Proxy Protocol Support for Sophos UTM on AWS. Sophos XG Firewall How to Configure VPN Connections for Azure

Transcription

1 Proxy Protocol Support for Sophos UTM on AWS Sophos XG Firewall How to Configure VPN Connections for Azure Document date: April

2 Contents 1 Overview Azure Virtual Network and VPN Gateway Requirements Virtual Networks VPN Connections and Local Sites Azure Virtual Network with XG Firewall Requirements Custom IPsec Profiles IPsec Connections Conclusion

3 1 Overview Proxy Protocol Support for Sophos UTM on AWS Microsoft Azure is a leading infrastructure as a Service (IaaS) provider for Microsoft Windows-based servers. Azure is the second largest Cloud Service Provider (CSP) overall. Many companies are either looking at the business potential of the Azure platform, using it for test workloads and prototyping, or are in the process of moving workloads, in part or in sum, to Azure. One of the requirements for any such migration is connectivity. Customers require the ability to move a workload to Azure without having to re-train their end users or significantly modifying dependent systems. This is a key requirement to improved adoption; whether migrating to the cloud or deploying in a hybrid environment. Microsoft offers third-party connectivity services for its Azure platform in the form of ExpressRoute (much like AWS DirectConnect); however, many companies want to deploy their own VPN gateways to securely connect to their Azure virtual networks. This allows them to leverage their existing investment in network security and access controls. Sophos UTM and Sophos XG Firewall can be used to create site-to-site VPNs and secure remote access to AWS and Azure resources respectively. These all-in-one solutions use a modular approach that allows you to select just the components you need for your security and compliance requirements. For VPN connectivity with Azure, you ll need at least the Network Protection subscription for Sophos UTM to be enabled. For XG Firewall IPSec site-to-site VPNs are included in the base license and do not require an additional subscription. In this document we will look at how the Sophos UTM and XG Firewall can be configured to establish a VPN connection with Azure to simplify your cloud migration. 3

4 2 Azure Virtual Network and VPN Gateway Because both the Sophos UTM and XG Firewall require an Azure VPN Gateway to connect with, the first chapter of this guide will focus on setting up the minimum components for this setup in Azure: A Virtual Network (VNET) and a VPN Gateway. Note that these steps are optional if you have already deployed a VNET or VPN Gateway that can be reused. Azure currently supports two types of VPN connectivity: Dynamic routing and static routing (policy based VPN). In this guide we will explore setting up a static routing VPN gateway for Azure and the relevant settings on UTM and XG Firewall, as both UTM and XG Firewall do not currently support the IKEv2 protocol, required for dynamic routing VPN connectivity. 2.1 Requirements The unique public IP address assigned to the UTM or XG Firewall at the local site (Azure currently only supports static IP-based connections) Subnet details of the local network(s) in the on-premise network A user account with the appropriate rights in Azure Resource Manager to create a VNET and VPN Gateway A pre-shared key you wish to use for the connection between the Azure VPN gateway and your on-premise UTM or XG Firewall Create a virtual network Define a VPN connection and local site 2.2 Virtual Networks As Azure VPN Gateways are used to connect to a Virtual Network (VNET) inside Azure, the obvious first step is to create such a VNET. Virtual Networks consist out of one or multiple subnets used by your Azure-hosted compute resources, and function as the remote tunneled networks for the site-to-site VPN tunnel. If you have already defined one or multiple VNETs, proceed to the next step in this guide. 1. Open the Azure Resource Manager Portal 2. Open the navigation pane (top left corner) and go to New -> Networking -> Virtual Network 3. Select Resource Manager from the Select a deployment model dropdown menu 4. Provide the following details: a. Name: The name you wish to associate with this virtual network, used for identification purposes 4

