AWS Partner Network (APN) Blog
New AWS Security Competency Partner Solution: Sophos Outbound Gateway
The following is a guest post from our friends at AWS Security Competency Partner Sophos.
Fun fact: Sophos is one of the first APN Partners to be featured on “This Is My Architecture”, a new video series that highlights innovative AWS architectural solutions. Check out the Sophos video:
Many of our more security conscious customers in AWS consider controlling outbound traffic just as important as controlling inbound traffic, especially for environments that handle sensitive data. This type of control is called “egress filtering” and has long been a recommendation by security experts like the SANS Institute[1] and required by organizations that need to maintain PCI DSS compliance.
In AWS you can scale your infrastructure to support both inbound and outbound traffic demands by using Auto Scaling groups, Elastic Load Balancing (ELB), and NAT Gateway, but how do you also scale your security layer to support both ingress and egress filtering? To help customers with this need, Sophos has released a new feature called Outbound Gateway (OGW) in its Unified Threat Management (UTM) solution available on AWS. OGW extends UTM’s ability to scale and inspect inbound traffic to now scale and inspect outbound traffic as well, helping you to secure egress traffic in AWS.[2]
Sophos UTM
Sophos UTM on AWS is a security solution in the AWS Marketplace that provides a suite of tools to help you control, protect, and report on traffic entering and leaving your Virtual Private Clouds (VPCs). Sophos UTM combines multiple security tools into one solution and supports the following use cases:
- Next-Gen Firewall
- Inline Intrusion Prevention System (IPS)
- Virtual Private Network (VPN) gateway
- Advanced Threat Protection (ATP)
- Sandbox capabilities
- Web content filtering
- Web Application Firewall (WAF)
- Outbound Gateway – New
Sophos UTM integrates with AWS services like Auto Scaling, CloudWatch, and ELB to ensure inbound traffic is distributed for redundancy and scalability and also scales your security with your infrastructure to inspect your traffic before it leaves your AWS environment.
Outbound Gateway (OGW)
OGW was designed to inspect traffic leaving your VPC using a new routing mechanisms for active-passive or active-active routing. This routing allows Sophos UTM to distribute and inspect traffic leaving your private VPC subnets providing you with redundancy and an easy way to scale your security for egress filtering.
This functionality was primarily designed to help you secure Amazon WorkSpaces environments. Last year during re:Invent 2015, AWS presented how Amazon.com is providing employees, contractors, and vendors a secure remote desktop environment with Amazon WorkSpaces. As part of that move, Amazon.com showed how they used Sophos UTM to restrict network access and provide content filtering for remote users.
The following diagram shows the architecture presented in re:Invent 2015 ISM403.
Figure 1: AWS Architecture presented in re:Invent 2015 ISM403, “How Amazon.com Is Moving to Amazon WorkSpaces” – view the presentation here.
Use Cases for Sophos UTM OGW
In order to support egress filtering, Sophos UTM has to ensure that outbound traffic can be distributed for scale and fault tolerance. OGW uses a combination of GRE tunnels, health checks, and automated route adjustments to support these requirements.
In a typical VPC, the default route for private subnets is static because the route entry points to the Elastic Network Interface (ENI) of a single instance such as a NAT device or NAT Gateway. Additionally, the route can only point to one destination, which may reduce scalability. In contrast, inbound traffic is straightforward using DNS or ELB where incoming traffic can be balanced across multiple interfaces.
To help scale outbound traffic, Sophos UTM deploys an OGW instance that acts as the default gateway for each private VPC subnet you designate. These VPC subnets can be WorkSpaces subnets or any other private VPC subnet you choose. Sophos UTM then establishes GRE tunnels from each OGW instance to the UTM Workers that reside in an Auto Scaling group.
Inbound traffic follows the normal route via ELB, which distributes traffic across multiple Sophos UTM Workers for inspection. Afterwards, the Sophos UTM workers forward traffic to your instances via an internal load balancer or to your WorkSpaces VPC subnet. However, outbound traffic now takes a new route via the GRE tunnels, which distributes the traffic across the same Sophos UTM Workers. The Sophos UTM Workers then inspect the traffic before it leaves your infrastructure. Additionally, the Sophos UTM Workers are configured in Auto Scaling groups which allow the solution to scale up and down for both inbound and outbound traffic.
