Add access controls for RED "Listening" Service
As a Sophos Partner, I'm increasingly getting hammered by clients who have to subject themselves to audits in order to do business. Therefore I am asking that Sophos add access controls to the RED listening service. I am requesting that the RED service on the UTM be configured to use any arbitrary IP address on any of the WAN interfaces, and only allow connections from RED devices from known IPs. Here's why:
I have clients who fail PCI compliance audits because of the self signed IP. I know that the 1 CA trust model is better, but the auditors my clients use don't tend to make any exceptions. The bigger reason for the request is to lock down the service. It only takes one vulnerability in the RED server side code or one of the libraries it relies on, to open the door to a potential compromise. Enabling a more locked down ACL than "any" helps to reduce the surface area such a vuln could exploit.
In cases where the IP's were dynamic on the RED device side and the IPs could not be locked down, it is desirable to configure the RED service listener to an arbitrary IP on the WAN side of the UTM. I shouldn't have a service listening on an interface I don't specifically allow.
I'm not saying the defaults should be anything other than your current default config, but I am asking for the flexibility to configure things more tightly, should I choose to do so.
This is V2 of a previous post that I deleted, to tighten up the request and drop the part about using certs signed by a public CA. He posted some good info, so I wanted to include it here so it won't be lost:
I’ll leave this feature open for votes, though it should be limited to just the restriction of IP addresses, and not the use of a signed certificate for communication.
The RED service uses an unsigned certificate deliberately. Using a publicly signed certificate, and relying on public certificate infrastructure would actually weaken security in this case. The RED protocol uses an arranged key exchange to limit the trust to just two parties – The UTM and the RED device. RED receives the public CA cert of the UTM its connecting to as part of its configuration, and that is its ONLY trusted root ca used for communication between the RED device and the UTM. This is more secure than the the public CA model, which trusts certificates signed by any one of Many CAs.
As for restricting access to the service, I agree this is a desirable feature, but also one that could be highly problematic. RED works best (easiest to deploy) when the RED device receives a DHCP address from a provider. In this case, you wouldn’t know the IP of the RED device prior to its connection, and restrictions would have to cover a large range of public IPs to properly accomodate it in this case. If you are using static IPs at all RED locations, then locking it down might be more feasible. You can in fact do this today, though its not an explicit feature of RED. Instead, create two DNAT rules. The first, like this:
Source: Selected RED IP Addresses
Service: RED port 3400 TCP/UDP and port 3410TCP/UDP if using RED 50.
Destination: External WAN (Address)
Type: NO NAT
Then, for the second rule:
Source: Internet
Service: RED port 3400 TCP and port 3410 TCP if using RED 50.
Destination: External WAN (Address)
Type: DNAT
New Destination: (no change)
New Service: Some Unused port, like 1 or 65536
This will stop all connection attempts to the RED service port from anything other than the desired addresses.
2 comments
-
Tony commented
Would all who voted here, move your votes to:
Thank you
-
Tony commented
NOTE: This must also work for the multi-wan configurations, not just a single wan. I didn't mention that but all my use cases have more than one WAN on the UTM. Imagine UTM with 3 WAN X RED50 with Two Wan. The work around is good to know, but doesn't scale :(