Any way to setup WebAdmin to be accessible from the WAN side, without a VPN, yet, without having to worry about brute force attacks?

I set up a UTM for my parents in Bridge Interface + Full Transparent Mode. The great thing about this setup is that half of the network is not filtered in any way, for someone like my lawyer brother who still lives with my parents, and the other half of the network has dual AV, Snort, Sophos Content Filtering, and OpenDNS content filtering for my parents, who, despite their best efforts, constantly seem to be hitting hijacked ads when on the web.

Basic topology is:

Internet -> [DSL modem/router] -> [Bridged UTM] -> [Unmanaged LAN switch] -> Airport Extreme in Access Point mode

I can forward port 4444 to the UTM and set the UTM to be accessible from the web. I have no problem doing that; however, since I cannot set up a VPN on the UTM in bridge + full transparent mode, I am afraid to leave the UTM exposed to scanning and attacks on the WAN side. The same goes for my experience with the Sophos UTM and the Amazon Cloud. In testing, I was constantly getting e-mails about IP addresses that had been blocked for too many failed login attempts.

Is there any way that I can secure this setup so that I can manage the UTM remotely without having to worry about a brute force attack, without a VPN? I get that using HTTPS encrypts the traffic; my concern is brute force attacks that eventually lead to the UTM being compromised on the WAN side.

  • Sorry, I may not have done a good job of explaining this before. In my setup, I have my UTM set up in Bridge Interface + Full Transparent Mode. This means the UTM does not give out IP addresses, as it does not function as a DHCP server. I was under the impression that I could not set up a VPN on the UTM in Bridge Interface + Full Transparent Mode. Maybe this is possible, but I will need to research that further, as Bridge Interface + Full Transparent Mode is atypical of the majority of UTM setups.

    I agree that 2-factor authorization is a good idea. Who knows, if John Podesta had used 2-factor authentication, we might have a different president right now. Not trying to get into politics, but I agree, that it is a good idea in general.

    Lastly, and this is the most important factor for me currently, is finding the time to properly familiarize myself with 2-factor authentication on the Sophos UTM. I am familiar with dynamic IP addresses and have no issue with setting that up. I have used DynDNS in the past and was extremely disappointed when they shut down the free version due to abuse by malware distributors and spammers. I am hesitant to use No-IP as they also have been known for being abused for malware distribution. That is why I am so glad Balfson mentioned FreeDNS. It seems much more reputable and less likely to have free DNS registrations expire, which is my biggest concern.

    Believe it or not, I am actually in the midst of my last law school finals, in the US. I am taking the Bar Exam in July. Once the exam is over, I will look into adding 2-factor authentication, but for the time being, if I can restrict it to one external IP with admin rights, which I can control with a dynamic DNS service like FreeDNS, and lock every other external IP in the world out, I feel comfortable with the setup, until I can eventually add 2-factor authentication + dynamic DNS limiting remote access to one IP. If possible, I will also restrict it to a VPN.

    In other words, once the bar exam ends in July, I will be able to live like a normal human being again!
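    The "one dynamic-DNS-tracked IP, everyone else locked out" approach above has one failure mode the poster already worries about: the free DNS registration expiring or the name stopping to resolve. This added example (not code from the thread or from Sophos; the hostname `home.example`, the sample addresses and the injectable `resolver` are assumptions) shows the fail-closed resolve logic a script feeding such an allow-list should have, rendered as equivalent Linux iptables lines for illustration; on the UTM itself the allowed networks are set through its GUI.

```python
"""Keep a WebAdmin allow-list pinned to one dynamic-DNS hostname, failing closed."""
import ipaddress
import socket
from typing import Callable, List, Optional

WEBADMIN_PORT = 4444  # port forwarded from the edge router to the bridged UTM


def resolve_ipv4(hostname: str) -> Optional[str]:
    """Return the single IPv4 address the hostname resolves to, or None on failure/ambiguity."""
    try:
        addrs = {ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return None
    return addrs.pop() if len(addrs) == 1 else None


def build_allowlist(hostname: str, last_known: Optional[str],
                    resolver: Callable[[str], Optional[str]] = resolve_ipv4) -> List[str]:
    """Return the /32 networks allowed to reach WebAdmin.

    Fail closed: if the dynamic-DNS name no longer resolves (e.g. the free registration
    expired) or resolves to a non-public address (record hijacked or misconfigured),
    keep the last known address instead of widening access; with no last address, allow nothing.
    """
    current = resolver(hostname)
    fallback = [f"{last_known}/32"] if last_known else []
    if current is None:
        return fallback
    ip = ipaddress.ip_address(current)
    if not ip.is_global:
        return fallback
    return [f"{ip}/32"]


def render_rules(allowlist: List[str]) -> List[str]:
    """Express the allow-list as iptables lines (illustrative Linux equivalent, not UTM config)."""
    rules = [f"iptables -A INPUT -p tcp --dport {WEBADMIN_PORT} -s {net} -j ACCEPT"
             for net in allowlist]
    rules.append(f"iptables -A INPUT -p tcp --dport {WEBADMIN_PORT} -j DROP")  # default deny
    return rules


if __name__ == "__main__":
    # Constructed sample: pretend the DDNS name currently points at a public address.
    allow = build_allowlist("home.example", None, resolver=lambda h: "93.184.216.34")
    print("\n".join(render_rules(allow)))
```

    The last rule is unconditional, so an empty allow-list (no valid resolution, no remembered address) drops all WAN access to port 4444 rather than leaving it open.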

  • Quick note: according to a post from Etienne Liebetrau over at Fastvue, it appears it is likely possible to set up a VPN on a UTM in Bridge Interface + Full Transparent Mode, behind a router.

    This is the stripped-down post from over at Fastvue:

    isaac March 15, 2016 at 4:04 am

    In transparent mode, can it be configured to set up VPN dial-in? What is the hard limitation on the feature when configuring a VPN?

    Etienne Liebetrau March 22, 2016 at 8:40 pm

    In full transparent mode, as this article describes, this would be a little different. I have not set this up or tried it yet, so I am speaking under correction here. The UTM does not have an external IP address. The IP address would be the bridge interface's IP; one would have to set up port forwarding on the edge router to send traffic to the bridge IP. From there the VPN should function as normal, since the traffic from the internal network should originate from the bridge interface's IP. Internal routing should then be able to route traffic back to this address.

    Let us know how it goes if you do set this up.

    Regards

    Etienne
  • "In other words, once the bar exam ends in July, I will be able to live like a normal human being again!" - I have a lot of lawyer friends.  Sorry, Scott, you'll never be a normal human being again! [:D][:D][:D]

    Although you cannot configure an L2TP/IPsec VPN behind a NAT, you can configure SSL VPN Remote Access.  You just need to forward the port to the UTM.  I like to configure that to use UDP port 1443 for SSL VPN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, you are right on that one. Law school messes a person up in all sorts of ways, some for the better, some not so much.

    Thank you for the info about the SSL VPN. As I mentioned earlier, I will look to implement this after the bar exam this summer.  I want to thank you for the help that you have given me and others on this forum. When searching for information about how to get my UTM up and running, I routinely find that you have given others on here answers to questions which I would otherwise be asking myself. You have probably unintentionally answered questions of mine at least 20 times, without ever replying directly before this thread, so thank you for all your advice!

    Scott