The following diagram is a reference architecture using Sophos UTM for inbound and outbound filtering.
Figure 2: Reference Architecture for Sophos UTM inbound & outbound filtering
You can deploy multiple OGWs in the same VPC subnet for redundancy, and Sophos UTM will perform health checks against the OGW instances to ensure normal operation. If an OGW instance fails a health check, Sophos UTM automatically reroutes the traffic to another OGW instance, preventing any outbound interruption.
You can also route traffic for inspection between VPCs using VPC Peering since the GRE tunnels between the OGW instances and Workers support peered connections. This allows you to deploy a central set of outbound filters for many VPCs.
Getting Started
To get started using Sophos UTM OGW, first let’s review the different components used for the solution and information you’ll need beforehand:
- UTM Controller for central administration and reporting of all UTM Workers
- UTM Workers reside in an Auto Scaling group and inspect all traffic (both inbound and outbound)
- OGWs reside in VPC private subnets and act as the default gateway for all outbound traffic
- GRE Tunnels route outbound traffic from the OGWs to Workers
Next, you’ll need the following information before deploying OGW. For information on creating VPC subnets, please refer to Your VPC and Subnets.
- VPC subnet(s) in which you want to deploy OGW (We recommend using different AZs for each VPC Subnet)
- VPC subnet route table(s) for those subnets (you cannot use the route table labeled MAIN)
Once you have the VPC subnets and route tables, you’re ready to start. If you plan on deploying the OGW instances in the same VPC subnet as the UTM Workers, you can deploy OGW directly from the UTM Controller. If you plan on deploying the OGW instances in different VPC subnets, please refer to our Sophos knowledge base article.
Automatically Deploy OGWs from Sophos UTM Controller
To deploy an OGW using the Sophos UTM Controller, preform the following steps:
- Access the UTM WebGUI (https://ip_address:4444)
- Browse to the Network Protection> Outbound Gateway for AWS
- Click on the New Outbound Gateway A new definition window will appear with the following fields:
- Failover Group: defines the OGWs that will provide failover for specific subnets (Note by default all OGWs reside in the same failover group)
- Group Name: only used if the Failover Group option is used.
- Position: gateways can be positioned for priority, i.e., gateways listed at the top will have higher priority.
- Resource Management: when checked this option automatically creates the OGW instance.
- AWS Subnet ID: Enter the OGW subnet ID
- Networks: Create or select Client Subnet definitions
- Gateway Network Prefix: Default prefix is 240.0.0.0/8 used for the GRE tunnels. You only need to change this setting if the network address is already in use.
Figure 3: OGW details
Once you create the OGW instance, Resource Management launches the OGW CloudFormation stack, which will match the CloudFormation status section of AWS Management Console.
Figure 4: Resource Management status
Figure 5: CloudFormation stack
After the OGW instance has fully launched, the Sophos OGW definition must be enabled before it will update the VPC route table.
Figure 6: OGW status
The VPC subnet will now show an updated route table with OGW as the default gateway.
Figure 7: Route table
Once you’ve configured Sophos OGW, you’re ready to start creating rules to inspect outbound traffic. Refer to our Sophos UTM Administration Guide under the Web Protection and the Advanced Threat Protection sections for setting up rules for egress traffic.
Available Today
OGW is already available in the AWS Marketplaces and supports Pay-As-You-Go and Bring Your Own License (BYOL) licensing options. To try Sophos UTM OGW, visit the Sophos AWS Marketplace page or follow the instructions in the Sophos Quick Start Guide. Customers that are currently running Sophos UTM can follow the steps for Updating Stacks Directly to get the latest Sophos Amazon Machine Image (AMI) that supports OGW (please note that OGW is only available for Sophos UTM that supports Auto Scaling).
As always, we’d love to hear what you think about OGW or about how you’re using Sophos UTM in AWS. You can visit the Sophos user community forums or leave a comment below if you have any questions. In a follow up blog, we’ll talk about how OGW helps simplify some routing scenarios in AWS.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
[1] https://www.sans.org/reading-room/whitepapers/firewalls/egress-filtering-faq-1059
[2] https://d0.awsstatic.com/aws-answers/Controlling_VPC_Egress_Traffic.pdf