Hi,
I have read multiple threads but I am a little confused now on how to set up the sophos.
I have read about using DMZ, using DNAT, assigne the public IP's to the Sophos wan interface. But as said I am now a little more confused of whats the best way or maybe also the preferred setup.
Maybe I can get some new input from you guys.
From my ISP I have 1 static public IP and also a /28 Public network (13 IP's usable, one is the gateway which has been assigned by the ISP)
The Sophos is set up on a virtual machine on a ESXi. The ESXi is connected with one interface directly to the internet with the single public ip mentioned above. (eth0)
The Sophos has 3 virtual lan interfaces.
One connected with vswitch 0 to eth0 of the ESXi having one of the /28 net. Lets call this external. The interface of the Sophos has the netmask /28. IP .14 and as gateway the .1 of the same /28 net.
The next interface on vswitch 1 was ment to be the interface for VM's used as different services. The IP ist another one of the /28 network. Lets call this internet_lan. IP .13 netmask /28
The last interface is connected on vswitch 2 which has a local network 192.168.100.1. Also running a DHCP server on this interface for the 192.168.100.0 network. Lets call this internal
For the "internal" network everything is clear to me and everything works fine.
My thought actually was that the VM's on internet_lan would be directly accessable through their public IP and I only would need to set up Firewall rules for the specific VM's. e.g. SSH, Webserver and so on.
Lets make some examples of the VM's which will have public IP's of the /28 network.
- VM1: IP .2 gateway: .13 Services: SSH, Webserver Port 80 & 443
- VM2: IP .3 gateway: .13 Services: SSH, Webserver Port 80 & 443
- VM3: IP .4 gateway: .13 Services: SSH,
- VM4: IP .5 gateway: .13 Services: Terminal Services (RDP)
- VM5: IP .6 gateway: .13 Services: SSH, Mail (POP3S, IMAPS, SMTPS)
and so on....
Of course I want to give the VM's the best protection Sophos can deliver. So a solution where the VM's are not protected by Sophos is no solution.
When using NAT I would need to configure different Ports on the external side for SSH, Webserver and so on that it will find it correct direction to the destination.
So I would rather prefer speaking directly to the servers e.g. SSH with their public IP and configuring the Firewall which Ports to let through to which VM. Or is there a downside which I don't think of?
Is there any way to achieve this?
Do I need another IP Address from another subnet / network for the external interface of the Sophos? Or has this no impact that the external and internet_lan interface have got an IP address of the same /28 network?
Or do I need to assign the whole /28 network IP addresses to the external interface and then work with DNAT and using a local IP range for the VM's?
I had a look at Web Server Protection (WAF) which seems to be ok for web Services as it seems to determine the correct webserver through the url.
If I got that right this is the most secure way for webservers to be made public as Sophos gives the best protection for the webserver this way. Have I got that correctly?
How about using SSL certificates e.g. verisign or comodo? Usually the certificate can only be signed for one (sub)domain linked to one IP.
It was ment to use one SSL certificate for VM1 and another one for VM2.
I hope I described this clear enough with my english knowledge.
If there are any questions don't hesitate to ask.
Thanks for your answers and advises in advance.
Greetings
EDIT: Forgot to mention that I am using latest V9 version of Sophos
This thread was automatically locked due to age.
