Migrating from Sophos UTM Home Use License
-
Since the UTM is reaching EOL, I'm looking for a replacement. This is for personal/home lab use but I do host quite a few things behind the device so I need the VPN, WAF, anti-virus, IPS, SMTP proxy, web protection etc. I've been utilizing most of the features of the UTM.
There must be some people on this forum that are very familiar with the Sophos UTM. Please tell me, can I replace most of the UTM's functionality with pfSense? I'm confused about a few things.
It was several years back when I set everything up. Back then, not every connection was encrypted but all of my stuff uses HTTPS, now. The UTM's IPS (Snort) catches a lot of things even with HTTPS traffic. This is what's confusing me the most. I've read a lot of posts that state that IPS only works as man-in-the-middle and that you have to install a cert on all of the clients. I never installed any certs on the workstations or servers behind the UTM but I still see plenty of Snort blocked activity and false positives in the WAF log so it must be working with HTTPS traffic, right? I'm referring to external traffic (443) coming into the UTM->WAF->internal webserver (80). The UTM's WAF (reverse-proxy) handles the certs and port forwarding. So, is the UTM doing the man-in-the-middle thing by hosting the certs, accepting the HTTPS traffic and forwarding it to the internal web server via port 80?
Can I get the same functionality with pfSense, with HTTPS traffic? Contrary to what some may think, I have been searching my butt off trying to answer my own question but I'm still confused.
In pfSense, can IPS be tuned per server/web app? In Sophos UTM's WAF, you can disable different IPS rules and add exceptions for each web app behind the UTM even if they are on the same interface. Based on the info I've obtained so far, it appears that pfSense only goes down to interface level. Is this correct?
-
@jeffshead Generally Snort/Suricata cannot see into HTTPS/encrypted packets unless the client is using a cert the IDS can decrypt. It can see where the packet is going, so for instance there are rulesets blocking by the DShield block list. (Also in pfBlocker). We do HTTPS inspection for our clients in Bitdefender on the PC.
pfSense has haproxy though I’ve not used it myself.
pfSense has no SMTP service.
-
@SteveITS - Thanks for the response.
So in pfSense, to replicate what Sophos UTM does to protect web servers, can HAProxy be installed with certs and then Snort/Suricata can see in the unencrypted packets going to the server?
-
@jeffshead That's my understanding, since HAProxy takes care of the TLS termination and redirects to the web server on port 80.
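The reverse-proxy arrangement described in this reply, as an added example that is not from the thread or from the pfSense project's own generated config: a hand-written HAProxy configuration (what the pfSense haproxy package builds from its GUI fields) that terminates TLS on the outside, routes by subdomain, and forwards to one backend on port 80 and another on port 443, as the original poster's UTM does. The hostnames, certificate path, CA path and 192.0.2.x backend addresses are placeholders.

```haproxy
# Added example (not the thread's or the project's code). Hostnames, paths and
# backend addresses are placeholders.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor        # add X-Forwarded-For with the real client IP
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # cert+key bundle in PEM; on pfSense the package writes this from the cert manager
    bind :443 ssl crt /var/etc/haproxy/example.pem
    bind :80
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Route on the Host header, which is readable only after TLS termination
    acl host_app1 req.hdr(host) -i app1.example.net
    acl host_app2 req.hdr(host) -i app2.example.net
    use_backend app1_plain if host_app1
    use_backend app2_tls   if host_app2
    default_backend app1_plain

backend app1_plain
    # 443 -> 80: plaintext toward the internal server
    server app1 192.0.2.10:80 check

backend app2_tls
    # 443 -> 443: re-encrypt toward a backend that requires TLS, verifying it
    # against a hypothetical internal CA bundle
    server app2 192.0.2.20:443 ssl verify required ca-file /path/to/internal-ca.pem check
```

Where the packets are readable matters for the IDS question in this thread: on the WAN interface the flow is still encrypted, so an IDS bound there sees only IP, port and TLS handshake metadata. The `app1_plain` leg toward 192.0.2.10:80 is plaintext on the inside interface, but its source address is the firewall itself; the original client address survives only in the `X-Forwarded-For` header that `option forwardfor` adds, which a packet-level IDS does not use for its source IP.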
-
@jeffshead Full disclosure, I'm still new to Sophos gear so I'll try to keep this all related to pfSense since I know its ins and outs pretty well.
Regarding the HTTPS inspection, if you didn't install certs on your devices for the UTM then it wasn't actually "opening" those packets and inspecting them; that's the whole purpose of TLS communications. So you are correct in saying that the only way to do that is with DPI-SSL (or DPI-TLS), which requires installing certs on the end devices and is actually NOT recommended by most security professionals or even by the government itself. It poses a huge risk to have your router/firewall capable of decrypting all traffic on your network; it becomes a single point of failure, isn't good, and breaks end-to-end encryption entirely.
But, what you were doing on the UTM should be possible on pfSense through Snort, which CAN take actions based on TLS traffic; it just can't take actions based on decrypted TLS traffic. It still has visibility into other things that signatures can be built for to block bad traffic, things as simple as source and destination IPs but also other data that isn't encrypted like port, protocol, etc. This is likely what your UTM was doing.
Now to address some of your other needs:
- VPN is something that pfSense can not only accommodate but actually probably has the best compatibility out there for it, you can use whatever VPN protocol you like, the only thing it lacks is SSL VPN but please don't use those anyway lol
- WAF isn't really something pfSense does directly, it does have web proxy capabilities with HAProxy but it's not really a WAF
- AV, this isn't really something you do with a firewall other than if you are doing DPI-TLS which please don't lol
- IPS I already touched on above
- SMTP proxying is not something it can do as far as I'm aware, I've never tried though so could be missing something
pfSense is overall super capable though and the beauty of something so open is knowing exactly what is going on inside, which has helped me overcome some odd routing issues and bugs and allowed me to fix things before official fixes were even in place. I think overall it'll do what you need.
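What "taking actions based on TLS traffic without decrypting it" looks like in practice, as an added example that is not part of the reply above: three Suricata rules (the syntax is Suricata's, not the Snort 2 package's) that match only on data that is visible in an HTTPS flow with no certificate installed on any client. The SIDs, the 203.0.113.0/24 range, the SNI value and the issuer string are constructed placeholders.

```suricata
# Added example, not from the thread. SIDs, addresses and strings are placeholders.

# 1. IP/port metadata alone: inbound connections to 443 from a range you have
#    already decided to block (the "blocking an IP" case mentioned in this thread).
drop tcp [203.0.113.0/24] any -> $HOME_NET 443 (msg:"CONSTRUCTED block-listed source to web tier"; flow:to_server; sid:9000001; rev:1;)

# 2. The TLS ClientHello is sent in the clear, so its SNI shows which hostname
#    the client asked for. A name you do not host reaching the reverse proxy is
#    worth an alert.
alert tls $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED TLS SNI for a name not served here"; flow:to_server,established; tls.sni; content:"not-hosted.example"; nocase; sid:9000002; rev:1;)

# 3. On TLS 1.2 and below the server certificate is also readable, so fields such
#    as the issuer can be matched.
alert tls $HOME_NET 443 -> $EXTERNAL_NET any (msg:"CONSTRUCTED unexpected issuer on cert served by web tier"; flow:to_client,established; tls.cert_issuer; content:"Example Internal CA"; sid:9000003; rev:1;)
```

Two caveats that follow from the protocol itself: TLS 1.3 encrypts the server Certificate message, so rule 3 only matches older handshakes, and clients using Encrypted Client Hello hide the SNI that rule 2 depends on. Neither rule gives the IDS anything like the request-body visibility (SQL injection patterns, for instance) that the original poster is used to from the UTM's WAF; that requires inspecting the decrypted stream after termination.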
-
@planedrop - The Sophos UTM's WAF is a reverse-proxy that is terminating TLS and forwarding the traffic to the web apps. With that said, you think it's still not able to peer into the inbound traffic coming in on port 443? I know enough about network engineering to be dangerous so I'm in no way saying you are wrong but is the Sophos UTM able to see into all inbound packets since it is also hosting the SSL certs for the web apps that are behind it? It does catch a lot of SQL injection attempts. I've had to disable many Snort rules and add several exceptions (per each individual web app) because of false positives and it's all been HTTPS traffic.
Moving forward... What is the "best practices" way to reconfigure my network so that pfSense can replace the Sophos UTM? I use a Windows domain controller for DNS and DHCP for a "dual-brain" setup so that I can serve the same web apps to internal and external users. The Sophos UTM does the forward DNS lookups. I let the Sophos UTM's WAF handle the SSL certs for the external-inbound traffic, only (external interface to private IPs). Then the Sophos UTM WAF port forwards the traffic (by sub-domain) to each server (port 443 to 80 or 443 to 443). Some of my domains/sub-domains are on different servers.
For internal traffic, I have an NGINX reverse-proxy that handles SSL certs for private IPs to private IPs traffic. I have some web apps that require TLS connections and are accessible only internally and via VPN. The NGINX reverse-proxy uses DNS challenges so that I do not have to open any ports for the Let's Encrypt renewals. I use Let's Encrypt for all internal traffic. Since the certs auto renew, there's really nothing to manage. With this "dual-brain" setup, I can have all LE certs, for both external and internal traffic, auto renew since I use Let's Encrypt for most things along with commercial certs for some external traffic, where needed.
With my current setup, it has been "set and forget". It just works and every morning I get an email from Sophos showing intrusion attempts so I spend a little time each morning investigating which sometimes results in me adjusting a Snort rule or blocking an IP.
Since I have to replace the Sophos UTM, I am open to any suggestions on redesigning my entire network so that it is more efficient and secure.
-
@jeffshead Any follow up on what you ended up doing?
-
@GPz1100 - I've decided to wait until the Sophos UTM EOL is close. I'm going to attempt to migrate to the Sophos Firewall.
pfSense has some nice features but I really need IDS/IPS for encrypted, ingress traffic. Someone correct me if I'm wrong but it is my understanding that pfSense with Snort/Suricata only works on unencrypted traffic even if you use HAProxy to terminate SSL. Here's a quote to that effect:
"It's a shame that pfSense bolted Snort 2 on to the side. Having TLS interception, Snort 3 and the Cisco Firepower approach to Snort rule management would make it much more useful.
Currently with an HAProxy pf install, at best you would have to terminate the TLS on HA then feed it out an interface to a backend, but sadly Snort is before this instead of after the scan.
Even if you could scan it, Snort wouldn't have the correct IP address unless it could be patched to look at the X-Forwarded-For header. Tbh, it's a depressing product, but so are "enterprise" NGFW prices. Can't win!" -
@jeffshead Thanks for the prompt reply.
I'll be moving to pf in the next few weeks. My inbound traffic is limited to SMTP so IDS/IPS for inbound traffic is not too important.
I experimented with Proxmox Mail Gateway for a while but it seemed to duplicate much of what my mail stack (mailcow) was already doing. The mail server is on its own VLAN, isolated from egress to other LANs, ingress only.
As for Sophos Firewall: every time I try it in a VM, within 5 min or less I want to dump it. The entire flow makes no sense. Still no Let's Encrypt support either.
-
@jeffshead
That is correct. Snort/Suricata operates outside the firewall, so to speak, so it cannot inspect SSL traffic. There is no mechanism within pfSense to decrypt a flow and send it to an engine to inspect. This largely, in my opinion, makes the threat prevention aspect of pfSense quite useless. It would be more useful to have your endpoint mitigation tools on the clients do the protection.