Sophos UTM can be configured to act in different operation modes, each with its own potential advantages and drawbacks. In this article we’ll investigate how they work to help you decide which mode(s) to use for your network.
The differences between Sophos UTM’s operational modes are best understood if you understand where they differ from an OSI layer perspective. So lets first recap on some basic networking theory.
Almost all network theory and understanding references the OSI model (Open Systems Interconnection.) The OSI model defines 7 logical layers, each addressing more complex functionality and each layer supporting the one above it.
The model has the following layers:
- Data link
The Physical layer pertains to the actual connectivity medium and device such as the physical cables and network cards. Network devices that operate only at layer one are hubs and repeaters.
The Data link layer is the lowest level where communication occurs. This is where the MAC (Media Access Control) address resides. Network devices that operate up to layer two are switches and bridges
The Network layer provides the means for transferring data from one node to another. This is where the IP address resides. Network devices that work up to layer 3 are routers.
Now we skip ahead to the Application Layer. The application we are referring to is not necessarily the application such as Internet Explorer or Chrome, but rather any process that uses the application layer protocol such as HTTP, DNS, FTP etc. Network devices that operate here are Layer 7 firewalls.
How network traffic knows where to go
Imagine a small network where there are just a few machines connected with a basic Layer 2 switch. All of them have IP addresses in the 10.0.1.0/24 range. This means they all have an IP address between 10.0.0.1- 10.0.0.254 and a subnet of 255.255.255.0.
At this level you don’t even need to specify a default gateway. The machines can communicate with each other because the switch knows all of the MAC addresses attached to it based on the ARP table it builds up while listening to all the devices. The layer 2 switch does not care which IP addresses are used, it simply knows were the MAC addresses are and forwards all the traffic for it to that physical port.
Now imagine you have two of these networks and you need to connect them together. You will need something that can forward the traffic when switch A and switch B don’t know where to send the traffic.
- If you want to stay on layer 2 you need to use a bridge, the bridge will simply build up it’s own ARP table of MAC addresses so that it knows where the MAC addresses are. It will then receive the traffic on one interface and pass it onto the other.
- You can also use a router. The router operates at layer 3 which means it knows about IP addresses. It looks at the traffic and decides where to send the traffic based on the information in its routing table.
The key difference here is that if you are using a bridge to connect the two networks they have to be on the same IP network. All of the machines on Switch A and Switch B would have to share the same 10.0.1.0/24 subnet. In contrast, if you are using a router that is aware of IP addresses, they can be on different subnets. The Switch A network can be on 10.0.1.0/24 and the Switch B network can be on 10.0.2.0/24 or even have a completely different network mask like 10.2.0.0/16.
For machines to be able to communicate with another network it needs a gateway. The router is connected to both switches. On Switch A it has an ip address of 10.0.1.1, while on switch B it has an IP address of 10.0.2.1. For the devices connected to Switch A you specify 10.0.1.1 as the default gateway. For the devices connected to Switch B you specify 10.0.2.1 as the default gateway. The devices now know that if they need to send traffic to an IP that is not on the local network, it should be sent to the router.
In larger networks where you have multiple switches and routers chained together, they all follow the same principle of ‘if you don’t know where it is, send it to the default gateway’. Ultimately, you will have a router that connects to the Internet which would forward all the unknown address traffic to the ISP.
Sophos UTM’s Operation Modes Explained
Now the theory is out of the way, let’s get back into understanding the differences between Sophos UTM’s operation modes.
Sophos UTM Standard Mode
In Standard Mode, your proxy can be connected anywhere on the network. It does not have to be physically located on the route/path out to the Internet.
In Standard Mode, you need to explicitly instruct your browser to use the proxy. This can be specified manually in the browser, or centrally controlled using proxy auto configuration scripts. The browser then sends the traffic directly to the proxy’s internal IP address. The traffic is proxied and the source IP is NAT’d (Network Address Translated) to be the proxy’s external IP address
In the diagram below, the green arrows indicates the normal default traffic flow through the network. The pink lines represent a web page requested by the browser. The Internet router will see the client IP address for all traffic other than proxied web traffic. In those instances, it will see the UTM’s external IP address.
In Transparent Mode, your Sophos UTM must be connected inline on the default route to the Internet, preferably as close to the outbound router as possible.
In Transparent Mode, the browser does not explicitly know to use the proxy server. It simply sends out the browsing request like all other traffic. The traffic will ‘default gateway’ its way through the network until it reaches the Sophos UTM. The UTM will then NAT the request to the UTM’s external address.
In the diagram below, the green arrows indicates the default flow of traffic through the network. All traffic passes through the Sophos UTM. The UTM will see the client IP address for all requests, but it will NAT them so the Internet router will see all network traffic as coming from the UTM.
Full Transparent Mode
As the name implies, Full Transparent Mode it is completely transparent or “invisible” to other network devices.
In Full Transparent Mode, the UTM needs to act as a bridge. As a bridge, the UTM operates at Layer 2. It is not concerned about IP addresses and it simply passes traffic through without NAT’ing the source IPs.
Full Transparent Mode requires you to bridge two interfaces together as a single external interface. This bridged interface now needs to be literally placed inline between traffic leaving the internal switches or router and the Internet router.
In the diagram below, the green arrows indicate the default flow of traffic through the network. The red arrow is the two interfaces in bridge mode. All traffic will flow through the Sophos UTM. The UTM will see the client IP and pass it through without changing it. The Internet router will see all traffic coming from the original client IP.
The Purple arrow represents traffic from the UTM’s internal interface. Managing the UTM occurs through the interface and it will also be used when it connect to Active directory or other internal resources.
For more information on Full Transparent Mode, see our article Easily Evaluate Sophos UTM Using Full Transparent Mode.
Application Layer 7 firewall
The Sophos UTM is a layer 7 network device and that means it can perform all of the functions from the OSI layers. The UTM can route, NAT, masquerade, proxy, intercept, accept, drop, inspect, malware scan, encrypt, etc.
Even in ‘Layer 2 Bridge Mode’, the UTM is able to apply Web filtering policies such as requiring authentication and enforcing URL filtering.
It is important to understand how traffic will be affected when passing through the Sophos UTM under the various operation modes. Sometimes you might need to NAT traffic where at other times you might want to pass it through unchanged. In some more established environments you might simply want to use Sophos UTM as a standard proxy.
You can also setup multiple web filter profiles (previously called Proxy Profiles) to apply different modes to various network segments or interfaces. This makes it extremely flexible and helps when testing and implementing Sophos UTM into an existing environment. Fastvue Sophos Reporter can provide visibility into the web traffic being matched to these Profiles to help troubleshoot policies, authentication issues, or keep an eye on web productivity.
I hope this helps anyone trying to get a better understanding of the various operation modes in Sophos UTM. If you have any questions, let me know in the comments!