5 Proxy Protocol Support for Sophos UTM on AWS b. Address space: The CIDR network address block for your virtual network (default /16) c. Subnet name: The name you wish to use for the first subnet in your VNET d. Subnet address range: The subnet range for the first subnet in your VNET (must match the network part of the CIDR block used for the VNET) e. Subscription: The subscription this VNET and subnet should belong to f. Resource group: Select an existing resource group or create a new one to house this virtual network g. Location: Select the Azure Datacenter location this virtual network and the associated virtual machines should reside in 5. Click Create to create the new Virtual Network 6. (optional) Move virtual machines to this network, or create new VMs that should be reachable through your site-to-site connection 2.3 VPN Connections and Local Sites The next step in building the site-to-site tunnel with Azure is to attach a VPN gateway to the VNET we have just created. 1. Open the Azure Resource Manager Portal 2. Open the navigation pane (top left corner) and go to New > Networking > Virtual Network Gateway 3. Enter a name for the VPN Gateway in the Name field 4. Select the VPN Gateway type 5. Select Policy-based as the VPN type 6. Leave the SKU set to Basic as this is the only option available for policy-based VPN Gateways 7. Click Virtual network and select the VNET we created in the previous step (or select an existing VNET if you skipped the previous step) 8. Enter a range within the selected VNET s CIDR block to use for the gateway in the Gateway subnet address range field 9. Click Public IP address to create a new or select an existing public IP address a. (optional) Click Create new to create a new public IP address object i. Enter the name for the public IP address in the Name field ii. Click OK to save the public IP address object and return to the previous menu 10. Select the subscription this VPN Gateway should belong to from the Subscription dropdown menu 11. Select the Azure datacenter location from the Location dropdown menu 12. Click Create to deploy the VPN Gateway (note that deployment can take up to 45 minutes) 5

6 13. Once the VPN Gateway has been provisioned, go to the Virtual Network Gateway settings menu and select the new VPN gateway 14. Select Connections from the Settings menu and click Add to define a new site-to-site VPN tunnel 15. Enter the name for this tunnel in the Name field 16. Select Site-to-Site (IPSEC) from the Connection type dropdown menu 17. Click Local network gateway and select Create new to define the on-premise VPN endpoint for this connection a. Enter a name for the local gateway in the Name field b. Enter the public IP address for your UTM or XG Firewall in the IP address field c. Enter the subnet(s) in your on-premise network you d like to access through the tunnel in the Address space field (note that the portal adds an additional field for each subnet you wish to add) d. Click OK to save the local network gateway 18. Enter the PSK you wish to use for this gateway in the Shared key (PSK) field 19. Click OK to save the connection Once these settings have been deployed, the configuration of your VNET and VPN Gateway has been completed. Proceed to the relevant chapter in this guide for the UTM or XG Firewall configuration required to connect to the newly created VPN gateway. Make sure to write down or memorize the IP address assigned to the new gateway (open the Properties in the Settings of your VPN Gateway to find the public IP address currently associated with the gateway) along with the pre-shared key you ve entered for this connection as we ll need them later on. 3 Azure Virtual Network with XG Firewall In this example we assume you are using a Sophos XG Firewall as the local gateway to your network, functioning as the gateway for your local network client devices. The resulting network layout looks as follows: 6

7 Proxy Protocol Support for Sophos UTM on AWS Figure 1: XG Firewall VPN with Azure Architecture Overview Since the XG Firewall performs the same task as the UTM in this scenario, the same benefits of having reduced overhead in routing management and a significantly simplified (hybrid) cloud deployment apply. An obvious additional benefit the XG Firewall has over the Sophos UTM is that, while still maintaining the advantages of transparent connectivity like with the UTM, the XG Firewall offers additional filtering based on Endpoint status which can be applied to firewall policies to prevent allowed network traffic from infecting your cloud environment. 7

8 3.1 Requirements A completed VNET and VPN gateway configuration The public IP address of the Azure VPN Gateway and the pre-shared key for the Azure VPN connection A Sophos XG Firewall deployed as gateway on the local site Configuration of the site-to-site tunnel is defined both in Azure and on Sophos XG Firewall, and since we ve already deployed the VNET and VPN Gateway previously, we can move right to the configuration of the XG Firewall in this chapter. A high-level overview of the steps required includes: 1. Create a custom IPsec Profile 2. Create a new IPsec Connection 3.2 Custom IPsec Profiles To support the specific VPN settings used by Azure, we ll need to either modify an existing IPsec Profile or create a new one. As the XG Firewall has no specific limit on the number of IPsec Profile, we suggest creating a new profile using the following steps: 1. Open the XG Firewall Admin Console 2. Navigate to the VPN menu item located in the Configure submenu 3. Open the IPsec Profile tab and click Add to define a new profile a. Set the name of the profile by entering a name in the Name field b. (optional) If a description is desired for future reference, enter it in the Description field c. Enable Re-keying (the renegotiation of an existing connection s shared keys without downtime) by ticking the Allow Re-keying checkbox d. Set the number of retries allowed for Key Negotiation in the Key Negotiation Tries field (the default value is 3, setting this to 0 will enable indefinite retries) e. Set the authentication mode by selecting either the Main mode or Aggressive mode radio buttons (note that Sophos strongly recommends not using Aggressive mode as this might leave the keying phase of the tunnel initiation vulnerable to eavesdropping, see: f. Make sure Pass Data in compressed format checkbox is unticked a. Set the Phase 1 encryption algorithm to AES 256 from the dropdown menu b. Set the Phase 1 authentication algorithms to SHA 1 from the dropdown menu c. Select 2 (DH 1024) from the Diffie-Hellman checkboxes in the DH Group (Key Group) list d. Set the key lifetime in seconds to by entering this value in the Key Life field e. (optional) You can modify the default 120 second re-keying margin by entering the desired amount of seconds in the Re-key Margin field XG will use this value to determine when to start the rekeying process for an existing connection 8

