Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 5145 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best Practice for RED Tunnel firewall rules and routes?

john_kenny

Ive been using XG and UTM for a while now and have used RED a few times, but ive got a dedicated server now in the cloud and i installed XG on it for my edge firewall.  I setup a red tunnel from my xg to that xg but i had a windows 2019 vm running on the server and somehow i had an intrusion on an app.  Ive no idea how it got in as i have web filtering on and ips and atp, but still it got in.

It was a remote desktop manager app and the logs showed user attempts on the sessions which wasnt what i use, i assumed id be secure enough using the red tunnel for the access to the app and i dont have incoming rules for that vms ip.

Is red secure? the intrusion either happened via the red vpn or the wan connection but as i say the WAN rules have every feature enabled and double malware scanners and batch processing in the web filter, ips is general policy and atp is on for log and drop.  However the red rules for my access are less strict, VPN to LAN i use without web filtering but i still use ips general policy on both ends rules.

I only have static routes my side and i use the vms ips on /32 addresses for each route i need to use, the server side has no routes as i didnt think it would need them as its just one way traffic really and its initiated from my side.

My XG does use web filtering on the LAN to VPN rule with http & https scanning, quic block, sandstorm and ftp scanning aswell as IPS general policy and atp is also on.

So as you can see i assumed i covered all the bases to keep my sessions secure but i assumed wrongly.

Is there a decent guide for RED tunnels XG to XG which includes firewall rules, routes and interface setup?

Thanks

JK



This thread was automatically locked due to age.
  • 0

    The point is: RED is an "Basic SSL VPN Tunnel on Layer 2". 

    So the setup is simple and after setting up the tunnel, you basically attach a cable from XGA to XGB. So you have to deal with the routing, transfer network, etc. 

    The protocol is secure and everything you send in RED Port A will be encrypted and send to RED Port B. Simple as that. 

     

    I assume there is some kind of wrong networking or false configuration or somebody managed to get in your system in other levels. Do you use a Endpoint on the server? 

    I am an fan of using Intercept X for Server advanced.

    https://www.sophos.com/en-us/products/server-security.aspx

  • 0 in reply to LuCar Toni

    Yeah im a Sophos MSP partner so I def have Intercept X on the server however i killed the server as soon as i realised something was really really wrong (well powered off the VM).  I think i'll detach the network adapter from the VM in question and power it back up to investigate.

    Problem is i was using Devolutions Password Server on the Windows server 2019 vm so sophos Intercept X wouldn't have caught anything with that.  Its a web api server and i had only just installed it and copied my db over to it and was starting to apply Azure AD auth.  It was just i wrongly assumed id covered the bases and that i would have been fairly safe over VPN.  The other VMs on the VMware ESXI 6.7 & Vcenter 6.7 server are Ubuntu OS's so they don't have any security as such on those, Sophos Server linux has no real time protection as i did try that on the other vms at one point.

    Thanks for the replay though, I think i will try to dig through my Sophos Central logs now you reminded me lol.

    JK