In a previous article, I took you through how to connect remote networks with Sophos RED devices. In this article, I will take you on a deep dive into the three deployment options for Sophos RED devices, including what they mean, how they work, and which option is right for you.

Definitions

  • I will be referring to the central network as the network attached to your Sophos UTM. Typically this is at your head office.
  • The remote network is the network attached to the Sophos RED device, typically at a remote branch office.
  • Finally, any network not defined as private is deemed public and will be referred to as the Internet.

Three Sophos RED Deployment Modes

When deploying a Sophos RED device, you are asked to choose from three different deployment options:

  • Standard/Unified
  • Standard/Split
  • Transparent/Split

Let's take a look at each one.

Standard/Unified Mode

In Standard/Unified mode, the remote network is managed by the UTM, which serves as the DHCP server and default gateway. All traffic generated by the remote network is sent over the UTM.

Enter the IP address for the UTM’s interface in the remote network and the corresponding netmask. The system will automatically set up the:

  • local interface with the specified IP address
  • DHCP server for the remote network, covering half of the available IP range
  • access to the local DNS resolver for the remote network

All these settings can be changed later using the respective configuration pages.

Note: You must still add firewall (and potentially masquerading) rules to allow the remote network to communicate with the rest of your network or the Internet.

In Standard/Unified mode, you completely control the environment attached to the Sophos RED. The UTM and RED supply:

  • DHCP
  • Default gateway
  • DNS
  • UTM-based web filtering
  • Firewall control for all inbound and outbound traffic to and from the remote site

Logically, all traffic flowing out of and into the remote site is through the RED’s secure tunnel to the central network and, thus, through the UTM.

Pros

Standard/Unified mode is great if you want to prevent the remote site from expanding your network perimeter. This not only protects the remote site from external traffic, but by extension, it also decreases the exposed perimeter for the central network.

Essentially what you achieve with Standard/Unified mode are the benefits of a Sophos UTM at the remote site.

Cons

There is one drawback to this deployment. Data accessed from the public Internet suffers performance degradation because the content is downloaded by the Sophos UTM and then pushed back over the Internet, through the RED tunnel, to the remote site, so every byte crosses the central site's Internet link twice (once inbound, once outbound). If you have decent network connectivity and the RED deployment is not particularly large, you might not notice the dip in performance.

ADSL deployments at the Sophos UTM side

There is, however, a RED/UTM deployment type that can suffer substantially from a performance perspective in Standard/Unified mode.

An asymmetric digital subscriber line (ADSL) is a fantastic option, but it does have one Achilles heel: the asymmetric nature of the connection. ADSL speeds are generally quoted as downstream speeds such as 2Mbit/s, 4Mbit/s or 10Mbit/s. On a symmetric connection the same speed would be available upstream as well, but on ADSL it is not.

Most ISPs are only able to offer ADSL upstream speeds between 384Kbit/s and 512Kbit/s. In a simple 'one RED to one UTM' deployment in Standard/Unified mode, everything the remote site downloads from the Internet has to be sent up the UTM's link, so the RED, irrespective of its own downstream speed, can never receive more than the upstream speed of the UTM on the other side. For example, a RED site with a 10Mbit/s ADSL connection behind a UTM with a 512Kbit/s upstream would have a maximum Internet download throughput of 512Kbit/s.

This limitation, imposed by the UTM side's connectivity type, brings us to the second deployment option.

Standard/Split Mode

In Standard/Split mode, the remote network is managed by the UTM, which serves as a DHCP server and default gateway. Only traffic to specified networks is sent to the UTM. All other traffic is sent directly to the Internet.

Enter the IP address for the UTM’s interface in the remote network and the corresponding netmask. The system will automatically set up the:

  • local interface with the specified IP address
  • DHCP server for the remote network, covering half of the available IP range
  • access to the local DNS resolver for the remote network

All these settings can be changed later, using the respective configuration pages.

Note: You must still add firewall (and potentially masquerading) rules to allow the remote network to communicate with the rest of your network.

The Split networks section is the list of networks that will be redirected to the Sophos UTM. Traffic to all other destinations leaves the remote network through the normal default gateway.

In Standard/Split deployment, Sophos UTM and RED control:

  • DHCP
  • Default gateway
  • DNS
  • Firewall control for all inbound and outbound traffic between the remote site and the central network
  • Which destinations count as the central network: these are defined and expressed as subnets in the Split networks list

Pros

Standard/Split deployment mode is great if you want to control the remote site and have Sophos UTM control data flowing between the remote site and the central network. The key difference is that traffic to and from the public Internet leaves the RED directly, without passing through the UTM.

In the simple DSL example used previously, traffic to the central network is still limited to the 512Kbit/s upstream of the central location, but Internet access speed has now jumped to 10Mbit/s, the raw throughput of the remote site's ISP connection. The major compelling advantage is that Internet traffic is handled more efficiently because it is accessed directly.

Cons

The drawback of Standard/Split mode is that the remote site now has to maintain its own perimeter security, including web filtering. You also lose visibility into the remote site's public Internet usage, as this is no longer logged or reported by Sophos UTM (and therefore not by Fastvue Sophos Reporter either).

Summary of the two ‘Standard’ modes

The first two modes are managed deployments. You configure and manage the remote network through the UTM and the RED, controlling key aspects such as DHCP, DNS and routing.

You can deploy the RED to the remote site, and it does not rely on any configuration being in place on the remote router, other than providing Internet access.

The third mode is very different, not only operationally but also from a deployment perspective.

Transparent / Split Mode

In Transparent/Split mode, the Sophos UTM does not manage the remote network. The UTM becomes a member of the remote network by requesting an IP address from the remote network's DHCP server. Only traffic to the networks specified in the Split networks list is forwarded to the UTM.

The Split networks section is the list of networks that will be redirected to the UTM. Traffic to all other destinations will leave the remote network via the normal default gateway.

Optionally, you can specify a list of Split domains that should be resolved via the Split DNS server. All other domains are resolved via the standard DNS server(s) for the remote site.

The UTM is no longer a server to the remote site in this mode; it is now a client of the remote site. The Sophos UTM no longer supplies IP addresses or DHCP to the remote network. In fact, it is usually a DHCP client of the remote site's router in this deployment.

In this deployment, the UTM and RED control:

  • DNS for the Split domains (internal domain names) only
  • Which destinations count as the central network, defined and expressed as subnets in the Split networks list
  • Firewall control for all inbound and outbound traffic between the remote site and the central network
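To make the routing and DNS decisions of the three modes concrete, here is a small Python model added for this article. It is not Sophos code; the rules are simply the mode descriptions above (Standard/Unified sends everything through the tunnel, both Split modes send only the Split networks through the tunnel, and Transparent/Split resolves only the Split domains via the UTM). The addresses, the 10.0.0.0/24 Split network and the corp.example Split domain are constructed sample data.

```python
"""Model of the forwarding and DNS decisions a Sophos RED makes in each
operation mode.  Added illustration for this article, not Sophos code; the
rules are taken from the three mode descriptions.  Sample networks, domains
and addresses are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MODES = ("Standard/Unified", "Standard/Split", "Transparent/Split")


@dataclass
class RedPolicy:
    mode: str
    split_networks: list = field(default_factory=list)  # CIDR strings
    split_domains: list = field(default_factory=list)   # used only in Transparent/Split

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown operation mode: {self.mode!r}")
        # strict=False tolerates host bits, e.g. "10.0.0.1/24"
        self.split_networks = [ip_network(n, strict=False) for n in self.split_networks]
        self.split_domains = [d.lower().strip(".") for d in self.split_domains]

    def next_hop(self, dst: str) -> str:
        """'tunnel' if traffic to dst is sent through the RED tunnel to the UTM,
        'local' if the RED hands it to the remote site's own Internet uplink."""
        if self.mode == "Standard/Unified":
            return "tunnel"  # the UTM is the only way out of the remote LAN
        addr = ip_address(dst)
        # Membership is False across IP versions, so an IPv6 destination never
        # matches an IPv4 Split network by accident.
        if any(addr in net for net in self.split_networks):
            return "tunnel"
        return "local"

    def resolver(self, name: str) -> str:
        """'utm' if the query is answered by the UTM's resolver, 'site' if it
        goes to the remote site's own DNS servers."""
        if self.mode != "Transparent/Split":
            return "utm"  # the UTM is the DHCP-assigned resolver in both Standard modes
        label = name.lower().rstrip(".")
        # Suffix match on whole labels: 'corp.example' matches
        # 'intranet.corp.example' but not 'corp.example.evil.test' or 'notcorp.example'.
        if any(label == d or label.endswith("." + d) for d in self.split_domains):
            return "utm"
        return "site"

    def utm_visible(self, flows):
        """Destinations in `flows` that the UTM firewall sees and can log:
        only traffic that actually traverses the tunnel."""
        return [dst for dst in flows if self.next_hop(dst) == "tunnel"]


# Constructed sample data: a central file server in the Split network
# 10.0.0.0/24 and a public web server in the documentation range 203.0.113.0/24.
SAMPLE_FLOWS = ["10.0.0.20", "203.0.113.10"]

if __name__ == "__main__":
    for mode in MODES:
        policy = RedPolicy(mode, ["10.0.0.0/24"], ["corp.example"])
        print(f"{mode:18}",
              {dst: policy.next_hop(dst) for dst in SAMPLE_FLOWS},
              "logged at UTM:", policy.utm_visible(SAMPLE_FLOWS),
              "intranet.corp.example ->", policy.resolver("intranet.corp.example"),
              "www.example.net ->", policy.resolver("www.example.net"))
```

Running the script prints one line per mode. The utm_visible output is the point to note for the logging discussion later: in Standard/Unified the UTM sees both flows, in either Split mode it sees only the 10.0.0.20 flow, which is exactly the traffic that can show up in its logs and reports. The domain suffix check is done on whole labels on purpose; a naive substring match would let a hostile domain such as corp.example.evil.test masquerade as an internal one.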

Pros

Transparent/Split deployment is suitable when you have a remote site that is well established and has proper infrastructure in place. The Sophos RED is simply used as a connector to the central network.

There are a few scenarios where Transparent/Split mode is desirable:

  • Option 1: You have a remote site that is not quite big enough to require an onsite UTM but already has other perimeter network security in place.
  • Option 2: Your WAN connectivity is erratic and cannot be considered reliable; this mode allows the remote site to function independently of the UTM.
  • Option 3: You deploy the RED into a customer's or supplier's network.

Cons

As with Standard/Split mode, the remote site is now responsible for its own perimeter security, and the logging and reporting of public Internet usage at the remote site can no longer be performed by the UTM.

Mitigating Perimeter Security Vulnerability

Both of the Split modes rely to some extent on the remote site managing and maintaining its own security. This could be as simple as ensuring it uses an onsite DSL router with no inbound access rules or port forwards, so nothing on the Internet can initiate connections into the remote network.

One big gap is web filtering. Web filtering is far more than preventing productivity loss by limiting the amount of time employees spend on Facebook; it also lets you block access to malware-laden web sites, phishing sites and so on.

You cannot use your UTM to filter the remote site's Internet traffic in the Split modes, because that traffic never reaches the UTM, but there are other options available.

OpenDNS has a number of offerings that let you tweak the amount of filtering and protection you want. They work at the DNS layer: queries for blocked domains are answered with the address of an OpenDNS block page instead of the real site.

In the Standard/Split deployment method, you still control DNS (the UTM is the resolver handed out to the remote clients by DHCP), so simply specify the OpenDNS servers as your UTM's DNS forwarders.

  1. Open the UTM Management console.
  2. Navigate to Network Services | DNS | Forwarders.
  3. Define and add the Open DNS servers relevant to your service.
  4. Uncheck the option for Use forwarders assigned by ISP.
  5. Click Apply.

In Transparent/Split deployment, the remote site's router is the DHCP server, so configure it to hand out the OpenDNS servers instead of the ones assigned by the ISP. The exact steps depend on the router or modem model; look for the DHCP settings for the internal network and specify the DNS servers manually.

Keep in mind that DNS-based filtering only protects clients that actually use the resolvers you hand out. A client or piece of malware that is configured with a different public resolver bypasses it, and in the Split modes the UTM firewall cannot stop that, because the remote site's Internet traffic does not pass through the UTM. If the remote router can filter outbound traffic, block outbound DNS (UDP and TCP port 53) to anything other than your chosen resolvers.

Switching Sophos RED Modes

You can easily switch between deployment modes on a Sophos RED device. Switching between the two Standard modes is seamless and requires no configuration changes at the remote site; Transparent/Split is the exception, because it depends on the remote site providing its own DHCP server and default gateway. You could even elect to periodically change a site from one mode to another based on the expected network loads.

  1. Open the Sophos UTM management console.
  2. Navigate to RED Management | Server Client Deployment.
  3. Edit an existing RED.
  4. Change the Operation Mode.

Logging and Reporting Considerations

One important note about the Standard/Split and Transparent/Split modes is the loss of public network visibility. Because the remote sites' Internet traffic breaks out locally through the RED, there is no centralized way of reporting on user web activity at those sites.

In your central network location, Sophos UTM is your Internet breakout, and logging and reporting is done there (hopefully using Fastvue Sophos Reporter). When the RED is in Standard/Unified mode, the remote site is simply an extension of the UTM, and its traffic is logged the same as any other central network LAN segment.

Conclusion

The Sophos RED devices are versatile and a great way to expand your network. They provide a significant cost benefit compared to deploying Sophos UTM devices for every single site. You can apply your knowledge of how the Sophos RED modes affect data flow when deciding which mode to deploy.

Try deploying different Sophos RED devices in different modes to test the pros and cons and determine the mode that is suitable for each individual site.