Sophos UTM on AWS
Overview and Deployment Guide

Document date: November 2014
Sophos UTM and AWS

Contents

1 Amazon Web Services .... 4
1.1 AMI (Amazon Machine Image) .... 4
1.2 EC2 Instance .... 4
1.3 VPC .... 5
1.4 AWS Regions .... 5
2 AWS Shared Security Model .... 6
3 Sophos UTM on AWS .... 6
UTM on AWS Common Use Cases .... 6
3.1 Web Server Protection .... 6
3.2 Augment or Replace AWS Firewall and Provide Detailed Reporting .... 7
3.3 Intrusion Prevention System .... 8
3.4 Remote VPN User Connectivity .... 9
3.5 Branch Office Connectivity using RED .... 9
3.6 Content Filtering for AWS Workspaces Virtual Desktops .... 10
3.7 Secure VPC to VPC Connectivity .... 10
3.8 Securely extend physical office to AWS Cloud .... 11
4 Launching a UTM AMI on AWS .... 11
Launch a UTM via AWS Marketplace .... 11
4.1 Choose a Sophos AMI from the Marketplace .... 12
4.1.1 Sophos UTM BYOL (Bring Your Own License) AMI .... 12
4.1.2 Sophos UTM Hourly AMI .... 12
4.2 Licensing Differences .... 13
4.3 Sizing a UTM for your AWS Environment .... 13
4.4 Choosing an AWS Instance Type .... 14
4.5 Launch a UTM AMI as standalone or into a VPC .... 15
4.6 Choose Region .... 16
Launch a UTM via AWS Management Console .... 16
5 Common Deployment Examples .... 18
5.1 UTM with Single Interface Protecting Multiple VPC Subnets .... 18
5.1.1 VPC Wizard .... 18
1.3 VPC

Virtual Private Cloud (VPC) enables you to launch AWS Instances into a virtual network that you've defined and that you control. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. This lets you launch and run EC2 Instances that are isolated from the rest of the AWS cloud community, and provides control over local routing, subnetting, IP addressing, and Access Control Lists. With this type of separation and control you could, for example, configure public and private subnets and place your instances accordingly. The graphic below shows a common VPC example; note that you can increase your security by deploying a Sophos UTM in place of the NAT instance, so that all traffic going to and from the private subnet routes through the UTM and your configured security policies.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
3.2 Augment or Replace AWS Firewall and Provide Detailed Reporting

Amazon Web Services provides both physical security for their datacenters and the ability to protect AMIs with firewall rules that block or allow specific networks and ports. While this provides a base level of protection, it may not fully fit the needs of customers that require layered protection and the ability to block higher-level exploits. The Sophos UTM Firewall provides both basic firewall capabilities and detailed reporting on network security events, such as dropped packets destined for your Instances and where the attacks are coming from. The Sophos UTM can provide the visibility you need to monitor security events and troubleshoot issues, and displays information in both real-time and historical formats. Daily, weekly, and monthly summary reports can be automatically delivered via email, and IPS and Advanced Threat Protection event notifications can be sent via SMTP, Syslog, and SNMP for real-time alerting.
• Only FullGuard functionality is available (no per-subscription licensing when using hourly pricing).
• Endpoint Protection is not available right now.
• Pricing is simply 5x AMI pricing.
• No support built in (though available for free via UTM UBB).
One suggested way to size an AWS instance for a UTM is to look at the performance numbers and storage of our UTM hardware appliance line, and then look at what an equivalent virtual UTM would use for CPU and RAM. The CPU and RAM information can be used to identify an equivalent AWS instance type, and the storage information can be used for guidance on what type of EBS storage would be appropriate.

http://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-sg-series-appliances-brna.pdf?la=en.pdf
Exact guidance on which AWS Instance to choose is difficult to provide, as there are many variables and AWS frequently improves on and adds to the types of available instances. A good place to start is with the 'M3' family of Instance types, as they offer a good balance of compute, memory and network resources. Once your UTM Instance is launched you can use the built-in resource monitoring tools to determine whether the Instance size offers enough resources; if not, AWS allows you to easily change your Instance type with just a few clicks.

http://aws.amazon.com/ec2/instance-types/

Pricing guidance on AWS instances is also beyond the scope of this document, but Amazon offers documentation as well as online calculators to help understand and calculate costs. A good resource is the site listed below.

http://calculator.s3.amazonaws.com/index.html
Step 1: You'll now be presented with a screen showing you the available AMIs that you may launch. Navigate to the "AWS Marketplace" option and type "Sophos" into the search box to locate the UTM AMIs.
Step 2: Select your desired UTM AMI type (Hourly or BYOL), and then proceed to the Choose an Instance Type screen. As noted above, choosing the correct instance size for your deployment depends on many factors. Please refer to the above suggestions, which should provide enough information to make an initial decision. Fortunately AWS offers the option to quickly and easily change the chosen instance type at any time, so if not all information is available for proper sizing, we would suggest choosing one of the "m3" general-purpose instances as a starting point. Once launched, the UTM WebGUI dashboards and reports will show resource utilization, which can be used to determine if a different instance size is needed.
Step 3: Once an Instance size is chosen you're prompted to configure your Instance Details. The default details will launch your UTM into EC2-Classic, which means as a standalone instance that is not part of a VPC. This option is of limited value in most production environments, and it's suggested that you instead choose an existing VPC or create a new one at this time. Please see the VPC section below for more information on configuring your UTM in a VPC. When choosing the VPC option you choose the subnet to launch your UTM into, and you may also configure the UTM Interface IP Address and add additional interfaces. Note that the Instance Type you choose limits the number of Interfaces you may add to a UTM. Please see the official AWS Instance Type Documentation for more details.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

This section also allows you to configure Advanced Details, including "User Data", which can be used to configure instance details at launch and can be very useful for automating some or all of your UTM deployment. Please see the User Data section below for additional information.
Step 4: The UTM utilizes EBS volumes, and the AMIs require at least 30 GB of either magnetic or SSD volume type. SSD volumes will provide greater I/O, which may be useful in high-traffic environments where large amounts of data will be generated and stored.
Step 5: Tag your Instance for greater visibility.
Step 6: Assign or create a security group for your new UTM Instance. By default the UTM AMI will offer to create a new Security Group that allows all traffic for both TCP and UDP protocols. These recommended settings will ensure that all traffic you send to the UTM will be allowed, and you may then rely on the UTM firewall and security policies to restrict or allow traffic destined to any protected instances in your VPC. You may of course create or use your own Security Group, but please note that the UTM WebAdmin port requires TCP port 4444 by default and must be open for initial configuration. That setting can be changed once you have initially connected; please refer to the UTM Administrators guide for details on doing so.

http://www.sophos.com/en-us/support/knowledgebase/119209.aspx
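If you build your own Security Group instead of accepting the default allow-all group, the check below (an added example, not from the guide) confirms that WebAdmin TCP 4444 is reachable from your administrative range and reports whether it is also open to 0.0.0.0/0. The two rule sets are constructed in the shape of `describe-security-groups` output and are not real AWS data.

```python
import ipaddress

# Added example, not from the guide. The dicts below are constructed in the
# shape of `aws ec2 describe-security-groups` output; they are not real data.
WEBADMIN_PORT = 4444  # UTM WebAdmin default named in the guide

# Constructed: the allow-all group the UTM AMI offers to create by default.
DEFAULT_SG = {
    "GroupName": "utm-default-allow-all (constructed)",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: a custom group that admits WebAdmin only from an office range.
CUSTOM_SG = {
    "GroupName": "utm-admin-restricted (constructed)",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}


def tcp_sources(sg, port):
    """Return the CIDRs whose rules admit TCP traffic to `port`."""
    sources = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        # "-1" is an "All traffic" rule and carries no port range
        hit = proto == "-1" or (proto == "tcp"
                                and perm["FromPort"] <= port <= perm["ToPort"])
        if hit:
            sources.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return sources


def audit_webadmin(sg, admin_cidr, port=WEBADMIN_PORT):
    """Is WebAdmin reachable from `admin_cidr`, and is it open to the whole Internet?"""
    nets = [ipaddress.ip_network(c) for c in tcp_sources(sg, port)]
    admin = ipaddress.ip_network(admin_cidr)
    return {
        "admin_reachable": any(admin.subnet_of(n) for n in nets),
        "world_reachable": any(n.prefixlen == 0 for n in nets),
    }
```

Run the audit against the group you intend to attach; a result with `admin_reachable` false means the initial WebAdmin connection will fail, and `world_reachable` true means the management port is exposed beyond the UTM's own policy.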
Step 7: Review your Instance Launch details and note any AWS recommendations shown on screen.
The final step before launching your UTM AMI is to create or choose a key pair for use with your new Instance. As the UTM is by default managed by the WebAdmin GUI, a valid key pair is not needed for initial connection and configuration, so if you wish you may choose to continue without one. Note, though, that it is suggested that you assign a key pair, as you may need it later should you wish to connect to the UTM shell for advanced configuration.
Once the Select button is chosen you'll be prompted to define your VPC details as shown below. For our example we're going to leave our IP CIDR block as the default 10.0.0.0/16, set the Public subnet to 10.0.0.0/24, and the Private Subnet to 10.0.10.0/24. Note that I have not specified a preference for Availability Zone, though you may of course do that, and I have not changed other default details such as the subnet names, DNS hostname setting, hardware tenancy, or NAT details. The NAT instance will actually be replaced by the UTM once configured, and terminated to save on the associated charges. Once details are configured, click on the Create VPC button.
5.1.3 Terminate the NAT Instance

Using the VPC Wizard results in a NAT instance with a public Elastic IP (EIP) that is not necessary for our example, as the UTM can provide NAT services. To terminate your NAT instance, simply right-click on it from the EC2 Instances screen and choose Terminate. Note that, as mentioned above, tagging your Instances is suggested so you can tell them apart from each other. By default your NAT instance will not have a Tag assigned to it. If you have other untagged Instances and are unsure which is your NAT Instance, you can confirm by looking at the AMI ID information in the Instance details section, as shown below. When terminating your NAT Instance you will be shown a prompt which asks if you want to release your Elastic IP. You may do so if you have another that you wish to use with your UTM, but if you are unsure or do not, simply proceed with the termination.
When you click on your other route table you'll see the Private route table details. Note that the 0.0.0.0/0 route in this table has a status of Blackhole. That's because the original VPC Wizard settings created this route and pointed it at your terminated NAT instance. Edit the route table and delete the information shown in the Target column. When you do this it should list all available route targets, including your Sophos UTM Instance. Choose the UTM as your new route target and save. Instances launched into the Private subnet will now have their traffic routed to the UTM, which can be used to control and monitor outbound traffic. Note that if you do not see your UTM as an available route target, it may be due to the Source/Destination check not being set up properly on the UTM interface. If you've checked that but still do not see the UTM, try copying and pasting the UTM ENI information directly into the "Target" section.
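As an added example (not from the guide), the check below finds the blackhole route left behind by the terminated NAT instance and builds the corrected route table pointing at the UTM's ENI, refusing while the Source/Destination check is still enabled on that interface. The route-table and interface records are constructed with placeholder IDs in the shape of `describe-route-tables` and `describe-network-interfaces` output.

```python
import copy

# Added example, not from the guide. The dicts are constructed in the shape of
# `describe-route-tables` / `describe-network-interfaces` output; no ID is real.

# Constructed: the private route table for the guide's 10.0.10.0/24 subnet in the
# 10.0.0.0/16 VPC, after the wizard's NAT instance has been terminated.
PRIVATE_RT = {
    "RouteTableId": "rtb-EXAMPLE-private",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-EXAMPLE-nat",
         "State": "blackhole"},
    ],
}

# Constructed: the UTM's network interface. AWS only forwards traffic through an
# instance when the source/destination check on its interface is disabled.
UTM_ENI = {"NetworkInterfaceId": "eni-EXAMPLE-utm", "SourceDestCheck": False}


def blackhole_routes(route_table):
    """Return the destinations whose route target no longer exists."""
    return [r["DestinationCidrBlock"] for r in route_table["Routes"]
            if r["State"] == "blackhole"]


def retarget_to_utm(route_table, utm_eni):
    """Return a copy of the table with every blackhole route pointed at the UTM ENI.

    Refuses while the ENI still has the source/destination check enabled, which
    is the condition the guide names when the UTM does not appear as a target.
    """
    if utm_eni["SourceDestCheck"]:
        raise ValueError("disable SourceDestCheck on %s before using it as a target"
                         % utm_eni["NetworkInterfaceId"])
    fixed = copy.deepcopy(route_table)
    for route in fixed["Routes"]:
        if route["State"] == "blackhole":
            route.pop("InstanceId", None)  # the terminated NAT instance
            route["NetworkInterfaceId"] = utm_eni["NetworkInterfaceId"]
            route["State"] = "active"
    return fixed
```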
http://aws.amazon.com/cloudformation/
UserData Field

The User Data Field option allows you to "bootstrap" your EC2 Instances while launching, to set various configuration settings. The result is a UTM that contains pre-configured settings on launch. UserData can be set during manual EC2 Instance launching through both the management console and the API, and UserData can be contained within a CloudFormation Template. Some simple examples of things you can set using the UserData option are the UTM hostname, passwords, and basic setup data. You can also use the UserData option to import UTM backup and license files during launch. Below is a link to a very useful tool that can be used to generate properly formatted UserData.

http://utmtools.com/AwsUserData
7 Resources

http://www.sophos.com/aws
http://aws.amazon.com/
http://aws.amazon.com/ec2/
http://aws.amazon.com/testdrive/
https://aws.amazon.com/marketplace/
http://aws.amazon.com/partners/overview/consulting-partner/channel-reseller-program/
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
8 Legal notices

Copyright © 2014 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.