Sophos UTM on AWS
Overview and Deployment Guide

Document date: November 2014

Sophos  UTM  and  AWS  
 

Contents
1 Amazon Web Services
1.1 AMI (Amazon Machine Image)
1.2 EC2 Instance
1.3 VPC
1.4 AWS Regions
2 AWS Shared Security Model
3 Sophos UTM on AWS
UTM on AWS Common Use Cases
3.1 Web Server Protection
3.2 Augment or Replace AWS Firewall and Provide Detailed Reporting
3.3 Intrusion Prevention System
3.4 Remote VPN User Connectivity
3.5 Branch Office Connectivity using RED
3.6 Content Filtering for AWS WorkSpaces Virtual Desktops
3.7 Secure VPC to VPC Connectivity
3.8 Securely extend physical office to AWS Cloud
4 Launching a UTM AMI on AWS
Launch a UTM via AWS Marketplace
4.1 Choose a Sophos AMI from the Marketplace
4.1.1 Sophos UTM BYOL (Bring Your Own License) AMI
4.1.2 Sophos UTM Hourly AMI
4.2 Licensing Differences
4.3 Sizing a UTM for your AWS Environment
4.4 Choosing an AWS Instance Type
4.5 Launch a UTM AMI as standalone or into a VPC
4.6 Choose Region
Launch a UTM via AWS Management Console
5 Common Deployment Examples
5.1 UTM with Single Interface Protecting Multiple VPC Subnets
5.1.1 VPC Wizard
5.1.2 Launch EC2 Instances
5.1.3 Terminate the NAT Instance
5.1.4 Change the Source/Destination Check setting
5.1.5 Assign an Elastic IP to the UTM
5.1.6 Modify VPC Route Tables
5.2 UTM with Interfaces in Multiple Subnets
5.3 UTM used to connect multiple VPCs
6 Advanced Deployment Options
CloudFormation
UserData Field
Avoiding Single Point of Failure
7 Resources
8 Legal notices


1 Amazon Web Services

Amazon Web Services (AWS) is a collection of remote computing and web services that together make up the Amazon cloud computing platform. The services currently offered cover Storage & Content Delivery, Database, Mobile Services, Analytics, App Services, Deployment and Management, and Compute & Networking.
Together these services give businesses a way to reduce the time and effort associated with deploying business applications, and provide a highly secure, scalable, flexible and redundant computing platform. Combined with the AWS "pay as you go" pricing model, they let businesses replace up-front capital infrastructure investments with variable operating costs and dramatically decrease the time and effort associated with deployment.
Discussion of all the available AWS services is outside the scope of this document. Instead we focus on those services and terms that relate to common Sophos UTM deployments.

1.1 AMI (Amazon Machine Image)

An AMI is a special type of virtual appliance used in AWS. It contains the information needed to launch an EC2 instance: typically an operating system, launch permissions, storage details (the block device mapping) and often some type of application software. Common examples are the Windows Server and Linux AMIs that provide ready-to-go operating systems, or the Sophos UTM AMI that has a Linux OS already installed along with the UTM software. In either case these AMIs are available for general use, can be launched easily and are ready in minutes. Custom AMIs of any type can also be created and shared, or kept private and used only by the account holder.

1.2 EC2 Instance

One of the most commonly used AWS services is EC2 (Elastic Compute Cloud), which provides resizable compute capacity in the cloud. The EC2 Management Console lets you launch EC2 instances, which are virtual machines of varying compute sizes, each with different associated pricing. These virtual machine configurations are used with your AMIs and together provide most of what a customer needs to run applications in the cloud. Users can create, launch, change and terminate instances as needed, and pay by the hour. EC2 also gives users control over the geographical location of their instances, which allows for latency optimization and high levels of redundancy, and helps ensure compliance with data-residency laws.
http://aws.amazon.com/ec2/

1.3 VPC

Amazon Virtual Private Cloud (VPC) enables you to launch EC2 instances into a virtual network that you have defined and that you control. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS. It lets you launch and run EC2 instances that are isolated from the rest of the AWS cloud community, and gives you control over local routing, subnetting, IP addressing, and network Access Control Lists. With this type of separation and control you can, for example, configure public and private subnets and place your instances accordingly. AWS's documented "VPC with public and private subnets" scenario (the second link below) uses a NAT instance in the public subnet to give the private subnet outbound Internet access. You can increase your security by deploying a Sophos UTM in place of that NAT instance, so that all traffic going to and from the private subnet routes through the UTM and your configured security policies. For this to work, the private subnet's route table must point its default route at the UTM instance, and the UTM instance's source/destination check must be disabled, because EC2 otherwise drops packets that an instance forwards on behalf of other hosts (both steps are covered in section 5.1).

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
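To make the "UTM instead of a NAT instance" layout concrete, here is an added example (not code from Sophos, AWS or this guide) that builds the VPC, the two subnets, the route tables, the UTM instance and its security group as a CloudFormation template in Python, and then checks the three settings that are most often missed: the private subnet's default route targets the UTM, the UTM's source/destination check is off, and WebAdmin (TCP 4444, the UTM default) is not open to the world. The CIDRs, logical resource names and parameter names are assumptions; the AMI ID and key pair are left as template parameters because they differ per Region and account.

```python
"""Added example: CloudFormation template for 'Sophos UTM instead of a NAT
instance' (section 1.3), generated and sanity-checked in Python.
Not Sophos or AWS code; CIDRs, logical resource names and parameter names
are assumptions chosen for this example."""
import json


def ref(name):
    """CloudFormation intrinsic reference to another resource or parameter."""
    return {"Ref": name}


def build_utm_vpc_template(vpc_cidr="10.0.0.0/16", public_cidr="10.0.0.0/24",
                           private_cidr="10.0.1.0/24",
                           admin_cidr="203.0.113.10/32"):
    """Return the template as a dict (json.dumps() it to deploy)."""
    resources = {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": vpc_cidr}},
        "Igw": {"Type": "AWS::EC2::InternetGateway"},
        "IgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": ref("Vpc"), "InternetGatewayId": ref("Igw")}},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                         "Properties": {"VpcId": ref("Vpc"), "CidrBlock": public_cidr}},
        "PrivateSubnet": {"Type": "AWS::EC2::Subnet",
                          "Properties": {"VpcId": ref("Vpc"), "CidrBlock": private_cidr}},
        # Public subnet: default route straight to the Internet gateway.
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("Vpc")}},
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttachment",
                               "Properties": {"RouteTableId": ref("PublicRouteTable"),
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": ref("Igw")}},
        "PublicAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                              "Properties": {"SubnetId": ref("PublicSubnet"),
                                             "RouteTableId": ref("PublicRouteTable")}},
        # Security group on the UTM: WebAdmin (TCP 4444, the UTM default) only
        # from the admin network; everything from the private subnet is passed
        # through so the UTM's own firewall rules decide what leaves.
        "UtmSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                             "Properties": {"GroupDescription": "Sophos UTM gateway",
                                            "VpcId": ref("Vpc"),
                                            "SecurityGroupIngress": [
                                                {"IpProtocol": "tcp", "FromPort": 4444,
                                                 "ToPort": 4444, "CidrIp": admin_cidr},
                                                {"IpProtocol": "-1", "CidrIp": private_cidr}]}},
        # SourceDestCheck must be off: EC2 otherwise drops packets the UTM
        # forwards on behalf of the private subnet.
        "Utm": {"Type": "AWS::EC2::Instance",
                "Properties": {"ImageId": ref("UtmAmiId"), "InstanceType": ref("InstanceType"),
                               "KeyName": ref("KeyName"), "SubnetId": ref("PublicSubnet"),
                               "SecurityGroupIds": [ref("UtmSecurityGroup")],
                               "SourceDestCheck": False}},
        "UtmEip": {"Type": "AWS::EC2::EIP", "DependsOn": "IgwAttachment",
                   "Properties": {"Domain": "vpc", "InstanceId": ref("Utm")}},
        # Private subnet: default route to the UTM instance, not to the IGW.
        "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("Vpc")}},
        "PrivateDefaultRoute": {"Type": "AWS::EC2::Route",
                                "Properties": {"RouteTableId": ref("PrivateRouteTable"),
                                               "DestinationCidrBlock": "0.0.0.0/0",
                                               "InstanceId": ref("Utm")}},
        "PrivateAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                               "Properties": {"SubnetId": ref("PrivateSubnet"),
                                              "RouteTableId": ref("PrivateRouteTable")}},
    }
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "Sophos UTM as gateway for a private subnet (added example)",
            "Parameters": {"UtmAmiId": {"Type": "AWS::EC2::Image::Id"},
                           "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"},
                           "InstanceType": {"Type": "String", "Default": "m3.medium"}},
            "Resources": resources}


def check_gateway_invariants(template):
    """Return a list of problems that would silently defeat the design."""
    res = template["Resources"]
    problems = []
    if res["Utm"]["Properties"].get("SourceDestCheck", True):
        problems.append("UTM instance still has SourceDestCheck enabled")
    if res["PrivateDefaultRoute"]["Properties"].get("InstanceId") != ref("Utm"):
        problems.append("private subnet default route does not target the UTM")
    for rule in res["UtmSecurityGroup"]["Properties"]["SecurityGroupIngress"]:
        covers_admin = (rule.get("IpProtocol") == "-1"
                        or rule.get("FromPort", 1) <= 4444 <= rule.get("ToPort", 0))
        if rule.get("CidrIp") in ("0.0.0.0/0", "::/0") and covers_admin:
            problems.append("WebAdmin (TCP 4444) reachable from anywhere")
    return problems


if __name__ == "__main__":
    tpl = build_utm_vpc_template()
    print(json.dumps(tpl, indent=2))
    print("problems:", check_gateway_invariants(tpl))
```

Write the printed JSON to a file and pass it to `aws cloudformation create-stack --template-body file://...` with the AMI ID and key pair as parameters. The `m3.medium` default only reflects this guide's 2014 recommendation; substitute a current general-purpose type. The `check_gateway_invariants` function is the part worth keeping: run it against any template you hand-edit later, since flipping `SourceDestCheck` back on or re-pointing the private default route at the Internet gateway breaks the design without any error from AWS.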

1.4 AWS Regions

At the time of writing AWS operates in 10 geographical "Regions" throughout the world, plus a separate "GovCloud" Region in the United States that is restricted to U.S. government workloads. Each Region is contained within a single country, and data you store in a Region is not moved to another Region unless you move it yourself.
Each AWS Region is made up of multiple "Availability Zones", each of which is one or more distinct data centers. Availability Zones are isolated from each other to prevent outages from spreading, and certain services are designed to operate and/or replicate across Availability Zones to spread demand and to avoid downtime from failures.


2 AWS Shared Security Model

AWS provides Infrastructure as a Service (IaaS), which allows customers to build systems on top of the AWS cloud infrastructure. Providing such flexibility and control means that a shared security model is necessary. AWS is responsible for the security of the data centers, hardware and virtualization layer it operates, and provides built-in tools to control access, encrypt data storage, and segregate customers' virtual networks and instances. It also offers additional security options such as direct connections from customer offices (AWS Direct Connect), dedicated hardware-based crypto key storage (AWS CloudHSM), and the Trusted Advisor service. The customer is responsible for everything built on top of that: using the supplied tools to properly secure access to their environment (IAM users, access keys and key pairs), configuring security groups and network ACLs, patching and hardening the guest operating system, and the security of any applications running on their EC2 instances. Additional products are also available to further secure AWS environments and applications and to provide layered security.

3 Sophos UTM on AWS

The AWS Shared Security Model described above means that the customer must properly secure any systems or applications they install on top of the AWS platform, much as they would in a physical network. The Sophos UTM suite of integrated security applications lets customers use the same next-generation, layered protection they are used to in the physical world, in the cloud. Customers can use the UTM security features to protect their AWS cloud servers, secure access between AWS and remote sites or between VPCs, provide remote VPN connectivity to users, provide content filtering and protection to AWS virtual desktops or servers, and the UTM can even manage remote wireless networks and Endpoint agents. All of this is done from a single web interface (WebAdmin) on the UTM, which itself runs as an instance in your AWS environment. And since the UTM is modular, customers can pick and choose the functionality they want without paying for UTM features they do not need.

UTM on AWS Common Use Cases

The Sophos UTM offered as a pre-built AMI is identical in features to both the UTM hardware appliances and the software ISO image that can be installed on any Intel-compatible hardware. For a full overview of the Sophos UTM capabilities please see the UTM homepage at www.sophos.com/utm. Below we have highlighted some of the most common ways customers are deploying the Sophos UTM on AWS.

3.1 Web Server Protection

The UTM is installed in a customer's VPC, where it protects one or more web-facing application servers via the Web Server Protection (web application firewall) feature set. The UTM can either load-balance inbound connections to multiple web servers itself, or an AWS Elastic Load Balancer (ELB) can be placed in front of it. In either case the UTM acts as the reverse proxy for all client requests destined for the web server or application, and provides security, protection and reporting. The web servers themselves should then only accept connections from the UTM (for example via their security group), not directly from the Internet, or the protection can be bypassed.

3.2 Augment or Replace AWS Firewall and Provide Detailed Reporting
Amazon Web Services provides both physical security for its data centers and the ability to protect instances with security group rules that allow specific source networks and ports (plus network ACLs at the subnet boundary). While this provides a base level of protection, these filters act only on protocol, port and address, do not inspect payloads, and cannot block an exploit that arrives inside an allowed connection, so they may not fully fit the needs of customers that require layered protection and the ability to block higher-level exploits. The Sophos UTM Firewall provides both basic firewall capabilities and detailed reporting on network security events, such as dropped packets destined for your instances and where the attacks are coming from. The Sophos UTM gives you the visibility you need to monitor security events and troubleshoot issues, and displays information in both real-time and historical formats. Daily, weekly and monthly summary reports can be delivered automatically by email, and IPS and Advanced Threat Protection event notifications can be sent via SMTP, syslog and SNMP for real-time alerting.
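Whether the UTM augments or replaces the AWS firewall, the security group around the UTM instance itself still has to be right; the mistake seen most often is opening the UTM's own administrative ports to the whole Internet. The following added example (not code from Sophos, AWS or this guide) audits security group records for that. The records are constructed to mirror the shape of `aws ec2 describe-security-groups` output, and the admin port list assumes the UTM defaults of TCP 22 (SSH) and TCP 4444 (WebAdmin); user-facing ports such as 443 (User Portal) or the VPN listeners are expected to be open and are not flagged.

```python
"""Added example: find UTM administrative ports exposed to the whole
Internet in EC2 security groups. Not Sophos or AWS code. SAMPLE_GROUPS is
constructed to mirror the shape of `aws ec2 describe-security-groups`
output; the admin port list assumes the UTM defaults (TCP 22 SSH, TCP 4444
WebAdmin). User-facing ports such as 443 (User Portal) are not flagged."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 4444: "WebAdmin"}

# Constructed sample records (same field names as the AWS API).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "utm-careless", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "utm-hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_covers_port(perm, port):
    """True if a permission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                     # all protocols: no port fields present
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def rule_sources(perm):
    """Yield every CIDR source of a permission entry (IPv4 and IPv6)."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_admin_exposure(groups, admin_ports=ADMIN_PORTS):
    """Return sorted (group_id, port, service, source) tuples for every
    admin port reachable from an unrestricted source (0.0.0.0/0 or ::/0)."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for cidr in rule_sources(perm):
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue              # scoped source: acceptable for admin ports
                for port, service in admin_ports.items():
                    if rule_covers_port(perm, port):
                        findings.append((group["GroupId"], port, service, cidr))
    return sorted(set(findings))


if __name__ == "__main__":
    for group_id, port, service, source in audit_admin_exposure(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) open to {source}")
```

To run it against a real account, save `aws ec2 describe-security-groups --output json` to a file and pass `json.load(f)["SecurityGroups"]` to `audit_admin_exposure`. The "utm-hardened" group shows the intended shape: admin ports limited to the administrator's network, the private subnet allowed through so the UTM's own rule set does the filtering, and only the user-facing port open to everyone.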

3.3 Intrusion Prevention System

As a critical component of the UTM layered protection feature set, the IPS protects servers located in a VPC behind the UTM, and reports and logs intrusion attempts. The IPS pattern database is updated automatically and continuously by SophosLabs (http://www.sophos.com/en-us/threat-center/threat-analyses), which analyzes data in real time and provides pattern updates to the UTM via the Up2Date service. Administrators can easily protect critical application servers and use the real-time and historical reporting to monitor intrusion attempts, privilege escalation attempts, vulnerability exploit attempts and protocol violations. Note that the IPS only inspects traffic that actually traverses the UTM, so the VPC route tables (and, for inbound traffic, the Elastic IP or Web Server Protection configuration) must send the protected servers' traffic through it.

3.4 Remote VPN User Connectivity

The Sophos UTM offers multiple remote access VPN options that support a variety of operating systems and devices. Remote users connect securely to the UTM VPN gateway with the client of their choice, or via the HTML5 VPN portal, which requires no client. Once connected to the UTM, users can access any AWS instances they have permission to reach, or even the corporate network if the UTM is also linked to it via its site-to-site VPN (Amazon VPC connection) functionality. Administrators can easily manage end-user access and view connection details in both live and historical formats. Note that the listener port of the chosen VPN type must also be allowed inbound in the UTM instance's security group.

3.5 Branch Office Connectivity using RED

The Sophos UTM can be hosted on AWS while maintaining secure connections to physical offices and users via options such as RED (Remote Ethernet Device) appliances, standard IPsec VPN tunnels, the UTM remote access VPN options, and the UTM Endpoint agents. A RED device at the branch office builds an encrypted layer 2 tunnel back to the UTM's public (Elastic) IP address, so the branch network appears as a directly attached network of the UTM in AWS.

3.6 Content Filtering for AWS WorkSpaces Virtual Desktops

The Sophos UTM provides next-generation content filtering and protection for any device connecting out to the Internet. The UTM Web Protection module provides real-time malware scanning, reputation checking, Layer 7 application control, and dynamic content category control. These features can be used to protect users on Amazon WorkSpaces virtual desktops, or VPC server instances that connect out to remote locations for updates, by routing the subnet's outbound traffic through the UTM or pointing the clients at its web proxy. In either case the UTM provides granular control and both real-time and historical reporting and logging.

3.7 Secure VPC to VPC Connectivity

AWS VPCs in different Regions (or different accounts) can be connected easily using Sophos UTM VPNs: a UTM in each VPC builds layer 2 or layer 3 VPN tunnels for secure access between Virtual Private Clouds.

3.8 Securely extend physical office to AWS Cloud

When creating an AWS VPC you are given the option to isolate your new network so that it is only accessible through a VPN tunnel. This lets you ensure that any traffic to or from this virtual network passes through your corporate network. To do this AWS provides the ability to create IPsec VPN tunnels that terminate directly on your VPC. To ensure that your VPC is always reachable you are also given the option to create dual IPsec VPN tunnels that use the BGP routing protocol for failover. To simplify the setup of the IPsec tunnels and BGP, Sophos has created a "1 Touch" configuration option: you download the VPC VPN configuration file from AWS and upload it into the UTM at your physical site. The UTM then builds the redundant tunnels, rules and routes needed for the connection, and monitors the traffic to ensure you always have a path. The downloaded file contains the pre-shared keys for both tunnels, so treat it as a secret and delete it once it has been imported.

4 Launching a UTM AMI on AWS

Launch a UTM via AWS Marketplace
The AWS Marketplace makes launching a UTM simple. Both the Sophos UTM and the Sophos UTM Manager products are available on the AWS Marketplace, where they can be used as stand-alone AMIs or as part of an Amazon Virtual Private Cloud (VPC). Sophos also offers two different licensing options to fit different customer requirements. Which option is best depends on your needs and use case, but in either case the offered functionality is the same. To get started, visit the AWS Marketplace and search for "Sophos". From there you simply choose the appropriate AMI for your needs (BYOL or Hourly) and the instance size, and then launch your UTM as either a standalone EC2 instance or into a VPC.
https://aws.amazon.com/marketplace/

4.1 Choose a Sophos AMI from the Marketplace

4.1.1 Sophos UTM BYOL (Bring Your Own License) AMI
The BYOL option allows customers to purchase a standard UTM software license for 1, 2 or 3 years from an authorized Sophos reseller, and then apply and use it on their AWS cloud UTM. This option lets customers pick and choose which subscriptions and support options they would like to use with the UTM, and from Sophos' perspective it is no different than a customer building and using a software or virtual appliance UTM. The difference to the customer is that they need to determine the instance size they need to purchase from Amazon, and all billing for that, and support for the instance, is handled directly with AWS. If Sophos support is contacted to investigate issues, they are only able to advise about and troubleshoot issues related to the Sophos products. It is the responsibility of the customer and/or partner to manage anything related to AWS, such as security groups, routing, and installation of the actual UTM AMI.

4.1.2 Sophos UTM Hourly AMI

To satisfy the needs of existing AWS customers, Sophos designed an hourly-priced UTM so that customers can bundle the price of full UTM functionality with their chosen instance type. This allows customers to "pay as you go" rather than be locked into a 1, 2 or 3 year subscription, and is especially useful for securing test and/or development environments that may not exist for long periods of time, or that may not be used often enough to justify a full-time UTM subscription. Note that when choosing this option billing is done directly to the AWS account owner. Partners wishing to resell this option would have to own the AWS account for their customer; Amazon offers a reseller program to help with that (http://aws.amazon.com/partners). Support for the hourly option is not included except via the Sophos UTM User Bulletin Board (www.astaro.org) or via a Sophos partner. Customers and/or partners may purchase standard UTM support from an authorized reseller through standard channels. Note that AWS now also offers the option to purchase an Hourly UTM AMI for an annual period, which can provide great savings to customers that wish to use the hourly billing option.
http://aws.amazon.com/partners/overview/consulting-partner/channel-reseller-program/
http://www.sophos.com/en-us/partners/partner-locator.aspx

4.2 Licensing Differences

The Hourly "On Demand" licensing has the following key differences from the BYOL license:

• Only FullGuard functionality is available (no per-subscription licensing when using hourly pricing).
• Endpoint Protection is not available right now.
• Pricing is simply x5 AMI pricing.
• No support is built in (though support is available for free via the UTM User Bulletin Board).

Support contracts can be purchased via the regular VAR channel.

4.3 Sizing a UTM for your AWS Environment

Sizing a UTM for use on AWS is similar to sizing a UTM for your own Intel-compatible hardware or sizing a UTM physical appliance. The Sophos UTM offers many security features as well as both real-time and historical reporting and logging tools. Which features are used, how much storage is needed, and what throughput is required are all factors that must be considered to properly size a UTM for your AWS environment. The UTM software simply uses whatever virtual resources are available based on the AWS instance size chosen, and although AWS lets you change the underlying instance size even after a UTM AMI has been launched, proper sizing is still recommended in order to calculate costs over time. When sizing a UTM, take the following steps:
1. Identify which UTM features will be used
• The Sophos UTM offers many active security features such as malware scanning, IPS, Advanced Threat Protection, next-generation firewall scanning, web content filtering, email scanning, and VPN gateway functionality. All of these features consume CPU and RAM, so they must be identified for proper sizing and, should the BYOL option be chosen, for licensing.
2. Identify the number of protected instances and/or the number of protected users that will be using UTM services.
• The UTM features may be used to protect servers located in one or more VPCs (e.g. IPS, WAF) and/or users (e.g. next-generation Web Protection, remote VPN connections). This information is needed both to understand how much traffic will traverse the UTM and for licensing purposes if the BYOL AMI option is chosen.
3. Understand specific throughput requirements
• As mentioned above, the amount of traffic that a UTM can process is related to the resources available. Understanding how much throughput is required will help you decide on the appropriately sized instance. AWS instance types offer different amounts of network throughput, so the official AWS instance documentation should be consulted to ensure your chosen option will support your throughput requirements. Remember that a UTM acting as the gateway for a subnet carries both directions of every connection on its interface, and that IPS and malware scanning reduce the achievable throughput well below the instance's raw network figure.

One suggested way to size an AWS instance for a UTM is to look at the performance numbers and storage of the UTM hardware appliance line, and then look at what an equivalent virtual UTM would use for CPU and RAM. The CPU and RAM information can be used to identify an equivalent AWS instance type, and the storage information can be used as guidance for what type and size of EBS volume would be appropriate.
http://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-sg-series-appliances-brna.pdf?la=en.pdf

4.4 Choosing an AWS Instance Type

AWS instances come in a variety of sizes and configurations, ranging from "micro" instances that provide a minimal amount of RAM and limited computing power, up through "extra large" instances that contain large amounts of RAM and multiple computing cores. AWS also offers instance types with enhanced networking performance, compute- and/or memory-optimized instances, and instances that run on dedicated hardware.

Exact guidance on which AWS instance to choose is difficult to provide, as there are many variables and AWS frequently improves on and adds to the available instance types. A good place to start (at the time of writing) is the "M3" family of instance types, as they offer a good balance of compute, memory and network resources. Once your UTM instance is launched you can use the built-in resource monitoring tools to determine whether the instance size offers enough resources, and if not, AWS allows you to change your instance type with just a few clicks. Note that an EBS-backed instance such as the UTM must be stopped to change its type, so plan for a short outage; an Elastic IP assigned to the instance survives the stop, while an automatically assigned public IP does not.
http://aws.amazon.com/ec2/instance-types/
Pricing guidance on AWS instances is also beyond the scope of this document, but Amazon offers documentation as well as online calculators to help understand and calculate costs. A good resource is the site listed below.
http://calculator.s3.amazonaws.com/index.html

4.5 Launch a UTM AMI as standalone or into a VPC

Once you have chosen your UTM AMI and instance type you need to launch it into an AWS Region, and choose whether it will be a standalone EC2 instance or part of a VPC. Note that prior to launching, AWS shows your estimated monthly costs, either for the instance only (BYOL) or for the instance plus the UTM software (Hourly). If choosing "VPC" you can then launch your UTM into an already created VPC, or create a new VPC.

4.6 Choose Region

As mentioned above, AWS offers geographically distinct Regions that can be used to host your AMIs. The right choice depends on your needs and location. Note that pricing often varies depending on which Region is chosen, and that an instance can only be launched into VPCs in the Region where it is created.

Launch a UTM via AWS Management Console

Deploying a UTM via the AWS Management Console is very similar to launching directly from the AWS Marketplace. Once logged in, navigate to "EC2" in the services list, choose your Region from the upper right of the screen, and then click the "Launch Instance" button.

Step 1: You are now presented with a screen showing the available AMIs that you may launch. Navigate to the "AWS Marketplace" option and type "Sophos" into the search box to locate the UTM AMIs.

Step 2: Select your desired UTM AMI type (Hourly or BYOL), and then proceed to the Choose an Instance Type screen. As noted above, choosing the correct instance size for your deployment depends on many factors. Please refer to the suggestions above, which should give you enough information to make an initial decision. Fortunately AWS offers the option to quickly and easily change the chosen instance type at any time, so if not all information is available for proper sizing, we would suggest choosing one of the “m3” general-purpose instances as a starting point. Once launched, the UTM WebGUI dashboards and reports will show resource utilization, which can be used to determine if a different instance size is needed.

 
Step 3: Once an instance size is chosen you’re prompted to configure your Instance Details. The default details will launch your UTM into EC2-Classic, which means as a standalone instance that is not part of a VPC. This option is of limited value in most production environments and it’s suggested that you instead choose an existing VPC or create a new one at this time. Please see the VPC section below for more information on configuring your UTM in a VPC. When choosing the VPC option you choose the subnet to launch your UTM into, and you may also configure the UTM interface IP address and add additional interfaces. Note that the instance type you choose limits the number of interfaces you may add to a UTM. Please see the official AWS Instance Type documentation for more details.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
This section also allows you to configure Advanced Details, including “User Data”, which can be used to configure instance details at launch and can be very useful for automating some or all of your UTM deployment. Please see the User Data section below for additional information.
Step 4: The UTM utilizes EBS volumes and the AMIs require at least 30 GB of either magnetic or SSD volume type. SSD volumes provide greater I/O, which may be useful in high-traffic environments where large amounts of data will be generated and stored.
Step 5: Tag your instance for greater visibility.
Step 6: Assign or create a security group for your new UTM instance. By default the UTM AMI will offer to create a new Security Group that allows all traffic for both TCP and UDP protocols. These recommended settings ensure that all traffic you send to the UTM will be allowed, and you may then rely on the UTM firewall and security policies to restrict or allow traffic destined to any protected instances in your VPC. You may of course create or use your own Security Group, but please note that the UTM WebAdmin interface listens on TCP port 4444 by default and that port must be open for initial configuration. That setting can be changed once you have initially connected; please refer to the UTM Administrators guide for details on doing so.
http://www.sophos.com/en-us/support/knowledgebase/119209.aspx
Step 7: Review your Instance Launch details and note any AWS recommendations shown on screen.

The final step before launching your UTM AMI is to create or choose a key pair for use with your new instance. As the UTM is by default managed by the WebAdmin GUI, a valid key pair is not needed for initial connection and configuration, and so if you wish you may choose to continue without one. Note though that it is suggested that you assign a key pair, as you may need it later should you wish to connect to the UTM shell for advanced configuration.

5 Common Deployment Examples


5.1 UTM with Single Interface Protecting Multiple VPC Subnets
Unlike in a physical network, a UTM on AWS can function with just a single interface that is used to route and control traffic into and out of private subnets. This is due to the built-in AWS routing capabilities that can be controlled and managed by the AWS VPC administrator. Your VPC and UTM can be configured manually, via the command line tools, or by using the CloudFormation service, but for this example we’ll use the VPC and EC2 Launch Wizards.

5.1.1 VPC Wizard


Click on the Start VPC Wizard button to begin. You’ll be shown a menu of options for configuring your VPC, and for this example we’ll choose to create a VPC with Public and Private Subnets.
 

 
Once the Select button is chosen you’ll be prompted to define your VPC details as shown below. For our example we’re going to leave the IP CIDR block as the default 10.0.0.0/16, set the Public subnet to 10.0.0.0/24, and the Private subnet to 10.0.10.0/24. Note that I have not specified a preference for Availability Zone, though you may of course do that, and I have not changed other default details such as the subnet names, DNS hostname setting, hardware tenancy, or NAT details. The NAT instance will be replaced by the UTM once the UTM is configured, and then terminated to save the associated charges. Once the details are configured, click on the Create VPC button.
 


5.1.2 Launch EC2 Instances


Once your VPC has been created you will launch your EC2 instances. You can do so from either the link on the VPC Dashboard, or by navigating to the EC2 Dashboard and clicking the link there. Either way you’ll then be presented with the same Quick Start menu mentioned above in the Launching a UTM section. Click on the AWS Marketplace menu option, search on “Sophos”, and then choose your desired UTM AMI (BYOL or Hourly) from the options shown. After choosing your desired instance type you’ll be prompted to Configure Instance Details. Change the Network setting from the default EC2 to your configured VPC. As the UTM will be providing both inbound and outbound security for our AWS instances, we’ll launch it into our Public subnet. There are additional configuration options available, and you can also manage the UTM IP address assignment by scrolling down to the Network Interfaces section. For our example we’ll just use the default settings and continue by clicking Review and Launch. Note that if you don’t wish to use the default settings for Storage or Security Group, or wish to give a Tag to your UTM instance, you may configure those settings by continuing on with the wizard or by modifying the settings during the Review Instance Launch step. For clarity it’s suggested to Tag your instances, as it will make administration much easier. As mentioned above, you will be prompted to choose or create a Key Pair before launching your UTM. You may choose the option to Proceed without one, but this is not recommended, as you may need your Key Pair at some point in the future for more advanced instance operations.

5.1.3 Terminate the NAT Instance
Using the VPC Wizard results in a NAT instance with a public Elastic IP (EIP) that is not necessary for our example, as the UTM can provide NAT services. To terminate your NAT instance, simply right-click on it from the EC2 Instances screen and choose Terminate. Note that, as mentioned above, tagging your instances is suggested so you can tell them apart from each other. By default your NAT instance will not have a Tag assigned to it. If you have other untagged instances and are unsure which is your NAT instance, you can confirm by looking at the AMI ID information in the Instance details section as shown below. When terminating your NAT instance you will be shown a prompt which asks if you want to release your Elastic IP. You may do so if you have another that you wish to use with your UTM, but if you are unsure or do not, simply proceed with the termination.

5.1.4 Change the Source/Destination Check setting


To allow your UTM instance to function as a NAT device, you must change the Source/Destination Check setting. To do so, simply right-click on your UTM instance and then choose Change Source/Destination Check. You’ll be prompted to confirm that you wish to disable the setting, as shown below.

5.1.5 Assign an Elastic IP to the UTM


Click on the Network Security > Elastic IPs option located on the left side of your EC2 Management Console. If you did not release your EIP when terminating your NAT instance you should see it listed and available. Highlight and right-click on the Elastic IP and then choose Associate Address from the options. A new screen will pop up and you can click on the Instance field to see your available instances. Choose the Sophos UTM instance and then click Associate.


5.1.6 Modify VPC Route Tables


Your UTM instance should now be reachable via the Elastic IP and may be configured to protect and control inbound and outbound traffic. Before you can control outbound traffic, though, you need to tell your private VPC subnet to route traffic to your UTM for access to the Internet. To do so, navigate to the VPC Dashboard and click on Route Tables. You should see two route tables, one for each of your configured subnets. Click on each route table and then the Routes tab for more details and to identify which is Public and which is Private. Your Public route table will be the one that has the Internet Gateway listed as a target, as shown below. You can leave this route table as is, though it’s always a good idea to Tag things in AWS to help with future administration.

 
 
When you click on your other route table you’ll see the Private route table details. Note that the 0.0.0.0/0 route in this table has a status of Blackhole. That’s because the original VPC Wizard settings created this route and pointed it at your now terminated NAT instance. Edit the route table and delete the information shown in the Target column. When you do this it should list all available route targets, including your Sophos UTM instance. Choose the UTM as your new route target and save. Instances launched into the Private subnet will now have their traffic routed to the UTM, which can be used to control and monitor outbound traffic. Note that if you do not see your UTM as an available route target, it may be because the Source/Destination check has not been disabled on the UTM interface. If you’ve checked that but still do not see the UTM, try copying and pasting the UTM ENI information directly into the “Target” field.


5.2 UTM with Interfaces in Multiple Subnets


In some cases you may wish to have your UTM configured similarly to a physical deployment, where you have a UTM interface configured for each subnet. AWS allows you to do this, but how many UTM interfaces are possible depends on the instance size chosen. Please see the official AWS Instance documentation for specifics on the number of available interfaces per type. To configure multiple UTM interfaces, simply follow the instructions above until you get to the Launch EC2 Instances step. At this point you’ll create your primary interface as outlined above, but before moving on to the next step you’ll scroll down to the Network Interfaces section and click on the ‘Add Device’ button. Choose the subnet you wish to create your new interface in from the Subnet drop-down and optionally assign an IP address. Note also that AWS will show a prompt stating that it can no longer automatically assign an Elastic IP to your instance, so you will have to do this manually once your UTM instance has launched.
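The console steps of section 4 (step 6, the security group), sections 5.1.3 to 5.1.6 and section 5.2 above, written as AWS CLI calls. This is an added example, not part of the Sophos guide; it assumes a configured AWS CLI with EC2 permissions, and the group name utm-admin, the admin CIDR and every resource id are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the Sophos guide): the console steps of section 4 step 6,
# sections 5.1.3 to 5.1.6 and section 5.2 as AWS CLI calls. Assumes a configured
# AWS CLI with EC2 permissions; every id, name and CIDR below is a placeholder.
# DRY_RUN=1 prints each command instead of running it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 6: a security group of your own. The Marketplace default opens all TCP/UDP;
# this one only admits WebAdmin (TCP 4444) from an administrative CIDR, and you
# add rules later for the services the UTM itself publishes.
create_utm_security_group() {   # $1 vpc-id; prints the new group id
  run aws ec2 create-security-group --group-name utm-admin \
      --description "Sophos UTM WebAdmin" --vpc-id "$1" \
      --query GroupId --output text
}
allow_webadmin() {              # $1 security-group-id, $2 admin CIDR
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port 4444 --cidr "$2"
}

# 5.1.3: terminate the wizard's NAT instance. Its EIP is deliberately not released
# (no release-address call) so it can be reused for the UTM.
terminate_nat_instance() { run aws ec2 terminate-instances --instance-ids "$1"; }

# 5.1.4: the UTM forwards and NATs other instances' traffic, which EC2 drops
# while the source/destination check is on.
disable_source_dest_check() {
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}
show_source_dest_check() {      # prints "False" once the check is disabled
  run aws ec2 describe-instance-attribute --instance-id "$1" \
      --attribute sourceDestCheck --query SourceDestCheck.Value --output text
}

# 5.1.5: inside a VPC an EIP is associated by its allocation id (eipalloc-...).
associate_eip() { run aws ec2 associate-address --instance-id "$1" --allocation-id "$2"; }

# 5.1.6: after the NAT instance is gone, the private route table's 0.0.0.0/0 route
# is a blackhole; list such tables, then repoint the route at the UTM's ENI
# (the guide's fallback when the instance is not offered as a target).
list_blackhole_route_tables() { # $1 vpc-id
  run aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$1" \
      --query "RouteTables[?Routes[?DestinationCidrBlock=='0.0.0.0/0' && State=='blackhole']].RouteTableId" \
      --output text
}
replace_default_route() {       # $1 route-table-id, $2 UTM eni-id
  run aws ec2 replace-route --route-table-id "$1" \
      --destination-cidr-block 0.0.0.0/0 --network-interface-id "$2"
}

# 5.2: a second UTM interface in another subnet, attached as device 1. The chosen
# instance type caps how many interfaces can be attached.
add_utm_interface() {           # $1 instance-id, $2 subnet-id, $3 security-group-id
  eni=$(run aws ec2 create-network-interface --subnet-id "$2" --groups "$3" \
          --query NetworkInterface.NetworkInterfaceId --output text)
  run aws ec2 attach-network-interface --network-interface-id "$eni" \
      --instance-id "$1" --device-index 1
}
```

Run `show_source_dest_check` after `disable_source_dest_check` and confirm it prints `False` before editing the route table; the UTM will not be offered as a route target until the check is off.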

 
 

5.3 UTM used to connect multiple VPCs


The Sophos UTM can be used to connect multiple AWS VPCs for cross-region connectivity. Please see the link below to a detailed KB article provided by AWS.
https://aws.amazon.com/articles/1909971399457482


6 Advanced Deployment Options


CloudFormation
The AWS CloudFormation service allows you to launch a “stack”, which is a collection of AWS resources defined in a JSON file. Please see the AWS CloudFormation documentation for full details on using this powerful service. An example UTM CloudFormation Template can be found when launching a UTM via the Marketplace, in the “Version” section.
http://aws.amazon.com/cloudformation/

UserData Field
The User Data field option allows you to “bootstrap” your EC2 instances while launching to set various configuration settings. The result is a UTM that contains pre-configured settings on launch. UserData can be set during manual EC2 instance launching through both the management console and the API, and UserData can be contained within a CloudFormation Template. Some simple examples of things you can set using the UserData option are the UTM hostname, passwords, and basic setup data. You can also use the UserData option to import UTM backup and license files during launch. Below is a link to a very useful tool that can be used to generate properly formatted UserData.
http://utmtools.com/AwsUserData


Avoiding Single Point of Failure


The standard UTM High Availability protocols do not work on AWS as they are based on the multicast protocol. To address this we’re currently working on both a High Availability failover solution as well as an Auto Scaling solution. High Availability will be available for beta testers mid November 2014, and Auto Scaling is targeted for early 2015. In the interim many customers are using a combination of standalone UTMs, AWS services, the Sophos UTM Manager, and a 3rd-party reporting solution to ensure maximum uptime and to achieve centralized UTM management and reporting.
As the UTM is simply an EC2 instance, it can be used with AWS tools and services such as CloudWatch and Elastic Load Balancers to ensure that traffic can always flow to and from your AWS environments.

 
 

7 Resources
http://www.sophos.com/aws
http://aws.amazon.com/
http://aws.amazon.com/ec2/
http://aws.amazon.com/testdrive/
https://aws.amazon.com/marketplace/
http://aws.amazon.com/partners/overview/consulting-partner/channel-reseller-program/
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html


8 Legal notices
Copyright © 2014 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
