Cisco RV Router after Sophos?

I have a fairly new Cisco RV router that cost a decent amount. Can I configure Sophos Home UTM to not perform routing and still use it other than just a switch?

Modem > Sophos Home UTM > Cisco RV Router > LAN

I would also still like to use the Content Blocking and access rules in the Cisco RV along with DHCP. Essentially I just want Sophos Home UTM to be a firewall.

Could I just turn off routing in Sophos Home UTM, connect the LAN on the Sophos Home UTM hardware to the WAN on the Cisco RV, and then have the Cisco operate as it currently does? I guess it would be a little redundant to have multiple firewalls and content filtering, but I read that Sophos Home UTM is one of the best firewalls.



  • I am guessing that your Cisco device is also a firewall. If so, I do not recommend double NAT, so one of the firewall functions should be disabled. I suggest putting the Cisco firewall in front with UTM behind it in bridge mode. See my posts in the Wiki and my other post about UTM port usage.

  • OK thanks, could you explain a little more? My initial thought was that the UTM is a better firewall than the Cisco RV, so that's why I wanted it in front.

    So what would the purpose be for having the Cisco RV Router with Firewall in front of UTM in bridge mode?

    Sounds like option 3 in the Wiki would be the way to go to test a setup like Modem > UTM > Cisco RV > LAN. And if that didn't work just do option 4 and replace.

  • UTM is not a traditional firewall, which is probably why the word "firewall" is not in the product name. It is a series of packet filters, with the "Firewall Rules" layer being the fallback that is used if none of the other packet filters are applicable. This creates some complexity for system configuration. To create a global block rule, you need to use a DNAT-to-DeadEnd rule, which is not intuitive. A novice does not know this needs to be done at all, and the experienced user has to work hard to determine which ports need to be blocked using this method. I have tried to document everything I know about UTM port usage and which DNAT rules are needed in my post about "UTM Port Usage". But if you have a firewall in front, you can avoid all of the DNAT-to-DeadEnd mess. Let the firewall do pure firewall processing based on sourceIP&Port-DestinationIP&port. Then let UTM do the sophisticated packet filtering about which traffic is allowed based on reputation and content.

    The hardest part about bridge mode is getting it set up.  You need two unused ports to create the bridge, and you need at least one working interface to make the change.  This is best done with a laptop connected directly to UTM.   For example, if your internal network is on 192.168.*.*, configure your laptop on a port using 10.10.10.*.   Once the bridge is established, it looks like any other interface.   You give it an IP address and subnet mask, specify the default gateway (the other firewall address) on the bridge interface, and configure static routes for internal network addresses.

  • Thanks. I guess the main reason I was considering UTM (or even something like pfSense) was I was thinking they were more traditional firewalls and/or better firewalls than the firewall in the Cisco RV Router.

    But if UTM was not a better or more secure firewall then I would probably be fine not even implementing it. I was just looking for the best security and firewall to put before the router or replace the router with.

  • On the contrary. UTM is very useful because it can do things that a plain firewall cannot: Web proxy (bad reputation blocking and policy enforcement), APT based on DNS blacklist and IP blacklist, and Intrusion Prevention (hostile packet contents).

    It also does POP3 and SMTP filtering for email, and webserver protection, but home users do not usually need those.

    Very sophisticated except on the rudimentary task of source-destination block/allow rules. It can do them too, but it is more difficult than it should be, so a dumb firewall is useful.

    I do not know the Cisco product or your license for it, so I do not know if yours has any features which may be comparable. I had low expectations because you called it a router, but since it was expensive it may have some of the capabilities.

  • Great stuff, thanks. I think UTM sounds like a great option. I am mostly interested in a firewall for security, hack protection etc. and content filtering to block inappropriate websites and YouTube videos, etc. to be used with OpenDNS.

    The Cisco Router really just has a firewall rule to block all incoming connections on the WAN. Basically anything that was not established is blocked by default and you can add rules.

    Does the UTM firewall block all incoming connections out of the box? Where is the best resource for configuring the firewall, block/allow rules etc.?

  • Hi,

    The UTM blocks everything by default; there are NO default rules. You have to build your own rules.

    The easiest rule to get started with is internal network -> any (port) -> any (external site) -> allow -> log then MASQ internal network -> external interface.

    From there you can add extra features like DNS, NTP, web and mail (smtp) proxies, DHCP server, static IP address assignments. You further tighten your outgoing rule by changing the any to selected ports and add functions to the web (http) proxy. Logging on the UTM is very good and helps resolve access issues quickly.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
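As an added example that is not part of the thread, here is a small Python model of the default-deny policy Ian describes: with no rules everything is dropped, the starter rule allows and logs internal network -> any port -> any destination, MASQ rewrites the source to the external interface, and a tightened copy of the rule limits outbound to selected ports. The addresses and ports are constructed placeholders, and the first-match evaluator is a simplification for illustration, not Sophos UTM's own packet-filter implementation.

```python
# Added example, not from the thread: a first-match packet filter modelling the
# policy described above (no default rules, so unmatched traffic is dropped).
# Addresses and ports are constructed; this is not UTM's own implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("192.168.1.0/24")  # constructed internal network
EXTERNAL_IP = "198.51.100.2"             # constructed external interface address

@dataclass
class Rule:
    name: str
    src: object          # ip_network or "any"
    dst: object          # ip_network or "any"
    dports: frozenset    # empty set means any port
    action: str          # "allow" or "drop"
    log: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def match(rule, pkt):
    if rule.src != "any" and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in rule.dst:
        return False
    return not rule.dports or pkt.dport in rule.dports

def evaluate(rules, pkt, log=None):
    """First matching rule wins; with no match the default is drop."""
    for r in rules:
        if match(r, pkt):
            if r.log and log is not None:
                log.append(f"{r.name}: {pkt.src}->{pkt.dst}:{pkt.dport} {r.action}")
            return r.action
    if log is not None:
        log.append(f"default: {pkt.src}->{pkt.dst}:{pkt.dport} drop")
    return "drop"

def masquerade(pkt):
    """MASQ internal network -> external interface: rewrite the LAN source."""
    if ip_address(pkt.src) in INTERNAL:
        return Packet(EXTERNAL_IP, pkt.dst, pkt.dport)
    return pkt

# Starter rule from the post, then the same rule tightened to selected ports.
STARTER = [Rule("internal->any", INTERNAL, "any", frozenset(), "allow", log=True)]
TIGHTENED = [Rule("internal->web+dns", INTERNAL, "any", frozenset({53, 80, 443}), "allow", log=True)]
```

Unsolicited inbound traffic to the LAN is dropped under both rule sets because nothing matches it, which is the "blocks everything by default" behaviour; only the outbound rule decides what leaves.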