9 Proxy Protocol Support for Sophos UTM on AWS f. (optional) Enable re-keying margin randomization to prevent automatic eavesdropping by entering a percent value in the Randomize Re-keying Margin by field g. Disable dead peer detection by unticking the Dead Peer Detection checkbox h. Set the Phase 2 encryption algorithm to AES 128 from the dropdown menu i. Set the authentication algorithm to SHA 1 by selecting it from the dropdown menu j. Select None from the PFS Group (DH Group) menu to disable perfect forwarding secrecy k. Set the key lifetime for the phase 2 connection to 3600 seconds by entering this value in the Key Life field 2. Click Save to store the profile and continue With the new profile created, we can now proceed with the configuration of a new IPsec Connection. 3.3 IPsec Connections IPsec Connections combine the remote gateway and IPsec connection policy elements from the Sophos UTM into a single item, resulting in one less step in this guide. To create a new IPsec Connection, proceed as follows: 1. Open the XG Firewall Admin Console 2. Navigate to the VPN menu item located in the Configure submenu 3. On the IPsec Connection tab click the Add button to create a new IPsec tunnel 4. Start by naming the connection by entering a name in the Name field 5. (optional) Set a description in the Description field 6. Select Site-to-Site from the Connection type dropdown menu 7. Select the IPsec Profile we ve created in the previous step from the Policy dropdown menu 8. Select the action to take when the VPN connection is (re)started by selecting an option from the Action on VPN Restart dropdown menu Select Disable to only allow manual reconnection, Respond Only to allow XG Firewall to respond to re-initiation or Initiate to allow both response and autonomous reconnection. 9. Next, select the Preshared Key authentication type from the Authentication Type dropdown menu in the Authentication Details section 10. Enter or copy the Azure Pre-shared key we wrote down or memorized earlier into the Preshared key and Confirm Preshared Key fields 11. Under Endpoint Details select the local XG Firewall s WAN interface from the Local dropdown menu and enter the Azure VPN Gateway IP address in the Remote field 12. Select the IPv4 radio button under Network Details to set the type of tunneled network 9

10 Note IPv6 is not fully supported in Azure at the time of this writing. 13. Fill in the Local Subnets field by clicking the Add button to set the local subnets that can use this VPN connection 14. Select a local LAN network range or address from the Local LAN Address dropdown menu 15. (optional) To add a new host or range, select Create new 16. Enter a name for the new network object in the Name field 17. Set the IP family by selecting the IPv4 radio button 18. Select the network object type by selecting either IP (a single IP address), Network (a single IP subnet), IP Range (a freeform range defined by a starting and an end IP) or IP List (a comma separated list of IP addresses) 19. (optional) You can add the new network object to an existing or a new IP host group by a group from the IP Host Group dropdown menu by clicking the Add New Item button 20. (optional) To create a new group select Create new 21. Enter a name for the IP address host group in the Name field 22. (optional) Set a description in the Description field if required 23. Set the type of IP objects to IPv4 by selecting the corresponding radio button from IP Family 24. (Optional) add existing hosts, networks, IP ranges or IP Lists by clicking the Add New Item on the Select Host dropdown menu Note the new object will be added to the IP Host Group automatically. 25. Click Save to proceed and return to the previous configuration dialog 26. (optional) Tick the NAT Local LAN checkbox to enable address translation of the local network when communicating with the remote network in the tunnel this can be used to solve overlap issues 27. (optional) When NAT Local LAN is ticked, use the NATed LAN dropdown menu to select the IP address or IP address range to which the local network should be NATed. 28. (optional) Select Create New to define a new IP Host object, see step 12.a.i for more details on this process 29. Click Save to proceed and close the configuration dialog 30. Select IP Address from the Local ID dropdown menu to have the XG Firewall identify itself by its IP address when communicating with the Azure VPN Gateway 31. Note: When the Local ID field is left blank XG will default to using IP address authentication 32. (optional) When your XG Firewall sits behind a NAT boundary, make sure to enter the Public IP for your firewall in the corresponding field 33. (note) Starting with Sophos XG Firewall version 16, NAT-T detection is enabled by default, thereby no longer requiring you to tick the Allow Nat Traversal box to enable this functionality 10

