity and Access Management (IAM) roles. You can follow the steps listed in this section for access to Sophos CloudFormation templates or download all available templates at https://github.com/sophos-iaas/aws-cf-templates.

To use the CloudFormation Console, follow these steps:

1. In Amazon Marketplace click on one of the Sophos UTM search results and click Continue.
2. Select CloudFormation Console as your delivery method.
3. Select a Version (we recommend the latest) and a Region.
4. Click Accept Software Terms.
   After accepting the Software Terms, you should see a page with Next Steps indicating that an email has been sent to confirm the subscription.
5. After your subscription has been confirmed, click Return to Product Page and select Launch with CloudFormation Console.
   In the CloudFormation Console, you’ll be presented with the Create stack menu with the prepopulated S3 template URL.
6. Click Next.


7. Enter the parameter values for the CloudFormation template:

   Stack Details
   • Stack name: A unique and descriptive name for the CloudFormation stack

   VM Configuration
   • AMI of UTM: Set to autodetect for the latest AMI
   • UTM Instance size: Choose the EC2 instance type for UTM. The default EC2 instance type is set to m3.medium or c4.large depending on your region

   UTM Infrastructure Configuration
   • VPC ID: Select in which VPC to install UTM
   • Private Subnet ID: Select in which VPC private subnet to install UTM
   • Public Subnet ID: Select in which VPC public subnet to install UTM
   • Private Network CIDR: Classless Inter-Domain Routing (CIDR) address for your VPC private subnet
   • Public Network CIDR: Classless Inter-Domain Routing (CIDR) address for your VPC public subnet
   • Existing Elastic IP ID: If you have an existing Elastic IP address you’d like to use for UTM, you can enter the address

   Access Permissions
   • SSH Key: EC2 Key Pair for SSH access
   • Trusted Network CIDR (optional): Allows all traffic from this network

   Tags (optional)
   • Key: Arbitrary key that can be used to identify your stack for purposes such as cost allocation
   • Value: Arbitrary value for the key

   Permissions (optional)
   • IAM Role: An existing IAM service role that CloudFormation can assume

   Advanced (optional)

   Note – For more information on advanced options refer to http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html

8. Click Next.

9. On the Review page, review the parameter values and click Create.

This will take you to the CloudFormation management console where you can watch the Status and Events of the CloudFormation stack creation.

Once the status reads CREATE_COMPLETE, navigate to Services > EC2 > Instances within the AWS Management Console to confirm UTM has been deployed on a newly created EC2 instance. Select the EC2 instance and the Description tab to view the Public IP address. Please note the Public IP address to connect to your UTM (see chapter Stand Alone Configuration). If you selected CloudFormation Console for UTM (Stand Alone), you can now proceed to chapter AWS Marketplace Product Support Connection.

5.1.3 CloudFormation Console (Auto Scaling)

The CloudFormation Console allows customers to deploy Sophos UTM using a Sophos created CloudFormation template. This template uses different AWS Resources such as ELB, CloudWatch, Auto Scaling, and S3 to deploy and manage Sophos UTM. You can follow the steps listed in this section for access to CloudFormation templates or download the templates at https://github.com/sophos-iaas/aws-cf-templates.

To use the CloudFormation Console, follow these steps:

1. In Amazon Marketplace, click on one of the Sophos UTM (Auto Scaling) search results and click Continue.
2. Select CloudFormation Console as your delivery method.
3. Select a Version (we recommend the latest) and a Region.
4. Click Accept Software Terms.
   After accepting the Software Terms, you should see a page with Next Steps indicating that an email has been sent to confirm the subscription.
5. After your subscription has been confirmed, click Return to Product Page and select Launch with CloudFormation Console.
   In the CloudFormation Console, you’ll be presented with the Create stack menu with the prepopulated S3 template URL.
6. Click Next.

7. Enter the parameter values for the CloudFormation template:

   Stack Details
   • Stack name: A unique and descriptive name for the CloudFormation stack

   Parameters
   • awsAMI: Set to autodetect for the latest AMI
   • awsAvailabilityZone1: Choose an AZ for the UTM controller and first UTM worker
   • awsAvailabilityZone2: Choose an AZ for the second UTM worker
   • awsKeyName: EC2 Key Pair for SSH access
   • awsNetworkPrefix: Choose between PAYG or BYOL
   • awsTrustedNetwork: Specify a network that can access your VPC on these ports (we recommend only trusted networks should be configured for SSH and port 8080 access)
   • basicAdminEmail: Email address that will receive UTM and SNS notifications (this information is not sent to Sophos)
   • basicAdminPassword: Admin account password that will be used to access the UTM WebGUI (this information is not sent to Sophos)
   • basicCity: Used for configuring the self-signed Certificate Authority (this information is not transmitted to Sophos)
   • basicCountry: Used for configuring the self-signed Certificate Authority (this information is not transmitted to Sophos)
   • basicHostname: Used for configuring the self-signed Certificate Authority (this information is not transmitted to Sophos)
   • optionalExistingElasticIP: Elastic IP address assigned to UTM (if left empty a new Elastic IP will be allocated automatically)
   • optionalExistingS3Bucket: S3 bucket to store and restore backups (if left empty a new bucket will be created automatically)
   • optionalLicensePool: S3 bucket where the UTM license is stored (only applicable to BYOL)

   Tags (optional)
   • Key: Arbitrary key that can be used to identify your stack for purposes such as cost allocation
   • Value: Arbitrary value for the key

   Permissions (optional)
   • IAM Role: An existing IAM service role that CloudFormation can assume

   Advanced (optional)

   Note – For more information on advanced options refer to http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html

8. Click Next.
9. On the Review page, review the parameter values.
10. Under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources and click Create.

This will take you to the CloudFormation management console where you can watch the Status and Events of the CloudFormation stack creation. Stack creation time may vary but typically takes anywhere from six to ten minutes to complete.

Once the Status reads CREATE_COMPLETE, you can review the information in the Outputs tab.
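As an added example (not part of the Sophos guide or its CloudFormation templates), the following Python script pre-checks the parameter values from sections 5.1.2 and 5.1.3 before you click Create: it flags a trusted network CIDR that is wider than an admin network or opens SSH and port 8080 to everyone, a basicAdminPassword that is not alphanumeric (the guide's stack-creation constraint), two identical Availability Zones, and a malformed basicAdminEmail. The parameter names are the template's; the /16 width threshold, the 12-character minimum password length and the sample parameter set are assumptions constructed for this example.

```python
"""Pre-flight checks for the Sophos UTM CloudFormation stack parameters.

Added example for this guide, not a Sophos or AWS tool. It runs offline over a
dict of parameter values so mistakes are caught before the stack is created.
"""
import ipaddress
import re

# Assumption: a "trusted network" for SSH and port 8080 should be no wider than /16.
MAX_TRUSTED_PREFIX_WIDTH = 16
# Assumption: minimum admin password length to accept at stack creation.
MIN_PASSWORD_LENGTH = 12
ALPHANUMERIC = re.compile(r"^[A-Za-z0-9]+$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_trusted_network(cidr):
    """Findings for the network allowed to reach SSH and port 8080 on the UTM."""
    try:
        # strict=True rejects host bits, e.g. 10.0.0.5/24, which usually means a typo.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"trusted network '{cidr}' is not a valid CIDR ({exc})"]
    if net.prefixlen == 0:
        return [f"trusted network {cidr} opens SSH and port 8080 to the whole Internet"]
    if net.prefixlen < MAX_TRUSTED_PREFIX_WIDTH:
        return [f"trusted network {cidr} is wider than /{MAX_TRUSTED_PREFIX_WIDTH}; "
                "narrow it to the admin network"]
    return []


def check_admin_password(password):
    """basicAdminPassword must be alphanumeric at stack creation (guide note);
    a more complex password is set afterwards in WebAdmin."""
    findings = []
    if not ALPHANUMERIC.match(password):
        findings.append("basicAdminPassword: use only alphanumeric characters during stack creation")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"basicAdminPassword: shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


def check_availability_zones(az1, az2):
    """The controller/first worker and the second worker must be in different AZs."""
    if az1 == az2:
        return [f"awsAvailabilityZone1 and awsAvailabilityZone2 are both {az1}; HA needs two AZs"]
    return []


def check_admin_email(email):
    """basicAdminEmail receives UTM and SNS notifications, so it must be well-formed."""
    if not EMAIL.match(email):
        return [f"basicAdminEmail '{email}' is not a valid address"]
    return []


def validate_parameters(params):
    """Run every check over a parameter dict; returns the combined findings."""
    findings = []
    findings += check_trusted_network(params.get("awsTrustedNetwork", ""))
    findings += check_admin_password(params.get("basicAdminPassword", ""))
    findings += check_availability_zones(params.get("awsAvailabilityZone1", ""),
                                         params.get("awsAvailabilityZone2", ""))
    findings += check_admin_email(params.get("basicAdminEmail", ""))
    return findings


# Constructed sample input: what an operator might type into the Create stack form.
SAMPLE_PARAMS = {
    "awsTrustedNetwork": "0.0.0.0/0",        # too broad for SSH / port 8080
    "awsAvailabilityZone1": "us-east-1a",
    "awsAvailabilityZone2": "us-east-1a",     # same AZ twice: no real HA
    "basicAdminEmail": "ops@example.com",
    "basicAdminPassword": "Utm-Admin-2017!",  # not alphanumeric at stack creation
}

if __name__ == "__main__":
    for finding in validate_parameters(SAMPLE_PARAMS):
        print("WARNING:", finding)
```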


5.1.4 CloudFormation Outputs

This section contains information regarding resources created by the CloudFormation template.

• PublicIPAddress: Elastic IP address (EIP) assigned to the UTM controller (Queen), which can be used for VPN connections or inbound NAT
• QueenScalingGroup: Auto Scaling group for the UTM controller
• S3Bucket: S3 bucket used to store license, logs, reports, and synchronize UTM worker configurations
• ConfigurationSNSTopic: SNS topic to notify UTM workers of configuration changes
• SwarmScalingGroup: Auto Scaling group for UTM workers (default setting of 2 workers)
• VPCID: VPC ID used for Auto Scaling groups
• Region: AWS Region for UTM
• ELB: public facing ELB load balancer for web traffic (the ELB will not become functional until UTM WAF settings have been configured; the DNS A record name is shown under the EC2 Load Balancers description)

5.1.5 CloudFormation Resources

This section provides the full list of AWS resources that have been created. Please note the resource names for items such as worker CloudWatch alarms, Auto Scaling policies, security groups, and Network Access Control Lists (NACLs). You will need this information when adding additional layers to your VPC.

5.2 AWS Marketplace Product Support Connection

After you have subscribed to Sophos UTM on AWS, you are eligible to receive Sophos technical support. Sophos offers Premium support for all customers who select PAYG pricing. Premium support provides 24/7 technical support direct from Sophos support engineers. To receive this support, you’ll need to register your product with the AWS Marketplace Product Support Connection (https://aws.amazon.com/marketplace/support-contacts).

In addition to the benefits of Premium, AWS customers can also purchase another level of support called Enhanced Plus. This support tier is only available to customers who deploy Sophos UTM BYOL but gives priority case handling and VIP access to senior resources. For more information, please contact aws.[email protected].

Note – For more information on the Sophos support levels, see https://www.sophos.com/en-us/medialibrary/PDFs/Support/Sophos-Support-Plans.pdf

6 Stand Alone Configuration

The following section covers required topics like connecting to Sophos UTM and licensing but also covers optional topics for the different deployment methods. Depending on how you launched Sophos UTM, proceed to the appropriate section.

6.1 Connect to Your Sophos UTM (Single AMI)

After you have successfully deployed the UTM, you can access the WebGui via a web browser using the EIP and port number 4444, e.g., https://elastic_ip_address:4444/.

1. Connect to Sophos UTM.
   The first time you connect you will see a browser warning due to a self-signed certificate.
2. Click on the option to continue to the site.
   This leads you to the Sophos UTM login page.

Figure 4 Sophos UTM Login

3. Enter the basic system information:
   • Hostname
   • Company
   • City
   • Country, etc.

Note – Both username and password are case-sensitive, and by default the UTM will block access attempts after three failed attempts. If you suspect that you may have triggered this protection feature you must wait for the ten-minute timeout period to expire before you can attempt access again.

Note – Use only alphanumeric characters in the password field when entering this parameter during stack creation. If you require a more complex password, change it after logging in to Sophos UTM via the web console.

6.2 Connect to Your Sophos UTM (CloudFormation Console)

After successful creation of your CloudFormation stack, use the Elastic IP address you provided in the template to connect to your Sophos UTM. If you’ve forgotten this IP address, you can review the CloudFormation Outputs section. You can access the WebGui via a web browser using the EIP and port number 4444, e.g., https://elastic_ip_address:4444/. You’ll need to enter basic system information like hostname, company, city, country, etc.

Note – Both username and password are case-sensitive, and by default the UTM will block access attempts after three failed attempts. If you suspect that you may have triggered this protection feature you must wait for the ten-minute timeout period to expire before you can attempt access again.

Note – Use only alphanumeric characters in the password field when entering this parameter during stack creation. If you require a more complex password, change it after logging in to Sophos UTM via the web console.

6.3 License Your Sophos UTM

If you selected PAYG, you don’t need to license Sophos UTM as the license has already been bundled with the AMI. You can also use a 30 day free trial for Sophos UTM (Auto Scaling) to test the deployment before purchase.

Note – Free trials will be automatically converted to paid subscriptions upon expiration.

When using BYOL versions of Sophos UTM, you’ll need a license file to unlock the UTM subscription features during free trial and production. You can store the BYOL license file in an S3 bucket, which is loaded during the boot up process. After the free trial, you can upload the production license in the Management > Licensing > Installation section, and once the license has been uploaded its details will be shown on the Management > Licensing > Overview tab.

For more information on BYOL, please contact [email protected].

Figure 5 Sophos UTM Licensing Tab

6.4 Configure HA (optional)

After you have configured and licensed (if applicable) the Stand Alone UTM, you can configure the system for High Availability (HA) as described in chapter Stand Alone with HA (Cold and Warm Standby). The process requires that you run a conversion utility that converts the Stand Alone UTM to an HA (cold or warm standby) deployment.

Depending on the latest UTM release published in the AWS Marketplace, there may not be an Amazon Machine Image (AMI) that supports the conversion utility for your version. If so, the user interface will post a message to check back in a couple of days after the latest release is published.

Before proceeding with the Conversion feature, you will need a valid AWS Access Key ID and AWS Secret Access Key. The AWS keys are created using the AWS IAM module. You can follow the steps listed in Managing Access Keys for IAM Users to create an AWS Access Key ID and AWS Secret Access Key.

After creating the Access Key ID and Secret Access Key, select the HA deployment model for conversion. The conversion feature supports two HA models:

• HA (Cold Standby) – Active/Passive – in this deployment scenario, Sophos UTM will be placed in an Auto Scaling group that will automatically start a new EC2 instance and transfer configuration settings in the event the current EC2 instance hosting UTM fails a health check.
• HA (Warm Standby) – Active/Passive – in this deployment scenario, Sophos UTM will be placed in an Auto Scaling group that will automatically transfer configuration settings to a running EC2 instance in the event the current instance hosting UTM fails a health check.

To begin the conversion process, follow these steps:

1. Navigate to the Sophos UTM WebAdmin dashboard and select Management > HA/Autoscaling.

Figure 6 Conversion Utility

2. Enter the AWS access key ID and the AWS secret key.
3. Select your Amazon deployment type.
4. Click Conversion Pre-Check.
   This initiates the conversion process for Sophos UTM. The Conversion feature will use CloudFormation templates to convert the stand alone Sophos UTM into HA (warm or cold standby). We recommend you run the Conversion utility during a maintenance window as the process will start and stop several services.

The Conversion Pre-Check screen will highlight:

• The current EC2 Key Pair used for the deployment of the Sophos UTM instance
• The current EIP, if available
• The VPC for the single/standalone UTM
• The current UTM license model (PAYG or BYOL)
• The VPC Subnets for your deployment model (two for HA solutions)
• The current Security Groups for the Sophos UTM EC2 Instance
• Current size of configuration, log, and database files
• AZ for your deployment model (two AZs are required for HA)
• CloudFormation Stack Name
• Optional – (Default) Copy log files from UTM standalone instance to new deployment.
• Optional – (Default) Copy database from UTM standalone instance to new deployment.
• Optional – (Not Default) Terminate UTM standalone after completion of conversion process.

5. Click Convert to begin the conversion process.

   The conversion process will create the required AWS resources to support the Sophos deployment model per your selection. Additional resources will include VPC Subnets, Security Groups, Auto Scaling groups, and CloudWatch metrics to support the new deployment model. You can watch the Conversion feature status results and CloudFormation stack events under the CloudFormation Management Console to check the status of the conversion.

After running the Conversion feature, you can review three menus to confirm the completed status:

• Sophos UTM conversion results
• AWS EC2 Instance Status
• VPC subnets

The following figures show the completed status for the HA (Warm Standby) conversion.

Figure 7 Results of Conversion Utility

The EC2 Instances menu shows two new EC2 Instances replacing the previous standalone instance.

Figure 8 New EC2 Instances Hosting UTM HA

7 Auto Scaling Configuration

The primary use case for Auto Scaling is to support inbound Web Application Firewall (WAF) security using the Sophos UTM Webserver Protection feature set. This feature set combines reverse proxy functionality and WAF protection and requires two ELB load balancers (external and internal). The next section will guide a user through connecting to Sophos UTM, licensing the Sophos UTM, and creating an internal load balancer used for EC2 instances hosting a web application.

7.1 Connect to Your Sophos UTM (Auto Scaling)

Upon successful creation of your Auto Scale UTM Stack there will be three UTMs shown in your EC2 Instances section:

• One Sophos UTM instance labeled “Queen”
• Two Sophos UTM instances labeled “Worker”

The solution is designed so that all configuration and management is done via the Queen UTM, which then stores all configuration settings in S3 and gathers all logging information via the syslog protocol.

The Queen Elastic IP used for management should match the Sophos UTM public IP address shown in the CloudFormation Outputs section. Sophos UTM instance creation will typically lag the CloudFormation creation and the EIP may not be attached to the Queen UTM until the instance is fully launched and ready.

Note – Each UTM worker has a public IP and this can be used to connect to that UTM. Any changes made on worker UTMs will be overwritten by the Queen configuration, and will not be synchronized to other workers.

7.2 License Your Sophos UTM

If you selected PAYG, you don’t need to license Sophos UTM as the license has already been bundled with the AMI. You can also use a 30 day free trial for Sophos UTM (Auto Scaling) to test the deployment before purchase.

Note – Free trials will be automatically converted to paid subscriptions upon expiration.

When using BYOL versions of Sophos UTM, you’ll need a license file to unlock the UTM subscription features during free trial and production. You can store the BYOL license file in an S3 bucket, which is loaded during the boot up process. After the free trial, you can upload the production license in the Management > Licensing > Installation section, and once the license has been uploaded its details will be shown on the Management > Licensing > Overview tab.

For more information on BYOL, please contact [email protected].

Figure 9 Sophos UTM Licensing Tab

7.3 Create an Internal Load Balancer

To create an internal ELB, proceed as follows:

1. In the AWS EC2 area beneath Load Balancers click Create Load Balancer.

The Define Load Balancer page opens.

2. Make the following settings:

- Load Balancer Name: Enter a descriptive name.

- Create LB inside: Choose the VPC to install into.

- Create an internal load balancer: Select this to ensure that you create an internal ELB.

- Enable advanced VPC configuration: Select this option if you want to select subnets.

- Listener Configuration: The default listener configuration of using HTTP will suffice for your test, but can be modified as needed.

- Select Subnets: Choose the private subnets you created in the last section.

3. Click Next: Assign Security Groups.

The Assign Security Groups page opens.


4. Select the default VPC security group.

5. Click Next: Configure Security Settings.

Note – At this point you’ll be notified that your load balancer is not using a secure listener.

6. Click Next: Configure Health Check.

For this example, modify the default health check so that the Ping Protocol uses TCP.

7. Click Next: Add EC2 Instances.

8. Add the appropriate EC2 instances that will use the internal load balancer.

9. Click Next: Add Tags.

10. Add a tag and click Review and Create to continue.

11. Review your settings and click Create.

The load balancer is created and appears in the load balancer list.

7.4 Configure the UTM WAF

Now that you have configured the internal load balancer you can configure the UTM Webserver Protection module so that it listens for HTTP traffic and, after scanning, sends it to the internal ELB for distribution.

To do so, proceed as follows:

1. Log in to the controller UTM and navigate to Webserver Protection > Web Application Firewall.

2. Click on New Virtual Webserver and make the following settings.

- Name: Enter a descriptive name.

- Interface: Select the Sophos UTM interface on which traffic will arrive, and leave Type and Port at HTTP and 80.

- Domains: Enter the DNS name assigned to your public ELB that was created during the Stack creation. This is the URL that you will use for testing.

Note – This can be found in the AWS EC2 area in the Load Balancers list. If you have many ELBs listed in this section, you can confirm the correct one by getting the name from the CloudFormation Resources section. Click on the Description tab and copy the full DNS Name shown.

- Real Webservers: List the internal ELB you have created, which is what traffic will be sent to once scanned. To create a new DNS object for this internal ELB, click on the green Plus icon located to the right of the Real Webservers text. Enter a descriptive name for the Real Webserver and then click on the green Plus icon to the right of the Host field to create the actual DNS host object. Copy the internal ELB DNS name into the Hostname field and enter a descriptive name for this new network definition.

Figure 10 Virtual Webserver Configuration on Sophos UTM

- Firewall Profile: Choose the Basic Protection firewall profile.

3. Click Save.

4. Enable the new Virtual Webserver by clicking the toggle switch.

The toggle switch turns green.

Note – To the right of the Real Webservers text you’ll see the status of the new internal ELB DNS object you created. It should change to green as shown below in a few moments. If it does not, check your settings as Sophos UTM is not able to resolve the DNS name used.

7.5 Outbound Gateway for AWS

Outbound Gateway (OGW) is an additional feature within Sophos UTM Auto Scaling that acts as an outbound load balancer. OGW serves two main purposes: first, to scale Sophos UTMs to handle increasing outbound traffic loads, and second, to establish Internet routes for EC2 instances that are located within VPCs without Internet gateways.

Use cases for the OGW include:

- Virtual Desktop Infrastructure (VDI) access to the Internet (e.g. Amazon WorkSpaces)

- Server instance access to the Internet (including web access)


A typical deployment per VPC will consist of three UTM instances: one controller where configuration is performed, and two workers (one per Availability Zone). Both controller and workers are contained within Auto Scaling groups, which will launch a replacement UTM should one fail, and workers may also scale under high load. In addition to the Sophos UTM, there are gateway instances which are deployed within each VPC. There is a minimum of two per VPC, deployed into separate subnets, with High Availability by way of a failover mechanism. To facilitate external traffic routing they connect to Sophos UTM on AWS workers via GRE (Generic Routing Encapsulation) tunnels (established during deployment of the gateways).

Note – OGW for BYOL requires you purchase Network Protection or FullGuard.

7.5.1 Deploy Outbound Gateway

To use OGW, you can deploy via the Resource Manager or manually via a CloudFormation template (required for remote VPCs). This guide will show how to deploy OGW via the Resource Manager. For information on deploying OGW manually via CloudFormation, please refer to the Sophos Knowledgebase.

To deploy Sophos UTM on AWS OGW load balancers via the Resource Manager, proceed as follows:

1. In the UTM navigate to Network Protection > Outbound Gateway for AWS.

Figure 11 OGW Menu

2. Click on New Outbound Gateway.

The Add Outbound Gateway dialog box opens with the Resource Manager checkbox activated.


Note – You cannot change the usage of the Resource Manager after creating the gateway.

3. Make the following settings:

Failover Group: Define the group of load balancers for fallback.

Note – For more information on failover groups see chapter Fallback Scenarios.

Group Name (if New Failover Group is selected): Enter the name of the new group.

Position: If requested, change the position number, defining the priority of the gateway.

AWS Subnet ID: ID of a fresh and empty AWS subnet that the gateway should be deployed to.

Note – Do not use an existing client subnet or a subnet which is already in use.

Networks: Insert the network object for the client subnet in the same availability zone.

Comment (optional): Add a description or other information.

4. Make the following advanced settings:

Gateway Network Prefix: If the displayed prefix is already in use, change it.

5. Click Save.

The gateway is saved and displayed in the list.

6. Repeat the steps for the second gateway using the data of the other two subnets.

You can only enable the object once CloudFormation reports the stack creation as complete.

Note – If you need to change anything, such as switching from manual to automatic deployment, delete the Outbound Gateway and create a new one.

7.5.2 Fallback Scenarios

OGW supports several fallback scenarios:

- HA Scenario

In this scenario there is a fallback for every load balancer.

- Active-Active Scenario

In this scenario the load balancers fall back for each other.

- 2 Active, 1 Fallback

In this scenario you have two active load balancers and one fallback for both.

In every case the network numbers are more important than the order.

Example 1:

In this scenario Y takes over if X fails, because network A is not assigned to another instance. Z works as passive standby. If X and Y fail, Z takes over.

Instance     Order   Network
Instance X   1       A
Instance Y   2       B
Instance Z   3       (none)

Example 2:

In this scenario Z is fallback for X and Y because both networks are also assigned to Z.

Instance     Order   Network
Instance X   1       A
Instance Y   2       B
Instance Z   3       A, B
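The two examples above can be checked against a small model of the fallback rule they illustrate. This is an added example, not Sophos code: it assumes that a healthy instance which already has the failed instance's network assigned takes over first, and that otherwise the next healthy instance by Order takes over.

```python
# Added example (not Sophos code): a model of the OGW fallback rule shown by
# Example 1 and Example 2. Assumption: an instance that has the failed
# instance's network assigned takes over first; if no healthy instance has
# that network, the next healthy instance by Order takes over.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Gateway:
    name: str
    order: int                                   # "Order" column above
    networks: FrozenSet[str] = field(default_factory=frozenset)


def takeover_for(failed: str, gateways: List[Gateway], down: Set[str]) -> Optional[str]:
    """Return the gateway that serves the networks of `failed`, or None.

    `down` is the set of instance names currently unavailable (it must
    include `failed`).
    """
    by_name = {g.name: g for g in gateways}
    failed_nets = by_name[failed].networks
    healthy = sorted((g for g in gateways if g.name not in down),
                     key=lambda g: g.order)
    if not healthy:
        return None
    # "the network numbers are more important than the order": a healthy
    # instance that already has the failed network assigned wins first
    for g in healthy:
        if failed_nets & g.networks:
            return g.name
    # otherwise the next healthy instance by Order takes over (passive standby)
    return healthy[0].name


def example_1() -> List[Gateway]:
    return [Gateway("X", 1, frozenset({"A"})),
            Gateway("Y", 2, frozenset({"B"})),
            Gateway("Z", 3)]


def example_2() -> List[Gateway]:
    return [Gateway("X", 1, frozenset({"A"})),
            Gateway("Y", 2, frozenset({"B"})),
            Gateway("Z", 3, frozenset({"A", "B"}))]


if __name__ == "__main__":
    print(takeover_for("X", example_1(), {"X"}))         # Y
    print(takeover_for("Y", example_1(), {"X", "Y"}))    # Z
    print(takeover_for("X", example_2(), {"X"}))         # Z
```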

8 Stop Using Sophos UTM (optional)

If you wish to stop using Sophos UTM in your environment, you can terminate the instance (Stand Alone) or delete the CloudFormation stack (all other Sophos UTMs).

8.1 Terminate an Instance

Before you terminate the instance, verify that you won't lose any data by checking that your Amazon EBS volumes won't be deleted on termination and that you've copied any data that you need from your instance store volumes to Amazon EBS or Amazon S3.

To terminate the instance, proceed as follows:

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, select Instances.

3. Select the instance and choose Actions.

4. Select Instance State, and then select Terminate.

5. Select Yes, Terminate when prompted for confirmation.
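The data-loss check recommended before termination can be scripted. The following is an added example, not part of the guide: it walks an instance record in the shape returned by the EC2 DescribeInstances API (an assumption of this example) and lists the EBS volumes flagged DeleteOnTermination, so they can be snapshotted or detached before step 4. The instance record is constructed sample data.

```python
# Added example (not Sophos code): list the EBS volumes EC2 will destroy when
# the instance is terminated. SAMPLE_INSTANCE is constructed sample data in
# the shape of a DescribeInstances "Instance" record (an assumption here).
from typing import Dict, List

SAMPLE_INSTANCE = {                      # constructed sample, not a real instance
    "InstanceId": "i-0123456789abcdef0",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1",
         "Ebs": {"VolumeId": "vol-0aaa", "DeleteOnTermination": True}},
        {"DeviceName": "/dev/sdf",
         "Ebs": {"VolumeId": "vol-0bbb", "DeleteOnTermination": False}},
        {"DeviceName": "/dev/sdg",
         "Ebs": {"VolumeId": "vol-0ccc", "DeleteOnTermination": True}},
    ],
}


def volumes_lost_on_terminate(instance: Dict) -> List[str]:
    """Return the volume IDs that EC2 deletes together with the instance."""
    lost = []
    for mapping in instance.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:                  # skip defensively if no EBS block is present
            continue
        if ebs.get("DeleteOnTermination", False):
            lost.append(ebs["VolumeId"])
    return lost


def safe_to_terminate(instance: Dict) -> bool:
    """True only when no attached EBS volume is flagged DeleteOnTermination."""
    return not volumes_lost_on_terminate(instance)


if __name__ == "__main__":
    at_risk = volumes_lost_on_terminate(SAMPLE_INSTANCE)
    print("volumes deleted on termination:", at_risk)   # ['vol-0aaa', 'vol-0ccc']
    print("safe to terminate:", safe_to_terminate(SAMPLE_INSTANCE))
```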

8.2 Delete CloudFormation Stack

Before you delete the stack, verify that you will not lose any data by checking that your Amazon EBS volumes won't be deleted on termination and that you have copied any data that you need. From the list of stacks in the AWS CloudFormation console, select the stack that you want to delete (it must be currently running).

To delete a Stack, proceed as follows:

1. Click on the Stack and then either right-click or choose Delete Stack from the Actions drop-down menu.

A message will appear asking you to confirm deletion.

2. Click Yes, Delete.

Note – After stack deletion has begun, you cannot abort it. The stack proceeds to the DELETE_IN_PROGRESS state.

After the stack deletion is complete, the stack will be in the DELETE_COMPLETE state.

Stacks in the DELETE_COMPLETE state are not displayed in the AWS CloudFormation console by default. To display deleted stacks, you must change the stack view setting as described in the CloudFormation User Guide under Viewing Deleted Stacks.


If the deletion failed, the stack will be in the DELETE_FAILED state. For solutions, see the Delete Stack Fails troubleshooting topic of the CloudFormation User Guide.

9 Sophos AWS Information

Sophos AWS landing page: http://www.sophos.com/aws

Other links:

EC2

Reseller Program

VPC


Glossary

A

Amazon WorkSpaces

Desktop computing service on the AWS cloud. Allows to provision cloud-based virtual desktops.

AMI

Amazon Machine Image

API

Application Programming Interface

APN

AWS Partner Network

Auto Scaling

Web service to launch or terminate Amazon EC2 instances automatically based on policies, schedules and health checks.

Availability Zones

Each Amazon data center location is called a region, each region contains multiple distinct locations called Availability Zones, or AZs.

AWS

Amazon Web Services

AWS CloudFormation

Free service for AWS customers which provides tools needed to create and manage the infrastructure a particular software application requires to run on AWS.

AWS Partner Network

Global partner program for Amazon Web Services, which is focused on helping partners build a successful AWS-based business.

AZ

Availability Zone

B

BYOL

Bring Your Own License

C

CIDR

Classless Inter-Domain Routing

Classless Inter-Domain Routing

Set of IP standards to create unique identifiers for networks and individual devices.

CLI

Command Line Interface

CloudFormation Console

User interface of the CloudFormation service.

E

EBS

Elastic Block Store

EC2 Instance

Compute instance in Amazon EC2 service.

EIP

Elastic IP


Elastic Compute Cloud

Amazon EC2 provides scalable computing capacity in AWS which allows users to rent virtual computers to run their own computer applications.

Elastic IP

Static IP address for dynamic cloud computing, which is associated with an account. You control the address until you explicitly release it.

Elastic Load Balancing

Load balancing solution which automatically scales incoming application traffic across multiple targets.

ELB

Elastic Load Balancing

I

IAM

AWS Identity and Access Management

Identity and Access Management

Amazon web service to control who can use your AWS resources and in which way.

Intrusion Prevention System

Network security and threat prevention technology that examines network traffic flows to detect and block attempts to exploit vulnerabilities.

G

Generic Routing Encapsulation

Tunneling protocol which provides a private path for transporting encapsulated packets through an otherwise public network (GRE itself adds no encryption).

GRE

Generic Routing Encapsulation

H

HA

High Availability

High Availability

System design protocol that ensures a certain absolute degree of operational continuity.

N

Network Access Control List

Security layer which acts as a firewall to control traffic in and out of subnets.

O

OGW

Outbound Gateway

P

PAYG

Pay As You Go

S

S3

Simple Storage Service

S3 bucket

Logical unit which stores objects that consist of data and metadata which describe the data.


Security Group

Acts as virtual firewall for an AWS instance to control inbound and outbound traffic.

Simple Notification Service

Notification service which provides mass delivery of messages, predominantly to mobile users.

Simple Storage Service

Amazon web service which provides storage through web services interfaces.

SNS

Simple Notification Service

SSH

Secure Shell

V

Virtual Private Cloud

VPC provides secure data transfer between private enterprises and the public cloud provider. All data remains isolated from other tenants' data both in transit and inside the cloud provider's network.

Virtual Private Network

Private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol such as PPTP or IPsec.

VPC

Virtual Private Cloud

W

WAF

Web Application Firewall

Web Application Firewall

WAF, typically deployed as a reverse proxy, applies a set of rules to an HTTP conversation and thereby protects webservers from attacks and malicious behavior such as cross-site scripting (XSS), SQL injection, and others.
