
Had to create a LAN to LAN any/any rule for a RED60 deployment, is this safe?

Hi, recently we deployed a RED60 at a satellite office. Internet is working great, email and server access is fine. We found out though that when I try to ping devices on the RED network, it does not work. VoIP also doesn't seem to work when it's internal.

I did a policy test and found the packets are dropped due to no rule. I created a LAN to LAN rule set for any service, any port etc. and that seemed to fix the issue.

I found this article on setting up RED devices and they even say you may need to create a LAN to LAN rule to get traffic working: https://support.sophos.com/support/s/article/KB-000036362?language=en_US 

"For traffic to pass between the two firewalls, a LAN to LAN or similar rule must be created on each firewall."


Now my question to this community is, is this safe or even best practice? I am hesitant because of the "any to any" stuff. Since the RED device is considered LAN zone, I must create this rule because otherwise the Sophos doesn't know to route my traffic to that network. I've done some research and asked around and some techs are saying it's not secure.

Is there a better way to do this? Should I instead be creating some type of static route, or perhaps in my rule for the destination, instead of LAN, should I specify just the RED device's subnet? Most of our VLANs are handled by our switches so normally internal LAN traffic never hits the firewall other than in this scenario, but I'm worried I'm creating a big security hole. Does anyone have any insight or information that could help calm my fears? Thank you!



  • Now my question to this community is, is this safe or even best practice? I am hesitant because of the "any to any" stuff. Since the RED device is considered LAN zone, I must create this rule because otherwise the Sophos doesn't know to route my traffic to that network. I've done some research and asked around and some techs are saying it's not secure.

    Any rule that is Any to Any isn't safe by default. By creating a LAN rule with Any sources and destinations, any traffic from that zone will now be open to talk with itself.

    First, I can recommend you create a separate zone for the REDs instead of using the LAN zone. (This will be better for management later.)

    If you can't change zones for the RED anymore, then it's better to create a better rule with the correct source networks and destination networks.

    Close down your rule as much as you can; if a network or device doesn't need certain access, then don't allow it.

    You can do this by creating the correct networks and applying them on the rule. Here's an example:

    In this rule the WiFi network is allowed to talk with anyone on the Servers network, but also needs to be authenticated with XG, through AD or captive portal.


    Thanks!

  • Thanks, for now I have changed the destination network to the subnet that is used over there by the RED DHCP server which is 10.0.80.x


    For the zones, I will need to leave that alone for now but it should still function the same as I need LAN devices such as my PC to be able to ping them so even if I made a RED zone for management I still need to leave LAN zone in there. Right? 


    I guess the final step is to now define my source networks. All the VLANs are handled by my switch though, so the firewall isn't even aware of all those networks so I cannot even specify any of my internal subnets since none of them are in the Sophos. I'm wondering if I should set the source network to be the port that my Core switch is plugged into but that seems like it would pretty much give me the same result because I only have one port tagged as LAN. 


    I really appreciate your help with this. I think I'm still misunderstanding something slightly, but I feel like this rule should be safe.

  • So after thinking about it more I think we are all set and I marked your answer as correct. 


    What I found is I will just need to add my VLANs as network objects, then in the source networks I can specify each subnet. In my case though, this is not necessary as I want ALL subnets to communicate, but I understand it's best practice to specify them so I will do so. This helps prevent any future subnets or anything like that from automatically being added to the rule... For security though it's going to allow the same traffic since I'm allowing all my internal subnets.


    I also appreciate the info on the RED zones, I will look into doing that for better management down the line. 

  • Sidney Frey said:
    What I found is I will just need to add my VLANs as network objects, then in the source networks I can specify each subnet. In my case though, this is not necessary as I want ALL subnets to communicate, but I understand its best practice to specify them so I will do so.

    Sidney Frey said:
    All the VLANs are handled by my switch though, so the firewall isn't even aware of all those networks so I cannot even specify any of my internal subnets since none of them are in the Sophos.

    Sidney Frey said:
    Most of our VLANs are handled by our switches so normally internal LAN traffic never hits the firewall other than in this scenario, but I'm worried I'm creating a big security hole. Does anyone have any insight or information that could help calm my fears? Thank you!

    (Sorry, Brain.exe didn't work correctly and I didn't see you mentioned the internal VLAN traffic is being handled by the switch.)

    It pretty much depends on your own scenario.

    Some people like to do all inter-VLAN routing over their switch, so their firewall doesn't have to handle that load, and whenever it's needed they will close down stuff with ACLs.


    But the best scenario is having the firewall handle all the internal traffic (if it can). This will allow you to protect your internal network from possible inside attacks, such as attacks coming from an internal machine that's trying to spread over your own internal network. *This would be the best practice.


    Sidney Frey said:
    This helps prevent any future subnets or anything like that from automatically being added to the rule..

    Exactly, by forcing the rule to use certain networks, it will prevent a lot of headache in the future. What if you create another LAN network that doesn't need to talk with the other networks at all? Then you will have to create another rule on top just to block it. (Or an exclusion on v18.)

    But since in your scenario most of it is being done on the switch, then you don't have "a lot to worry about" now.


    Thanks!
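To make the two pieces of advice in this thread concrete (narrow the rule's source and destination networks instead of Any/Any, and scoped rules keep a subnet added later from silently inheriting access), here is an added example that is not part of this thread and is not Sophos code. It is a toy model of a zone-based rule base with the behaviour the thread describes: first matching rule wins and an unmatched packet is dropped ("dropped due to no rule"). The 10.0.80.0/24 RED-side subnet comes from the thread; the two HQ VLANs, the rule names, and all host addresses are constructed for illustration.

```python
"""Toy zone/network firewall rule model (added example, not Sophos code).

Assumptions: first-match evaluation, implicit drop when no rule matches,
and an empty network list standing in for the "Any" object.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

IPNet = ipaddress.IPv4Network


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: List[IPNet] = field(default_factory=list)  # [] means Any
    dst_nets: List[IPNet] = field(default_factory=list)  # [] means Any
    action: str = "accept"


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr, strict=False)


def _in_any(nets: List[IPNet], ip: ipaddress.IPv4Address) -> bool:
    # An empty list is the "Any" object and matches every address.
    return not nets or any(ip in n for n in nets)


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src: str, dst: str) -> str:
    """Return the action of the first rule matching this flow, else 'drop'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _in_any(r.src_nets, src_ip)
                and _in_any(r.dst_nets, dst_ip)):
            return r.action
    return "drop"  # implicit default: no rule matched


# 10.0.80.0/24 is the RED-site subnet named in the thread.
# The HQ VLANs below are constructed for this example.
RED_SUBNET = net("10.0.80.0/24")
HQ_VLANS = [net("10.0.10.0/24"), net("10.0.20.0/24")]


def any_any_policy() -> List[Rule]:
    # The original LAN to LAN Any/Any rule from the question.
    return [Rule("LAN to LAN any/any", "LAN", "LAN")]


def scoped_policy() -> List[Rule]:
    # The narrowed version: explicit network objects on both sides, one
    # rule per direction so each side's reachability is stated on purpose.
    return [
        Rule("HQ VLANs -> RED site", "LAN", "LAN",
             src_nets=HQ_VLANS, dst_nets=[RED_SUBNET]),
        Rule("RED site -> HQ VLANs", "LAN", "LAN",
             src_nets=[RED_SUBNET], dst_nets=HQ_VLANS),
    ]


def compare(src: str, dst: str) -> Dict[str, str]:
    """Evaluate the same LAN->LAN flow under both rule bases."""
    return {
        "any_any": evaluate(any_any_policy(), "LAN", "LAN", src, dst),
        "scoped": evaluate(scoped_policy(), "LAN", "LAN", src, dst),
    }


if __name__ == "__main__":
    flows = [
        ("10.0.10.25", "10.0.80.10"),  # HQ PC pinging a RED-site device
        ("10.0.80.10", "10.0.20.5"),   # RED-site phone reaching an HQ server
        ("10.0.99.7", "10.0.80.10"),   # VLAN added later, never put in the rule
        ("10.0.80.10", "10.0.99.7"),   # RED site reaching that new VLAN
    ]
    for s, d in flows:
        print(f"{s:>12} -> {d:<12} {compare(s, d)}")
```

The last two flows are the point of the second answer: under the Any/Any rule a VLAN created next year is reachable from the RED site the moment it exists, while under the scoped rule it stays dropped until someone deliberately adds its network object. The per-direction split also mirrors the first answer's advice to close the rule down to what each side actually needs.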