11 Proxy Protocol Support for Sophos UTM on AWS 34. Add the Azure VNET s network range to the Remote LAN Network box by clicking the Add New Item button 35. To add a new range, select Create new 36. Enter a name for the new network object in the Name field 37. Set the IP family by selecting either the IPv4 radio button 38. Select the network object type by selecting either IP (a single IP address), Network (a single IP subnet), IP Range (a freeform range defined by a starting and an end IP) or IP List (a comma separated list of IP addresses) 39. (optional) You can add the new network object to an existing or a new IP host group by a group from the IP Host Group dropdown menu by clicking the Add New Item button 40. (optional) To create a new group select Create new 41. Enter a name for the IP address host group in the Name field 42. (optional) Set a description in the Description field if required 43. Set the IP object type to IPv4 by selecting this radio button from IP Family 44. (Optional) add existing hosts, networks, IP ranges or IP Lists by clicking the Add New Item on the Select Host dropdown menu 45. Click Save to proceed and return to the previous configuration dialog 46. Set how the Azure VPN gateway will identify itself to IP Address by selecting this Remote ID type from the Remote ID dropdown menu and fill in the corresponding field with the Azure VPN Gateway s IP address. 47. (optional) Unfold Quick Mode Selectors to define the protocols allowed inside the tunnel Note VPN tunnels are also susceptible to firewall rules, but the selection here limits the protocols that are allowed inside the tunnel prior to applying the firewall s rules increasing the potential filtering efficiency. 48. Select ICMP to restrict traffic inside the tunnel to ICMP only 49. Select UDP to restrict traffic inside the tunnel to UDP only 50. Enter the port or range of ports allowed between the local network and the remote network by entering them in the Local Network field (multiple ports are separated by commas (,), ranges can be defined by the use of a hyphen (-)) 51. Enter the port or range of ports allowed between the remote network and the local network by entering them in the Remote Network field 52. Select TCP to restrict traffic inside the tunnel to TCP only 53. Enter the port or range of ports allowed between the local network and the remote network by entering them in the Local Network field (multiple ports are separated by commas (,), ranges can be defined by the use of a hyphen (-)) 11

12 54. Enter the port or range of ports allowed between the remote network and the local network by entering them in the Remote Network field 55. Select All to allow unrestricted traffic flow inside the tunnel 56. (optional) Unfold Advanced Settings to enable tunnel disconnection when idle by ticking the Disconnect when tunnel is idle checkbox 57. Set the amount of time in seconds (in which no activity takes place inside the tunnel) when a VPN tunnel is to be declared idle in the Idle session time interval field 58. Click Save to store this new IPSec VPN Connection 59. (optional) Accept the key notification update to continue 60. Click the red dot under Activate to enable the connection 61. (optional) Click the red dot under Connection to manually initiate connection setup and connect to the Azure VPN Gateway Once the connection establishes correctly, the Red dot under Connection should turn green, and you ll have the option to open additional details about the connection by clicking the I button next to the green dot. This will take you to the Connection Detail screen where you can see the remote and local subnets inside the tunnel. Note XG Firewall does not create automatic firewall policies for VPN traffic, so you ll need to configure a User / Network Rule in the Firewall that allows traffic between the VPN zone and the zone representing your local network. 4 Conclusion This concludes the instruction on how to configure XG VPN connections to Microsoft Azure. For more configuration examples (on firewall rules for example, or further site-to-site VPN configuration options) please visit our knowledgebase at 12